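#!/bin/bash
# ==================================================================================
# Security verification script
# ==================================================================================
#
# Verifies that the hardened deployment configuration is actually in place on
# this host: isolated Docker networks, running core containers, no internal
# service ports published on all interfaces, non-default credentials in .env,
# compose resource limits, and basic service connectivity (web and Redis).
#
# Usage:
#   ./verify_security.sh
#
# Exit status: 0 when every check passes, 1 when at least one check fails or
# when neither docker-compose nor `docker compose` is available.
#
# This script deliberately does NOT use `set -e`: every check must be able to
# fail without aborting the run, so that all results are tallied and reported.
# ==================================================================================
set -u

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

TOTAL_CHECKS=0
PASSED_CHECKS=0
FAILED_CHECKS=0

# Deployment-specific names used by the checks below.
readonly ENV_FILE=".env"
readonly WEB_CONTAINER="rss2_web"
readonly WEB_URL="http://localhost:8001"
readonly CURL_TIMEOUT=10
readonly RULE='━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'

#######################################
# Records a passed check and prints its message in green.
# Globals:   TOTAL_CHECKS, PASSED_CHECKS (written)
# Arguments: $1 - message to print
#######################################
pass() {
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  PASSED_CHECKS=$((PASSED_CHECKS + 1))
  printf '%b✅ %s%b\n' "$GREEN" "$1" "$NC"
}

#######################################
# Records a failed check and prints its message in red.
# Globals:   TOTAL_CHECKS, FAILED_CHECKS (written)
# Arguments: $1 - message to print
#######################################
fail() {
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  FAILED_CHECKS=$((FAILED_CHECKS + 1))
  printf '%b❌ %s%b\n' "$RED" "$1" "$NC"
}

#######################################
# Prints a section header.
# Arguments: $1 - header text
#######################################
section() {
  printf '\n%b📋 %s%b\n\n' "$YELLOW" "$1" "$NC"
}

#######################################
# Runs a predicate command and records whether its outcome matched the
# expectation. The command is executed directly with its arguments — never
# through eval — and its output is discarded.
# Globals:   counters, via pass/fail
# Arguments: $1 - human-readable name of the check
#            $2 - "pass" if the command is expected to succeed,
#                 "fail" if it is expected to fail
#            $3.. - the command and its arguments
# Returns:   0 when the outcome matched the expectation, 1 otherwise
#######################################
check() {
  local test_name="$1"
  local expected="$2"
  shift 2
  local outcome

  printf 'Verificando: %s... ' "$test_name"
  if "$@" > /dev/null 2>&1; then
    outcome="pass"
  else
    outcome="fail"
  fi

  if [ "$outcome" = "$expected" ]; then
    pass "PASS"
    return 0
  fi
  fail "FAIL"
  return 1
}

#######################################
# Runs docker compose, preferring the standalone docker-compose binary and
# falling back to the `docker compose` plugin.
# Arguments: $@ - compose arguments
#######################################
compose() {
  if command -v docker-compose > /dev/null 2>&1; then
    docker-compose "$@"
  else
    docker compose "$@"
  fi
}

#######################################
# Predicate: a running container whose name contains $1 exists.
# `--filter name=` is a substring match on container names only, which is
# narrower than grepping the whole `docker ps` line (image names no longer
# produce false positives).
# Arguments: $1 - container name (substring)
#######################################
container_running() {
  [ -n "$(docker ps -q --filter "name=$1")" ]
}

#######################################
# Predicate: host port $1 is published on all interfaces — IPv4 (0.0.0.0) or
# IPv6 (::: / [::]) — by any running container. A binding restricted to
# 127.0.0.1 is not reported.
# Arguments: $1 - host port number
#######################################
port_published_publicly() {
  docker ps --format '{{.Ports}}' | grep -qE -- "(0\.0\.0\.0|\[?::\]?):$1->"
}

#######################################
# Predicate: the literal port mapping $1 (e.g. "0.0.0.0:8001->80") appears in
# the published ports of a running container.
# Arguments: $1 - literal mapping text
#######################################
port_mapping_present() {
  docker ps --format '{{.Ports}}' | grep -qF -- "$1"
}

#######################################
# Reads the value of KEY=value from the .env file. The last matching line
# wins, an optional `export ` prefix is accepted, and surrounding single or
# double quotes and a trailing CR are stripped.
# Arguments: $1 - variable name
# Outputs:   the value on stdout; empty if the key is absent or has no value
#######################################
env_value() {
  local line
  line=$(grep -E "^[[:space:]]*(export[[:space:]]+)?$1=" -- "$ENV_FILE" 2>/dev/null | tail -n 1)
  line=${line#*=}
  line=${line%$'\r'}
  line=${line%\"}; line=${line#\"}
  line=${line%\'}; line=${line#\'}
  printf '%s' "$line"
}

#######################################
# Checks that a secret in .env is set and, when a shipped default is given,
# differs from it. The comparison is exact: the previous prefix grep treated
# e.g. POSTGRES_PASSWORD=xK9... as "still x". The value itself is never
# printed.
# Arguments: $1 - variable name
#            $2 - insecure default shipped with the project ("" if none)
#######################################
check_secret() {
  local name="$1"
  local default="$2"
  local value
  value=$(env_value "$name")

  if [ -z "$value" ]; then
    fail "$name no está configurado (INSEGURO)"
  elif [ -n "$default" ] && [ "$value" = "$default" ]; then
    fail "$name sigue siendo '$default' (INSEGURO)"
  elif [ -n "$default" ]; then
    pass "$name ha sido cambiado"
  else
    pass "$name está configurado"
  fi
}

printf '%b==================================\n' "$BLUE"
printf '🔐 Verificación de Seguridad\n'
printf '==================================%b\n\n' "$NC"

# Compose must be available, either as the v1 binary or the v2 plugin.
if ! command -v docker-compose > /dev/null 2>&1 \
  && ! docker compose version > /dev/null 2>&1; then
  printf '%b❌ docker-compose (o docker compose) no está instalado%b\n' "$RED" "$NC"
  exit 1
fi

section "Verificando configuración de red..."

check "Red frontend existe" "pass" docker network inspect rss2_frontend
check "Red backend existe" "pass" docker network inspect rss2_backend
check "Red monitoring existe" "pass" docker network inspect rss2_monitoring

section "Verificando servicios en ejecución..."

check "Contenedor DB corriendo" "pass" container_running rss2_db
check "Contenedor Redis corriendo" "pass" container_running rss2_redis
check "Contenedor Web corriendo" "pass" container_running "$WEB_CONTAINER"
check "Contenedor Nginx corriendo" "pass" container_running rss2_nginx
check "Contenedor Qdrant corriendo" "pass" container_running rss2_qdrant

section "Verificando exposición de puertos..."

# Internal services must NOT be published on all interfaces (expected "fail"
# means the predicate must not find such a binding).
check "Qdrant NO expuesto públicamente" "fail" port_published_publicly 6333
check "Prometheus NO expuesto públicamente" "fail" port_published_publicly 9090
check "cAdvisor NO expuesto públicamente" "fail" port_published_publicly 8081

# The web entry point, on the other hand, must be published.
check "Nginx expuesto en puerto 8001" "pass" port_mapping_present "0.0.0.0:8001->80"

section "Verificando variables de entorno..."

if [ ! -f "$ENV_FILE" ]; then
  fail "Archivo $ENV_FILE no existe"
else
  pass "Archivo $ENV_FILE existe"

  # The file holds credentials; it must not be readable by other local users.
  if [ -n "$(find "$ENV_FILE" -perm -o+r 2>/dev/null)" ]; then
    fail "$ENV_FILE es legible por otros usuarios (INSEGURO)"
  else
    pass "$ENV_FILE no es legible por otros usuarios"
  fi

  # Shipped defaults must have been replaced, and every secret must be non-empty.
  check_secret "POSTGRES_PASSWORD" "x"
  check_secret "SECRET_KEY" "secret"
  check_secret "REDIS_PASSWORD" ""
fi

section "Verificando límites de recursos..."

if compose config 2>/dev/null | grep -q "limits:"; then
  pass "Límites de recursos configurados"
else
  fail "No hay límites de recursos configurados"
fi

section "Verificando conectividad de servicios..."

# Only transport-level reachability is checked here (no -f), as before; the
# timeout keeps the script from hanging on a half-open listener.
if curl -s --max-time "$CURL_TIMEOUT" "$WEB_URL" > /dev/null 2>&1; then
  pass "Sitio web responde correctamente"
else
  fail "Sitio web no responde"
fi

# Redis with authentication (when REDIS_PASSWORD is set inside the web
# container). The Python snippet is single-quoted so the shell does not expand
# anything inside it; the password never leaves the container.
redis_output=$(docker exec "$WEB_CONTAINER" python3 -c '
import os
import sys
import redis
try:
    password = os.getenv("REDIS_PASSWORD")
    config = {"host": "redis", "port": 6379}
    if password:
        config["password"] = password
    r = redis.Redis(**config)
    r.ping()
    print("OK")
except Exception as e:
    print(f"ERROR: {e}")
    sys.exit(1)
' 2>&1)
# -x: the whole line must be "OK", so an error message containing "OK" cannot
# be mistaken for success.
if printf '%s\n' "$redis_output" | grep -qx "OK"; then
  pass "Redis autenticado funciona correctamente"
else
  fail "Redis no responde correctamente"
  printf '%s\n' "$redis_output" >&2
fi

printf '\n%b==================================\n' "$BLUE"
printf '📊 Resultados de la Verificación\n'
printf '==================================%b\n\n' "$NC"

printf 'Total de verificaciones: %s\n' "$TOTAL_CHECKS"
printf '%b✅ Pasadas: %s%b\n' "$GREEN" "$PASSED_CHECKS" "$NC"
printf '%b❌ Fallidas: %s%b\n' "$RED" "$FAILED_CHECKS" "$NC"

# Guard the division: no checks run means 0%, not a shell arithmetic error.
if [ "$TOTAL_CHECKS" -gt 0 ]; then
  PERCENTAGE=$((PASSED_CHECKS * 100 / TOTAL_CHECKS))
else
  PERCENTAGE=0
fi
printf '\nPorcentaje de éxito: %b%s%%%b\n\n' "$GREEN" "$PERCENTAGE" "$NC"

if [ "$FAILED_CHECKS" -eq 0 ]; then
  printf '%b%s%b\n' "$GREEN" "$RULE" "$NC"
  printf '%b🎉 ¡Todas las verificaciones pasaron correctamente!%b\n' "$GREEN" "$NC"
  printf '%b%s%b\n' "$GREEN" "$RULE" "$NC"
  printf '\n%b✅ El sistema está configurado de forma segura%b\n\n' "$GREEN" "$NC"
  exit 0
else
  printf '%b%s%b\n' "$RED" "$RULE" "$NC"
  printf '%b⚠️ Algunas verificaciones fallaron%b\n' "$RED" "$NC"
  printf '%b%s%b\n' "$RED" "$RULE" "$NC"
  printf '\n%b📖 Revisa SECURITY_GUIDE.md para solucionar los problemas%b\n\n' "$YELLOW" "$NC"
  exit 1
fi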