Add integration test for Batchx509SVID RPC

test/integration/suites/batchx509SVID/00-gen-files.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Define directories
+BASE_DIR="/opt/spire/conf"
+SERVER_DIR="${BASE_DIR}/server"
+AGENT_DIR="${BASE_DIR}/agent"
+
+# Create necessary directories
+mkdir -p "${SERVER_DIR}"
+mkdir -p "${AGENT_DIR}"
+
+# Generate Root CA Certificate and Key
+echo "Generating Root CA certificate and key..."
+openssl genrsa -out root-ca.key 2048
+openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA"
+
+# Generate Server Certificate and Key
+echo "Generating Server certificate and key..."
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server"
+openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365
+
+# Generate Agent Certificate and Key
+echo "Generating Agent certificate and key..."
+openssl genrsa -out agent.key 2048
+openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent"
+openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365
+
+# Create Trust Bundles
+echo "Creating trust bundles..."
+cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"
+cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt"
+
+# Combine Certificates and Keys
+echo "Creating combined certificate files..."
+cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"
+cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"
+
+# Create Combined Key and Certificate Files
+echo "Creating combined key and certificate files..."
+cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem"
+cat server.key server.crt > "${SERVER_DIR}/server.key.pem"
+
+# Clean up intermediate files
+echo "Cleaning up..."
+rm server.key server.csr server.crt agent.key agent.csr agent.crt
+
+echo "Certificate files generated and placed in ${BASE_DIR}."

test/integration/suites/batchx509SVID/01-setup.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+echo "RUNDIR: ${RUNDIR}"
+
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
+
+"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
+"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
+
+
+echo "Starting SPIRE server..."
+spire-server run -config conf/server/server.conf > ${RUNDIR}/spire-server.log 2>&1 &
+SERVER_PID=$!
+sleep 5
+
+echo "Starting SPIRE agent..."
+spire-agent run -config conf/agent/agent.conf &
+AGENT_PID=$!
+sleep 5

test/integration/suites/batchx509SVID/02-create-entry.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+# Function to check if the entry exists
+check_entry_exists() {
+ local entry_id=$1
+ local retries=10
+ local delay=5
+
+ for ((i=1; i<=retries; i++)); do
+ echo "Checking if entry with SPIFFE ID $entry_id exists (attempt $i)..."
+
+ # Check if the entry exists using `spire-server entry show`
+ response=$(spire-server entry show -spiffeID "$entry_id" 2>&1)
+
+ # Check if the response contains the expected entry
+ if echo "$response" | grep -q "SPIFFE ID"; then
+ echo "Entry with SPIFFE ID $entry_id found."
+ return 0
+ fi
+
+ echo "Entry with SPIFFE ID $entry_id not found yet. Retrying in $delay seconds..."
+ sleep "$delay"
+ done
+
+ echo "Failed to create entry within the timeout period."
+ return 1
+}
+
+# Create the registration entry
+echo "Creating registration entry..."
+spire-server entry create -parentID spiffe://example.org/spire/agent/x509pop/agent1 \
+ -spiffeID spiffe://example.org/workload \
+ -selector unix:uid:1000 \
+ -x509SVIDTTL 3600 \
+ -jwtSVIDTTL 3600 \
+ -downstream
+
+# Check if the entry exists
+check_entry_exists "spiffe://example.org/workload"

test/integration/suites/batchx509SVID/03-test-batchx509svid.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Define the SPIRE server address
+SPIRE_SERVER_ADDRESS="localhost:8081"
+
+# Define the correct API endpoint for Batchx509SVID
+API_ENDPOINT="${SPIRE_SERVER_ADDRESS}/v1/batchx509svid"
+
+# Wait for SPIRE server to be ready
+echo "Waiting for SPIRE server to be ready..."
+for i in {1..10}; do
+ response=$(curl -s -o /dev/null -w "%{http_code}" "${SPIRE_SERVER_ADDRESS}")
+ if [ "$response" -eq 200 ]; then
+ echo "SPIRE server is ready."
+ break
+ fi
+ sleep 2
+done
+
+# Make a request to the Batchx509SVID endpoint
+echo "Testing Batchx509SVID RPC..."
+response=$(curl -s -o /dev/null -w "%{http_code}" "${API_ENDPOINT}")
+
+# Check if the response code is 200 (OK)
+if [ "$response" -ne 200 ]; then
+ echo "Error: Expected HTTP 200 OK but received HTTP $response"
+ exit 1
+else
+ echo "Batchx509SVID RPC is working as expected."
+fi

test/integration/suites/batchx509SVID/README.md

@@ -0,0 +1,17 @@
+# Batchx509SVID RPC Integration Test
+
+## Overview
+
+This test ensures the continued operation of the `Batchx509SVID` RPC in Open Source SPIRE.
+
+## Test Steps
+
+1. **Setup**
+
+ - Starts SPIRE server and agent.
+ - Configures necessary registration entries.
+
+ Run the setup script:
+
+ ```bash
+ sudo ./test/integration/suites/batchx509svid/01-setup.sh

test/integration/suites/batchx509SVID/conf/agent/agent.conf

@@ -0,0 +1,31 @@
+agent {
+ data_dir = "/opt/spire/data/agent"
+ log_level = "DEBUG"
+ server_address = "spire-server"
+ server_port = "8081"
+ socket_path = "/tmp/spire-agent/public/api.sock"
+ trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+ trust_domain = "example.org"
+ admin_socket_path = "/opt/debug.sock"
+ experimental {
+ x509_svid_cache_max_size = 8
+ }
+}
+
+plugins {
+ NodeAttestor "x509pop" {
+ plugin_data {
+ private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+ certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+ }
+ }
+ KeyManager "disk" {
+ plugin_data {
+ directory = "/opt/spire/data/agent"
+ }
+ }
+ WorkloadAttestor "unix" {
+ plugin_data {
+ }
+ }
+}

test/integration/suites/batchx509SVID/conf/server/server.conf

@@ -0,0 +1,26 @@
+server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ trust_domain = "example.org"
+ data_dir = "/opt/spire/data/server"
+ log_level = "DEBUG"
+ ca_ttl = "1h"
+ default_x509_svid_ttl = "10m"
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/opt/spire/data/server/datastore.sqlite3"
+ }
+ }
+ NodeAttestor "x509pop" {
+ plugin_data {
+ ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+ }
+ }
+ KeyManager "memory" {
+ plugin_data = {}
+ }
+}

test/integration/suites/batchx509SVID/teardown

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+echo "Bringing down services..."
+
+# Stop the SPIRE server
+if pgrep spire-server > /dev/null; then
+ echo "Stopping SPIRE server..."
+ sudo kill -9 $(pgrep spire-server) || true
+fi
+
+# Stop the SPIRE agent
+if pgrep spire-agent > /dev/null; then
+ echo "Stopping SPIRE agent..."
+ sudo kill -9 $(pgrep spire-agent) || true
+fi
+
+# Remove temporary directories if needed
+echo "Cleaning up..."
+rm -rf /opt/spire/data
+rm -rf /opt/spire/conf
+
+echo "Teardown complete."