Adds integration tests for mysql, postgres and go client-server. (#72)

* Adds integration tests for mysql, postgres and go client-server. Signed-off-by: JU4N98 <[email protected]> * Fixes spiffe-helper dockerfile. Signed-off-by: JU4N98 <[email protected]> * Adds integration tests to workflows. Signed-off-by: JU4N98 <[email protected]> * Adds build-matrix job Signed-off-by: FedeNQ <[email protected]> * Add strategy to integration test (#9) * adds strategy Signed-off-by: FedeNQ <[email protected]> * changes bash command Signed-off-by: FedeNQ <[email protected]> --------- Signed-off-by: FedeNQ <[email protected]> * Fix strategy matrix (#11) * Change location of test files Signed-off-by: FedeNQ <[email protected]> * Change location of restore-entry-test Signed-off-by: FedeNQ <[email protected]> * Change location of restore-entry-test Signed-off-by: FedeNQ <[email protected]> * Adds shell in Run tests Signed-off-by: FedeNQ <[email protected]> --------- Signed-off-by: FedeNQ <[email protected]> * Changes exit code in tests (#12) Signed-off-by: FedeNQ <[email protected]> * change on max_attempts Signed-off-by: FedeNQ <[email protected]> * change max_attempts on build.sh Signed-off-by: FedeNQ <[email protected]> * increase ttl and attemps Signed-off-by: FedeNQ <[email protected]> * Move IT folder into .github folder (#15) * Move IT folder to .github folder Signed-off-by: FedeNQ <[email protected]> * Add ./.github/it to working directory Signed-off-by: FedeNQ <[email protected]> * Change target_dir in tests Signed-off-by: FedeNQ <[email protected]> * Change target_dir Signed-off-by: FedeNQ <[email protected]> * Change target_dir Signed-off-by: FedeNQ <[email protected]> * Add /.github in path Signed-off-by: FedeNQ <[email protected]> * change on docker-compose Signed-off-by: FedeNQ <[email protected]> * change target_dir in run-postgres-test Signed-off-by: FedeNQ <[email protected]> --------- Signed-off-by: FedeNQ <[email protected]> * move IT to tests folder Signed-off-by: FedeNQ <[email protected]> * change pr_build Signed-off-by: FedeNQ <[email protected]> * Change target_dir on tests Signed-off-by: FedeNQ <[email protected]> * Change release_build.yaml Signed-off-by: FedeNQ <[email protected]> * Change ttl & retries Signed-off-by: FedeNQ <[email protected]> --------- Signed-off-by: JU4N98 <[email protected]> Signed-off-by: FedeNQ <[email protected]> Co-authored-by: JU4N98 <[email protected]> Co-authored-by: Faisal Memon <[email protected]>
spiffe · Jul 20, 2023 · 68f73c1 · 68f73c1
1 parent a3f3ed3
commit 68f73c1
Show file tree

Hide file tree

Showing 41 changed files with 1,008 additions and 1 deletion.
diff --git a/.github/tests/change-entry-test.sh b/.github/tests/change-entry-test.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Define the target directory path
+target_dir="./it"
+
+# Check if the target directory exists
+if [ ! -d "$target_dir" ]; then
+  echo "Error: The target directory '$target_dir' does not exist."
+  exit 1
+fi
+
+# Change to the target directory
+cd "$target_dir" || exit
+
+bash change-entry-client-test.sh 1
diff --git a/.github/tests/it/build.sh b/.github/tests/it/build.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+fingerprint () {
+	# calculate the SHA1 digest of the DER bytes of the certificate using the
+	# "coreutils" output format (`-r`) to provide uniform output from
+	# `openssl sha1` on macOS and linux.
+	openssl x509 -in "$1" -outform DER | openssl sha1 -r | awk '{print $1}'
+}
+
+wait () {
+	max_attempts=40
+
+	for ((attempt = 1; attempt <= max_attempts; attempt++)); do
+		if docker compose exec "$1" test -s "$2"; then
+			break
+		else
+			sleep 1
+		fi
+	done
+}
+
+# set ups spire server and create postgres, mysql and go entries 
+docker compose up spire-server -d
+
+docker compose exec -it spire-server ./bin/spire-server bundle show > ./spire/agent/bootstrap.crt
+
+FINGERPRINT="$(fingerprint ./spire/agent/agent.crt.pem)"
+
+docker compose exec spire-server ./bin/spire-server entry create \
+    -parentID "spiffe://example.org/spire/agent/x509pop/${FINGERPRINT}" \
+    -spiffeID spiffe://example.org/postgres-db \
+    -selector unix:uid:70 \
+	-ttl 60
+
+docker compose exec spire-server ./bin/spire-server entry create \
+	-parentID "spiffe://example.org/spire/agent/x509pop/${FINGERPRINT}" \
+    -spiffeID spiffe://example.org/mysql-db \
+    -selector unix:uid:0 \
+    -ttl 60
+
+docker compose exec spire-server ./bin/spire-server entry create \
+    -parentID "spiffe://example.org/spire/agent/x509pop/${FINGERPRINT}" \
+    -spiffeID spiffe://example.org/client \
+    -selector unix:uid:72 \
+	-dns client \
+	-ttl 100
+
+docker compose exec spire-server ./bin/spire-server entry create \
+    -parentID "spiffe://example.org/spire/agent/x509pop/${FINGERPRINT}" \
+    -spiffeID spiffe://example.org/go-server \
+    -selector unix:uid:73 \
+	-dns go-server \
+	-ttl 3600
+
+# set ups spire agent
+docker compose up spire-agent -d
+
+docker compose build spiffe-helper
+
+# set ups and postgres-db
+docker compose up postgres-db -d
+wait postgres-db /run/postgresql/certs/svid.crt
+docker compose exec postgres-db su postgres -c "pg_ctl start -D /var/lib/postgresql/data"
+docker compose exec postgres-db su postgres -c "psql -U postgres -f /var/lib/postgresql/data/init.sql"
+
+# set ups and mysql-db
+docker compose up mysql-db -d
+docker compose exec mysql-db /etc/init.d/mysql start
+docker compose exec mysql-db su root -c "mysql < /var/lib/mysql/data/init.sql"
+
+# set ups go-server
+docker compose up go-server -d
+wait go-server /run/go-server/certs/svid.crt
+docker compose exec go-server su go-server -c "/opt/go-server/server &"
+
+#set ups client
+docker compose up client -d
+wait client /run/client/certs/svid.crt
diff --git a/.github/tests/it/change-entry-client-test.sh b/.github/tests/it/change-entry-client-test.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+MAX_RETRIES=400
+
+restore-entry(){
+    # This test restores the original values of the entry both connection tests should succeed
+    docker compose exec spire-server ./bin/spire-server entry show -spiffeID spiffe://example.org/client > /tmp/entryFound
+    ENTRYID=$( grep 'Entry ID         :' /tmp/entryFound | awk '{print $4}')
+    PARENTID=$( grep 'Parent ID        :' /tmp/entryFound | awk '{print $4}')
+
+    rows_count_client=$(docker compose logs client | grep -c "SVID updated")
+    ((rows_count_client+=2))
+    docker compose exec spire-server ./bin/spire-server entry update \
+        -entryID $ENTRYID \
+        -parentID $PARENTID \
+        -spiffeID spiffe://example.org/client \
+        -selector unix:uid:72 \
+        -ttl 100 \
+        -dns client
+
+    echo "Entry restored"
+
+    for((i=0; i<MAX_RETRIES; i++))
+    do
+        rows_count_client_now=$(docker compose logs client | grep -c "SVID updated") 
+        if [ $rows_count_client -lt $rows_count_client_now ]; then
+            bash run-postgres-test.sh client 0
+            exit_code_postgres=$?
+            bash run-mysql-test.sh client 0
+            exit_code_mysql=$?
+            if [ $exit_code_postgres == 0 ] && [ $exit_code_mysql == 0 ] ; then
+                exit 0
+            else
+                exit 1
+            fi
+        else
+            sleep 1
+        fi
+    done
+    exit 1
+}
+
+bad-entry(){
+    #This test changes the values of the entry so both connection tests should fail
+    docker compose exec spire-server ./bin/spire-server entry show -spiffeID spiffe://example.org/client > /tmp/entryFound
+    ENTRYID=$( grep 'Entry ID         :' /tmp/entryFound | awk '{print $4}')
+    PARENTID=$( grep 'Parent ID        :' /tmp/entryFound | awk '{print $4}')
+
+    rows_count_client=$(docker compose logs client | grep -c "SVID updated")
+    ((rows_count_client+=2))
+
+    docker compose exec spire-server ./bin/spire-server entry update \
+        -entryID $ENTRYID \
+        -parentID $PARENTID \
+        -spiffeID spiffe://example.org/client \
+        -selector unix:uid:72 \
+        -ttl 100 \
+        -dns testuser1
+
+    echo "Entry changed, now with dns=testuser1"
+
+    for((i=0; i<MAX_RETRIES; i++))
+    do
+        rows_count_client_now=$(docker compose logs client | grep -c "SVID updated") 
+        if [ $rows_count_client -lt $rows_count_client_now ]; then
+            bash run-postgres-test.sh client 1
+            exit_code_postgres=$?
+            bash run-mysql-test.sh client 1
+            exit_code_mysql=$?
+            if [ $exit_code_postgres == 0 ] && [ $exit_code_mysql == 0 ] ; then
+                exit 0
+            else
+                exit 1
+            fi
+        else
+            sleep 1
+        fi
+    done
+    exit 1
+}
+
+# with parameter 1 will change the entry to one that should make it fail
+# otherwise will restore a valid entry
+
+if [ "$1" == "1" ]; then
+    bad-entry
+else
+    restore-entry
+fi
diff --git a/.github/tests/it/client/Dockerfile b/.github/tests/it/client/Dockerfile
@@ -0,0 +1,31 @@
+FROM golang:1.17-alpine AS builder
+COPY ./client.go /service/client.go
+WORKDIR /service
+RUN go build -tags netgo -a -v -o /service/client ./client.go
+
+FROM ubuntu:22.04 AS mysql
+RUN addgroup -gid 72 client
+RUN useradd -u 72 -g client client
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt update && apt install postgresql mysql-client -y
+
+RUN mkdir -p /run/client/certs
+COPY ./postgres-connect.sh /run/client/postgres-connect.sh
+COPY ./mysql-connect.sh /run/client/mysql-connect.sh
+COPY ./assert.sh /run/client/assert.sh
+
+RUN touch /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt
+RUN chmod +x /run/client/postgres-connect.sh /run/client/mysql-connect.sh /run/client/assert.sh
+RUN chmod 600 /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt
+RUN chown client:client \
+    /run/client/postgres-connect.sh \
+    /run/client/mysql-connect.sh \
+    /run/client/assert.sh \
+    /run/client/certs/svid.crt \
+    /run/client/certs/svid.key \
+    /run/client/certs/root.crt
+
+USER root
+COPY --from=it-spiffe-helper /service/spiffe-helper /opt/helper/spiffe-helper
+COPY --from=builder /service/client /opt/go-client/client
diff --git a/.github/tests/it/client/assert.sh b/.github/tests/it/client/assert.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "SVID updated"
diff --git a/.github/tests/it/client/client.go b/.github/tests/it/client/client.go
@@ -0,0 +1,77 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io"
+	"log"
+	"net/http"
+	"os"
+)
+
+func main() {
+	cert, err := tls.LoadX509KeyPair("/run/client/certs/svid.crt", "/run/client/certs/svid.key")
+	if err != nil {
+		log.Println(err)
+		os.Exit(1)
+	}
+
+	ca, err := os.ReadFile("/run/client/certs/root.crt")
+	if err != nil {
+		log.Println(err)
+		os.Exit(1)
+	}
+	caPool := x509.NewCertPool()
+	caPool.AppendCertsFromPEM(ca)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				RootCAs:      caPool,
+				Certificates: []tls.Certificate{cert},
+			},
+		},
+	}
+
+	var r *http.Response
+	var body []byte
+
+	if os.Args[1] == "0" {
+		r, err = client.Get("https://go-server:8080/getMail")
+		if err != nil {
+			log.Println(err)
+			if r != nil {
+				r.Body.Close()
+			}
+			os.Exit(1)
+		}
+		body, err = io.ReadAll(r.Body)
+		r.Body.Close()
+		if err != nil {
+			log.Println(err)
+			os.Exit(1)
+		}
+	} else {
+		r, err = http.Get("https://go-server:8080/getMail")
+		if err != nil {
+			log.Println(err)
+			if r != nil {
+				r.Body.Close()
+			}
+			os.Exit(1)
+		}
+		body, err = io.ReadAll(r.Body)
+		r.Body.Close()
+		if err != nil {
+			log.Println(err)
+			os.Exit(1)
+		}
+	}
+
+	if string(body) == "[email protected]" {
+		os.Exit(0)
+	} else {
+		os.Exit(1)
+	}
+}
diff --git a/.github/tests/it/client/helper.conf b/.github/tests/it/client/helper.conf
@@ -0,0 +1,8 @@
+agentAddress = "/var/run/api.sock"
+cmd = "/run/client/assert.sh"
+cmdArgs = ""
+certDir = "/run/client/certs/"
+renewSignal = "SIGUSR1"
+svidFileName = "svid.crt"
+svidKeyFileName = "svid.key"
+svidBundleFileName = "root.crt"
diff --git a/.github/tests/it/client/mysql-connect.sh b/.github/tests/it/client/mysql-connect.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+query () {
+    # Directory to store the certificate, key and bundle fetched from the Workload API
+    SVIDS_DIR=/run/client/certs
+
+    # Connect to mysql using the certificates fetched
+    mysql -h mysql-db -u $1 --ssl-key $SVIDS_DIR/svid.key --ssl-cert $SVIDS_DIR/svid.crt --ssl-ca $SVIDS_DIR/root.crt -e "SELECT * FROM test_db.mail;" 2>/dev/null
+}
+
+query $1
diff --git a/.github/tests/it/client/postgres-connect.sh b/.github/tests/it/client/postgres-connect.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+query () {
+    # Directory to store the certificate, key and bundle fetched from the Workload API
+    SVIDS_DIR=/run/client/certs
+
+    # Connect to postgres using the certificates fetched
+    psql "port=5432 host=postgres-db user=$1 dbname=test_db sslcert=$SVIDS_DIR/svid.crt sslkey=$SVIDS_DIR/svid.key sslrootcert=$SVIDS_DIR/root.crt sslmode=verify-ca" -c "SELECT * FROM mail;" 2>/dev/null
+}
+
+query $1