Devel

defaults/main.yml

 ---
 # defaults file for paas-ci
 paas_ci_orchestrator_url: https://paas.cloud.infn.it/orchestrator
+paas_ci_iam_group: admins/cicd 
 paas_ci_workdir: "{{ lookup('env','WORKSPACE') }}"        
-python3_script_path: 'python3 /home/gmp/.ansible/roles/paas-ci/utils/script.py'
+paas_ci_scan_script_path: '/opt/scan.py'

tasks/1-create-deployment.yml

+---
 - name: Get template
   get_url:
     url: "{{ paas_ci_test.template_url }}"
@@ -5,7 +6,7 @@
 
 - name: Deployment command
   set_fact:
-    depcreate_cmd: "orchent depcreate --ojson template.yaml -g admins/beta-testers {{ paas_ci_test.inputs }}"
+    depcreate_cmd: "orchent depcreate --ojson template.yaml -g {{ paas_ci_iam_group }} {{ paas_ci_test.inputs }}"
 
 - name:  Create the deployment
   command: "{{ depcreate_cmd }}"

tasks/2-scan.yml

-- name: "Ping scans"
-  shell:
-    cmd: "ping -c1 -w 2 {{ pinging_host }}"
-  register: pingged_host
-  ignore_errors: yes
-  with_items:
-    - scans.cloud.infn.it
-  loop_control:
-    loop_var: pinging_host
-
-- name: "Result ping"
-  debug:
-    var: pingged_host
-
-- name: " ***Ip  ping"
-  debug:
-     msg: "{{  pingged_host.results|map(attribute='rc')|list }}"
 
+---
 - name: Set SSH tunnel
-  command: ssh -f -N -L localhost:9390:192.168.187.162:9390 jenkins@scans.cloud.infn.it 
+  command: ssh -o StrictHostKeyChecking=no -f -N -L localhost:9390:192.168.187.162:9390 jenkins@scans.cloud.infn.it 
 
 - debug: 
-    var: endpoints_to_scan
+    var: paas_ci_test.endpoints_to_scan
     
 - name:  Run scan
-  command: "{{ python3_script_path }} {{ endpoints_to_scan }} {{ paas_ci_workdir + '/dep.json'}} {{ paas_ci_workdir }}" 
+  command: "python3 {{ paas_ci_scan_script_path }} {{ paas_ci_test.endpoints_to_scan }} {{ paas_ci_workdir + '/dep.json'}} {{ paas_ci_workdir }}" 
   register: scan_output
 
 - name: Find report files
@@ -32,10 +16,10 @@
     patterns: '*report.txt'
   register: report_files
 
-- name: Show reports
-  debug:
-    msg: "{{lookup('file', item.path)}}"
-  with_items: "{{report_files.files}}"
+# - name: Show reports
+#   debug:
+#     msg: "{{lookup('file', item.path)}}"
+#   with_items: "{{report_files.files}}"
 
 - name: get Severity file content
   shell: cat "{{ paas_ci_workdir + '/severity.json'}}"

tasks/3-clean.yml

+---
 - set_fact:
     deployment: "{{ lookup('file', paas_ci_workdir + '/dep.json') }}"
 

tasks/main.yml

@@ -11,7 +11,7 @@
   when: paas_ci_test_step == 'create_deployment'
 
 - include: 2-scan.yml
-  when: paas_ci_test_step == 'scan'
+  when: paas_ci_test_step == 'scan' and paas_ci_test.endpoints_to_scan is defined
 
 - include: 3-clean.yml
   when: paas_ci_test_step == 'clean'
\ No newline at end of file

tests/test-jupyter-vm.yml

@@ -13,6 +13,6 @@
       paas_ci_test:
         template_url: https://baltig.infn.it/infn-cloud/tosca-templates/-/raw/master/jupyter/jupyter_vm.yaml
         inputs: |
-          '{ "users": [{"os_user_add_to_sudoers": true, "os_user_name": "scans", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQvE3sXtg4D/KYzhCdP6cICvy5foeSkHenKTisxdGJK8L0cDmV+4k7fIah1GIXrldjQBGWHSTbIj1qRTXG2OPWFxeDoXIN1FyKxwdOgwIfzIRtVq18VZEqt9eOiNUXN8jGoEAgcU7obqXuPqKAndk4tyOnSDuVnfnZWAiesVvWK16GEq0PAxBhJoX3eq501ilsNnJZDMEnvQEgtFuIbADEanrhRV3yaEca+9vFyOQRkyxDF8Gn6P/wZ4oe35bdgXxi/hg8JVKYbDCLlT+Fdi+OC3trRhwCcBSvDFD0ZQ8oLemzUk+732TqR+I8gVjPE9fiNF+/mrj5OX55SDr8Qgf scans"}]}'
+          '{ "enable_monitoring": "true", "users": [{"os_user_add_to_sudoers": true, "os_user_name": "scans", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQvE3sXtg4D/KYzhCdP6cICvy5foeSkHenKTisxdGJK8L0cDmV+4k7fIah1GIXrldjQBGWHSTbIj1qRTXG2OPWFxeDoXIN1FyKxwdOgwIfzIRtVq18VZEqt9eOiNUXN8jGoEAgcU7obqXuPqKAndk4tyOnSDuVnfnZWAiesVvWK16GEq0PAxBhJoX3eq501ilsNnJZDMEnvQEgtFuIbADEanrhRV3yaEca+9vFyOQRkyxDF8Gn6P/wZ4oe35bdgXxi/hg8JVKYbDCLlT+Fdi+OC3trRhwCcBSvDFD0ZQ8oLemzUk+732TqR+I8gVjPE9fiNF+/mrj5OX55SDr8Qgf scans"}]}'
         endpoints_to_scan: |
-          jupyter_notebook,grafana_endpoint
\ No newline at end of file
+          jupyter_endpoint,grafana_endpoint
\ No newline at end of file

tests/test-simple-node.yml

@@ -13,4 +13,4 @@
       paas_ci_test:
         template_url: https://baltig.infn.it/infn-cloud/tosca-templates/-/raw/master/single-vm/single_vm.yaml
         inputs: |
-          '{ "users": [{"os_user_add_to_sudoers": true, "os_user_name": "antonacci", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE887DQ8WcX5f8d9/MakzMhG/QovKzjrgDzJ0CwjxKm3kUYildhPcUtj7k73WdcP06st6cWpxQ+7HmFseuX+1GASorENAqMHbOvoT0K6pkNlgwgyDOYdR5JSnXIEfR7gTE391SuYN8lbLEvFCscNHYP6814tYochO+sSlpa3XJ2nHvvVp4Ikt/X2Q+zidkKzuMUwFeGf4MZz93Nlwcbg3UM+ENEjjksb7Rqxx2WtYAv8Gn6Jr1X3PmvMoaO9HBgZaosp7NXh20LRHJW+aiEKcr+vzFlgUjTcd/h2CrkgS6+AhjKqpMNS1sS/QuOvPVMUNr1dSOkmAR5EwfHcXpY9RL marica@MacBook-Air-di-marica.local"}]}'
+          '{ "users": [{"os_user_add_to_sudoers": true, "os_user_name": "scans", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQvE3sXtg4D/KYzhCdP6cICvy5foeSkHenKTisxdGJK8L0cDmV+4k7fIah1GIXrldjQBGWHSTbIj1qRTXG2OPWFxeDoXIN1FyKxwdOgwIfzIRtVq18VZEqt9eOiNUXN8jGoEAgcU7obqXuPqKAndk4tyOnSDuVnfnZWAiesVvWK16GEq0PAxBhJoX3eq501ilsNnJZDMEnvQEgtFuIbADEanrhRV3yaEca+9vFyOQRkyxDF8Gn6P/wZ4oe35bdgXxi/hg8JVKYbDCLlT+Fdi+OC3trRhwCcBSvDFD0ZQ8oLemzUk+732TqR+I8gVjPE9fiNF+/mrj5OX55SDr8Qgf scans"}]}'
\ No newline at end of file

utils/Dockerfile

 FROM jenkins/ssh-agent:4.1.0
 
 ARG ORCHENT_VERSION=1.2.9
-ARG LIBQRENCODE_PATH=/tmp/libqrencode.deb
 
 RUN DEBIAN_FRONTEND=noninteractive apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-       gnupg2 \
-       apt-utils \
-       software-properties-common \
-       wget \
-       git \
-       ansible \
-       python3-pip \
-       iproute2 \
-       net-tools \
-       dialog \
-       vim \
-       openssh-client \
-       && apt-get clean && rm -rf /var/lib/apt/lists/*
-    
-RUN DEBIAN_FRONTEND=noninteractive \
-    && wget -O ${LIBQRENCODE_PATH} http://archive.ubuntu.com/ubuntu/pool/universe/q/qrencode/libqrencode3_3.4.4-1build1_amd64.deb \
-    && dpkg -i ${LIBQRENCODE_PATH} && rm -f ${LIBQRENCODE_PATH} \
-    && apt-key adv --keyserver hkp://pgp.surfnet.nl --recv-keys ACDFB08FDC962044D87FF00B512839863D487A87 \
-    && add-apt-repository "deb http://repo.data.kit.edu/ubuntu/bionic ./" 
-    
-RUN DEBIAN_FRONTEND=noninteractive \
-    && apt-get update \
-    && apt-get install -y oidc-agent \
+    && apt-get install -y wget git ansible python3-pip iproute2 iputils-ping \
     && wget https://github.com/indigo-dc/orchent/releases/download/v${ORCHENT_VERSION}/orchent_${ORCHENT_VERSION}_amd64.deb \
     && dpkg -i orchent_${ORCHENT_VERSION}_amd64.deb \
-    && pip install gvm-tools jq yq \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
-RUN useradd -ms /bin/bash gmp \
-    && mkdir /home/gmp/.ssh
+RUN pip install gvm-tools jq yq
 
-RUN chown -R gmp:gmp /home/gmp /tmp \
-    && chown gmp:gmp /etc/environment \
-    && export PATH=$PATH:~/.local/bin
-
-USER gmp
-
-RUN eval `oidc-agent-service start`
-
-WORKDIR /home/gmp
-    
+COPY script.py /opt/scan.py
\ No newline at end of file

utils/Jenkinsfile

+pipeline {
+    agent { label 'docker-paas-agent' } 
+
+    options {
+        timestamps()
+    }
+    
+    environment {
+        ORCHENT_AGENT_ACCOUNT='infn-cloud'
+        ORCHENT_URL='https://my.cloud.infn.it/orchestrator'
+    }
+    
+    stages {  
+        stage ('Create test deployment'){
+            steps {
+                sh '''#!/bin/bash
+                      wget -O site.yaml "${PLAYBOOK_URL}"
+                      ansible-playbook site.yaml --extra-vars "paas_ci_test_step='create_deployment'"  
+                     
+                '''
+            }
+        }        
+        stage ('Scan endpoints'){
+            steps {
+                withCredentials([
+                    sshUserPrivateKey(credentialsId: "ssh_scans", keyFileVariable: 'keyfile'),
+                    usernamePassword(credentialsId: "jenkins_scans_creds", usernameVariable: 'GMP_USER', passwordVariable: 'GMP_PASSWORD')
+                ]) {
+                    sh '''#!/bin/bash
+                          cp ${keyfile} /home/jenkins/.ssh/id_rsa
+                          ansible-playbook site.yaml --extra-vars "paas_ci_test_step='scan'"  
+                         
+                    '''
+                }
+            }
+            post {
+                failure {
+                    archiveArtifacts artifacts: '*report.txt', allowEmptyArchive: true
+                    emailext attachmentsPattern: '*report.txt', body: '$DEFAULT_CONTENT', subject: '$PROJECT_NAME - Build # $BUILD_NUMBER: Vulnerabilities detected!', to: '$DEFAULT_RECIPIENTS'
+                }
+            }
+        }    
+    }
+    post { 
+        always { 
+            sh '''#!/bin/bash
+            ansible-playbook site.yaml --extra-vars "paas_ci_test_step='clean'" 
+            '''
+        }
+    }   
+}
\ No newline at end of file

utils/script.py

@@ -399,7 +399,8 @@ auth_name = os.getenv('GMP_USER')
 auth_passwd = os.getenv('GMP_PASSWORD')
 print(auth_name, auth_passwd)
 logging.basicConfig(filename='debug.log', level=logging.DEBUG)
-local_ip = socket.gethostbyname(socket.gethostname())
+#local_ip = socket.gethostbyname(socket.gethostname())
+local_ip = '127.0.0.1'
 connection = TLSConnection(hostname=local_ip)
 transform = EtreeTransform()
 config = {'id':"9866edc1-8869-4e80-acac-d15d5647b4d9"}