summaryrefslogtreecommitdiffstats
path: root/testcases/security_scan
diff options
context:
space:
mode:
authorLuke Hinds <lukehinds@gmail.com>2016-06-09 19:14:19 +0100
committerLuke Hinds <lukehinds@gmail.com>2016-06-09 19:45:53 +0100
commit41d963f89b9a1de8c7a4583ff1bbe1275e5ac0c2 (patch)
tree223137d4a2b692b5828f4562dedc2b9440893b09 /testcases/security_scan
parentb049ac7ad61134b4a405505db5e041fd6bdb8a5c (diff)
Fixes and Docker Specific Attributes on security_scan
JIRA: FUNCTEST-306 Fixed Incorrect logging format Added Key Download Added Docker Specifics discovered during tests Change-Id: I0c275c77a1eeb5911afb472bd0cb9c8020ae5879 Signed-off-by: Luke Hinds <lukehinds@gmail.com>
Diffstat (limited to 'testcases/security_scan')
-rw-r--r--testcases/security_scan/config.ini8
-rw-r--r--testcases/security_scan/connect.py41
-rw-r--r--testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini8
-rw-r--r--testcases/security_scan/examples/xccdf-standard.ini8
-rw-r--r--testcases/security_scan/security_scan.py96
5 files changed, 95 insertions, 66 deletions
diff --git a/testcases/security_scan/config.ini b/testcases/security_scan/config.ini
index 440b23cbe..992ca7e34 100644
--- a/testcases/security_scan/config.ini
+++ b/testcases/security_scan/config.ini
@@ -1,7 +1,12 @@
+[undercloud]
+port = 22
+user = stack
+remotekey = /home/stack/.ssh/id_rsa
+localkey = /home/opnfv/.ssh/overCloudKey
+
[controller]
port = 22
user = heat-admin
-user_key = /root/.ssh/stackkey
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
@@ -14,7 +19,6 @@ clean = True
[compute]
port = 22
user = heat-admin
-user_key = /root/.ssh/stackkey
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
diff --git a/testcases/security_scan/connect.py b/testcases/security_scan/connect.py
index e040de16f..d0ef02d56 100644
--- a/testcases/security_scan/connect.py
+++ b/testcases/security_scan/connect.py
@@ -21,13 +21,9 @@ INSTALLER_IP = os.getenv('INSTALLER_IP')
# Set up loggers
logger = ft_logger.Logger("security_scan").getLogger()
-
-paramiko.util.log_to_file("/var/log/paramiko.log")
-
paramiko.util.log_to_file("/var/log/paramiko.log")
-
-class novaManager:
+class setup:
def __init__(self, *args):
self.args = args
@@ -48,14 +44,35 @@ class novaManager:
"undercloud host: {0}".format(INSTALLER_IP))
stdin, stdout, stderr = client.exec_command(com)
return stdout.read()
+ client.close()
+
+ def getOCKey(self):
+ remotekey = self.args[0]
+ localkey = self.args[1]
+ client = paramiko.SSHClient()
+ client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ try:
+ client.connect(INSTALLER_IP, port=22, username='stack')
+ sftp = client.open_sftp()
+ sftp.get(remotekey, localkey)
+ except paramiko.SSHException:
+ logger.error("Authentication failed for "
+ "host: {0}".format(self.host))
+ except paramiko.AuthenticationException:
+ logger.error("Authentication failed for "
+ "host: {0}".format(self.host))
+ except socket.error:
+ logger.error("Socker Connection failed for "
+ "undercloud host: {0}".format(self.host))
+ client.close()
class connectionManager:
- def __init__(self, host, port, user, user_key, *args):
+ def __init__(self, host, port, user, localkey, *args):
self.host = host
self.port = port
self.user = user
- self.user_key = user_key
+ self.localkey = localkey
self.args = args
def remotescript(self):
@@ -88,7 +105,7 @@ class connectionManager:
# Tunnel to overcloud
try:
remote_client.connect('127.0.0.1', port=22, username=self.user,
- key_filename=self.user_key, sock=channel)
+ key_filename=self.localkey, sock=channel)
sftp = remote_client.open_sftp()
sftp.put(localpath, remotepath)
except paramiko.SSHException:
@@ -142,7 +159,7 @@ class connectionManager:
# Tunnel to overcloud
try:
remote_client.connect('127.0.0.1', port=22, username=self.user,
- key_filename=self.user_key, sock=channel)
+ key_filename=self.localkey, sock=channel)
except paramiko.SSHException:
logger.error("Authentication failed for "
"host: {0}".format(self.host))
@@ -192,7 +209,7 @@ class connectionManager:
# Tunnel to overcloud
try:
remote_client.connect('127.0.0.1', port=22, username=self.user,
- key_filename=self.user_key, sock=channel)
+ key_filename=self.localkey, sock=channel)
except paramiko.SSHException:
logger.error("Authentication failed for "
"host: {0}".format(self.host))
@@ -204,9 +221,9 @@ class connectionManager:
"undercloud host: {0}".format(self.host))
# Download the reports
sftp = remote_client.open_sftp()
- logger.info("Downloading \"{0}\"...\n".format(reportname))
+ logger.info("Downloading \"{0}\"...".format(reportname))
sftp.get(reportfile, ('{0}/{1}'.format(dl_folder, reportname)))
- logger.info("Downloading \"{0}\"...\n".format(resultsname))
+ logger.info("Downloading \"{0}\"...".format(resultsname))
sftp.get(reportfile, ('{0}/{1}'.format(dl_folder, resultsname)))
sftp.close()
transport.close()
diff --git a/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini b/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini
index cd5d4d27b..9d12fa27b 100644
--- a/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini
+++ b/testcases/security_scan/examples/xccdf-rhel7-server-upstream.ini
@@ -1,7 +1,12 @@
+[undercloud]
+port = 22
+user = stack
+remotekey = /home/stack/.ssh/id_rsa
+localkey = /home/opnfv/.ssh/overCloudKey
+
[controller]
port = 22
user = heat-admin
-user_key = /root/.ssh/stackkey
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
@@ -14,7 +19,6 @@ clean = True
[compute]
port = 22
user = heat-admin
-user_key = /root/.ssh/stackkey
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
diff --git a/testcases/security_scan/examples/xccdf-standard.ini b/testcases/security_scan/examples/xccdf-standard.ini
index 440b23cbe..992ca7e34 100644
--- a/testcases/security_scan/examples/xccdf-standard.ini
+++ b/testcases/security_scan/examples/xccdf-standard.ini
@@ -1,7 +1,12 @@
+[undercloud]
+port = 22
+user = stack
+remotekey = /home/stack/.ssh/id_rsa
+localkey = /home/opnfv/.ssh/overCloudKey
+
[controller]
port = 22
user = heat-admin
-user_key = /root/.ssh/stackkey
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
@@ -14,7 +19,6 @@ clean = True
[compute]
port = 22
user = heat-admin
-user_key = /root/.ssh/stackkey
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
diff --git a/testcases/security_scan/security_scan.py b/testcases/security_scan/security_scan.py
index 25b5b292d..9803dd3c1 100644
--- a/testcases/security_scan/security_scan.py
+++ b/testcases/security_scan/security_scan.py
@@ -22,8 +22,6 @@ from keystoneclient.auth.identity import v2
from keystoneclient import session
from novaclient import client
-import functest.utils.functest_logger as ft_logger
-
__version__ = 0.1
__author__ = 'Luke Hinds (lhinds@redhat.com)'
__url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security'
@@ -32,52 +30,54 @@ __url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security'
INSTALLER_IP = os.getenv('INSTALLER_IP')
oscapbin = 'sudo /bin/oscap'
-# Configure Nova Credentials
-com = 'sudo hiera admin_password'
-connect = connect.novaManager(com)
-keypass = connect.keystonepass()
-auth = v2.Password(auth_url='http://{0}:5000/v2.0'.format(INSTALLER_IP),
- username='admin',
- password=str(keypass).rstrip(),
- tenant_name='admin')
-sess = session.Session(auth=auth)
-nova = client.Client(2, session=sess)
-
-
# args
parser = argparse.ArgumentParser(description='OPNFV OpenSCAP Scanner')
parser.add_argument('--config', action='store', dest='cfgfile',
help='Config file', required=True)
args = parser.parse_args()
-# functest logger
-logger = ft_logger.Logger("security_scan").getLogger()
-
# Config Parser
cfgparse = SafeConfigParser()
cfgparse.read(args.cfgfile)
+# Grab Undercloud key
+remotekey = cfgparse.get('undercloud', 'remotekey')
+localkey = cfgparse.get('undercloud', 'localkey')
+setup = connect.setup(remotekey, localkey)
+setup.getOCKey()
+
+
+# Configure Nova Credentials
+com = 'sudo hiera admin_password'
+setup = connect.setup(com)
+keypass = setup.keystonepass()
+auth = v2.Password(auth_url='http://{0}:5000/v2.0'.format(INSTALLER_IP),
+ username='admin',
+ password=str(keypass).rstrip(),
+ tenant_name='admin')
+sess = session.Session(auth=auth)
+nova = client.Client(2, session=sess)
+
def run_tests(host, nodetype):
- port = cfgparse.get(nodetype, 'port')
user = cfgparse.get(nodetype, 'user')
- user_key = cfgparse.get(nodetype, 'user_key')
- logger.info("Host: {0} Selected Profile: {1}").format(host, nodetype)
- logger.info("Creating temp file structure..")
- createfiles(host, port, user, user_key)
- logger.info("Installing OpenSCAP...")
- install_pkg(host, port, user, user_key)
- logger.info("Running scan...")
- run_scanner(host, port, user, user_key, nodetype)
+ port = cfgparse.get(nodetype, 'port')
+ connect.logger.info("Host: {0} Selected Profile: {1}".format(host, nodetype))
+ connect.logger.info("Creating temp file structure..")
+ createfiles(host, port, user, localkey)
+ connect.logger.info("Installing OpenSCAP...")
+ install_pkg(host, port, user, localkey)
+ connect.logger.info("Running scan...")
+ run_scanner(host, port, user, localkey, nodetype)
clean = cfgparse.get(nodetype, 'clean')
- logger.info("Post installation tasks....")
- post_tasks(host, port, user, user_key, nodetype)
+ connect.logger.info("Post installation tasks....")
+ post_tasks(host, port, user, localkey, nodetype)
if clean:
- logger.info("Cleaning down environment....")
- logger.info("Removing OpenSCAP....")
- removepkg(host, port, user, user_key, nodetype)
- logger.info("Deleting tmp file and reports (remote)...")
- cleandir(host, port, user, user_key, nodetype)
+ connect.logger.info("Cleaning down environment....")
+ connect.logger.info("Removing OpenSCAP....")
+ removepkg(host, port, user, localkey, nodetype)
+ connect.logger.info("Deleting tmp file and reports (remote)...")
+ cleandir(host, port, user, localkey, nodetype)
def nova_iterate():
@@ -96,25 +96,25 @@ def nova_iterate():
run_tests(host, nodetype)
-def createfiles(host, port, user, user_key):
+def createfiles(host, port, user, localkey):
import connect
global tmpdir
localpath = os.getcwd() + '/scripts/createfiles.py'
remotepath = '/tmp/createfiles.py'
com = 'python /tmp/createfiles.py'
- connect = connect.connectionManager(host, port, user, user_key,
+ connect = connect.connectionManager(host, port, user, localkey,
localpath, remotepath, com)
tmpdir = connect.remotescript()
-def install_pkg(host, port, user, user_key):
+def install_pkg(host, port, user, localkey):
import connect
com = 'sudo yum -y install openscap-scanner scap-security-guide'
- connect = connect.connectionManager(host, port, user, user_key, com)
+ connect = connect.connectionManager(host, port, user, localkey, com)
connect.remotecmd()
-def run_scanner(host, port, user, user_key, nodetype):
+def run_scanner(host, port, user, localkey, nodetype):
import connect
scantype = cfgparse.get(nodetype, 'scantype')
profile = cfgparse.get(nodetype, 'profile')
@@ -132,47 +132,47 @@ def run_scanner(host, port, user, user_key, nodetype):
report,
cpe,
secpolicy)
- connect = connect.connectionManager(host, port, user, user_key, com)
+ connect = connect.connectionManager(host, port, user, localkey, com)
connect.remotecmd()
elif scantype == 'oval':
com = '{0} oval eval --results {1}/{2} '
'--report {1}/{3} {4}'.format(oscapbin, tmpdir.rstrip(),
results, report, secpolicy)
- connect = connect.connectionManager(host, port, user, user_key, com)
+ connect = connect.connectionManager(host, port, user, localkey, com)
connect.remotecmd()
else:
com = '{0} oval-collect '.format(oscapbin)
- connect = connect.connectionManager(host, port, user, user_key, com)
+ connect = connect.connectionManager(host, port, user, localkey, com)
connect.remotecmd()
-def post_tasks(host, port, user, user_key, nodetype):
+def post_tasks(host, port, user, localkey, nodetype):
import connect
# Create the download folder for functest dashboard and download reports
reports_dir = cfgparse.get(nodetype, 'reports_dir')
dl_folder = os.path.join(reports_dir, host + "_" +
datetime.datetime.
now().strftime('%Y-%m-%d_%H-%M-%S'))
- os.makesdir(dl_folder, 0755)
+ os.makedirs(dl_folder, 0755)
report = cfgparse.get(nodetype, 'report')
results = cfgparse.get(nodetype, 'results')
reportfile = '{0}/{1}'.format(tmpdir.rstrip(), report)
- connect = connect.connectionManager(host, port, user, user_key, dl_folder,
+ connect = connect.connectionManager(host, port, user, localkey, dl_folder,
reportfile, report, results)
connect.download_reports()
-def removepkg(host, port, user, user_key, nodetype):
+def removepkg(host, port, user, localkey, nodetype):
import connect
com = 'sudo yum -y remove openscap-scanner scap-security-guide'
- connect = connect.connectionManager(host, port, user, user_key, com)
+ connect = connect.connectionManager(host, port, user, localkey, com)
connect.remotecmd()
-def cleandir(host, port, user, user_key, nodetype):
+def cleandir(host, port, user, localkey, nodetype):
import connect
com = 'sudo rm -r {0}'.format(tmpdir.rstrip())
- connect = connect.connectionManager(host, port, user, user_key, com)
+ connect = connect.connectionManager(host, port, user, localkey, com)
connect.remotecmd()