From 3239ece5fa40edf2a7b78a0bd1395545c28e14ef Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Mon, 9 Jan 2017 14:17:56 +0100
Subject: [PATCH 1/3] Add action which verify service is only listening on localhost.
---
 ...erify_service_only_listens_on_localhost.sh | 31 +++++++++++++++++++
 ...ify_service_only_listens_on_localhost.yaml | 12 +++++++
 2 files changed, 43 insertions(+)
 create mode 100644 actions/verify_service_only_listens_on_localhost.sh
 create mode 100644 actions/verify_service_only_listens_on_localhost.yaml
diff --git a/actions/verify_service_only_listens_on_localhost.sh b/actions/verify_service_only_listens_on_localhost.sh
new file mode 100644
index 0000000..110462b
--- /dev/null
+++ b/actions/verify_service_only_listens_on_localhost.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Script which verifies that service running on the provided port is only bound
+# to localhost (127.0.0.1)
+
+PORT=$1
+
+OUTPUT=$(sudo netstat -tlpn | grep \:\:\:${PORT}| wc -l)
+if [ ${OUTPUT} -eq 1 ]; then
+    echo "Service for port ${PORT} is bound on all the interfaces"
+    echo ""
+    echo $(sudo netstat -tlpn | grep \:\:\:${PORT})
+    exit 1
+fi
+
+OUTPUT=$(sudo netstat -tlpn | grep 127.0.0.1\:${PORT}| wc -l)
+if [ ${OUTPUT} -ne 1 ]; then
+    echo "Service not listening on 127.0.0.1:${PORT}"
+    exit 1
+fi
+
+OUTPUT=$(sudo netstat -tlpn | grep \:${PORT}| wc -l)
+if [ ${OUTPUT} -ne 1 ]; then
+    echo "Service listening on multiple interfaces / addresses for port ${PORT}"
+    echo ""
+    echo $(sudo netstat -tlpn | grep \:${PORT})
+    exit 1
+fi
+
+echo "All good, service only listening on 127.0.0.1:${PORT}"
+exit 0
diff --git a/actions/verify_service_only_listens_on_localhost.yaml b/actions/verify_service_only_listens_on_localhost.yaml
new file mode 100644
index 0000000..76465a7
--- /dev/null
+++ b/actions/verify_service_only_listens_on_localhost.yaml
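Review bot: The three grep patterns match the port as an unanchored substring, so a check for port 5432 also counts a listener on 54321 (and the unescaped dots in `127.0.0.1` match any character), which can turn a correctly bound service into a false "multiple interfaces" failure or, worse, let an unrelated socket satisfy the `-eq 1` / `-ne 1` counts; netstat prints whitespace right after the local port, so anchoring on that fixes all three counts, and the two diagnostic `echo $(... | grep ...)` lines should use the same anchored patterns. `$1` is interpolated into those patterns with no validation, so a non-numeric value changes what is matched instead of failing the check; a numeric guard before the first netstat call keeps the script fail-closed. Two caveats are worth stating in the header comment: `-t` only inspects TCP listeners, and a dual-stack service that also binds `::1` will trip the "multiple interfaces" branch even though it is loopback-only.

```shell
PORT=$1
# Refuse anything that is not a plain port number: $1 is interpolated into
# the grep patterns below, so an arbitrary string would change what is matched.
if ! [[ "${PORT}" =~ ^[0-9]{1,5}$ ]]; then
    echo "Usage: $0 <port>  (port must be numeric)"
    exit 2
fi

# Anchor on the whitespace that follows the port so 5432 does not also match 54321.
OUTPUT=$(sudo netstat -tlpn | grep -cE ":::${PORT}[[:space:]]")
# … unchanged: "bound on all the interfaces" branch (use the same pattern in its echo) …
OUTPUT=$(sudo netstat -tlpn | grep -cE "127\.0\.0\.1:${PORT}[[:space:]]")
# … unchanged: "not listening on 127.0.0.1" branch …
OUTPUT=$(sudo netstat -tlpn | grep -cE ":${PORT}[[:space:]]")
# … unchanged: "multiple interfaces" branch (same pattern in its echo), final echo and exit …
```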
@@ -0,0 +1,12 @@
+---
+ name: "verify_service_only_listens_on_localhost"
+ runner_type: "run-remote-script"
+ description: "Verify that the service listening on the provided port is only bound / listening on localhost."
+ enabled: true
+ entry_point: "verify_service_only_listens_on_localhost.sh"
+ parameters:
+ port:
+ type: "integer"
+ description: "Port to check for."
+ required: true
+ position: 0
From e34f0e5486bbe90e09bd4d7290f45a15bdf6eb68 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Mon, 9 Jan 2017 14:24:06 +0100
Subject: [PATCH 2/3] Add checks which verify that mongodb, rabbit and postgresql are only listening on localhost.
---
 actions/workflows/st2_pkg_e2e_test.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/actions/workflows/st2_pkg_e2e_test.yaml b/actions/workflows/st2_pkg_e2e_test.yaml
index ece4a85..0c7336a 100755
--- a/actions/workflows/st2_pkg_e2e_test.yaml
+++ b/actions/workflows/st2_pkg_e2e_test.yaml
@@ -125,6 +125,27 @@ st2ci.st2_pkg_e2e_test:
 version_str: <% task(get_installed_version).result.versions.items().select( $[0] + "=" + $[1]).join("\n\t") %>
+ on-success:
+ - verify_mongodb_only_listening_on_localhost
+ verify_mongodb_only_listening_on_localhost:
+ action: st2cd.verify_service_only_listens_on_localhost
+ input:
+ hosts: <% $.vm_info.private_ip_address %>
+ port: 27017
+ on-success:
+ - verify_rabbitmq_only_listening_on_localhost
+ verify_rabbitmq_only_listening_on_localhost:
+ action: st2cd.verify_service_only_listens_on_localhost
+ input:
+ hosts: <% $.vm_info.private_ip_address %>
+ port: 5672
+ on-success:
+ - verify_postgresql_only_listening_on_localhost
+ verify_postgresql_only_listening_on_localhost:
+ action: st2cd.verify_service_only_listens_on_localhost
+ input:
+ hosts: <% $.vm_info.private_ip_address %>
+ port: 5432
 on-success:
 - run_e2e_tests
 run_e2e_tests:
From 1b663aab8992ff1c60d530558e162c57ee1117ae Mon Sep 17 00:00:00 2001
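Review bot: The three new tasks in the st2_pkg_e2e_test.yaml hunk are identical apart from the port, so the workflow now carries three copies of the same `action`/`input` block that must be kept in sync; if this is a Mistral workflow, as the YAQL expressions suggest, a single task driven by `with-items` over the port list would remove the duplication, at the cost of running the checks concurrently instead of through the sequential `on-success` chain used here, so it is a style trade-off rather than a defect. Because each task is reached only through `on-success`, a service bound to the wrong interface stops the workflow at the first failing port and the remaining ports are never reported in the same run; if that is intended, a one-line comment above `verify_mongodb_only_listening_on_localhost` saying so would save the next reader a guess. The task to which the first `on-success` is attached begins above the hunk.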
From: Tomaz Muraus
Date: Mon, 9 Jan 2017 15:32:06 +0100
Subject: [PATCH 3/3] Use sudo.
---
 actions/verify_service_only_listens_on_localhost.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/actions/verify_service_only_listens_on_localhost.yaml b/actions/verify_service_only_listens_on_localhost.yaml
index 76465a7..bc9d70a 100644
--- a/actions/verify_service_only_listens_on_localhost.yaml
+++ b/actions/verify_service_only_listens_on_localhost.yaml
@@ -10,3 +10,5 @@
 description: "Port to check for."
 required: true
 position: 0
+ sudo:
+ default: true
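Review bot: Defaulting the whole action to root with `sudo: default: true` is broader than the check needs: of the flags the script passes to netstat, only `-p` requires root (to show PIDs of other users' sockets), and the script decides solely by counting lines on the local-address column, so `netstat -tln` would return the same verdict unprivileged. If the program name in the diagnostic output is wanted, then runner-level sudo makes the `sudo` prefixes inside the script redundant; either the `-p`/sudo pair or the in-script `sudo` should go, and whichever stays deserves a comment here such as `# sudo: netstat -p only shows other users' PIDs when run as root`. The `parameters` mapping this hunk extends starts above the hunk.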