From 86b731e8176e386f88370f6de552edf547b966d9 Mon Sep 17 00:00:00 2001
From: Marica Antonacci <marica.antonacci@ba.infn.it>
Date: Thu, 13 Oct 2022 09:23:19 +0200
Subject: [PATCH] Devel

---
 defaults/main.yml             |  3 ++-
 tasks/1-create-deployment.yml |  3 ++-
 tasks/2-scan.yml              | 32 ++++++----------------
 tasks/3-clean.yml             |  1 +
 tasks/main.yml                |  2 +-
 tests/test-jupyter-vm.yml     |  4 +--
 tests/test-simple-node.yml    |  2 +-
 utils/Dockerfile              | 41 +++-------------------------
 utils/Jenkinsfile             | 51 +++++++++++++++++++++++++++++++++++
 utils/script.py               |  3 ++-
 10 files changed, 73 insertions(+), 69 deletions(-)
 create mode 100644 utils/Jenkinsfile

diff --git a/defaults/main.yml b/defaults/main.yml
index fcbbd79..1b8463d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 # defaults file for paas-ci
 paas_ci_orchestrator_url: https://paas.cloud.infn.it/orchestrator
+paas_ci_iam_group: admins/cicd 
 paas_ci_workdir: "{{ lookup('env','WORKSPACE') }}"        
-python3_script_path: 'python3 /home/gmp/.ansible/roles/paas-ci/utils/script.py'
+paas_ci_scan_script_path: '/opt/scan.py'
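Review bot: `paas_ci_iam_group: admins/cicd ` carries a trailing space, which a YAML parser strips from a plain scalar but yamllint reports, and an unquoted value containing `/` is one edit away from a parse surprise; write it as `paas_ci_iam_group: 'admins/cicd'`. Since this default becomes the `-g` argument of every `orchent depcreate` the role issues, a comment above it saying that it names the IAM group the test deployments are created under and that callers are expected to override it rather than run under `admins/cicd` would help; what the group grants beyond that is not visible here.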
diff --git a/tasks/1-create-deployment.yml b/tasks/1-create-deployment.yml
index 90830b7..65a2ab4 100644
--- a/tasks/1-create-deployment.yml
+++ b/tasks/1-create-deployment.yml
@@ -1,3 +1,4 @@
+---
 - name: Get template
   get_url:
     url: "{{ paas_ci_test.template_url }}"
@@ -5,7 +6,7 @@
 
 - name: Deployment command
   set_fact:
-    depcreate_cmd: "orchent depcreate --ojson template.yaml -g admins/beta-testers {{ paas_ci_test.inputs }}"
+    depcreate_cmd: "orchent depcreate --ojson template.yaml -g {{ paas_ci_iam_group }} {{ paas_ci_test.inputs }}"
 
 - name:  Create the deployment
   command: "{{ depcreate_cmd }}"
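Review bot: `{{ paas_ci_test.inputs }}` is spliced into one string that the `command` module then splits on whitespace, so the JSON only survives because the test files wrap it in single quotes; that contract is stated nowhere, and a caller who passes bare JSON gets a deployment created with mangled inputs. Either document it above the `set_fact` — `# paas_ci_test.inputs must be a single shell-quoted token, e.g. '{"users": [...]}', because the command line is split on whitespace` — or switch the task to `command: argv:` with the group and the inputs as separate list items, which removes the need for callers to pre-quote (the existing test inputs would then drop their surrounding quotes). The same splitting applies to `{{ paas_ci_iam_group }}`, which therefore must never contain whitespace.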
diff --git a/tasks/2-scan.yml b/tasks/2-scan.yml
index 247dd25..eced4af 100644
--- a/tasks/2-scan.yml
+++ b/tasks/2-scan.yml
@@ -1,29 +1,13 @@
-- name: "Ping scans"
-  shell:
-    cmd: "ping -c1 -w 2 {{ pinging_host }}"
-  register: pingged_host
-  ignore_errors: yes
-  with_items:
-    - scans.cloud.infn.it
-  loop_control:
-    loop_var: pinging_host
-
-- name: "Result ping"
-  debug:
-    var: pingged_host
-
-- name: " ***Ip  ping"
-  debug:
-     msg: "{{  pingged_host.results|map(attribute='rc')|list }}"
 
+---
 - name: Set SSH tunnel
-  command: ssh -f -N -L localhost:9390:192.168.187.162:9390 jenkins@scans.cloud.infn.it 
+  command: ssh -o StrictHostKeyChecking=no -f -N -L localhost:9390:192.168.187.162:9390 jenkins@scans.cloud.infn.it 
 
 - debug: 
-    var: endpoints_to_scan
+    var: paas_ci_test.endpoints_to_scan
     
 - name:  Run scan
-  command: "{{ python3_script_path }} {{ endpoints_to_scan }} {{ paas_ci_workdir + '/dep.json'}} {{ paas_ci_workdir }}" 
+  command: "python3 {{ paas_ci_scan_script_path }} {{ paas_ci_test.endpoints_to_scan }} {{ paas_ci_workdir + '/dep.json'}} {{ paas_ci_workdir }}" 
   register: scan_output
 
 - name: Find report files
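Review bot: `-o StrictHostKeyChecking=no` on the tunnel command makes the session to `scans.cloud.infn.it` accept any host key, so a spoofed scanner host would receive the `jenkins` key-based login and the forwarded GMP traffic (including the credentials the scan script sends) without a warning. Because the agent image is built from `utils/Dockerfile` in this same role, the scanner's host key can be shipped in the image and enforced: `command: ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/opt/scans_known_hosts -o ExitOnForwardFailure=yes -f -N -L localhost:9390:192.168.187.162:9390 jenkins@scans.cloud.infn.it`, with the known-hosts file added by a `COPY`; `accept-new` is the minimum if the key cannot be pinned yet. `ExitOnForwardFailure=yes` also turns a failure to bind local port 9390 — for example a tunnel left over from an earlier run, since nothing visible in this role tears it down — into a task failure instead of a warning that `-f -N` otherwise leaves in the log.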
@@ -32,10 +16,10 @@
     patterns: '*report.txt'
   register: report_files
 
-- name: Show reports
-  debug:
-    msg: "{{lookup('file', item.path)}}"
-  with_items: "{{report_files.files}}"
+# - name: Show reports
+#   debug:
+#     msg: "{{lookup('file', item.path)}}"
+#   with_items: "{{report_files.files}}"
 
 - name: get Severity file content
   shell: cat "{{ paas_ci_workdir + '/severity.json'}}"
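Review bot: The `Show reports` task is kept as commented-out code rather than deleted; git history already preserves it and the block will rot as the surrounding tasks change, so drop the four lines. On the last line, `shell: cat "{{ paas_ci_workdir + '/severity.json'}}"` shells out to read a local file while `tasks/3-clean.yml` reads `dep.json` with `lookup('file', ...)`; the same form here — `severity: "{{ lookup('file', paas_ci_workdir + '/severity.json') }}"` in a `set_fact` — keeps the role consistent and avoids a shell for a file read. The rest of that task lies outside the hunk.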
diff --git a/tasks/3-clean.yml b/tasks/3-clean.yml
index f716042..3cc84ab 100644
--- a/tasks/3-clean.yml
+++ b/tasks/3-clean.yml
@@ -1,3 +1,4 @@
+---
 - set_fact:
     deployment: "{{ lookup('file', paas_ci_workdir + '/dep.json') }}"
 
diff --git a/tasks/main.yml b/tasks/main.yml
index 1e8fdd3..870726a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,7 +11,7 @@
   when: paas_ci_test_step == 'create_deployment'
 
 - include: 2-scan.yml
-  when: paas_ci_test_step == 'scan'
+  when: paas_ci_test_step == 'scan' and paas_ci_test.endpoints_to_scan is defined
 
 - include: 3-clean.yml
   when: paas_ci_test_step == 'clean'
\ No newline at end of file
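Review bot: With the added `and paas_ci_test.endpoints_to_scan is defined`, a test definition that omits `endpoints_to_scan` (as `tests/test-simple-node.yml` does) turns the `scan` step into a silent no-op: the pipeline's scan stage goes green without any vulnerability scan having run and nothing in the log says so. A companion task that announces the skip keeps that visible; `fail` would be stricter but would break the simple-node test as written. Separately, `include` has been deprecated since Ansible 2.4 and is removed in newer ansible-core releases, so `include_tasks` is the current spelling for these per-step includes; the rewrite below also restores the missing final newline.
```yaml
- include_tasks: 2-scan.yml
  when: paas_ci_test_step == 'scan' and paas_ci_test.endpoints_to_scan is defined

- name: Report that the scan step is being skipped
  debug:
    msg: "paas_ci_test.endpoints_to_scan is not defined; no vulnerability scan will run for this test"
  when: paas_ci_test_step == 'scan' and paas_ci_test.endpoints_to_scan is not defined

# … unchanged: include of 3-clean.yml …
```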
diff --git a/tests/test-jupyter-vm.yml b/tests/test-jupyter-vm.yml
index 7f93420..bb346a7 100644
--- a/tests/test-jupyter-vm.yml
+++ b/tests/test-jupyter-vm.yml
@@ -13,6 +13,6 @@
       paas_ci_test:
         template_url: https://baltig.infn.it/infn-cloud/tosca-templates/-/raw/master/jupyter/jupyter_vm.yaml
         inputs: |
-          '{ "users": [{"os_user_add_to_sudoers": true, "os_user_name": "scans", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQvE3sXtg4D/KYzhCdP6cICvy5foeSkHenKTisxdGJK8L0cDmV+4k7fIah1GIXrldjQBGWHSTbIj1qRTXG2OPWFxeDoXIN1FyKxwdOgwIfzIRtVq18VZEqt9eOiNUXN8jGoEAgcU7obqXuPqKAndk4tyOnSDuVnfnZWAiesVvWK16GEq0PAxBhJoX3eq501ilsNnJZDMEnvQEgtFuIbADEanrhRV3yaEca+9vFyOQRkyxDF8Gn6P/wZ4oe35bdgXxi/hg8JVKYbDCLlT+Fdi+OC3trRhwCcBSvDFD0ZQ8oLemzUk+732TqR+I8gVjPE9fiNF+/mrj5OX55SDr8Qgf scans"}]}'
+          '{ "enable_monitoring": "true", "users": [{"os_user_add_to_sudoers": true, "os_user_name": "scans", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQvE3sXtg4D/KYzhCdP6cICvy5foeSkHenKTisxdGJK8L0cDmV+4k7fIah1GIXrldjQBGWHSTbIj1qRTXG2OPWFxeDoXIN1FyKxwdOgwIfzIRtVq18VZEqt9eOiNUXN8jGoEAgcU7obqXuPqKAndk4tyOnSDuVnfnZWAiesVvWK16GEq0PAxBhJoX3eq501ilsNnJZDMEnvQEgtFuIbADEanrhRV3yaEca+9vFyOQRkyxDF8Gn6P/wZ4oe35bdgXxi/hg8JVKYbDCLlT+Fdi+OC3trRhwCcBSvDFD0ZQ8oLemzUk+732TqR+I8gVjPE9fiNF+/mrj5OX55SDr8Qgf scans"}]}'
         endpoints_to_scan: |
-          jupyter_notebook,grafana_endpoint
\ No newline at end of file
+          jupyter_endpoint,grafana_endpoint
\ No newline at end of file
diff --git a/tests/test-simple-node.yml b/tests/test-simple-node.yml
index 764c65f..908d5f1 100644
--- a/tests/test-simple-node.yml
+++ b/tests/test-simple-node.yml
@@ -13,4 +13,4 @@
       paas_ci_test:
         template_url: https://baltig.infn.it/infn-cloud/tosca-templates/-/raw/master/single-vm/single_vm.yaml
         inputs: |
-          '{ "users": [{"os_user_add_to_sudoers": true, "os_user_name": "antonacci", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE887DQ8WcX5f8d9/MakzMhG/QovKzjrgDzJ0CwjxKm3kUYildhPcUtj7k73WdcP06st6cWpxQ+7HmFseuX+1GASorENAqMHbOvoT0K6pkNlgwgyDOYdR5JSnXIEfR7gTE391SuYN8lbLEvFCscNHYP6814tYochO+sSlpa3XJ2nHvvVp4Ikt/X2Q+zidkKzuMUwFeGf4MZz93Nlwcbg3UM+ENEjjksb7Rqxx2WtYAv8Gn6Jr1X3PmvMoaO9HBgZaosp7NXh20LRHJW+aiEKcr+vzFlgUjTcd/h2CrkgS6+AhjKqpMNS1sS/QuOvPVMUNr1dSOkmAR5EwfHcXpY9RL marica@MacBook-Air-di-marica.local"}]}'
+          '{ "users": [{"os_user_add_to_sudoers": true, "os_user_name": "scans", "os_user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQvE3sXtg4D/KYzhCdP6cICvy5foeSkHenKTisxdGJK8L0cDmV+4k7fIah1GIXrldjQBGWHSTbIj1qRTXG2OPWFxeDoXIN1FyKxwdOgwIfzIRtVq18VZEqt9eOiNUXN8jGoEAgcU7obqXuPqKAndk4tyOnSDuVnfnZWAiesVvWK16GEq0PAxBhJoX3eq501ilsNnJZDMEnvQEgtFuIbADEanrhRV3yaEca+9vFyOQRkyxDF8Gn6P/wZ4oe35bdgXxi/hg8JVKYbDCLlT+Fdi+OC3trRhwCcBSvDFD0ZQ8oLemzUk+732TqR+I8gVjPE9fiNF+/mrj5OX55SDr8Qgf scans"}]}'
\ No newline at end of file
diff --git a/utils/Dockerfile b/utils/Dockerfile
index e75e4ce..5727b85 100644
--- a/utils/Dockerfile
+++ b/utils/Dockerfile
@@ -1,48 +1,13 @@
 FROM jenkins/ssh-agent:4.1.0
 
 ARG ORCHENT_VERSION=1.2.9
-ARG LIBQRENCODE_PATH=/tmp/libqrencode.deb
 
 RUN DEBIAN_FRONTEND=noninteractive apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-       gnupg2 \
-       apt-utils \
-       software-properties-common \
-       wget \
-       git \
-       ansible \
-       python3-pip \
-       iproute2 \
-       net-tools \
-       dialog \
-       vim \
-       openssh-client \
-       && apt-get clean && rm -rf /var/lib/apt/lists/*
-    
-RUN DEBIAN_FRONTEND=noninteractive \
-    && wget -O ${LIBQRENCODE_PATH} http://archive.ubuntu.com/ubuntu/pool/universe/q/qrencode/libqrencode3_3.4.4-1build1_amd64.deb \
-    && dpkg -i ${LIBQRENCODE_PATH} && rm -f ${LIBQRENCODE_PATH} \
-    && apt-key adv --keyserver hkp://pgp.surfnet.nl --recv-keys ACDFB08FDC962044D87FF00B512839863D487A87 \
-    && add-apt-repository "deb http://repo.data.kit.edu/ubuntu/bionic ./" 
-    
-RUN DEBIAN_FRONTEND=noninteractive \
-    && apt-get update \
-    && apt-get install -y oidc-agent \
+    && apt-get install -y wget git ansible python3-pip iproute2 iputils-ping \
     && wget https://github.com/indigo-dc/orchent/releases/download/v${ORCHENT_VERSION}/orchent_${ORCHENT_VERSION}_amd64.deb \
     && dpkg -i orchent_${ORCHENT_VERSION}_amd64.deb \
-    && pip install gvm-tools jq yq \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
-RUN useradd -ms /bin/bash gmp \
-    && mkdir /home/gmp/.ssh
+RUN pip install gvm-tools jq yq
 
-RUN chown -R gmp:gmp /home/gmp /tmp \
-    && chown gmp:gmp /etc/environment \
-    && export PATH=$PATH:~/.local/bin
-
-USER gmp
-
-RUN eval `oidc-agent-service start`
-
-WORKDIR /home/gmp
-    
+COPY script.py /opt/scan.py
\ No newline at end of file
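Review bot: The orchent package is fetched with `wget` and installed with `dpkg -i` as root with no integrity check, so the build trusts whatever the GitHub release URL serves at build time; pinning `ORCHENT_VERSION` fixes the file name, not the bytes. Verify the download against a checksum recorded next to the version and delete the `.deb` afterwards (it is currently left in the image layer). `pip install gvm-tools jq yq` is likewise unpinned, so every rebuild pulls the latest of each; pin versions, or install from a requirements file with hashes, for the same reason. Dropping `USER gmp` means the image now runs as whatever user the `jenkins/ssh-agent` base declares, and `utils/Jenkinsfile` writes into `/home/jenkins/.ssh`, which suggests that is `jenkins` — worth confirming that the scan script and the tunnel are not running as root.
```dockerfile
ARG ORCHENT_VERSION=1.2.9
# sha256 of orchent_${ORCHENT_VERSION}_amd64.deb, taken from the release page; update together with the version
ARG ORCHENT_SHA256

RUN DEBIAN_FRONTEND=noninteractive apt-get update \
    && apt-get install -y wget git ansible python3-pip iproute2 iputils-ping \
    && wget -O /tmp/orchent.deb https://github.com/indigo-dc/orchent/releases/download/v${ORCHENT_VERSION}/orchent_${ORCHENT_VERSION}_amd64.deb \
    && echo "${ORCHENT_SHA256}  /tmp/orchent.deb" | sha256sum -c - \
    && dpkg -i /tmp/orchent.deb \
    && rm -f /tmp/orchent.deb \
    && apt-get clean && rm -rf /var/lib/apt/lists/*

# … unchanged: pip install (pin the three packages), COPY script.py …
```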
diff --git a/utils/Jenkinsfile b/utils/Jenkinsfile
new file mode 100644
index 0000000..88f4f26
--- /dev/null
+++ b/utils/Jenkinsfile
@@ -0,0 +1,51 @@
+pipeline {
+    agent { label 'docker-paas-agent' } 
+
+    options {
+        timestamps()
+    }
+    
+    environment {
+        ORCHENT_AGENT_ACCOUNT='infn-cloud'
+        ORCHENT_URL='https://my.cloud.infn.it/orchestrator'
+    }
+    
+    stages {  
+        stage ('Create test deployment'){
+            steps {
+                sh '''#!/bin/bash
+                      wget -O site.yaml "${PLAYBOOK_URL}"
+                      ansible-playbook site.yaml --extra-vars "paas_ci_test_step='create_deployment'"  
+                     
+                '''
+            }
+        }        
+        stage ('Scan endpoints'){
+            steps {
+                withCredentials([
+                    sshUserPrivateKey(credentialsId: "ssh_scans", keyFileVariable: 'keyfile'),
+                    usernamePassword(credentialsId: "jenkins_scans_creds", usernameVariable: 'GMP_USER', passwordVariable: 'GMP_PASSWORD')
+                ]) {
+                    sh '''#!/bin/bash
+                          cp ${keyfile} /home/jenkins/.ssh/id_rsa
+                          ansible-playbook site.yaml --extra-vars "paas_ci_test_step='scan'"  
+                         
+                    '''
+                }
+            }
+            post {
+                failure {
+                    archiveArtifacts artifacts: '*report.txt', allowEmptyArchive: true
+                    emailext attachmentsPattern: '*report.txt', body: '$DEFAULT_CONTENT', subject: '$PROJECT_NAME - Build # $BUILD_NUMBER: Vulnerabilities detected!', to: '$DEFAULT_RECIPIENTS'
+                }
+            }
+        }    
+    }
+    post { 
+        always { 
+            sh '''#!/bin/bash
+            ansible-playbook site.yaml --extra-vars "paas_ci_test_step='clean'" 
+            '''
+        }
+    }   
+}
\ No newline at end of file
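Review bot: In the `Scan endpoints` stage the `ssh_scans` private key is copied to `/home/jenkins/.ssh/id_rsa` and never removed, so it outlives the build on the agent (`withCredentials` only cleans up its own temporary file) and is written with whatever mode `cp` gives it rather than the 0600 ssh expects. Pass the temporary path to the playbook instead and let the tunnel task use it with `ssh -i`, or at minimum `install -m 600` it and delete it in a `post { always }` of the stage. Neither shell step sets `set -euo pipefail`, so when `wget -O site.yaml "${PLAYBOOK_URL}"` fails, a `site.yaml` left in the workspace by an earlier build is run instead. Where `PLAYBOOK_URL` comes from is not visible here; if it is a job parameter, whoever can set it can run an arbitrary playbook with `ssh_scans` and `jenkins_scans_creds` in scope, so it should be fixed in the `environment` block or restricted to a trusted repository.
```groovy
stage ('Create test deployment'){
    steps {
        sh '''#!/bin/bash
              set -euo pipefail
              wget -O site.yaml "${PLAYBOOK_URL}"
              ansible-playbook site.yaml --extra-vars "paas_ci_test_step='create_deployment'"
        '''
    }
}
stage ('Scan endpoints'){
    steps {
        // … unchanged: withCredentials([...]) wrapper …
            // hand the credential's temporary path to the playbook (tunnel task: ssh -i {{ paas_ci_ssh_key }} ...)
            // instead of copying the key into the agent's home directory
            sh '''#!/bin/bash
                  set -euo pipefail
                  ansible-playbook site.yaml --extra-vars "paas_ci_test_step='scan' paas_ci_ssh_key='${keyfile}'"
            '''
        // … unchanged: end of withCredentials, post { failure { archiveArtifacts / emailext } } …
    }
}
// … unchanged: pipeline post { always { clean } } …
```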
diff --git a/utils/script.py b/utils/script.py
index d181f83..253eee6 100644
--- a/utils/script.py
+++ b/utils/script.py
@@ -399,7 +399,8 @@ auth_name = os.getenv('GMP_USER')
 auth_passwd = os.getenv('GMP_PASSWORD')
 print(auth_name, auth_passwd)
 logging.basicConfig(filename='debug.log', level=logging.DEBUG)
-local_ip = socket.gethostbyname(socket.gethostname())
+#local_ip = socket.gethostbyname(socket.gethostname())
+local_ip = '127.0.0.1'
 connection = TLSConnection(hostname=local_ip)
 transform = EtreeTransform()
 config = {'id':"9866edc1-8869-4e80-acac-d15d5647b4d9"}
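Review bot: `local_ip = '127.0.0.1'` hard-wires the script to the tunnel that `tasks/2-scan.yml` opens on localhost:9390 and keeps the old `gethostbyname` line as a comment; read the endpoint from the environment the way the credentials are read two lines above, and drop the dead line: `local_ip = os.getenv('GMP_HOST', '127.0.0.1')`. The unchanged `print(auth_name, auth_passwd)` just above writes the scanner password to stdout, which the playbook captures with `register: scan_output` and Jenkins keeps in the console log; it should go, or at most print the username. The module-level code continues outside the hunk.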
-- 
GitLab