Logstash filter for Robot Framework

We are currently working on CI/CD -setup at work. As part of that, the tests need to be able to be implemented as a part of the pipeline.
Generally, the pipeline consists of steps/stages done with jenkins pipeline. The benefit on this is that the whole process and definition of the stages (Deploy, test etc) will be done by the developer team and stored in the teams own repository and is therefore controlled by the team also. Which is definitely a great step towards for the teams having more freedom and more responsibility when it comes to deliver the applications/solutions to the production. Needless to say it will also affect to the visibility of the quality and to the need of tests.

Plus that it will definitely keep the test team on their toes. Keeping ahead becomes a really neat challenge 😀

Now that does add more requirements also on the testing tools. First of all, the tools we use should be able to be used from containers. Which means that everything is dockerized. Well, the test code itself is in the repository, but the engines running the tests are in the containers.
We use, whenever we can, a general docker images from dockerhub.
Sometimes it won’t work like that. So we end up re-inventing the wheel.

That was the case with logstash. We will need to be able to filter the Robot Framework’s output.xml and send it to elasticsearch. There was two possibilities to do that; logstash filtering or xml parsing. The xml-parsing remains to be done still (I am going to do it), but I did manage to create the logstash -filter. It is not completely flawless, not even the most elegant, but at the moment it seems to be working as it should. To be honest, I was aiming to have a one more blunt instrument for our test needs.

The filter:

robot-results.conf

input {
 file {
 path => [ "/output.xml"]
 }
}

filter {
 xml
 {
 source => "message"
 store_xml => true
 target => "doc"
 xpath =>
 [

"msg", "doc.msg",
 "arguments", "doc.args",
 "kw", "doc.keyword",
 "status", "doc.status",
 "status/@status", "doc.test.status",
 "robot", "doc.robot",
 "errors", "doc.errors",
 "statistics", "doc.statistics",
 "suite", "doc.suite",
 "tag", "doc.tag",
 "total", "doc.total",
 "/kw", "leftovers",
 "/arguments", "leftovers"

]



}
}



output {
 elasticsearch {
 hosts => ["elastic"]
 index => "logstash-%{+YYYY.MM.dd}"
 }
}

Dockerfile:

FROM logstash

ADD robot-results.conf /etc/logstash/conf.d/robot/results.conf
CMD logstash -f /etc/logstash/conf.d/robot/

Running the container:

docker run --add-host=elastic:127.0.0.1 janmat/logstash-robot

 

Install Secure Lab Tools in Fedora 26

I am working my way to dive in to the world of security testing. We have been going through the tasks on 30 days of security testing from Ministry Of Testing Dojo. The themed tasks is actually a really good way to keep up in learning new topics and deepening your knowledge on different issues at hand. Ministry Of Testing has a nice series of themed months on the catalogue and I warmly recommend to check them out.

We have been doing the themed months a bit differently. First of all, we accept the fact that there is weekends and people do not have to live, breathe and urinate testing. Even though it does help from time to time. So, our approach has been mainly to do 30 days of testing during the weekdays. Which means that instead of 4 weeks, we’ll accomplish it in approximately 6 weeks.

Anyhow, one of the things beside the security testing challenge has been us having a course on Ethical Hacking. The course is available in Udemy and it is reasonably priced, so I recommend that, at least if you’re not familiar with penetration testing and hacking techniques in general.

So, we go through tools and techniques and use Kali Linux for that. Which seems to be powerful to use. As I am running Fedora 26 on my workstation, I am running the penetration test stuff on Fedora Boxes (more stable than VirtualBox), but I noticed that it would actually be nice to have the tools on my actual workstation, too.

So I went and googled a bit and as I knew, someone had already solved my issue.  As I am using Finnish language on the laptop, my installation command was like this:

# sudo dnf groupinstall Turvallisuuslaboratorio

For most of the people who do not have the capability to understand Finnish, it would make sense to use something more, how to put it, understandable language, like English.

So, in that case I suppose the command should work like this:

# sudo dnf groupinstall security-lab


By the way, while writing this, I did write the Kali Linux on a USB disk. It actually feels better to have it there than fooling around with virtual machines (in this case). Even though I’ll have to reboot the computer if I want to run it.

Install jMeter in Fedora

I was a bit surprised for Fedora not having jmeter in the repository, but then I thought I could as well do the thingy in the old way 😀

First of all, we need to get the release:

wget http://apache.mirrors.spacedump.net//jmeter/binaries/apache-jmeter-3.1.tgz

Then we need to extract it:

sudo tar -xzf apache-jmeter-3.1.tgz -C /opt/

After that, we create the symlink to the jmeter -binary:

sudo ln -s /opt/apache-jmeter-3.1/bin/jmeter /usr/local/bin/jmeter

And as last, we create a desktop shortcut:

vi ~/.local/share/applications/jmeter.desktop

[Desktop Entry]
Type=Application
Encoding=UTF-8
Name=JMeter
Comment=JMeter
Exec=/usr/local/bin/jmeter
Icon=/opt/apache-jmeter-3.1/docs/images/jmeter_square.png
Terminal=false

 

That’s it. We’re done 😀

 

Run docker without sudo in Fedora 25

Sometimes things get weird. One could imagine that the documentation on docker (https://docs.docker.com/engine/installation/linux/fedora/) could be up to date. And when it comes to installation itself, it actually is.

The problem is/was that I was forced to run the docker with sudo (reasons are explained on both pages linked here, I’m not going to repeat them), and while both sites gave a solution, the docs.docker.com -instructions did not actually work. So I googled a bit more:
https://developer.fedoraproject.org/tools/docker/docker-installation.html

According to developer.fedoraproject.org, you’ll have to run the following two commands in order to get docker executed without sudoing.
Basically you’ll add a docker -group and add yourself to it.

$ sudo groupadd docker && sudo gpasswd -a ${USER} docker && sudo systemctl restart docker
 $ newgrp docker

Fail to start the day with

When after logging in to a service you get to see this:

fail20160831

It is not working. Well, or it is, but not as it should. Besides, the error message is not the most user friendly, either. Besides, for a hacker this type of error message reveals easily the system the service is built on, which is always a security risk.

After pressing refresh, though, the page is loaded.

BTW, WordPress has a bug in their category handling -field. In case you write a comma to the field (id=”newcategory”), the word before the comma is not listed at all after pressing enter. Like this:

  1. Write “Errors, fails and bugs” to the id=”newcategory” -field
  2. Press enter

Expected:

  1. You get to see the string Errors, fails and bugs” in category list

Actual:

  1. “fails and bugs” is listed. Word “Errors” is not listed anywhere

Now, the reason for this might be that the field on the same page (id=”new-tag-post_tag” ) handles the commas to store separate tags, and that works as specified. Perhaps the category -field handling just uses the same functionality. And looks like to me that it is a copy-paste accident. Perhaps not tested, or then again maybe tested, but results are neglected due to well known reasons: it’s not important, user won’t do that etc.Well, this user did 😉

Now, where to report WordPress -bugs?

You pick the right tool

 

As you can see, it is sometimes crucial to select a right tool. Even to stick to it, regardless on how awkward and painful it might feel. I just had to open with this scene, it is anyhow from one of my all time favorite movies. The book it is based on, is definitely one of my top 5:s.

We’ve all been there. It’s late night, we’re out in the park, having fun and all we have left is bottle of wine. And of course the corkscrew is nowhere to be found. So you start using your imagination. You might have a normal screw and a screwdriver, maybe a pair of tongs, too, you might be carrying a multi-tool, for what I know. Or not. The cork stays in the bottle.

You go through your pockets again, ask your friends, someone says that all he’g got is a pen, other one offers you a rock.

You see where I’m going here? A pen is mightier than a rock? Well, at least now it is.

Now you could open the bottle by smashing the head to a rock. Or smashing the rock to the head of the bottle. That might work, too. In the other hand, there’s always risks of getting bottle broken so, that the glass gets inside the bottle. Besides, that will create a mess in the grass and I a devoted dog owner and animal lover hate when people break bottles or other glass and leave the stuff there. Besides, people can get hurt too, for real.

So that leaves you the pen, right. You could write a letter – I know, it’s old school, but it’s nice sometimes, for real – to someone with a corkscrew to drop by. What’s there to loose? You got the whole weekend ahead of you (Did I mention it is a Friday night?) Or you could rob a corkscrew store with it, not the world’s best idea, though, giving it to be late night and the stores are all closed.

You could also take the pen and push the cork inside the bottle. That actually does work. You might get to spill some, but then again, at least there isn’t going to be shattered glass anywhere for the paws of the two to four legged friends. Notice I left a place for three legged dogs or cats, even squirrels.

So, you take the pen and grab the bottle. Your hands are getting a bit sweaty so you what your sleeve around the bottle. It keeps it in its place. Not completely, but firm enough. You take a breath.

You push the pen against the cork and push. Nothing happens, except the veins in your temples seems to be exploding, your face turns to red and the pen hurts your palm. A lot. You let go for awhile, and try again. No change to the situation. Cork is till on and you seem to be screwed.

A friend of yours, the one that has taken one more than you, mumbles something and offers you the stone from his hand. You look at him and smile and are about to shake your head, but change your mind and take the stone.

It is smooth on the other side, the side agains your palms has some edges and it feels, if not cold, then at least cool. You take the stone, push the bottle against the ground and hold it between your feet and hold the pen on your other hand against the cork. Then you slowly but firmly hammer the pen inside the bottle with the stone and finally, you’re done. Everything’s fine again, you drink the wine, get in to the night and wake up next morning with a hangover and some blurry memories. You might even end up having fun, who knows.

What I mean here is that you should choose your tools, for real. First of all you need to know that you have a need for a tool, then you need to check what requirements you have for it, then you need to find it. Thanks to the interwebs, it is fairly easy nowadays. After finding the tools, take several, and use them for awhile in the situation needed. So to say, evaluate them.

If you run into problems with the tool (you should, for real, even a sledgehammer needs some maintenance), try to find out if anybody has had the same issues. Most likely you’re not alone.

Check the maintenance costs. If you use more time maintaining the tool than the flaky tests, you probably have the wrong tool. Regardless on how good it looks, sounds or feels.

And once and for all; don’t get stuck with the first evaluation, don’t get stuck with your evaluation choice, either. In case the tool loses its focus and usability, make sure you can move away from it.

I myself are at the moment in that kind of situation: using a multitool with a gentle learning curve, but the maintenance and the license is starting to feel bad. It was a tool I was familiar with, a tool I’ve used for years in the previous companies, and it used to be an open source tool. They ended the open source path last year (if I remember correctly) and otherwise turned the usability a bit more worse, too.

So I’m considering moving the tests to another multitool, an open source based tool with steeper learning curve, but a considerably larger user group. Actually, I’ve done my consideration, all I need to do now is to transfer and modify the current tests from the first tool to the second one.

Install XMind to Fedora

I’ve been using XMind a lot for mindmapping. It has fulfilled my needs somewhat well, at least I cannot come up with anything to nag about from the top of my head.

Except that there is only *.deb -package available for Linux. For the love of <pick your favorite deity here>. Not all of us are using Ubuntu. Don’t get me wrong, Ubuntu is ok to use. I’m not using it due to our servers are running CentOS. To get to know the issues you might run into when dealing with production, you should be using same (or at least one that is based on the same architecture) operating system on your workstation. So i do have Fedora, which is not CentOS, but close enough. I do admit being lazy here, there is CentOS -desktop available, but to get the tools needed to work with that is so much harder than with Fedora, that I did not even try this time. I might do that in the future, though.

Enough for OS rant.

  1. Download Xmind for linux from vendor site
  2. Uncompress the deb -package with ar
    1. [bluntinstrument@testing Downloads]$ ar -x xmind-x.y-xyz-linux_amd64.deb
  3. There will be 2 tarballs extracted, data.tar.gz & control.tar.gz
  4. Untar data.tar.gz:
    1. [bluntinstrument@testing Downloads]$ tar xf data.tar.gz
    2. You get a subfolder usr/
  5. [bluntinstrument@testing Downloads]$ sudo cp -r usr/bin/ /opt/xmind/
  6. [bluntinstrument@testing Downloads]$ sudo cp -r usr/lib/ /usr/
  7. [bluntinstrument@testing Downloads]$ sudo cp -r usr/share/ /usr/
  8. Untar control.tar.gz:
    1. [bluntinstrument@testing Downloads]$ tar xf control.tar.gz
    2. You get a script ‘postinst’
  9. [bluntinstrument@testing Downloads]$ sudo sh postinst
  10. Create symlink for XMind:
    1. sudo ln -s /opt/xmind/bin/XMind /usr/local/bin/XMind

And you’re good to go 😀

I used this guide as a reference: http://www.xmind.net/m/JKm6/