From 1d2725664259b90786914338567a76db0df8d7e6 Mon Sep 17 00:00:00 2001
From: Thiago Valverde de Souza
Date: Sun, 18 Aug 2024 19:12:25 -0300
Subject: [PATCH] Add integration test for Batchx509SVID RPC
---
 .../suites/batchx509SVID/00-gen-files.sh | 51 +++++++++++++++++++
 .../suites/batchx509SVID/01-setup.sh | 21 ++++++++
 .../suites/batchx509SVID/02-create-entry.sh | 40 +++++++++++++++
 .../batchx509SVID/03-test-batchx509svid.sh | 30 +++++++++++
 .../suites/batchx509SVID/README.md | 17 +++++++
 .../batchx509SVID/conf/agent/agent.conf | 31 +++++++++++
 .../batchx509SVID/conf/server/server.conf | 26 ++++++++++
 .../integration/suites/batchx509SVID/teardown | 24 +++++++++
 8 files changed, 240 insertions(+)
 create mode 100755 test/integration/suites/batchx509SVID/00-gen-files.sh
 create mode 100755 test/integration/suites/batchx509SVID/01-setup.sh
 create mode 100755 test/integration/suites/batchx509SVID/02-create-entry.sh
 create mode 100755 test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
 create mode 100644 test/integration/suites/batchx509SVID/README.md
 create mode 100644 test/integration/suites/batchx509SVID/conf/agent/agent.conf
 create mode 100644 test/integration/suites/batchx509SVID/conf/server/server.conf
 create mode 100755 test/integration/suites/batchx509SVID/teardown
diff --git a/test/integration/suites/batchx509SVID/00-gen-files.sh b/test/integration/suites/batchx509SVID/00-gen-files.sh
new file mode 100755
index 0000000000..1d4f77b62d
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/00-gen-files.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Define directories
+BASE_DIR="/opt/spire/conf"
+SERVER_DIR="${BASE_DIR}/server"
+AGENT_DIR="${BASE_DIR}/agent"
+
+# Create necessary directories
+mkdir -p "${SERVER_DIR}"
+mkdir -p "${AGENT_DIR}"
+
+# Generate Root CA Certificate and Key
+echo "Generating Root CA certificate and key..."
+openssl genrsa -out root-ca.key 2048
+openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA"
+
+# Generate Server Certificate and Key
+echo "Generating Server certificate and key..."
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server"
+openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365
+
+# Generate Agent Certificate and Key
+echo "Generating Agent certificate and key..."
+openssl genrsa -out agent.key 2048
+openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent"
+openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365
+
+# Create Trust Bundles
+echo "Creating trust bundles..."
+cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"
+cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt"
+
+# Combine Certificates and Keys
+echo "Creating combined certificate files..."
+cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"
+cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"
+
+# Create Combined Key and Certificate Files
+echo "Creating combined key and certificate files..."
+cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem"
+cat server.key server.crt > "${SERVER_DIR}/server.key.pem"
+
+# Clean up intermediate files
+echo "Cleaning up..."
+rm server.key server.csr server.crt agent.key agent.csr agent.crt
+
+echo "Certificate files generated and placed in ${BASE_DIR}."
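Review bot: The combined key files are written by plain `cat … >` redirection, so `agent.key.pem`, `server.key.pem` and the `.crt.pem` files that also embed the private key take the process umask (commonly 0644) instead of owner-only permissions; adding `umask 077` right after `set -e` makes every generated file owner-readable only. The cleanup step removes the leaf material but leaves `root-ca.key`, `root-ca.crt` and the serial file that `-CAcreateserial` writes next to the CA certificate in the working directory, so the CA private key outlives the script; extending the `rm` to those files (or generating everything inside a `mktemp -d` directory removed by a `trap … EXIT`) closes that. `agent.crt.pem` and `server.crt.pem` contain the private key as well as the certificate, which the names do not suggest, so a comment such as `# key+cert bundles: both files below contain the private key` would help the next reader. 01-setup.sh calls `${ROOTDIR}/setup/x509pop/setup.sh`, which presumably produces the same material, so it is unclear whether this script is still needed by the suite.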
diff --git a/test/integration/suites/batchx509SVID/01-setup.sh b/test/integration/suites/batchx509SVID/01-setup.sh
new file mode 100755
index 0000000000..0e76475346
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/01-setup.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+echo "RUNDIR: ${RUNDIR}"
+
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
+
+"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
+"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
+
+
+echo "Starting SPIRE server..."
+spire-server run -config conf/server/server.conf > ${RUNDIR}/spire-server.log 2>&1 &
+SERVER_PID=$!
+sleep 5
+
+echo "Starting SPIRE agent..."
+spire-agent run -config conf/agent/agent.conf &
+AGENT_PID=$!
+sleep 5
\ No newline at end of file
diff --git a/test/integration/suites/batchx509SVID/02-create-entry.sh b/test/integration/suites/batchx509SVID/02-create-entry.sh
new file mode 100755
index 0000000000..27ca4ba8e5
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/02-create-entry.sh
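Review bot: `SERVER_PID` and `AGENT_PID` are captured on the lines after each `run … &` but never used or exported, so the teardown script has to fall back to `pgrep`; writing them to a file under `${RUNDIR}` (or exporting them) lets teardown stop exactly the processes this script started. The redirection `> ${RUNDIR}/spire-server.log` is unquoted and the agent's output is not captured at all; `> "${RUNDIR}/spire-server.log" 2>&1 &` and a matching `> "${RUNDIR}/spire-agent.log" 2>&1 &` fix both. The fixed `sleep 5` after each start is a flaky readiness signal; polling `spire-server healthcheck` (and `spire-agent healthcheck` against the agent socket) with a bounded retry count until it succeeds is more reliable and fails fast when a daemon does not come up. The file also ends without a trailing newline.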
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+# Function to check if the entry exists
+check_entry_exists() {
+ local entry_id=$1
+ local retries=10
+ local delay=5
+
+ for ((i=1; i<=retries; i++)); do
+ echo "Checking if entry with SPIFFE ID $entry_id exists (attempt $i)..."
+
+ # Check if the entry exists using `spire-server entry show`
+ response=$(spire-server entry show -spiffeID "$entry_id" 2>&1)
+
+ # Check if the response contains the expected entry
+ if echo "$response" | grep -q "SPIFFE ID"; then
+ echo "Entry with SPIFFE ID $entry_id found."
+ return 0
+ fi
+
+ echo "Entry with SPIFFE ID $entry_id not found yet. Retrying in $delay seconds..."
+ sleep "$delay"
+ done
+
+ echo "Failed to create entry within the timeout period."
+ return 1
+}
+
+# Create the registration entry
+echo "Creating registration entry..."
+spire-server entry create -parentID spiffe://example.org/spire/agent/x509pop/agent1 \
+ -spiffeID spiffe://example.org/workload \
+ -selector unix:uid:1000 \
+ -x509SVIDTTL 3600 \
+ -jwtSVIDTTL 3600 \
+ -downstream
+
+# Check if the entry exists
+check_entry_exists "spiffe://example.org/workload"
diff --git a/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh b/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
new file mode 100755
index 0000000000..d584f69818
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
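Review bot: The `-downstream` flag on the `spire-server entry create` call marks the workload entry as a downstream SPIRE server, which lets whoever holds that identity request CA material from the server; unless the test exercises the downstream API, dropping the flag keeps the entry at the least privilege a plain workload needs. The parent ID `spiffe://example.org/spire/agent/x509pop/agent1` looks hand-written: with the x509pop attestor the agent ID is normally derived from the attesting certificate unless the suite's setup overrides the path template, so this entry may never be delivered to the agent, while `check_entry_exists` would still report success because it only confirms the entry was stored. Inside `check_entry_exists`, `response` and the loop counter `i` leak into the global scope; `local response i` next to the other `local` declarations fixes that.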
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Define the SPIRE server address
+SPIRE_SERVER_ADDRESS="localhost:8081"
+
+# Define the correct API endpoint for Batchx509SVID
+API_ENDPOINT="${SPIRE_SERVER_ADDRESS}/v1/batchx509svid"
+
+# Wait for SPIRE server to be ready
+echo "Waiting for SPIRE server to be ready..."
+for i in {1..10}; do
+ response=$(curl -s -o /dev/null -w "%{http_code}" "${SPIRE_SERVER_ADDRESS}")
+ if [ "$response" -eq 200 ]; then
+ echo "SPIRE server is ready."
+ break
+ fi
+ sleep 2
+done
+
+# Make a request to the Batchx509SVID endpoint
+echo "Testing Batchx509SVID RPC..."
+response=$(curl -s -o /dev/null -w "%{http_code}" "${API_ENDPOINT}")
+
+# Check if the response code is 200 (OK)
+if [ "$response" -ne 200 ]; then
+ echo "Error: Expected HTTP 200 OK but received HTTP $response"
+ exit 1
+else
+ echo "Batchx509SVID RPC is working as expected."
+fi
diff --git a/test/integration/suites/batchx509SVID/README.md b/test/integration/suites/batchx509SVID/README.md
new file mode 100644
index 0000000000..4ab958b3d8
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/README.md
@@ -0,0 +1,17 @@
+# Batchx509SVID RPC Integration Test
+
+## Overview
+
+This test ensures the continued operation of the `Batchx509SVID` RPC in Open Source SPIRE.
+
+## Test Steps
+
+1. **Setup**
+
+ - Starts SPIRE server and agent.
+ - Configures necessary registration entries.
+
+ Run the setup script:
+
+ ```bash
+ sudo ./test/integration/suites/batchx509svid/01-setup.sh
\ No newline at end of file
diff --git a/test/integration/suites/batchx509SVID/conf/agent/agent.conf b/test/integration/suites/batchx509SVID/conf/agent/agent.conf
new file mode 100644
index 0000000000..ae7cd42947
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/conf/agent/agent.conf
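Review bot: The request on the `curl … "${API_ENDPOINT}"` line cannot exercise the RPC under test: port 8081 from server.conf is the server's TLS gRPC endpoint, the batch X.509-SVID call is a gRPC method on the SVID service rather than an HTTP path like `/v1/batchx509svid`, and it requires an attested agent identity, so curl will report `000` or an error, the readiness loop above never sees 200, and even a 200 would not show that any SVID was issued. The readiness loop also falls through silently after ten failures and the file sets no `set -e`, so the script reaches the final check regardless of server state. A more faithful test drives the RPC through the agent attested in 01-setup.sh, for example by fetching an SVID over the Workload API socket named in agent.conf and asserting on the SPIFFE ID in the output, since that fetch is what makes the agent call the server's batch SVID RPC; because the entry from 02-create-entry.sh selects `unix:uid:1000`, the fetch has to run as that uid. The sketch below replaces the whole curl-based body.
```shell
#!/bin/bash
set -e

# Workload API socket configured in conf/agent/agent.conf.
SOCKET_PATH="/tmp/spire-agent/public/api.sock"

echo "Testing Batchx509SVID RPC..."
# Fetching an SVID through the agent makes it call the server's batch
# X.509-SVID RPC; the entry was registered in 02-create-entry.sh and
# selects unix:uid:1000, so this must run as that uid.
output=$(spire-agent api fetch x509 -socketPath "${SOCKET_PATH}" 2>&1) || {
  echo "Error: SVID fetch failed: ${output}"
  exit 1
}
grep -q "spiffe://example.org/workload" <<<"${output}" || {
  echo "Error: expected an SVID for spiffe://example.org/workload, got: ${output}"
  exit 1
}
echo "Batchx509SVID RPC is working as expected."
```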
@@ -0,0 +1,31 @@
+agent {
+ data_dir = "/opt/spire/data/agent"
+ log_level = "DEBUG"
+ server_address = "spire-server"
+ server_port = "8081"
+ socket_path = "/tmp/spire-agent/public/api.sock"
+ trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+ trust_domain = "example.org"
+ admin_socket_path = "/opt/debug.sock"
+ experimental {
+ x509_svid_cache_max_size = 8
+ }
+}
+
+plugins {
+ NodeAttestor "x509pop" {
+ plugin_data {
+ private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+ certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+ }
+ }
+ KeyManager "disk" {
+ plugin_data {
+ directory = "/opt/spire/data/agent"
+ }
+ }
+ WorkloadAttestor "unix" {
+ plugin_data {
+ }
+ }
+}
diff --git a/test/integration/suites/batchx509SVID/conf/server/server.conf b/test/integration/suites/batchx509SVID/conf/server/server.conf
new file mode 100644
index 0000000000..6eb500fd24
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/conf/server/server.conf
@@ -0,0 +1,26 @@
+server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ trust_domain = "example.org"
+ data_dir = "/opt/spire/data/server"
+ log_level = "DEBUG"
+ ca_ttl = "1h"
+ default_x509_svid_ttl = "10m"
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/opt/spire/data/server/datastore.sqlite3"
+ }
+ }
+ NodeAttestor "x509pop" {
+ plugin_data {
+ ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+ }
+ }
+ KeyManager "memory" {
+ plugin_data = {}
+ }
+}
diff --git a/test/integration/suites/batchx509SVID/teardown b/test/integration/suites/batchx509SVID/teardown
new file mode 100755
index 0000000000..1e396dfe6f
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/teardown
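Review bot: `server_address = "spire-server"` reaches the server by hostname, while 03-test-batchx509svid.sh addresses it as `localhost:8081` and 01-setup.sh starts both daemons in the same shell; one of these assumptions about where the server runs is wrong, and a short comment on this line stating the intended topology (single host versus a container network) would settle which. `admin_socket_path = "/opt/debug.sock"` turns on the agent's admin API, presumably for the debugclient built in 01-setup.sh; a comment such as `# admin API is only enabled for the debugclient used by this suite` would keep it from being copied into a non-test config. The files under `/opt/spire/conf/agent/` named by `private_key_path`, `certificate_path` and `trust_bundle_path` are produced by the setup scripts, and noting which script writes them would help anyone debugging a failed attestation.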
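Review bot: `plugin_data = {}` in the `KeyManager "memory"` block uses the attribute form while every other plugin in this file and in agent.conf uses the `plugin_data { … }` block form; `plugin_data {}` keeps the style uniform. `bind_address = "0.0.0.0"` listens on every interface, which is presumably required because agent.conf reaches the server by the hostname `spire-server`; a one-line comment such as `# bind on all interfaces so the agent container can reach the server` would make clear the wide bind is deliberate for the test network rather than an oversight.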
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+echo "Bringing down services..."
+
+# Stop the SPIRE server
+if pgrep spire-server > /dev/null; then
+ echo "Stopping SPIRE server..."
+ sudo kill -9 $(pgrep spire-server) || true
+fi
+
+# Stop the SPIRE agent
+if pgrep spire-agent > /dev/null; then
+ echo "Stopping SPIRE agent..."
+ sudo kill -9 $(pgrep spire-agent) || true
+fi
+
+# Remove temporary directories if needed
+echo "Cleaning up..."
+rm -rf /opt/spire/data
+rm -rf /opt/spire/conf
+
+echo "Teardown complete."
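Review bot: `sudo kill -9 $(pgrep spire-server)` (and the matching agent line) sends SIGKILL as the first and only signal, so the server and agent never get to close the SQLite datastore and their sockets cleanly, and the unquoted `$(pgrep …)` substitution with name-based matching may hit processes this suite did not start on a shared host. Sending SIGTERM first, waiting briefly, and escalating to SIGKILL only if the process is still alive — ideally using the PIDs 01-setup.sh captures in `SERVER_PID`/`AGENT_PID` rather than `pgrep` — is safer. The `|| true` on each kill line combined with `set -e` also hides a failure to stop the daemons, so `rm -rf /opt/spire/data` can run while the server still holds the datastore open. Keep the `sudo` prefix only if the daemons really run as a different user than this script; 01-setup.sh starts them without it.
```shell
# Send TERM first and escalate to KILL only if the process is still alive.
stop_process() {
  local name=$1
  pgrep -x "${name}" > /dev/null || return 0
  echo "Stopping ${name}..."
  pkill -TERM -x "${name}" || true
  for _ in {1..10}; do
    pgrep -x "${name}" > /dev/null || return 0
    sleep 1
  done
  echo "${name} did not exit on SIGTERM; sending SIGKILL" >&2
  pkill -KILL -x "${name}" || true
}

stop_process spire-server
stop_process spire-agent
# … unchanged: removal of /opt/spire/data and /opt/spire/conf …
```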