From d280f25315d05a70d78ce1aee65c9ba8e6e0699d Mon Sep 17 00:00:00 2001 From: Philipp Eder Date: Mon, 15 Jan 2024 15:20:13 +0100 Subject: [PATCH 1/4] Fix: helm: notus-data uses a tar.gz file Within the latest changes of the notus-feed it was decided that an image contains just the tar.gz file, forcing us to utilize the init.sh script. Since the same is planned for vulnerability-tests the deployment is also changed to utilize the init.sh script instead of doing that as a command. --- charts/openvasd/templates/deployment.yaml | 26 ++++++++++++------- .../tls/Self-Signed mTLS Method/Makefile | 21 +++++++++++++++ 2 files changed, 38 insertions(+), 9 deletions(-) create mode 100644 rust/examples/tls/Self-Signed mTLS Method/Makefile diff --git a/charts/openvasd/templates/deployment.yaml b/charts/openvasd/templates/deployment.yaml index 7f1a4aa1e..030bf5165 100644 --- a/charts/openvasd/templates/deployment.yaml +++ b/charts/openvasd/templates/deployment.yaml 
@@ -59,22 +59,30 @@ spec: volumeMounts: - name: nasl-plugins mountPath: /mnt/nasl - command: ['sh', '-c'] - args: ['cp -rv /var/lib/openvas/22.04/vt-data/nasl/* /mnt/nasl/'] - - name: notus-advisories - image: "{{ .Values.notusdata.repository }}:{{ .Values.notusdata.tag }}" + env: + - name: MOUNT_PATH + value: "/mnt/nasl" + - name: normalize-nasl-feed + image: "{{ .Values.vulnerabilitytests.repository }}:{{ .Values.vulnerabilitytests.tag }}" imagePullPolicy: Always volumeMounts: - - name: notus-data - mountPath: /mnt/notus - command: ['cp', '-rv', '/var/lib/notus/advisories', '/mnt/notus/'] - - name: notus-products + - name: nasl-plugins + mountPath: /mnt/nasl + command: ['/bin/sh', '-c'] + # flatten nasl data + args: + - mv -vf /mnt/nasl/22.04/vt-data/nasl/* /mnt/nasl/; + rm -r /mnt/nasl/22.04; + rm -r /mnt/nasl/21.04; + - name: notus-data image: "{{ .Values.notusdata.repository }}:{{ .Values.notusdata.tag }}" imagePullPolicy: Always volumeMounts: - name: notus-data mountPath: /mnt/notus - command: ['cp', '-rv', '/var/lib/notus/products', '/mnt/notus/'] + env: + - name: MOUNT_PATH + value: "/mnt/notus" - name: mqtt-broker-openvas-fix image: "{{ .Values.ospd.repository }}:{{ .Values.ospd.tag }}" imagePullPolicy: Always diff --git a/rust/examples/tls/Self-Signed mTLS Method/Makefile b/rust/examples/tls/Self-Signed mTLS Method/Makefile new file mode 100644 index 000000000..7db6ec47c --- /dev/null +++ b/rust/examples/tls/Self-Signed mTLS Method/Makefile 
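Review bot: In the `normalize-nasl-feed` args the three commands are joined with `;`, so the init container's exit status is that of the final `rm -r /mnt/nasl/21.04`: a failed `mv` (no NASL data flattened) is masked, while a missing `21.04` directory fails the pod start even though the 22.04 data is in place. `args: ["set -e; mv -vf /mnt/nasl/22.04/vt-data/nasl/* /mnt/nasl/ && rm -rf /mnt/nasl/22.04 /mnt/nasl/21.04"]` makes a copy failure loud and tolerates leftover directories. Dropping `command`/`args` from the vulnerability-tests and notus containers also means their behaviour now rests entirely on the image entrypoint honouring `MOUNT_PATH`; with `imagePullPolicy: Always` on a values-supplied tag, that contract is whatever the registry currently serves, so the expected init.sh contract (and ideally a digest) deserves a comment next to the image lines.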
@@ -0,0 +1,21 @@ +all: server client + +.PHONY: namespace deploy + +server: server.pem server.rsa + sh server_certificates.sh +client: client.pem client.rsa + sh client_certificates.sh + +namespace: + kubectl create namespace openvasd | true + +deploy: namespace server client + kubectl create secret generic server-private-key \ + --from-file=key.pem=./server.rsa \ + --from-file=certs.pem=./server.pem \ + --namespace openvasd + kubectl create secret generic client-certs \ + --from-file=client1.pem=./client.pem \ + --namespace openvasd + From 26f5bc9dc70c6a581de717c3b993e37e38fcfa15 Mon Sep 17 00:00:00 2001 From: Philipp Eder Date: Mon, 15 Jan 2024 15:49:19 +0100 Subject: [PATCH 2/4] Change: helm: rename server-private-key to ingress-certificate To be more inline with internal naming-schemes server-private-key is renamed to ingress-certificate. --- .github/workflows/helm-build-chart.yml | 11 +-------- charts/openvasd/README.md | 4 ++-- charts/openvasd/templates/deployment.yaml | 6 ++--- .../tls/Self-Signed mTLS Method/Makefile | 24 ++++++++++++------- 4 files changed, 21 insertions(+), 24 deletions(-) diff --git a/.github/workflows/helm-build-chart.yml b/.github/workflows/helm-build-chart.yml index 8485d7364..8ca99f9fe 100644 --- a/.github/workflows/helm-build-chart.yml +++ b/.github/workflows/helm-build-chart.yml 
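Review bot: `server: server.pem server.rsa` declares the two files as prerequisites, but no rule produces them, so on a fresh checkout `make deploy` stops with "No rule to make target 'server.pem'" before `server_certificates.sh` ever runs; the same applies to `client`. Make the files the targets — `server.pem server.rsa:` with recipe `sh server_certificates.sh` — and let `server` depend on them (same for `client`), which also gives skip-if-present behaviour for free. In `namespace`, `kubectl create namespace openvasd | true` pipes into `true` rather than falling back on failure; `|| true` is the intended form.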
@@ -19,16 +19,7 @@ jobs: - name: deploy openvasd run: | cd rust/examples/tls/Self-Signed\ mTLS\ Method - sh server_certificates.sh - sh client_certificates.sh - kubectl create namespace openvasd || true - kubectl create secret generic server-private-key \ - --from-file=key.pem=./server.rsa \ - --from-file=certs.pem=./server.pem \ - --namespace openvasd - kubectl create secret generic client-certs \ - --from-file=client1.pem=./client.pem \ - --namespace openvasd + make delete deploy cd - helm uninstall openvasd --namespace openvasd|| true helm install --namespace openvasd --create-namespace openvasd charts/openvasd/ --values charts/openvasd/values.yaml --values charts/openvasd/mtls-wo-ingress.yaml diff --git a/charts/openvasd/README.md b/charts/openvasd/README.md index f642502f1..ba3be8315 100644 --- a/charts/openvasd/README.md +++ b/charts/openvasd/README.md @@ -6,12 +6,12 @@ This Helm chart is tested with k3s and Traefik. Note that other options may requ ## mTLS (Enabled by Default) -To use mTLS, store the server certificate and key as a secret named 'server-private-key', containing key.pem and certs.pem. For example, deploying `openvasd` into the 'openvasd' namespace with a generated certificate: +To use mTLS, store the server certificate and key as a secret named 'ingress-certificate', containing key.pem and certs.pem. For example, deploying `openvasd` into the 'openvasd' namespace with a generated certificate: ```bash cd ../../rust/examples/tls/Self-Signed\ mTLS\ Method sh server_certificates.sh -kubectl create secret generic server-private-key \ +kubectl create secret generic ingress-certificate \ --from-file=key.pem=./server.rsa \ --from-file=certs.pem=./server.pem \ --namespace openvasd diff --git a/charts/openvasd/templates/deployment.yaml b/charts/openvasd/templates/deployment.yaml index 030bf5165..e7bcdfd85 100644 --- a/charts/openvasd/templates/deployment.yaml +++ b/charts/openvasd/templates/deployment.yaml 
@@ -43,9 +43,9 @@ spec: - name: ospd-logs emptyDir: {} {{- if eq .Values.openvasd.tls.certificates.deploy_server true }} - - name: server-private-key + - name: ingress-certificate secret: - secretName: server-private-key + secretName: ingress-certificate {{ end }} {{- if eq .Values.openvasd.tls.certificates.deploy_client true }} - name: client-certs @@ -160,7 +160,7 @@ spec: mountPath: /run/ospd/ {{- if eq .Values.openvasd.tls.certificates.deploy_server true }} - mountPath: "/etc/openvasd/tls/" - name: server-private-key + name: ingress-certificate readOnly: true {{ end }} {{- if eq .Values.openvasd.tls.certificates.deploy_client true }} diff --git a/rust/examples/tls/Self-Signed mTLS Method/Makefile b/rust/examples/tls/Self-Signed mTLS Method/Makefile index 7db6ec47c..341706ffd 100644 --- a/rust/examples/tls/Self-Signed mTLS Method/Makefile +++ b/rust/examples/tls/Self-Signed mTLS Method/Makefile @@ -1,17 +1,23 @@ -all: server client +.PHONY: client server namespace delete deploy -.PHONY: namespace deploy - -server: server.pem server.rsa - sh server_certificates.sh -client: client.pem client.rsa - sh client_certificates.sh +server: + # only when server.rsa is not available + [ ! -f server.rsa ] && sh server_certificates.sh || true +client: + # only when client.rsa is not available + [ ! -f client.rsa ] && sh client_certificates.sh || true namespace: - kubectl create namespace openvasd | true + kubectl create namespace openvasd || true + +delete: + kubectl delete secret ingress-certificate --namespace openvasd || true + kubectl delete secret client-certs --namespace openvasd || true + + deploy: namespace server client - kubectl create secret generic server-private-key \ + kubectl create secret generic ingress-certificate \ --from-file=key.pem=./server.rsa \ --from-file=certs.pem=./server.pem \ --namespace openvasd From 657acf3a50e3af43cd50b176825d3768582ad9eb Mon Sep 17 00:00:00 2001 
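Review bot: `[ ! -f server.rsa ] && sh server_certificates.sh || true` also swallows a non-zero exit from `server_certificates.sh`, so a failed key generation continues into `deploy`, where `kubectl create secret ... --from-file=key.pem=./server.rsa` fails with a less direct error (or uploads a partial file if the script wrote one). `[ -f server.rsa ] || sh server_certificates.sh` (and the `client` equivalent) skips when the key is present and otherwise lets the script's exit status decide. The `# only when ...` recipe lines are echoed and handed to the shell like any other command; prefix them with `@` or move them above the target line.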
From: Philipp Eder Date: Mon, 15 Jan 2024 15:56:44 +0100 Subject: [PATCH 3/4] Change: clippy warnings Remvoves clippy warnings from newer clippy version --- rust/dep-graph/benches/dep_graph.rs | 4 ++-- rust/dep-graph/src/lib.rs | 4 ++-- rust/infisto/src/bincode.rs | 2 +- rust/infisto/src/serde.rs | 2 +- rust/nasl-builtin-misc/src/lib.rs | 2 +- rust/nasl-builtin-string/src/lib.rs | 18 +++++++++--------- rust/nasl-cli/src/feed/mod.rs | 2 +- rust/nasl-syntax/benches/parse.rs | 12 ++++++++++-- 8 files changed, 27 insertions(+), 19 deletions(-) diff --git a/rust/dep-graph/benches/dep_graph.rs b/rust/dep-graph/benches/dep_graph.rs index f06a7f3be..929d5aba6 100644 --- a/rust/dep-graph/benches/dep_graph.rs +++ b/rust/dep-graph/benches/dep_graph.rs @@ -35,12 +35,12 @@ fn add_layer(index: usize, count: usize) -> Vec> { pub fn parallel_benchmark(c: &mut Criterion) { const NUM_LAYERS: usize = 20; #[cfg(feature = "parallel")] - fn par_no_op(nodes: &Vec>) { + fn par_no_op(nodes: &[Node]) { DepGraph::new(nodes) .into_par_iter() .for_each(|_node| thread::sleep(Duration::from_nanos(100))) } - fn seq_no_op(nodes: &Vec>) { + fn seq_no_op(nodes: &[Node]) { DepGraph::new(nodes) .into_iter() .for_each(|_node| thread::sleep(Duration::from_nanos(100))) diff --git a/rust/dep-graph/src/lib.rs b/rust/dep-graph/src/lib.rs index 09f706082..59cf96e22 100644 --- a/rust/dep-graph/src/lib.rs +++ b/rust/dep-graph/src/lib.rs @@ -269,8 +269,8 @@ mod tests { #[test] fn iter_thousand_graph() { let mut nodes: Vec> = (0..1000).map(|i| Node::new(format!("{}", i))).collect(); - for i in 1..1000 { - nodes[i].add_dep("0".to_string()); + for item in nodes.iter_mut().take(1000).skip(1) { + item.add_dep("0".to_string()); } let r = DepGraph::new(&nodes); diff --git a/rust/infisto/src/bincode.rs b/rust/infisto/src/bincode.rs index 0f4dc6563..c49ac49ad 100644 --- a/rust/infisto/src/bincode.rs +++ b/rust/infisto/src/bincode.rs 
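Review bot: `nodes.iter_mut().take(1000).skip(1)` is clippy's mechanical rewrite of the index loop; `take(1000)` is redundant because `nodes` is collected from `(0..1000)` two lines above, so `for item in nodes.iter_mut().skip(1) {` says what the loop means (every node but the root depends on `"0"`) without repeating the count. Keeping the literal in two places also invites the two drifting apart if the graph size is changed later. iter_thousand_graph's body continues outside the hunk.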
@@ -101,7 +101,7 @@ mod test { store.append(key, serialized).unwrap(); let results: Vec> = store.by_range(key, Range::All).unwrap(); assert_eq!(results.len(), 1); - let test2 = match results.get(0).unwrap() { + let test2 = match results.first().unwrap() { super::Serialization::Deserialized(t) => t.clone(), _ => panic!("Serialization::try_from failed"), }; diff --git a/rust/infisto/src/serde.rs b/rust/infisto/src/serde.rs index d1e971d2d..b303b3ca3 100644 --- a/rust/infisto/src/serde.rs +++ b/rust/infisto/src/serde.rs @@ -103,7 +103,7 @@ mod test { store.append(key, serialized).unwrap(); let results: Vec> = store.by_range(key, Range::All).unwrap(); assert_eq!(results.len(), 1); - let test2 = match results.get(0).unwrap() { + let test2 = match results.first().unwrap() { super::Serialization::Deserialized(t) => t.clone(), _ => panic!("Serialization::try_from failed"), }; diff --git a/rust/nasl-builtin-misc/src/lib.rs b/rust/nasl-builtin-misc/src/lib.rs index f280fda22..cb0c48419 100644 --- a/rust/nasl-builtin-misc/src/lib.rs +++ b/rust/nasl-builtin-misc/src/lib.rs @@ -286,7 +286,7 @@ where { let positional = resolve_positional_arguments(register); - Ok(match positional.get(0) { + Ok(match positional.first() { Some(NaslValue::String(x)) => match register.named(x) { Some(ContextType::Function(_, _)) => true.into(), _ => ctx.nasl_fn_defined(x).into(), diff --git a/rust/nasl-builtin-string/src/lib.rs b/rust/nasl-builtin-string/src/lib.rs index 536233347..bfbf12d40 100644 --- a/rust/nasl-builtin-string/src/lib.rs +++ b/rust/nasl-builtin-string/src/lib.rs 
@@ -141,7 +141,7 @@ fn write_nasl_string_value(s: &mut String, value: &NaslValue) -> Result<(), Func /// If this function retrieves anything but a string it returns NULL fn toupper(register: &Register, _: &Context) -> Result { let positional = resolve_positional_arguments(register); - Ok(match positional.get(0) { + Ok(match positional.first() { Some(NaslValue::String(x)) => x.to_uppercase().into(), Some(NaslValue::Data(x)) => x .iter() @@ -158,7 +158,7 @@ fn toupper(register: &Register, _: &Context) -> Result(register: &Register, _: &Context) -> Result { let positional = resolve_positional_arguments(register); - Ok(match positional.get(0) { + Ok(match positional.first() { Some(NaslValue::String(x)) => x.to_lowercase().into(), Some(NaslValue::Data(x)) => x .iter() @@ -175,7 +175,7 @@ fn tolower(register: &Register, _: &Context) -> Result(register: &Register, _: &Context) -> Result { let positional = resolve_positional_arguments(register); - Ok(match positional.get(0) { + Ok(match positional.first() { Some(NaslValue::String(x)) => x.len().into(), Some(NaslValue::Data(x)) => x.len().into(), _ => 0_i64.into(), @@ -224,7 +224,7 @@ fn hexstr(register: &Register, _: &Context) -> Result hexler(x), Some(NaslValue::Data(x)) => hexler(&x.iter().map(|x| *x as char).collect::()), _ => Ok(NaslValue::Null), @@ -235,7 +235,7 @@ fn hexstr(register: &Register, _: &Context) -> Result(register: &Register, _: &Context) -> Result { - match resolve_positional_arguments(register).get(0) { + match resolve_positional_arguments(register).first() { Some(NaslValue::String(x)) => match decode_hex(x) { Ok(y) => Ok(NaslValue::Data(y)), Err(_) => Err(( 
@@ -259,7 +259,7 @@ fn hexstr_to_data(register: &Register, _: &Context) -> Result(register: &Register, _: &Context) -> Result { - match resolve_positional_arguments(register).get(0) { + match resolve_positional_arguments(register).first() { Some(NaslValue::Data(x)) => Ok(encode_hex(x)?.into()), Some(x) => Err(("first positional argument", "data", x.to_string().as_str()).into()), None => Err("0".into()), @@ -285,7 +285,7 @@ fn crap(register: &Register, _: &Context) -> Result { let positional = resolve_positional_arguments(register); - match positional.get(0) { + match positional.first() { Some(NaslValue::Number(x)) => Ok(NaslValue::String(data.repeat(*x as usize))), x => Err(("0", "numeric", x).into()), } @@ -302,7 +302,7 @@ fn crap(register: &Register, _: &Context) -> Result(register: &Register, _: &Context) -> Result { let positional = resolve_positional_arguments(register); - match positional.get(0) { + match positional.first() { Some(NaslValue::String(x)) => Ok(x.trim_end().to_owned().into()), Some(NaslValue::Data(x)) => Ok(x .iter() @@ -322,7 +322,7 @@ fn chomp(register: &Register, _: &Context) -> Result(register: &Register, _: &Context) -> Result { let positional = resolve_positional_arguments(register); - let haystack = match positional.get(0) { + let haystack = match positional.first() { Some(NaslValue::String(x)) => x, x => return Err(("0", "string", x).into()), }; diff --git a/rust/nasl-cli/src/feed/mod.rs b/rust/nasl-cli/src/feed/mod.rs index a25895966..029287233 100644 --- a/rust/nasl-cli/src/feed/mod.rs +++ b/rust/nasl-cli/src/feed/mod.rs @@ -3,7 +3,7 @@ use std::{io, path::PathBuf}; use clap::{arg, value_parser, ArgAction, Command}; // re-export to work around name conflict -pub use feed::transpile; + use storage::StorageError; use crate::{get_path_from_openvas, read_openvas_config, CliError, CliErrorKind}; diff --git a/rust/nasl-syntax/benches/parse.rs b/rust/nasl-syntax/benches/parse.rs index 4e8790735..a4eb7fbb1 100644 
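Review bot: In the `crap` hunk the arm next to the changed line, `data.repeat(*x as usize)`, casts the script-supplied length unchecked; if `NaslValue::Number` wraps a signed integer (the `0_i64.into()` fallback in the `strlen` hunk suggests it does), a negative value becomes a huge `usize` and `str::repeat` either panics on capacity overflow or attempts the allocation, so a malformed script can bring down the interpreter. Guarding the arm, `Some(NaslValue::Number(x)) if *x >= 0 => Ok(NaslValue::String(data.repeat(*x as usize))),`, lets negatives fall through to the existing `x => Err(("0", "numeric", x).into())` arm. This is adjacent context rather than a line the commit changes; `crap`'s body starts outside the hunk.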
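Review bot: Removing `pub use feed::transpile;` leaves the context line `// re-export to work around name conflict` describing nothing, and the added blank line now sits between that comment and `use storage::StorageError;`; drop the comment and the blank line together with the re-export. Since the re-export was `pub`, anything reaching `transpile` through this module would break — presumably nothing, as this looks like a binary crate, but that is not visible here and is worth a line in the commit message.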
--- a/rust/nasl-syntax/benches/parse.rs +++ b/rust/nasl-syntax/benches/parse.rs @@ -8,14 +8,22 @@ use nasl_syntax::parse; pub fn simple_parse_benchmark(c: &mut Criterion) { let code = include_str!("simple_parse.nasl"); c.bench_function("simple_parse", |b| { - b.iter(|| parse(black_box(&code)).map(|x| x.unwrap()).count()) + b.iter(|| { + if let Some(err) = parse(black_box(code)).find_map(|x| x.err()) { + panic!("Unexpected error: {err}"); + } + }) }); } pub fn parse_large_benchmark(c: &mut Criterion) { let code = include_str!("smb_nt.inc"); c.bench_function(&format!("smb_nt.inc {}", code.len()), |b| { - b.iter(|| parse(black_box(&code)).map(|x| x.unwrap()).count()) + b.iter(|| { + if let Some(err) = parse(black_box(code)).find_map(|x| x.err()) { + panic!("Unexpected error: {err}"); + } + }) }); } From daee77237f56f7b48666b8f8fddb1b0be6a5b2c4 Mon Sep 17 00:00:00 2001 From: Philipp Eder Date: Tue, 16 Jan 2024 13:03:53 +0100 Subject: [PATCH 4/4] Fix: install libhiredis on openvas image instead of using gvm-libs --- .docker/prod.Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/.docker/prod.Dockerfile b/.docker/prod.Dockerfile index d71dba379..d05e735b6 100644 --- a/.docker/prod.Dockerfile +++ b/.docker/prod.Dockerfile @@ -38,6 +38,7 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge libcurl4 \ libcurl3-gnutls \ zlib1g \ + libhiredis0.14 \ && rm -rf /var/lib/apt/lists/* COPY .docker/openvas.conf /etc/openvas/ # must be pre built within the rust dir and moved to the bin dir
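Review bot: The five-line `b.iter(|| { if let Some(err) = parse(black_box(code)).find_map(|x| x.err()) { panic!(...) } })` closure is duplicated verbatim in `simple_parse_benchmark` and `parse_large_benchmark`; a small helper keeps both benches measuring the same thing and gives the error check a name. The success path is unchanged — `find_map` still drains the iterator, as `.count()` did — and the panic message is kept. Both functions are fully visible in the hunk.
```rust
/// Parse `code` to completion and panic on the first syntax error, so a broken
/// fixture shows up as a failed bench rather than a wrong number.
fn parse_or_panic(code: &str) {
    if let Some(err) = parse(black_box(code)).find_map(|x| x.err()) {
        panic!("Unexpected error: {err}");
    }
}

pub fn simple_parse_benchmark(c: &mut Criterion) {
    let code = include_str!("simple_parse.nasl");
    c.bench_function("simple_parse", |b| b.iter(|| parse_or_panic(code)));
}
// … unchanged: parse_large_benchmark, with the same one-line b.iter(|| parse_or_panic(code)) …
```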
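Review bot: The new `libhiredis0.14 \` line carries no hint of why a hiredis runtime library belongs in the openvas image, and the soname-suffixed package name will need updating when the base image moves to a newer hiredis; a short comment above it, `# hiredis runtime library for openvas' redis client (see commit: no longer provided via gvm-libs)`, records the rationale the subject gives. The subject says "instead of using gvm-libs", but no gvm-libs change is visible in this hunk, so if that removal lives elsewhere in the Dockerfile it is worth naming in the message.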