From 41d963f89b9a1de8c7a4583ff1bbe1275e5ac0c2 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Thu, 9 Jun 2016 19:14:19 +0100 Subject: Fixes and Docker Specific Attributes on security_scan JIRA: FUNCTEST-306 Fixed Incorrect logging format Added Key Download Added Docker Specifics discovered during tests Change-Id: I0c275c77a1eeb5911afb472bd0cb9c8020ae5879 Signed-off-by: Luke Hinds --- testcases/security_scan/config.ini | 8 +- testcases/security_scan/connect.py | 41 ++++++--- .../examples/xccdf-rhel7-server-upstream.ini | 8 +- .../security_scan/examples/xccdf-standard.ini | 8 +- testcases/security_scan/security_scan.py | 96 +++++++++++----------- 5 files changed, 95 insertions(+), 66 deletions(-) (limited to 'testcases') diff --git a/testcases/security_scan/config.ini b/testcases/security_scan/config.ini index 440b23cb..992ca7e3 100644 --- a/testcases/security_scan/config.ini +++ b/testcases/security_scan/config.ini @@ -1,7 +1,12 @@ +[undercloud] +port = 22 +user = stack +remotekey = /home/stack/.ssh/id_rsa +localkey = /home/opnfv/.ssh/overCloudKey + [controller] port = 22 user = heat-admin -user_key = /root/.ssh/stackkey scantype = xccdf secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml @@ -14,7 +19,6 @@ clean = True [compute] port = 22 user = heat-admin -user_key = /root/.ssh/stackkey scantype = xccdf secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml diff --git a/testcases/security_scan/connect.py b/testcases/security_scan/connect.py index e040de16..d0ef02d5 100644 --- a/testcases/security_scan/connect.py +++ b/testcases/security_scan/connect.py @@ -21,13 +21,9 @@ INSTALLER_IP = os.getenv('INSTALLER_IP') # Set up loggers logger = ft_logger.Logger("security_scan").getLogger() - -paramiko.util.log_to_file("/var/log/paramiko.log") - paramiko.util.log_to_file("/var/log/paramiko.log") - -class novaManager: +class setup: def __init__(self, *args): self.args = args @@ -48,14 +44,35 @@ class novaManager: "undercloud host: {0}".format(INSTALLER_IP)) stdin, stdout, stderr = client.exec_command(com) return stdout.read() + client.close() + + def getOCKey(self): + remotekey = self.args[0] + localkey = self.args[1] + client = paramiko.SSHClient() + client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + try: + client.connect(INSTALLER_IP, port=22, username='stack') + sftp = client.open_sftp() + sftp.get(remotekey, localkey) + except paramiko.SSHException: + logger.error("Authentication failed for " + "host: {0}".format(self.host)) + except paramiko.AuthenticationException: + logger.error("Authentication failed for " + "host: {0}".format(self.host)) + except socket.error: + logger.error("Socker Connection failed for " + "undercloud host: {0}".format(self.host)) + client.close() class connectionManager: - def __init__(self, host, port, user, user_key, *args): + def __init__(self, host, port, user, localkey, *args): self.host = host self.port = port self.user = user - self.user_key = user_key + self.localkey = localkey self.args = args def remotescript(self): @@ -88,7 +105,7 @@ class connectionManager: # Tunnel to overcloud try: remote_client.connect('127.0.0.1', port=22, username=self.user, - key_filename=self.user_key, sock=channel) + key_filename=self.localkey, sock=channel) sftp = remote_client.open_sftp() sftp.put(localpath, remotepath) except paramiko.SSHException: @@ -142,7 +159,7 @@ class connectionManager: # Tunnel to overcloud try: remote_client.connect('127.0.0.1', port=22, username=self.user, - key_filename=self.user_key, sock=channel) + key_filename=self.localkey, sock=channel) except paramiko.SSHException: logger.error("Authentication failed for " "host: {0}".format(self.host)) @@ -192,7 +209,7 @@ class connectionManager: # Tunnel to overcloud try: remote_client.connect('127.0.0.1', port=22, username=self.user, - key_filename=self.user_key, sock=channel) + key_filename=self.localkey, sock=channel) except paramiko.SSHException: logger.error("Authentication failed for " "host: {0}".format(self.host)) @@ -204,9 +221,9 @@ class connectionManager: "undercloud host: {0}".format(self.host)) # Download the reports sftp = remote_client.open_sftp() - logger.info("Downloading \"{0}\"...\n".format(reportname)) + logger.info("Downloading \"{0}\"...".format(reportname)) sftp.get(reportfile, ('{0}/{1}'.format(dl_folder, reportname))) - logger.info("Downloading \"{0}\"...\n".format(resultsname)) + logger.info("Downloading \"{0}\"...".format(resultsname)) sftp.get(reportfile, ('{0}/{1}'.format(dl_folder, resultsname))) sftp.close() transport.close() diff --git a/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini b/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini index cd5d4d27..9d12fa27 100644 --- a/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini +++ b/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini @@ -1,7 +1,12 @@ +[undercloud] +port = 22 +user = stack +remotekey = /home/stack/.ssh/id_rsa +localkey = /home/opnfv/.ssh/overCloudKey + [controller] port = 22 user = heat-admin -user_key = /root/.ssh/stackkey scantype = xccdf secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml @@ -14,7 +19,6 @@ clean = True [compute] port = 22 user = heat-admin -user_key = /root/.ssh/stackkey scantype = xccdf secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml diff --git a/testcases/security_scan/examples/xccdf-standard.ini b/testcases/security_scan/examples/xccdf-standard.ini index 440b23cb..992ca7e3 100644 --- a/testcases/security_scan/examples/xccdf-standard.ini +++ b/testcases/security_scan/examples/xccdf-standard.ini @@ -1,7 +1,12 @@ +[undercloud] +port = 22 +user = stack +remotekey = /home/stack/.ssh/id_rsa +localkey = /home/opnfv/.ssh/overCloudKey + [controller] port = 22 user = heat-admin -user_key = /root/.ssh/stackkey scantype = xccdf secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml @@ -14,7 +19,6 @@ clean = True [compute] port = 22 user = heat-admin -user_key = /root/.ssh/stackkey scantype = xccdf secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml diff --git a/testcases/security_scan/security_scan.py b/testcases/security_scan/security_scan.py index 25b5b292..9803dd3c 100644 --- a/testcases/security_scan/security_scan.py +++ b/testcases/security_scan/security_scan.py @@ -22,8 +22,6 @@ from keystoneclient.auth.identity import v2 from keystoneclient import session from novaclient import client -import functest.utils.functest_logger as ft_logger - __version__ = 0.1 __author__ = 'Luke Hinds (lhinds@redhat.com)' __url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security' @@ -32,52 +30,54 @@ __url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security' INSTALLER_IP = os.getenv('INSTALLER_IP') oscapbin = 'sudo /bin/oscap' -# Configure Nova Credentials -com = 'sudo hiera admin_password' -connect = connect.novaManager(com) -keypass = connect.keystonepass() -auth = v2.Password(auth_url='http://{0}:5000/v2.0'.format(INSTALLER_IP), - username='admin', - password=str(keypass).rstrip(), - tenant_name='admin') -sess = session.Session(auth=auth) -nova = client.Client(2, session=sess) - - # args parser = argparse.ArgumentParser(description='OPNFV OpenSCAP Scanner') parser.add_argument('--config', action='store', dest='cfgfile', help='Config file', required=True) args = parser.parse_args() -# functest logger -logger = ft_logger.Logger("security_scan").getLogger() - # Config Parser cfgparse = SafeConfigParser() cfgparse.read(args.cfgfile) +# Grab Undercloud key +remotekey = cfgparse.get('undercloud', 'remotekey') +localkey = cfgparse.get('undercloud', 'localkey') +setup = connect.setup(remotekey, localkey) +setup.getOCKey() + + +# Configure Nova Credentials +com = 'sudo hiera admin_password' +setup = connect.setup(com) +keypass = setup.keystonepass() +auth = v2.Password(auth_url='http://{0}:5000/v2.0'.format(INSTALLER_IP), + username='admin', + password=str(keypass).rstrip(), + tenant_name='admin') +sess = session.Session(auth=auth) +nova = client.Client(2, session=sess) + def run_tests(host, nodetype): - port = cfgparse.get(nodetype, 'port') user = cfgparse.get(nodetype, 'user') - user_key = cfgparse.get(nodetype, 'user_key') - logger.info("Host: {0} Selected Profile: {1}").format(host, nodetype) - logger.info("Creating temp file structure..") - createfiles(host, port, user, user_key) - logger.info("Installing OpenSCAP...") - install_pkg(host, port, user, user_key) - logger.info("Running scan...") - run_scanner(host, port, user, user_key, nodetype) + port = cfgparse.get(nodetype, 'port') + connect.logger.info("Host: {0} Selected Profile: {1}".format(host, nodetype)) + connect.logger.info("Creating temp file structure..") + createfiles(host, port, user, localkey) + connect.logger.info("Installing OpenSCAP...") + install_pkg(host, port, user, localkey) + connect.logger.info("Running scan...") + run_scanner(host, port, user, localkey, nodetype) clean = cfgparse.get(nodetype, 'clean') - logger.info("Post installation tasks....") - post_tasks(host, port, user, user_key, nodetype) + connect.logger.info("Post installation tasks....") + post_tasks(host, port, user, localkey, nodetype) if clean: - logger.info("Cleaning down environment....") - logger.info("Removing OpenSCAP....") - removepkg(host, port, user, user_key, nodetype) - logger.info("Deleting tmp file and reports (remote)...") - cleandir(host, port, user, user_key, nodetype) + connect.logger.info("Cleaning down environment....") + connect.logger.info("Removing OpenSCAP....") + removepkg(host, port, user, localkey, nodetype) + connect.logger.info("Deleting tmp file and reports (remote)...") + cleandir(host, port, user, localkey, nodetype) def nova_iterate(): @@ -96,25 +96,25 @@ def nova_iterate(): run_tests(host, nodetype) -def createfiles(host, port, user, user_key): +def createfiles(host, port, user, localkey): import connect global tmpdir localpath = os.getcwd() + '/scripts/createfiles.py' remotepath = '/tmp/createfiles.py' com = 'python /tmp/createfiles.py' - connect = connect.connectionManager(host, port, user, user_key, + connect = connect.connectionManager(host, port, user, localkey, localpath, remotepath, com) tmpdir = connect.remotescript() -def install_pkg(host, port, user, user_key): +def install_pkg(host, port, user, localkey): import connect com = 'sudo yum -y install openscap-scanner scap-security-guide' - connect = connect.connectionManager(host, port, user, user_key, com) + connect = connect.connectionManager(host, port, user, localkey, com) connect.remotecmd() -def run_scanner(host, port, user, user_key, nodetype): +def run_scanner(host, port, user, localkey, nodetype): import connect scantype = cfgparse.get(nodetype, 'scantype') profile = cfgparse.get(nodetype, 'profile') @@ -132,47 +132,47 @@ def run_scanner(host, port, user, user_key, nodetype): report, cpe, secpolicy) - connect = connect.connectionManager(host, port, user, user_key, com) + connect = connect.connectionManager(host, port, user, localkey, com) connect.remotecmd() elif scantype == 'oval': com = '{0} oval eval --results {1}/{2} ' '--report {1}/{3} {4}'.format(oscapbin, tmpdir.rstrip(), results, report, secpolicy) - connect = connect.connectionManager(host, port, user, user_key, com) + connect = connect.connectionManager(host, port, user, localkey, com) connect.remotecmd() else: com = '{0} oval-collect '.format(oscapbin) - connect = connect.connectionManager(host, port, user, user_key, com) + connect = connect.connectionManager(host, port, user, localkey, com) connect.remotecmd() -def post_tasks(host, port, user, user_key, nodetype): +def post_tasks(host, port, user, localkey, nodetype): import connect # Create the download folder for functest dashboard and download reports reports_dir = cfgparse.get(nodetype, 'reports_dir') dl_folder = os.path.join(reports_dir, host + "_" + datetime.datetime. now().strftime('%Y-%m-%d_%H-%M-%S')) - os.makesdir(dl_folder, 0755) + os.makedirs(dl_folder, 0755) report = cfgparse.get(nodetype, 'report') results = cfgparse.get(nodetype, 'results') reportfile = '{0}/{1}'.format(tmpdir.rstrip(), report) - connect = connect.connectionManager(host, port, user, user_key, dl_folder, + connect = connect.connectionManager(host, port, user, localkey, dl_folder, reportfile, report, results) connect.download_reports() -def removepkg(host, port, user, user_key, nodetype): +def removepkg(host, port, user, localkey, nodetype): import connect com = 'sudo yum -y remove openscap-scanner scap-security-guide' - connect = connect.connectionManager(host, port, user, user_key, com) + connect = connect.connectionManager(host, port, user, localkey, com) connect.remotecmd() -def cleandir(host, port, user, user_key, nodetype): +def cleandir(host, port, user, localkey, nodetype): import connect com = 'sudo rm -r {0}'.format(tmpdir.rstrip()) - connect = connect.connectionManager(host, port, user, user_key, com) + connect = connect.connectionManager(host, port, user, localkey, com) connect.remotecmd() -- cgit 1.2.3-korg