diff options
-rwxr-xr-x | functest/ci/config_functest.yaml | 1 | ||||
-rwxr-xr-x | functest/ci/exec_test.sh | 5 | ||||
-rwxr-xr-x | functest/ci/testcases.yaml | 21 | ||||
-rw-r--r-- | functest/core/feature_base.py | 1 | ||||
-rwxr-xr-x | functest/opnfv_tests/features/security_scan.py | 24 | ||||
-rw-r--r-- | functest/opnfv_tests/openstack/snaps/health_check.py | 34 | ||||
-rw-r--r-- | functest/opnfv_tests/openstack/tempest/conf_utils.py | 51 | ||||
-rw-r--r-- | functest/opnfv_tests/security_scan/config.ini | 29 | ||||
-rw-r--r-- | functest/opnfv_tests/security_scan/connect.py | 245 | ||||
-rw-r--r-- | functest/opnfv_tests/security_scan/examples/xccdf-rhel7-server-upstream.ini | 29 | ||||
-rw-r--r-- | functest/opnfv_tests/security_scan/examples/xccdf-standard.ini | 29 | ||||
-rw-r--r-- | functest/opnfv_tests/security_scan/scripts/createfiles.py | 26 | ||||
-rw-r--r-- | functest/opnfv_tests/security_scan/scripts/internet_check.py | 27 | ||||
-rwxr-xr-x | functest/opnfv_tests/security_scan/security_scan.py | 220 |
14 files changed, 116 insertions, 626 deletions
diff --git a/functest/ci/config_functest.yaml b/functest/ci/config_functest.yaml index f6cb14cb1..6a10e382b 100755 --- a/functest/ci/config_functest.yaml +++ b/functest/ci/config_functest.yaml @@ -27,6 +27,7 @@ general: repo_parser: /home/opnfv/repos/parser repo_domino: /home/opnfv/repos/domino repo_snaps: /home/opnfv/repos/snaps + repo_securityscan: /home/opnfv/repos/securityscanning functest: /home/opnfv/functest functest_test: /home/opnfv/repos/functest/functest/opnfv_tests results: /home/opnfv/functest/results diff --git a/functest/ci/exec_test.sh b/functest/ci/exec_test.sh index 5d2865000..aa0cfaf7e 100755 --- a/functest/ci/exec_test.sh +++ b/functest/ci/exec_test.sh @@ -105,11 +105,6 @@ function run_test(){ # no need to run anything until refactoring done # ${REPOS_DIR}/ovno/Testcases/RunTests.sh ;; - "security_scan") - echo "Sourcing Credentials ${FUNCTEST_CONF_DIR}/stackrc for undercloud .." - source ${FUNCTEST_CONF_DIR}/stackrc - python ${FUNCTEST_TEST_DIR}/security_scan/security_scan.py --config ${FUNCTEST_TEST_DIR}/security_scan/config.ini - ;; *) echo "The test case '${test_name}' does not exist." exit 1 diff --git a/functest/ci/testcases.yaml b/functest/ci/testcases.yaml index 7a3dc229f..6007f9720 100755 --- a/functest/ci/testcases.yaml +++ b/functest/ci/testcases.yaml @@ -19,6 +19,22 @@ tiers: installer: '' scenario: '^((?!lxd).)*$' - + name: snaps_health_check + criteria: 'status == "PASS"' + blocking: false + description: >- + This test case creates executes the SimpleHealthCheck + Python test class which creates an, image, flavor, network, + and Cirros VM instance and observes the console output to + validate the single port obtains the correct IP address. + + dependencies: + installer: '' + scenario: '^((?!lxd).)*$' + run: + module: 'functest.opnfv_tests.openstack.snaps.health_check' + class: 'HealthCheck' + - name: connection_check criteria: 'status == "PASS"' blocking: true @@ -223,10 +239,13 @@ tiers: criteria: 'status == "PASS"' blocking: false description: >- - Simple security Scan + Simple Security Scan dependencies: installer: 'apex' scenario: '^((?!fdio).)*$' + run: + module: 'functest.opnfv_tests.features.security_scan' + class: 'SecurityScan' # - # name: copper # criteria: 'status == "PASS"' diff --git a/functest/core/feature_base.py b/functest/core/feature_base.py index 873e21dae..fe9a99989 100644 --- a/functest/core/feature_base.py +++ b/functest/core/feature_base.py @@ -24,6 +24,7 @@ class FeatureBase(base.TestcaseBase): self.post() self.parse_results(ret) self.log_results() + self.logger.info("Test result is stored in '%s'" % self.result_file) return base.TestcaseBase.EX_OK def prepare(self, **kwargs): diff --git a/functest/opnfv_tests/features/security_scan.py b/functest/opnfv_tests/features/security_scan.py new file mode 100755 index 000000000..bcae516b8 --- /dev/null +++ b/functest/opnfv_tests/features/security_scan.py @@ -0,0 +1,24 @@ +#!/usr/bin/python +# +# Copyright (c) 2015 All rights reserved +# This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +import functest.core.feature_base as base +from functest.utils.constants import CONST + + +class SecurityScan(base.FeatureBase): + def __init__(self): + super(SecurityScan, self).__init__(project='security_scan', + case='security_scan', + repo='dir_repo_securityscan') + self.cmd = ('bash {0} && ' + 'cd {1} && ' + 'python security_scan.py --config config.ini && ' + 'cd -'.format(CONST.openstack_creds, + self.repo)) diff --git a/functest/opnfv_tests/openstack/snaps/health_check.py b/functest/opnfv_tests/openstack/snaps/health_check.py new file mode 100644 index 000000000..993c1000c --- /dev/null +++ b/functest/opnfv_tests/openstack/snaps/health_check.py @@ -0,0 +1,34 @@ +# Copyright (c) 2015 All rights reserved +# This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# +# http://www.apache.org/licenses/LICENSE-2.0 + +import unittest + +from snaps.openstack.tests.os_source_file_test import OSIntegrationTestCase +from snaps.openstack.tests.create_instance_tests import SimpleHealthCheck + +from functest.core.pytest_suite_runner import PyTestSuiteRunner +from functest.opnfv_tests.openstack.snaps import snaps_utils +from functest.utils.constants import CONST + + +class HealthCheck(PyTestSuiteRunner): + """ + This test executes the SNAPS Python Test case SimpleHealthCheck which + creates a VM with a single port with an IPv4 address that is assigned by + DHCP. This test then validates the expected IP with the actual + """ + def __init__(self): + super(HealthCheck, self).__init__() + + self.suite = unittest.TestSuite() + self.case_name = "snaps_health_check" + ext_net_name = snaps_utils.get_ext_net_name() + + self.suite.addTest( + OSIntegrationTestCase.parameterize( + SimpleHealthCheck, CONST.openstack_creds, ext_net_name, + use_keystone=CONST.snaps_use_keystone)) diff --git a/functest/opnfv_tests/openstack/tempest/conf_utils.py b/functest/opnfv_tests/openstack/tempest/conf_utils.py index 91a5bb4b0..f013b4421 100644 --- a/functest/opnfv_tests/openstack/tempest/conf_utils.py +++ b/functest/opnfv_tests/openstack/tempest/conf_utils.py @@ -110,24 +110,23 @@ def get_verifier_deployment_dir(verifier_id, deployment_id): def configure_tempest(deployment_dir, IMAGE_ID=None, FLAVOR_ID=None): """ - Add/update needed parameters into tempest.conf file generated by Rally + Calls rally verify and updates the generated tempest.conf with + given parameters """ - tempest_conf_file = os.path.join(deployment_dir, "tempest.conf") - if os.path.isfile(tempest_conf_file): - logger.debug("Verifier is already configured.") - logger.debug("Reconfiguring the current verifier...") - cmd = "rally verify configure-verifier --reconfigure" + conf_verifier_result = configure_verifier(deployment_dir) + if conf_verifier_result == releng_constants.EXIT_RUN_ERROR: + return releng_constants.EXIT_RUN_ERROR else: - logger.info("Configuring the verifier...") - cmd = "rally verify configure-verifier" - ft_utils.execute_command(cmd) + configure_tempest_update_params(conf_verifier_result, + IMAGE_ID, FLAVOR_ID) + return releng_constants.EXIT_OK - logger.debug("Looking for tempest.conf file...") - if not os.path.isfile(tempest_conf_file): - logger.error("Tempest configuration file %s NOT found." - % tempest_conf_file) - return releng_constants.EXIT_RUN_ERROR +def configure_tempest_update_params(tempest_conf_file, + IMAGE_ID=None, FLAVOR_ID=None): + """ + Add/update needed parameters into tempest.conf file + """ logger.debug("Updating selected tempest.conf parameters...") config = ConfigParser.RawConfigParser() config.read(tempest_conf_file) @@ -178,7 +177,29 @@ def configure_tempest(deployment_dir, IMAGE_ID=None, FLAVOR_ID=None): shutil.copyfile(tempest_conf_file, os.path.join(TEMPEST_RESULTS_DIR, 'tempest.conf')) - return releng_constants.EXIT_OK + +def configure_verifier(deployment_dir): + """ + Execute rally verify configure-verifier, which generates tempest.conf + """ + tempest_conf_file = os.path.join(deployment_dir, "tempest.conf") + if os.path.isfile(tempest_conf_file): + logger.debug("Verifier is already configured.") + logger.debug("Reconfiguring the current verifier...") + cmd = "rally verify configure-verifier --reconfigure" + else: + logger.info("Configuring the verifier...") + cmd = "rally verify configure-verifier" + ft_utils.execute_command(cmd) + logger.debug("Looking for tempest.conf file...") + + if not os.path.isfile(tempest_conf_file): + logger.error("Tempest configuration file %s NOT found." + % tempest_conf_file) + return releng_constants.EXIT_RUN_ERROR + + else: + return tempest_conf_file def configure_tempest_multisite(deployment_dir): diff --git a/functest/opnfv_tests/security_scan/config.ini b/functest/opnfv_tests/security_scan/config.ini deleted file mode 100644 index b97de80fa..000000000 --- a/functest/opnfv_tests/security_scan/config.ini +++ /dev/null @@ -1,29 +0,0 @@ -[undercloud] -port = 22 -user = stack -remotekey = /home/stack/.ssh/id_rsa -localkey = /root/.ssh/overCloudKey - -[controller] -port = 22 -user = heat-admin -scantype = xccdf -secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml -cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml -profile = stig-rhel7-server-upstream -report = report.html -results = results.xml -reports_dir=/home/opnfv/functest/results/security_scan/ -clean = True - -[compute] -port = 22 -user = heat-admin -scantype = xccdf -secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml -cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml -profile = sstig-rhel7-server-upstream -report = report.html -results = results.xml -reports_dir=/home/opnfv/functest/results/security_scan/ -clean = True diff --git a/functest/opnfv_tests/security_scan/connect.py b/functest/opnfv_tests/security_scan/connect.py deleted file mode 100644 index 3d5456c50..000000000 --- a/functest/opnfv_tests/security_scan/connect.py +++ /dev/null @@ -1,245 +0,0 @@ -#!/usr/bin/python -# -# Copyright (c) 2016 Red Hat -# Luke Hinds (lhinds@redhat.com) -# This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# 0.1: OpenSCAP paramiko connection functions - -import os -import socket -import paramiko - -import functest.utils.functest_logger as ft_logger -import functest.utils.functest_constants as ft_constants - -# add installer IP from env -INSTALLER_IP = ft_constants.CI_INSTALLER_IP - -# Set up loggers -logger = ft_logger.Logger("security_scan").getLogger() -paramiko.util.log_to_file("/var/log/paramiko.log") - - -class SetUp: - def __init__(self, *args): - self.args = args - - def keystonepass(self): - com = self.args[0] - client = paramiko.SSHClient() - privatekeyfile = os.path.expanduser('/root/.ssh/id_rsa') - selectedkey = paramiko.RSAKey.from_private_key_file(privatekeyfile) - client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - try: - client.connect(INSTALLER_IP, port=22, username='stack', - pkey=selectedkey) - except paramiko.SSHException: - logger.error("Password is invalid for " - "undercloud host: {0}".format(INSTALLER_IP)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "undercloud host: {0}".format(INSTALLER_IP)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(INSTALLER_IP)) - stdin, stdout, stderr = client.exec_command(com) - return stdout.read() - client.close() - - def getockey(self): - remotekey = self.args[0] - localkey = self.args[1] - privatekeyfile = os.path.expanduser('/root/.ssh/id_rsa') - selectedkey = paramiko.RSAKey.from_private_key_file(privatekeyfile) - transport = paramiko.Transport((INSTALLER_IP, 22)) - transport.connect(username='stack', pkey=selectedkey) - try: - sftp = paramiko.SFTPClient.from_transport(transport) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(INSTALLER_IP)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(INSTALLER_IP)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(INSTALLER_IP)) - sftp.get(remotekey, localkey) - sftp.close() - transport.close() - - -class ConnectionManager: - def __init__(self, host, port, user, localkey, *args): - self.host = host - self.port = port - self.user = user - self.localkey = localkey - self.args = args - - def remotescript(self): - localpath = self.args[0] - remotepath = self.args[1] - com = self.args[2] - - client = paramiko.SSHClient() - privatekeyfile = os.path.expanduser('/root/.ssh/id_rsa') - selectedkey = paramiko.RSAKey.from_private_key_file(privatekeyfile) - client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - # Connection to undercloud - try: - client.connect(INSTALLER_IP, port=22, username='stack', - pkey=selectedkey) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(self.host)) - - transport = client.get_transport() - local_addr = ('127.0.0.1', 0) - channel = transport.open_channel("direct-tcpip", - (self.host, int(self.port)), - (local_addr)) - remote_client = paramiko.SSHClient() - remote_client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - # Tunnel to overcloud - try: - remote_client.connect('127.0.0.1', port=22, username=self.user, - key_filename=self.localkey, sock=channel) - sftp = remote_client.open_sftp() - sftp.put(localpath, remotepath) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(self.host)) - - output = "" - stdin, stdout, stderr = remote_client.exec_command(com) - stdout = stdout.readlines() - # remove script - sftp.remove(remotepath) - remote_client.close() - client.close() - # Pipe back stout - for line in stdout: - output = output + line - if output != "": - return output - - def remotecmd(self): - com = self.args[0] - - client = paramiko.SSHClient() - privatekeyfile = os.path.expanduser('/root/.ssh/id_rsa') - selectedkey = paramiko.RSAKey.from_private_key_file(privatekeyfile) - client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - # Connection to undercloud - try: - client.connect(INSTALLER_IP, port=22, username='stack', - pkey=selectedkey) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(self.host)) - - transport = client.get_transport() - local_addr = ('127.0.0.1', 0) # 0 denotes choose random port - channel = transport.open_channel("direct-tcpip", - (self.host, int(self.port)), - (local_addr)) - remote_client = paramiko.SSHClient() - remote_client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - # Tunnel to overcloud - try: - remote_client.connect('127.0.0.1', port=22, username=self.user, - key_filename=self.localkey, sock=channel) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(self.host)) - - chan = remote_client.get_transport().open_session() - chan.get_pty() - feed = chan.makefile() - chan.exec_command(com) - print feed.read() - - remote_client.close() - client.close() - - def download_reports(self): - dl_folder = self.args[0] - reportfile = self.args[1] - reportname = self.args[2] - resultsname = self.args[3] - client = paramiko.SSHClient() - privatekeyfile = os.path.expanduser('/root/.ssh/id_rsa') - selectedkey = paramiko.RSAKey.from_private_key_file(privatekeyfile) - client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - # Connection to overcloud - try: - client.connect(INSTALLER_IP, port=22, username='stack', - pkey=selectedkey) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(self.host)) - - transport = client.get_transport() - local_addr = ('127.0.0.1', 0) # 0 denotes choose random port - channel = transport.open_channel("direct-tcpip", - (self.host, int(self.port)), - (local_addr)) - remote_client = paramiko.SSHClient() - remote_client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - # Tunnel to overcloud - try: - remote_client.connect('127.0.0.1', port=22, username=self.user, - key_filename=self.localkey, sock=channel) - except paramiko.SSHException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except paramiko.AuthenticationException: - logger.error("Authentication failed for " - "host: {0}".format(self.host)) - except socket.error: - logger.error("Socker Connection failed for " - "undercloud host: {0}".format(self.host)) - # Download the reports - sftp = remote_client.open_sftp() - logger.info("Downloading \"{0}\"...".format(reportname)) - sftp.get(reportfile, ('{0}/{1}'.format(dl_folder, reportname))) - logger.info("Downloading \"{0}\"...".format(resultsname)) - sftp.get(reportfile, ('{0}/{1}'.format(dl_folder, resultsname))) - sftp.close() - transport.close() diff --git a/functest/opnfv_tests/security_scan/examples/xccdf-rhel7-server-upstream.ini b/functest/opnfv_tests/security_scan/examples/xccdf-rhel7-server-upstream.ini deleted file mode 100644 index 43b2e82d6..000000000 --- a/functest/opnfv_tests/security_scan/examples/xccdf-rhel7-server-upstream.ini +++ /dev/null @@ -1,29 +0,0 @@ -[undercloud] -port = 22 -user = stack -remotekey = /home/stack/.ssh/id_rsa -localkey = /root/.ssh/overCloudKey - -[controller] -port = 22 -user = heat-admin -scantype = xccdf -secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml -cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml -profile = stig-rhel7-server-upstream -report = report.hmtl -results = results.xml -reports_dir=/home/opnfv/functest/results/security_scan/ -clean = True - -[compute] -port = 22 -user = heat-admin -scantype = xccdf -secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml -cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml -profile = stig-rhel7-server-upstream -report = report.hmtl -results = results.xml -reports_dir=/home/opnfv/functest/results/security_scan/ -clean = True diff --git a/functest/opnfv_tests/security_scan/examples/xccdf-standard.ini b/functest/opnfv_tests/security_scan/examples/xccdf-standard.ini deleted file mode 100644 index bfbcf82d3..000000000 --- a/functest/opnfv_tests/security_scan/examples/xccdf-standard.ini +++ /dev/null @@ -1,29 +0,0 @@ -[undercloud] -port = 22 -user = stack -remotekey = /home/stack/.ssh/id_rsa -localkey = /root/.ssh/overCloudKey - -[controller] -port = 22 -user = heat-admin -scantype = xccdf -secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml -cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml -profile = standard -report = report.hmtl -results = results.xml -reports_dir=/home/opnfv/functest/results/security_scan/ -clean = True - -[compute] -port = 22 -user = heat-admin -scantype = xccdf -secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml -cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml -profile = standard -report = report.hmtl -results = results.xml -reports_dir=/home/opnfv/functest/results/security_scan/ -clean = True diff --git a/functest/opnfv_tests/security_scan/scripts/createfiles.py b/functest/opnfv_tests/security_scan/scripts/createfiles.py deleted file mode 100644 index b828901a5..000000000 --- a/functest/opnfv_tests/security_scan/scripts/createfiles.py +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/python -# -# Copyright (c) 2016 Red Hat -# Luke Hinds (lhinds@redhat.com) -# This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# 0.1: This script creates the needed local files into a tmp directory. Should -# '--clean' be passed, all files will be removed, post scan. - - -import os -import tempfile - -files = ['results.xml', 'report.html', 'syschar.xml'] - - -directory_name = tempfile.mkdtemp() - -for i in files: - os.system("touch %s/%s" % (directory_name, i)) - -print directory_name diff --git a/functest/opnfv_tests/security_scan/scripts/internet_check.py b/functest/opnfv_tests/security_scan/scripts/internet_check.py deleted file mode 100644 index d417d1748..000000000 --- a/functest/opnfv_tests/security_scan/scripts/internet_check.py +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/python -# -# Copyright (c) 2016 Red Hat -# Luke Hinds (lhinds@redhat.com) -# This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Performs simple connection check, falls to default timeout of 10 seconds - -import socket - -TEST_HOST = "google.com" - - -def is_connected(): - try: - host = socket.gethostbyname(TEST_HOST) - socket.create_connection((host, 80), 2) - return True - except: - return False - - -print is_connected() diff --git a/functest/opnfv_tests/security_scan/security_scan.py b/functest/opnfv_tests/security_scan/security_scan.py deleted file mode 100755 index f0673924e..000000000 --- a/functest/opnfv_tests/security_scan/security_scan.py +++ /dev/null @@ -1,220 +0,0 @@ -#!/usr/bin/python -# -# Copyright (c) 2016 Red Hat -# Luke Hinds (lhinds@redhat.com) -# This program and the accompanying materials -# are made available under the terms of the Apache License, Version 2.0 -# which accompanies this distribution, and is available at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# 0.1: This script installs OpenSCAP on the remote host, and scans the -# nominated node. Post scan a report is downloaded and if '--clean' is passed -# all trace of the scan is removed from the remote system. - - -import datetime -import os -import sys -from ConfigParser import SafeConfigParser - -import argparse -from keystoneclient import session -from keystoneclient.auth.identity import v2 -from novaclient import client - -import connect -import functest.utils.functest_constants as ft_constants - -__version__ = 0.1 -__author__ = 'Luke Hinds (lhinds@redhat.com)' -__url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security' - -# Global vars -INSTALLER_IP = ft_constants.CI_INSTALLER_IP -oscapbin = 'sudo /bin/oscap' -functest_dir = '%s/security_scan/' % ft_constants.FUNCTEST_TEST_DIR - -# Apex Spefic var needed to query Undercloud -if ft_constants.OS_AUTH_URL is None: - connect.logger.error(" Enviroment variable OS_AUTH_URL is not set") - sys.exit(0) -else: - OS_AUTH_URL = ft_constants.OS_AUTH_URL - -# args -parser = argparse.ArgumentParser(description='OPNFV OpenSCAP Scanner') -parser.add_argument('--config', action='store', dest='cfgfile', - help='Config file', required=True) -args = parser.parse_args() - -# Config Parser -cfgparse = SafeConfigParser() -cfgparse.read(args.cfgfile) - -# Grab Undercloud key -remotekey = cfgparse.get('undercloud', 'remotekey') -localkey = cfgparse.get('undercloud', 'localkey') -setup = connect.SetUp(remotekey, localkey) -setup.getockey() - - -# Configure Nova Credentials -com = 'sudo /usr/bin/hiera admin_password' -setup = connect.SetUp(com) -keypass = setup.keystonepass() -auth = v2.Password(auth_url=OS_AUTH_URL, - username='admin', - password=str(keypass).rstrip(), - tenant_name='admin') -sess = session.Session(auth=auth) -nova = client.Client(2, session=sess) - - -class GlobalVariables: - tmpdir = "" - - -def run_tests(host, nodetype): - user = cfgparse.get(nodetype, 'user') - port = cfgparse.get(nodetype, 'port') - connect.logger.info("Host: {0} Selected Profile: {1}".format(host, - nodetype)) - connect.logger.info("Checking internet for package installation...") - if internet_check(host, nodetype): - connect.logger.info("Internet Connection OK.") - connect.logger.info("Creating temp file structure..") - createfiles(host, port, user, localkey) - connect.logger.debug("Installing OpenSCAP...") - install_pkg(host, port, user, localkey) - connect.logger.debug("Running scan...") - run_scanner(host, port, user, localkey, nodetype) - clean = cfgparse.get(nodetype, 'clean') - connect.logger.info("Post installation tasks....") - post_tasks(host, port, user, localkey, nodetype) - if clean: - connect.logger.info("Cleaning down environment....") - connect.logger.debug("Removing OpenSCAP....") - removepkg(host, port, user, localkey, nodetype) - connect.logger.info("Deleting tmp file and reports (remote)...") - cleandir(host, port, user, localkey, nodetype) - else: - connect.logger.error("Internet timeout. Moving on to next node..") - pass - - -def nova_iterate(): - # Find compute nodes, active with network on ctlplane - for server in nova.servers.list(): - if server.status == 'ACTIVE' and 'compute' in server.name: - networks = server.networks - nodetype = 'compute' - for host in networks['ctlplane']: - run_tests(host, nodetype) - # Find controller nodes, active with network on ctlplane - elif server.status == 'ACTIVE' and 'controller' in server.name: - networks = server.networks - nodetype = 'controller' - for host in networks['ctlplane']: - run_tests(host, nodetype) - - -def internet_check(host, nodetype): - import connect - user = cfgparse.get(nodetype, 'user') - port = cfgparse.get(nodetype, 'port') - localpath = functest_dir + 'scripts/internet_check.py' - remotepath = '/tmp/internet_check.py' - com = 'python /tmp/internet_check.py' - testconnect = connect.ConnectionManager(host, port, user, localkey, - localpath, remotepath, com) - connectionresult = testconnect.remotescript() - if connectionresult.rstrip() == 'True': - return True - else: - return False - - -def createfiles(host, port, user, localkey): - import connect - localpath = functest_dir + 'scripts/createfiles.py' - remotepath = '/tmp/createfiles.py' - com = 'python /tmp/createfiles.py' - connect = connect.ConnectionManager(host, port, user, localkey, - localpath, remotepath, com) - GlobalVariables.tmpdir = connect.remotescript() - - -def install_pkg(host, port, user, localkey): - import connect - com = 'sudo yum -y install openscap-scanner scap-security-guide' - connect = connect.ConnectionManager(host, port, user, localkey, com) - connect.remotecmd() - - -def run_scanner(host, port, user, localkey, nodetype): - import connect - scantype = cfgparse.get(nodetype, 'scantype') - profile = cfgparse.get(nodetype, 'profile') - results = cfgparse.get(nodetype, 'results') - report = cfgparse.get(nodetype, 'report') - secpolicy = cfgparse.get(nodetype, 'secpolicy') - # Here is where we contruct the actual scan command - if scantype == 'xccdf': - cpe = cfgparse.get(nodetype, 'cpe') - com = '{0} xccdf eval --profile {1} --results {2}/{3}' \ - ' --report {2}/{4}' \ - ' --cpe {5} {6}'.format(oscapbin, - profile, - GlobalVariables.tmpdir.rstrip(), - results, - report, - cpe, - secpolicy) - connect = connect.ConnectionManager(host, port, user, localkey, com) - connect.remotecmd() - elif scantype == 'oval': - com = '{0} oval eval --results {1}/{2} ' - '--report {1}/{3} {4}'.format(oscapbin, - GlobalVariables.tmpdir.rstrip(), - results, report, secpolicy) - connect = connect.ConnectionManager(host, port, user, localkey, com) - connect.remotecmd() - else: - com = '{0} oval-collect '.format(oscapbin) - connect = connect.ConnectionManager(host, port, user, localkey, com) - connect.remotecmd() - - -def post_tasks(host, port, user, localkey, nodetype): - import connect - # Create the download folder for functest dashboard and download reports - reports_dir = cfgparse.get(nodetype, 'reports_dir') - dl_folder = os.path.join(reports_dir, host + "_" + - datetime.datetime. - now().strftime('%Y-%m-%d_%H-%M-%S')) - os.makedirs(dl_folder, 0755) - report = cfgparse.get(nodetype, 'report') - results = cfgparse.get(nodetype, 'results') - reportfile = '{0}/{1}'.format(GlobalVariables.tmpdir.rstrip(), report) - connect = connect.ConnectionManager(host, port, user, localkey, dl_folder, - reportfile, report, results) - connect.download_reports() - - -def removepkg(host, port, user, localkey, nodetype): - import connect - com = 'sudo yum -y remove openscap-scanner scap-security-guide' - connect = connect.ConnectionManager(host, port, user, localkey, com) - connect.remotecmd() - - -def cleandir(host, port, user, localkey, nodetype): - import connect - com = 'sudo rm -r {0}'.format(GlobalVariables.tmpdir.rstrip()) - connect = connect.ConnectionManager(host, port, user, localkey, com) - connect.remotecmd() - - -if __name__ == '__main__': - nova_iterate() |