test(06-01): create test infrastructure for Lab 05 Database & RDS
Test Scripts (7 files, 1000+ lines): - 01-database-creation-test.sh: PostgreSQL creation and initialization - 02-private-network-test.sh: Private network isolation (INF-02) - 03-persistence-test.sh: Data persistence verification (INF-04) - 04-security-test.sh: Security compliance (INF-01, INF-02, INF-03) - 99-final-verification.sh: End-to-end student verification - run-all-tests.sh: Test orchestration with fail-fast - quick-test.sh: Quick validation (< 30s) Tests verify: - PostgreSQL in private network → RDS in VPC - Named volume → EBS volume - Resource limits → DB instance class - All INF requirements (01-04) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
177
labs/lab-05-database/tests/04-security-test.sh
Executable file
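--- a/labs/lab-05-database/tests/04-security-test.sh
+++ b/labs/lab-05-database/tests/04-security-test.sh
@@ -0,0 +1,177 @@
+#!/bin/bash
+# Lab 05 - Database & RDS
+# Test 04: Security Compliance (INF-01, INF-02, INF-03)
+# Verifica conformità sicurezza: non-root, no host ports, resource limits
+
+set -euo pipefail
+
+# Colori per output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+# Contatori
+pass_count=0
+fail_count=0
+skip_count=0
+
+# Funzioni helper
+inc_pass() { ((pass_count++)) || true; }
+inc_fail() { ((fail_count++)) || true; }
+inc_skip() { ((skip_count++)) || true; }
+
+echo "=========================================="
+echo "Lab 05 - Test 04: Security Compliance"
+echo "=========================================="
+echo ""
+
+# Verifica che docker-compose.yml esista
+echo -n "[TEST] Verifica docker-compose.yml esista... "
+if [ -f "docker-compose.yml" ]; then
+echo -e "${GREEN}PASS${NC}"
+inc_pass
+else
+echo -e "${YELLOW}SKIP${NC} (docker-compose.yml non trovato)"
+inc_skip
+echo ""
+echo "Risultato: $pass_count PASS, $fail_count FAIL, $skip_count SKIP"
+exit 0
+fi
+
+echo ""
+echo "=== INF-01: Nessun container gira come root ==="
+
+# PostgreSQL official image runs as postgres user, not root
+echo -n "[TEST] Verifica immagine PostgreSQL (ufficiale gira come postgres)... "
+if grep -q "image: postgres" docker-compose.yml; then
+echo -e "${GREEN}PASS${NC} (PostgreSQL ufficiale non gira come root)"
+inc_pass
+else
+echo -e "${YELLOW}WARN${NC} (immagine diversa da PostgreSQL ufficiale)"
+inc_skip
+fi
+
+echo ""
+echo "=== INF-02: Reti private non espongono porte sull'host ==="
+
+# Verifica che il database NON esponga porte
+echo -n "[TEST] Verifica database NON espone porte (INF-02)... "
+if grep -A 30 "database:" docker-compose.yml | grep -q "ports:"; then
+# Se ci sono porte, devono essere 127.0.0.1 solo
+if grep -A 30 "database:" docker-compose.yml | grep -A 5 "ports:" | grep -q "127.0.0.1"; then
+echo -e "${YELLOW}WARN${NC} (porta su 127.0.0.1 - RDS reale non espone porte)"
+inc_skip
+else
+echo -e "${RED}FAIL${NC} (porta esposta su host)"
+inc_fail
+echo "INF-02 VIOLATION: database in rete privata non deve esporre porte"
+fi
+else
+echo -e "${GREEN}PASS${NC} (nessuna porta esposta)"
+inc_pass
+fi
+
+# Verifica che il database sia in rete privata
+echo -n "[TEST] Verifica database in rete privata... "
+if grep -A 20 "database:" docker-compose.yml | grep -q "vpc-private"; then
+echo -e "${GREEN}PASS${NC}"
+inc_pass
+else
+echo -e "${RED}FAIL${NC} (database non in rete privata)"
+inc_fail
+fi
+
+echo ""
+echo "=== INF-03: Tutti i container hanno limiti risorse ==="
+
+# Verifica limiti CPU
+echo -n "[TEST] Verifica limiti CPU configurati... "
+if grep -A 30 "database:" docker-compose.yml | grep -q "cpus:"; then
+echo -e "${GREEN}PASS${NC}"
+inc_pass
+else
+echo -e "${RED}FAIL${NC} (nessun limite CPU)"
+inc_fail
+echo "INF-03 VIOLATION: database deve avere limiti risorse"
+fi
+
+# Verifica limiti memoria
+echo -n "[TEST] Verifica limiti memoria configurati... "
+if grep -A 30 "database:" docker-compose.yml | grep -q "memory:"; then
+echo -e "${GREEN}PASS${NC}"
+inc_pass
+else
+echo -e "${RED}FAIL${NC} (nessun limite memoria)"
+inc_fail
+echo "INF-03 VIOLATION: database deve avere limiti memoria"
+fi
+
+echo ""
+echo "=== Validazione limiti risorse ==="
+
+# Se i container non sono in esecuzione, skip i test dinamici
+echo -n "[TEST] Verifica container database in esecuzione... "
+if ! docker ps --format '{{{{Names}}}}' | grep -q "^lab05-db$"; then
+echo -e "${YELLOW}SKIP${NC} (container non in esecuzione)"
+inc_skip
+echo -e "${YELLOW}Avviare i container con: docker-compose up -d${NC}"
+echo ""
+echo "Risultato: $pass_count PASS, $fail_count FAIL, $skip_count SKIP"
+exit 0
+fi
+
+echo -e "${GREEN}PASS${NC}"
+inc_pass
+
+# Verifica limiti con docker stats
+echo -n "[TEST] Verifica limiti con docker stats... "
+if docker stats lab05-db --no-stream --format "{{.CPUPerc}},{{.MemUsage}}" &>/dev/null; then
+echo -e "${GREEN}PASS${NC}"
+inc_pass
+
+# Mostra utilizzo attuale
+cpu_usage=$(docker stats lab05-db --no-stream --format "{{.CPUPerc}}")
+mem_usage=$(docker stats lab05-db --no-stream --format "{{.MemUsage}}")
+echo " CPU: $cpu_usage, Memoria: $mem_usage"
+else
+echo -e "${YELLOW}WARN${NC} (impossibile ottenere statistiche)"
+inc_skip
+fi
+
+echo ""
+echo "=== Verifica utente container ==="
+
+# Verifica che il container NON giri come root
+echo -n "[TEST] Verifica container NON gira come root... "
+container_user=$(docker exec lab05-db whoami 2>/dev/null || echo "unknown")
+if [ "$container_user" = "postgres" ] || [ "$container_user" != "root" ]; then
+echo -e "${GREEN}PASS${NC} (utente: $container_user)"
+inc_pass
+else
+echo -e "${RED}FAIL${NC} (container gira come root)"
+inc_fail
+echo "INF-01 VIOLATION: nessun container deve girare come root"
+fi
+
+# Verifica UID del container
+echo -n "[TEST] Verifica container UID != 0... "
+container_uid=$(docker exec lab05-db id -u 2>/dev/null || echo "0")
+if [ "$container_uid" != "0" ]; then
+echo -e "${GREEN}PASS${NC} (UID: $container_uid)"
+inc_pass
+else
+echo -e "${RED}FAIL${NC} (UID: 0 = root)"
+inc_fail
+fi
+
+echo ""
+echo "=========================================="
+echo "Risultato: $pass_count PASS, $fail_count FAIL, $skip_count SKIP"
+echo "=========================================="
+
+if [ $fail_count -gt 0 ]; then
+exit 1
+fi
+
+exit 0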
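Review bot: The non-root check fails open: `container_user=$(docker exec lab05-db whoami 2>/dev/null || echo "unknown")` turns any `docker exec` error (container gone, `whoami` absent from the image) into the value `unknown`, which satisfies `!= "root"` and makes the INF-01 check count as PASS, while the UID check a few lines later defaults to `0` and fails closed, so the two checks disagree on the same error; the `= "postgres"` clause is also redundant with `!= "root"`. I would make the exec failure visible instead of a PASS, e.g. `container_user=$(docker exec lab05-db whoami 2>/dev/null) || container_user=""` and `if [[ -n "$container_user" && "$container_user" != "root" ]]; then`, with an explicit SKIP/FAIL branch for the empty case. The static INF-01 check above only greps for `image: postgres` and says nothing about a `user:` override in the compose file, so a comment stating that the runtime `id -u` check is the authoritative one would help readers. Separately, the running-container test formats `docker ps` with `'{{{{Names}}}}'`; if that is in the file and not a rendering artifact, the template is rejected and the script always SKIPs before any runtime check runs — the stats check below uses the correct `{{.CPUPerc}}` form, so `'{{.Names}}'` is presumably what was meant.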