From 0c3b23c3a3f48f1fbc2e59e76245a847de53ab92 Mon Sep 17 00:00:00 2001 From: "Sridhar K. N. Rao" Date: Sun, 18 Apr 2021 13:39:40 +0530 Subject: [WIP]: Openstack Security Check This patch adds openstack security checking. This is based on https://docs.openstack.org/security-guide/checklist.html Support reading configuration from default file and environment Added reference security.conf Update the Documentation. Update index to include security Fix bug reported by Parth, and another. JIRA: CIRV-49 Signed-off-by: Sridhar K. N. Rao Change-Id: I72579a861409c3aaf464f44f0cdc24dc33cd4345 --- sdv/docker/sdvsecurity/nfvsec/utils/__init__.py | 16 + sdv/docker/sdvsecurity/nfvsec/utils/k8sclient.py | 58 ++++ sdv/docker/sdvsecurity/nfvsec/utils/sshclient.py | 419 +++++++++++++++++++++++ 3 files changed, 493 insertions(+) create mode 100644 sdv/docker/sdvsecurity/nfvsec/utils/__init__.py create mode 100644 sdv/docker/sdvsecurity/nfvsec/utils/k8sclient.py create mode 100644 sdv/docker/sdvsecurity/nfvsec/utils/sshclient.py (limited to 'sdv/docker/sdvsecurity/nfvsec/utils') diff --git a/sdv/docker/sdvsecurity/nfvsec/utils/__init__.py b/sdv/docker/sdvsecurity/nfvsec/utils/__init__.py new file mode 100644 index 0000000..16e9790 --- /dev/null +++ b/sdv/docker/sdvsecurity/nfvsec/utils/__init__.py @@ -0,0 +1,16 @@ +# Copyright 2015 Intel Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Tools package. +""" diff --git a/sdv/docker/sdvsecurity/nfvsec/utils/k8sclient.py b/sdv/docker/sdvsecurity/nfvsec/utils/k8sclient.py new file mode 100644 index 0000000..b1eba5a --- /dev/null +++ b/sdv/docker/sdvsecurity/nfvsec/utils/k8sclient.py @@ -0,0 +1,58 @@ +""" +Kubernetes cluster api helper functions +""" + + +import time + +from kubernetes import client, config +from kubernetes.client import Configuration +from kubernetes.client.api import core_v1_api +from kubernetes.client.rest import ApiException +from kubernetes.stream import stream + +from kubernetes.stream import stream +import logging +from conf import settings # pylint: disable=import-error + + +class K8sClient(): + """ + Class for controlling the pod through PAPI + """ + + def __init__(self): + """ + Initialisation function. + """ + self._logger = logging.getLogger(__name__) + config.load_kube_config(settings.getValue('K8S_CONFIG_FILEPATH')) + self.api = client.CoreV1Api() + + def get_pod(self, namespace, name): + """ + Returns json details any one pod with matching label + + :param namespace: namespace to use + :param namespace: name of the pod (Longest possible). + :return: pod details + """ + api_response = self.api.list_namespaced_pod(namespace) + for pod in api_response.items: + #print(pod.metadata.name) + if pod.metadata.name.startswith(name): + return pod + return None + + + def execute(self, pod, cmd): + """ + Executes `cmd` inside `pod` and returns response + :param pod: pod object + :param cmd: command to execute inside pod + :return: response from pod + """ + response = stream(self.api.connect_get_namespaced_pod_exec, + pod.metadata.name, pod.metadata.namespace, command=cmd, + stderr=True, stdin=False, stdout=True, tty=False) + return response diff --git a/sdv/docker/sdvsecurity/nfvsec/utils/sshclient.py b/sdv/docker/sdvsecurity/nfvsec/utils/sshclient.py new file mode 100644 index 0000000..cc1f521 --- /dev/null +++ b/sdv/docker/sdvsecurity/nfvsec/utils/sshclient.py @@ -0,0 +1,419 @@ +"""High level ssh library. + +Usage examples: + +Execute command and get output: + + ssh = sshclient.SSH("root", "example.com", port=33) + status, stdout, stderr = ssh.execute("ps ax") + if status: + raise Exception("Command failed with non-zero status.") + print(stdout.splitlines()) + +Execute command with huge output: + + class PseudoFile(io.RawIOBase): + def write(chunk): + if "error" in chunk: + email_admin(chunk) + + ssh = SSH("root", "example.com") + with PseudoFile() as p: + ssh.run("tail -f /var/log/syslog", stdout=p, timeout=False) + +Execute local script on remote side: + + ssh = sshclient.SSH("user", "example.com") + + with open("~/myscript.sh", "r") as stdin_file: + status, out, err = ssh.execute('/bin/sh -s "arg1" "arg2"', + stdin=stdin_file) + +Upload file: + + ssh = SSH("user", "example.com") + # use rb for binary files + with open("/store/file.gz", "rb") as stdin_file: + ssh.run("cat > ~/upload/file.gz", stdin=stdin_file) + +""" +from __future__ import print_function +#import io +import logging +import os +import re +import select +import socket +import time + +import paramiko +#from oslo_utils import encodeutils +from scp import SCPClient +import six + +NON_NONE_DEFAULT = object() + +def try_int(s, *args): + """Convert to integer if possible.""" + #pylint: disable=invalid-name + try: + return int(s) + except (TypeError, ValueError): + return args[0] if args else s + +class SSH(): + """Represent ssh connection.""" + #pylint: disable=no-member + + SSH_PORT = paramiko.config.SSH_PORT + DEFAULT_WAIT_TIMEOUT = 120 + + @staticmethod + def gen_keys(key_filename, bit_count=2048): + """ + Generate Keys + """ + rsa_key = paramiko.RSAKey.generate(bits=bit_count, progress_func=None) + rsa_key.write_private_key_file(key_filename) + print("Writing %s ..." % key_filename) + with open('.'.join([key_filename, "pub"]), "w") as pubkey_file: + pubkey_file.write(rsa_key.get_name()) + pubkey_file.write(' ') + pubkey_file.write(rsa_key.get_base64()) + pubkey_file.write('\n') + + @staticmethod + def get_class(): + """ + Get Class object + """ + # must return static class name, anything else + # refers to the calling class + # i.e. the subclass, not the superclass + return SSH + + @classmethod + def get_arg_key_map(cls): + """ + Get Key Map + """ + return { + 'user': ('user', NON_NONE_DEFAULT), + 'host': ('ip', NON_NONE_DEFAULT), + 'port': ('ssh_port', cls.SSH_PORT), + 'pkey': ('pkey', None), + 'key_filename': ('key_filename', None), + 'password': ('password', None), + 'name': ('name', None), + } + + #pylint: disable=too-many-arguments + def __init__(self, user, host, port=None, pkey=None, + key_filename=None, password=None, name=None): + """Initialize SSH client. + :param user: ssh username + :param host: hostname or ip address of remote ssh server + :param port: remote ssh port + :param pkey: RSA or DSS private key (not supported) + :param key_filename: private key filename + :param password: password + """ + self.name = name + if name: + self.log = logging.getLogger(__name__ + '.' + self.name) + else: + self.log = logging.getLogger(__name__) + + self.wait_timeout = self.DEFAULT_WAIT_TIMEOUT + self.user = user + self.host = host + # everybody wants to debug this in the caller, do it here instead + self.log.debug("user:%s host:%s", user, host) + + # we may get text port from YAML, convert to int + self.port = try_int(port, self.SSH_PORT) + self.pkey = pkey + self.password = password + self.key_filename = key_filename + self._client = False + # paramiko loglevel debug will output ssh protocl debug + # we don't ever really want that unless we are debugging paramiko + # ssh issues + if os.environ.get("PARAMIKO_DEBUG", "").lower() == "true": + logging.getLogger("paramiko").setLevel(logging.DEBUG) + else: + logging.getLogger("paramiko").setLevel(logging.WARN) + + @property + def is_connected(self): + """ + Return true if connected + """ + return bool(self._client) + + def _get_client(self): + """ + Get Client object + """ + if self.is_connected: + return self._client + try: + self._client = paramiko.SSHClient() + self._client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + self._client.connect(self.host, username=self.user, + port=self.port, pkey=self.pkey, + key_filename=self.key_filename, + password=self.password, + allow_agent=False, look_for_keys=False, + timeout=1) + return self._client + except (paramiko.BadHostKeyException, + paramiko.AuthenticationException, + paramiko.ChannelException, + paramiko.SSHException, + socket.error) as error: + message = ("Exception %(exception_type)s was raised " + "during connect. Exception value is: %(exception)r" % + {"exception": error, "exception_type": type(error)}) + self._client = False + print(message) + + def close(self): + """ + Close connection + """ + if self._client: + self._client.close() + self._client = False + + #pylint: disable=too-many-arguments + def run(self, cmd, stdin=None, stdout=None, stderr=None, + raise_on_error=True, timeout=3600, + keep_stdin_open=False, pty=False): + """Execute specified command on the server. + + :param cmd: Command to be executed. + :type cmd: str + :param stdin: Open file or string to pass to stdin. + :param stdout: Open file to connect to stdout. + :param stderr: Open file to connect to stderr. + :param raise_on_error: If False then exit code will be return. If True + then exception will be raized if non-zero code. + :param timeout: Timeout in seconds for command execution. + Default 1 hour. No timeout if set to 0. + :param keep_stdin_open: don't close stdin on empty reads + :type keep_stdin_open: bool + :param pty: Request a pseudo terminal for this connection. + This allows passing control characters. + Default False. + :type pty: bool + """ + + client = self._get_client() + + if isinstance(stdin, six.string_types): + stdin = six.moves.StringIO(stdin) + + return self._run(client, cmd, stdin=stdin, stdout=stdout, + stderr=stderr, raise_on_error=raise_on_error, + timeout=timeout, + keep_stdin_open=keep_stdin_open, pty=pty) + + #pylint: disable=too-many-arguments,too-many-nested-blocks + def _run(self, client, cmd, stdin=None, stdout=None, stderr=None, + raise_on_error=True, timeout=3600, + keep_stdin_open=False, pty=False): + """ + Actual Run function (internal) + """ + + transport = client.get_transport() + session = transport.open_session() + if pty: + session.get_pty() + session.exec_command(cmd) + start_time = time.time() + + # encode on transmit, decode on receive + #data_to_send = encodeutils.safe_encode("", incoming='utf-8') + data_to_send = "".encode('utf-8', 'strict') + stderr_data = None + + # If we have data to be sent to stdin then `select' should also + # check for stdin availability. + if stdin and not stdin.closed: + writes = [session] + else: + writes = [] + + while True: + # Block until data can be read/write. + expe = select.select([session], writes, [session], 1)[2] + + if session.recv_ready(): + #data = encodeutils.safe_decode(session.recv(4096), 'utf-8') + data = session.recv(8192).decode('utf-8', 'strict') + self.log.debug("stdout: %r", data) + if stdout is not None: + stdout.write(data) + continue + + if session.recv_stderr_ready(): + #stderr_data = encodeutils.safe_decode( + # session.recv_stderr(4096), 'utf-8') + stderr_data = session.recv_stderr(4096).decode( + 'utf=8', 'strict') + self.log.debug("stderr: %r", stderr_data) + if stderr is not None: + stderr.write(stderr_data) + continue + + if session.send_ready(): + if stdin is not None and not stdin.closed: + if not data_to_send: + stdin_txt = stdin.read(4096) + if stdin_txt is None: + stdin_txt = '' + #data_to_send = encodeutils.safe_encode( + # stdin_txt, incoming='utf-8') + data_to_send = stdin_txt.encode('utf-8', 'strict') + if not data_to_send: + # we may need to keep stdin open + if not keep_stdin_open: + stdin.close() + session.shutdown_write() + writes = [] + if data_to_send: + sent_bytes = session.send(data_to_send) + # LOG.debug("sent: %s" % data_to_send[:sent_bytes]) + data_to_send = data_to_send[sent_bytes:] + + if session.exit_status_ready(): + break + + if timeout and (time.time() - timeout) > start_time: + message = ('Timeout executing command %(cmd)s on host %(host)s' + % {"cmd": cmd, "host": self.host}) + raise socket.timeout(message) + if expe: + raise paramiko.SSHException('Socket error') + + exit_status = session.recv_exit_status() + if exit_status != 0 and raise_on_error: + fmt = "Command '%(cmd)s' failed with exit_status %(status)d." + details = fmt % {"cmd": cmd, "status": exit_status} + if stderr_data: + details += " Last stderr data: '%s'." % stderr_data + raise paramiko.SSHException(details) + return exit_status + + def execute(self, cmd, stdin=None, timeout=3600, raise_on_error=False): + """Execute the specified command on the server. + + :param cmd: (str) Command to be executed. + :param stdin: (StringIO) Open file to be sent on process stdin. + :param timeout: (int) Timeout for execution of the command. + :param raise_on_error: (bool) If True, then an SSHError will be raised + when non-zero exit code. + + :returns: tuple (exit_status, stdout, stderr) + """ + stdout = six.moves.StringIO() + stderr = six.moves.StringIO() + + exit_status = self.run(cmd, stderr=stderr, + stdout=stdout, stdin=stdin, + timeout=timeout, raise_on_error=raise_on_error) + stdout.seek(0) + stderr.seek(0) + return exit_status, stdout.read(), stderr.read() + + + def put(self, files, remote_path=b'.', recursive=False): + """ + Push Files to remote + """ + client = self._get_client() + + with SCPClient(client.get_transport()) as scp: + scp.put(files, remote_path, recursive) + + def get(self, remote_path, local_path='/tmp/', recursive=True): + """ + Get Files from remote + """ + client = self._get_client() + + with SCPClient(client.get_transport()) as scp: + scp.get(remote_path, local_path, recursive) + + # keep shell running in the background, e.g. screen + def send_command(self, command): + """ + Execute in Background + """ + client = self._get_client() + client.exec_command(command, get_pty=True) + + def _put_file_sftp(self, localpath, remotepath, mode=None): + """ + Transfer file (internal) + """ + client = self._get_client() + + with client.open_sftp() as sftp: + sftp.put(localpath, remotepath) + if mode is None: + mode = 0o777 & os.stat(localpath).st_mode + sftp.chmod(remotepath, mode) + + TILDE_EXPANSIONS_RE = re.compile("(^~[^/]*/)?(.*)") + + def _put_file_shell(self, localpath, remotepath, mode=None): + # quote to stop wordpslit + """ + Transfer file (Internal) by ssh + """ + tilde, remotepath = self.TILDE_EXPANSIONS_RE.match(remotepath).groups() + if not tilde: + tilde = '' + cmd = ['cat > %s"%s"' % (tilde, remotepath)] + if mode is not None: + # use -- so no options + cmd.append('chmod -- 0%o %s"%s"' % (mode, tilde, remotepath)) + + with open(localpath, "rb") as localfile: + # only chmod on successful cat + self.run("&& ".join(cmd), stdin=localfile) + + def put_file(self, localpath, remotepath, mode=None): + """Copy specified local file to the server. + + :param localpath: Local filename. + :param remotepath: Remote filename. + :param mode: Permissions to set after upload + """ + try: + self._put_file_sftp(localpath, remotepath, mode=mode) + except (paramiko.SSHException, socket.error): + self._put_file_shell(localpath, remotepath, mode=mode) + + def put_file_obj(self, file_obj, remotepath, mode=None): + """ + CHange file permission + """ + client = self._get_client() + + with client.open_sftp() as sftp: + sftp.putfo(file_obj, remotepath) + if mode is not None: + sftp.chmod(remotepath, mode) + + def get_file_obj(self, remotepath, file_obj): + """ + Get File Object + """ + client = self._get_client() + + with client.open_sftp() as sftp: + sftp.getfo(remotepath, file_obj) -- cgit 1.2.3-korg