fix cr + change scan result handaling

Signed-off-by: idohu <[email protected]>

Author: idohuber

servicehandler/portsscan.go

@@ -14,26 +14,21 @@ type Port struct {
 	sessionLayer      string
 	presentationLayer string
 	applicationLayer  string
-	authenticated     bool
+	authenticated     *bool
 }
 
 func (port *Port) scan(ctx context.Context, ip string) {
 	result, err := cmd.ScanTargets(ctx, ip, port.port)
+	if err != nil {
+		logger.L().Ctx(ctx).Error(err.Error())
+		return
+	}
+
 	port.applicationLayer = result.ApplicationLayer
 	port.presentationLayer = result.PresentationLayer
 	port.sessionLayer = result.SessionLayer
-	port.authenticated = result.IsAuthenticated
-
-	if result.ApplicationLayer == "" {
-		// if we can't get the application layer, then we change to Unknown
-		port.authenticated = true
-	}
-
-	if err != nil {
-		//if we have an error, we log it and set all layers to Unknown
-		logger.L().Ctx(ctx).Error(err.Error())
-		port.applicationLayer = "failed_to_scan"
-		port.authenticated = false
+	if result.ApplicationLayer != "" {
+		port.authenticated = &result.IsAuthenticated
 	}
 }
 

servicehandler/servicediscovery.go

@@ -59,6 +59,7 @@ func deleteServices(ctx context.Context, client dynamic.NamespaceableResourceInt
 			err := client.Namespace(service.GetNamespace()).Delete(ctx, service.GetName(), metav1.DeleteOptions{})
 			if err != nil {
 				logger.L().Ctx(ctx).Error(err.Error())
+				continue
 			}
 			logger.L().Ctx(ctx).Info("Authentication Service " + service.GetName() + " in namespace " + service.GetNamespace() + " deleted")
 		}
@@ -91,20 +92,21 @@ func (sra serviceAuthentication) unstructured() (*unstructured.Unstructured, err
 	return &unstructured.Unstructured{Object: a}, err
 }
 
-func (sra *serviceAuthentication) applyCrd(ctx context.Context, client dynamic.NamespaceableResourceInterface) {
+func (sra *serviceAuthentication) applyCrd(ctx context.Context, client dynamic.NamespaceableResourceInterface) error {
 	serviceObj, structuredErr := sra.unstructured()
 	if structuredErr != nil {
 		logger.L().Ctx(ctx).Error(structuredErr.Error())
-		return
+		return nil
 	}
 
 	_, applyErr := client.Namespace(sra.metadata.namespace).Apply(ctx, sra.metadata.name, serviceObj, metav1.ApplyOptions{FieldManager: fieldManager})
 	if applyErr != nil {
-		logger.L().Ctx(ctx).Error(applyErr.Error())
+		return applyErr
 	}
-
+	return nil
 }
-func (sra *serviceAuthentication) serviceScan(ctx context.Context, client dynamic.NamespaceableResourceInterface) {
+
+func (sra *serviceAuthentication) serviceScan(ctx context.Context, client dynamic.NamespaceableResourceInterface) error {
 	// get all ports , each port equal different address
 	for idx := range sra.spec.ports {
 
@@ -119,7 +121,7 @@ func (sra *serviceAuthentication) serviceScan(ctx context.Context, client dynami
 		pr.scan(ctx, srvDnsName)
 	}
 
-	sra.applyCrd(ctx, client)
+	return sra.applyCrd(ctx, client)
 }
 
 func getClusterServices(ctx context.Context, regularClient kubernetes.Interface) (*v1.ServiceList, error) {
@@ -161,9 +163,15 @@ func discoveryService(ctx context.Context, regularClient kubernetes.Interface, d
 
 	scanWg := sync.WaitGroup{}
 	p, err := ants.NewPoolWithFunc(workerNum, func(i interface{}) {
-		sra := i.(serviceAuthentication)
-		sra.serviceScan(ctx, dynamicClient.Resource(ServiceScanSchema))
-		scanWg.Done()
+		defer scanWg.Done()
+		sra, ok := i.(serviceAuthentication)
+		if !ok {
+			return
+		}
+		scanErr := sra.serviceScan(ctx, dynamicClient.Resource(ServiceScanSchema))
+		if scanErr != nil {
+			logger.L().Ctx(ctx).Error(scanErr.Error())
+		}
 	})
 
 	if err != nil {

servicehandler/servicediscovery_test.go

@@ -7,12 +7,14 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	dynamicFake "k8s.io/client-go/dynamic/fake"
 	kubernetesFake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/utils/ptr"
 )
 
 var TestAuthentications = serviceAuthentication{
@@ -29,15 +31,15 @@ var TestAuthentications = serviceAuthentication{
 				port:              80,
 				protocol:          "TCP",
 				applicationLayer:  "sql",
-				authenticated:     true,
+				authenticated:     ptr.To(true),
 				sessionLayer:      "tcp",
 				presentationLayer: "http",
 			},
 			{
 				port:              443,
 				protocol:          "TCP",
 				applicationLayer:  "kafka",
-				authenticated:     true,
+				authenticated:     ptr.To(true),
 				sessionLayer:      "tcp",
 				presentationLayer: "http",
 			},
@@ -111,6 +113,7 @@ func Test_translate(t *testing.T) {
 func TestDiscoveryServiceHandler(t *testing.T) {
 	//write a component test that creates fake client and test the service discovery and see if it creates a crd
 	//and if it deletes the crd
+	//IMPORTANT: fake cilent doesnt have an Apply option like the real client so we need to create the crd and check if it exists -it will blog errors but will pass
 	testCases := []struct {
 		name     string
 		services []runtime.Object
@@ -163,15 +166,15 @@ func TestDiscoveryServiceHandler(t *testing.T) {
 					"metadata": map[string]interface{}{"name": "service1", "namespace": "test1"},
 					"spec": map[string]interface{}{"clusterIP": "",
 						"ports": []interface{}{
-							map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""},
-							map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(443), "presentationLayer": "", "protocol": "UDP", "sessionLayer": ""},
+							map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""},
+							map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(443), "presentationLayer": "", "protocol": "UDP", "sessionLayer": ""},
 						}}}},
 				{Object: map[string]interface{}{"apiVersion": "kubescape.io/v1", "kind": "ServiceScanResult",
 					"metadata": map[string]interface{}{"name": "service2", "namespace": "test2"},
 					"spec": map[string]interface{}{"clusterIP": "",
 						"ports": []interface{}{
-							map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""},
-							map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(443), "presentationLayer": "", "protocol": "UDP", "sessionLayer": ""},
+							map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""},
+							map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(443), "presentationLayer": "", "protocol": "UDP", "sessionLayer": ""},
 						}}}},
 			},
 		},
@@ -207,8 +210,8 @@ func TestDiscoveryServiceHandler(t *testing.T) {
 					"metadata": map[string]interface{}{"name": "service1", "namespace": "test1"},
 					"spec": map[string]interface{}{"clusterIP": "",
 						"ports": []interface{}{
-							map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""},
-							map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(443), "presentationLayer": "", "protocol": "UDP", "sessionLayer": ""},
+							map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""},
+							map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(443), "presentationLayer": "", "protocol": "UDP", "sessionLayer": ""},
 						}}}},
 			},
 		},
@@ -261,7 +264,7 @@ func TestDiscoveryServiceHandler(t *testing.T) {
 			want: []unstructured.Unstructured{
 				{Object: map[string]interface{}{"apiVersion": "kubescape.io/v1", "kind": "ServiceScanResult",
 					"metadata": map[string]interface{}{"name": "service1", "namespace": "test1"},
-					"spec":     map[string]interface{}{"clusterIP": "", "ports": []interface{}{map[string]interface{}{"applicationLayer": "", "authenticated": false, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""}}}}},
+					"spec":     map[string]interface{}{"clusterIP": "", "ports": []interface{}{map[string]interface{}{"applicationLayer": "", "authenticated": nil, "port": int64(80), "presentationLayer": "", "protocol": "TCP", "sessionLayer": ""}}}}},
 			},
 			delete: []runtime.Object{
 				&v1.Service{
@@ -301,12 +304,12 @@ func TestDiscoveryServiceHandler(t *testing.T) {
 			for i := 0; i < 10; i++ {
 				services, _ := serviceExtractor(ctx, regClient)
 				for _, service := range services {
-					existObj, _ := dynamicClient.Resource(ServiceScanSchema).Namespace(service.metadata.namespace).Get(ctx, service.metadata.name, metav1.GetOptions{})
-					if existObj == nil {
-						obj, _ := service.unstructured()
-						_, err := dynamicClient.Resource(ServiceScanSchema).Namespace(service.metadata.namespace).Create(ctx, obj, metav1.CreateOptions{})
+					obj, _ := service.unstructured()
+					_, err := dynamicClient.Resource(ServiceScanSchema).Namespace(service.metadata.namespace).Create(ctx, obj, metav1.CreateOptions{})
+					if !errors.IsAlreadyExists(err) {
 						require.NoError(t, err)
 					}
+
 				}
 
 				err := discoveryService(context.Background(), regClient, dynamicClient)
@@ -315,7 +318,9 @@ func TestDiscoveryServiceHandler(t *testing.T) {
 				crds, _ = dynamicClient.Resource(ServiceScanSchema).List(ctx, metav1.ListOptions{})
 				if tc.delete != nil {
 					for _, delService := range tc.delete {
-						_ = regClient.CoreV1().Services(delService.(*v1.Service).Namespace).Delete(ctx, delService.(*v1.Service).Name, metav1.DeleteOptions{})
+						err = regClient.CoreV1().Services(delService.(*v1.Service).Namespace).Delete(ctx, delService.(*v1.Service).Name, metav1.DeleteOptions{})
+						require.NoError(t, err)
+						tc.delete = nil
 					}
 				}
 			}