From 8a8168b5ad9cd2ef2675edea61a3facf29d81634 Mon Sep 17 00:00:00 2001
From: Thiago Valverde de Souza
Date: Mon, 5 Aug 2024 11:51:43 -0300
Subject: [PATCH 1/4] Add integration test for GetAuthorizedEntries RPC including join token and alias entry creation
Signed-off-by: Thiago Valverde de Souza d Please enter the commit message for your changes. Lines starting
---
 ...get_authorized_entries_integration_test.go | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 test/integration/get_authorized_entries_integration_test.go
diff --git a/test/integration/get_authorized_entries_integration_test.go b/test/integration/get_authorized_entries_integration_test.go
new file mode 100644
index 0000000000..a64bf71479
--- /dev/null
+++ b/test/integration/get_authorized_entries_integration_test.go
@@ -0,0 +1,60 @@
+package integration
+
+import (
+ "context"
+ "testing"
+ "time"
+
+ "github.com/spiffe/spire/pkg/common/pb"
+ "github.com/spiffe/spire/test/integration/setup"
+ "github.com/stretchr/testify/require"
+)
+
+func TestGetAuthorizedEntries(t *testing.T) {
+ // Setup SPIRE server and agent
+ srv := setup.NewSpireServer(t)
+ defer srv.Stop()
+
+ agent := setup.NewSpireAgent(t, srv)
+ defer agent.Stop()
+
+ // Create a Join Token
+ joinToken := "test-join-token"
+ _, err := srv.CreateJoinToken(&pb.JoinToken{
+ Token: joinToken,
+ Ttl: 600, // Token validity in seconds
+ })
+ require.NoError(t, err)
+
+ // Attest the agent using the join token
+ err = agent.AttestWithJoinToken(joinToken)
+ require.NoError(t, err)
+
+ // Create a Node-Alias-based registration entry
+ parentID := "spiffe://example/spire/agent/tpm/xxxxx"
+ spiffeID := "spiffe://example/nodename/foo"
+ _, err = srv.CreateRegistrationEntry(&pb.RegistrationEntry{
+ ParentId: parentID,
+ SpiffeId: spiffeID,
+ Selectors: []*pb.Selector{
+ {Type: "tpm", Value: "pub_hash:xxxxx"},
+ },
+ })
+ require.NoError(t, err)
+
+ // Enable event-driven cache validation on SPIRE server
+ srv.EnableEventDrivenCacheValidation()
+
+ // Wait for the cache to update
+ time.Sleep(2 * time.Second)
+
+ // Test the GetAuthorizedEntries RPC
+ client := srv.NewClient()
+ resp, err := client.GetAuthorizedEntries(context.Background(), &pb.GetAuthorizedEntriesRequest{})
+ require.NoError(t, err)
+
+ // Validate the response
+ require.NotNil(t, resp)
+ require.Len(t, resp.Entries, 1)
+ require.Equal(t, spiffeID, resp.Entries[0].SpiffeId)
+}
From bced4a6a72fc1262de2d4fd9ffcb1896ab90f221 Mon Sep 17 00:00:00 2001
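Review bot: The entry created with `ParentId: parentID` hangs off a hard-coded `tpm` agent ID with a `tpm` selector, while the only agent attested in this test is the join-token one, so unless the `setup` helpers do something not visible here, `require.Len(t, resp.Entries, 1)` asserts that an entry this agent was never authorized for is returned; a node-alias entry would instead carry the server's ID as parent and a node selector that matches the attested agent. `time.Sleep(2 * time.Second)` is a fixed delay rather than a readiness check, so the test is timing-dependent; polling `GetAuthorizedEntries` until the entry appears, with a deadline, would be more robust. The `setup` package and the `pb` message types are imported from paths that are not part of this patch, so I cannot confirm they exist in the tree.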
From: Thiago Valverde de Souza
Date: Sun, 18 Aug 2024 17:44:47 -0300
Subject: [PATCH 2/4] Changing get-authorized-entities test to the standard sh integration test
---
 ...get_authorized_entries_integration_test.go | 60 -------------------
 .../get-authorized-entries/00-gen-files.sh | 51 ++++++++++++++++
 .../suites/get-authorized-entries/01-setup.sh | 19 ++++++
 .../02-create_registration.sh | 5 ++
 .../suites/get-authorized-entries/README.md | 35 +++++++++++
 .../conf/agent/agent.conf | 31 ++++++++++
 .../conf/server/server.conf | 26 ++++++++
 .../suites/get-authorized-entries/teardown | 24 ++++++++
 8 files changed, 191 insertions(+), 60 deletions(-)
 delete mode 100644 test/integration/get_authorized_entries_integration_test.go
 create mode 100755 test/integration/suites/get-authorized-entries/00-gen-files.sh
 create mode 100755 test/integration/suites/get-authorized-entries/01-setup.sh
 create mode 100755 test/integration/suites/get-authorized-entries/02-create_registration.sh
 create mode 100644 test/integration/suites/get-authorized-entries/README.md
 create mode 100644 test/integration/suites/get-authorized-entries/conf/agent/agent.conf
 create mode 100644 test/integration/suites/get-authorized-entries/conf/server/server.conf
 create mode 100755 test/integration/suites/get-authorized-entries/teardown
diff --git a/test/integration/get_authorized_entries_integration_test.go b/test/integration/get_authorized_entries_integration_test.go
deleted file mode 100644
index a64bf71479..0000000000
--- a/test/integration/get_authorized_entries_integration_test.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package integration
-
-import (
- "context"
- "testing"
- "time"
-
- "github.com/spiffe/spire/pkg/common/pb"
- "github.com/spiffe/spire/test/integration/setup"
- "github.com/stretchr/testify/require"
-)
-
-func TestGetAuthorizedEntries(t *testing.T) {
- // Setup SPIRE server and agent
- srv := setup.NewSpireServer(t)
- defer srv.Stop()
-
- agent := setup.NewSpireAgent(t, srv)
- defer agent.Stop()
-
- // Create a Join Token
- joinToken := "test-join-token"
- _, err := srv.CreateJoinToken(&pb.JoinToken{
- Token: joinToken,
- Ttl: 600, // Token validity in seconds
- })
- require.NoError(t, err)
-
- // Attest the agent using the join token
- err = agent.AttestWithJoinToken(joinToken)
- require.NoError(t, err)
-
- // Create a Node-Alias-based registration entry
- parentID := "spiffe://example/spire/agent/tpm/xxxxx"
- spiffeID := "spiffe://example/nodename/foo"
- _, err = srv.CreateRegistrationEntry(&pb.RegistrationEntry{
- ParentId: parentID,
- SpiffeId: spiffeID,
- Selectors: []*pb.Selector{
- {Type: "tpm", Value: "pub_hash:xxxxx"},
- },
- })
- require.NoError(t, err)
-
- // Enable event-driven cache validation on SPIRE server
- srv.EnableEventDrivenCacheValidation()
-
- // Wait for the cache to update
- time.Sleep(2 * time.Second)
-
- // Test the GetAuthorizedEntries RPC
- client := srv.NewClient()
- resp, err := client.GetAuthorizedEntries(context.Background(), &pb.GetAuthorizedEntriesRequest{})
- require.NoError(t, err)
-
- // Validate the response
- require.NotNil(t, resp)
- require.Len(t, resp.Entries, 1)
- require.Equal(t, spiffeID, resp.Entries[0].SpiffeId)
-}
diff --git a/test/integration/suites/get-authorized-entries/00-gen-files.sh b/test/integration/suites/get-authorized-entries/00-gen-files.sh
new file mode 100755
index 0000000000..1d4f77b62d
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/00-gen-files.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Define directories
+BASE_DIR="/opt/spire/conf"
+SERVER_DIR="${BASE_DIR}/server"
+AGENT_DIR="${BASE_DIR}/agent"
+
+# Create necessary directories
+mkdir -p "${SERVER_DIR}"
+mkdir -p "${AGENT_DIR}"
+
+# Generate Root CA Certificate and Key
+echo "Generating Root CA certificate and key..."
+openssl genrsa -out root-ca.key 2048
+openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA"
+
+# Generate Server Certificate and Key
+echo "Generating Server certificate and key..."
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server"
+openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365
+
+# Generate Agent Certificate and Key
+echo "Generating Agent certificate and key..."
+openssl genrsa -out agent.key 2048
+openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent"
+openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365
+
+# Create Trust Bundles
+echo "Creating trust bundles..."
+cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"
+cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt"
+
+# Combine Certificates and Keys
+echo "Creating combined certificate files..."
+cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"
+cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"
+
+# Create Combined Key and Certificate Files
+echo "Creating combined key and certificate files..."
+cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem"
+cat server.key server.crt > "${SERVER_DIR}/server.key.pem"
+
+# Clean up intermediate files
+echo "Cleaning up..."
+rm server.key server.csr server.crt agent.key agent.csr agent.crt
+
+echo "Certificate files generated and placed in ${BASE_DIR}."
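Review bot: `cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"` and `cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"` place the private key inside the file that agent.conf later uses as `certificate_path`, so each key now lives in two files, one of them named as if it were shareable; write the certificate alone there and keep the key only in the `.key.pem` file. `cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"` likewise adds the server's leaf certificate to the bundle used as `ca_bundle_path`, which the server does not need in order to accept agent certificates issued by the root. `rm server.key server.csr server.crt agent.key agent.csr agent.crt` leaves `root-ca.key`, `root-ca.crt` and the serial file created by `-CAcreateserial` in the working directory, and every key is written with the default umask; an `umask 077` near the top and removing `root-ca.key` in the cleanup would close that. `01-setup.sh` in the same commit also runs `"${ROOTDIR}/setup/x509pop/setup.sh"` into conf directories, so it is unclear which set of credentials is meant to be authoritative.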
diff --git a/test/integration/suites/get-authorized-entries/01-setup.sh b/test/integration/suites/get-authorized-entries/01-setup.sh
new file mode 100755
index 0000000000..88b3385cfe
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/01-setup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
+
+"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
+"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
+
+
+echo "Starting SPIRE server..."
+spire-server run -config conf/server/server.conf &
+SERVER_PID=$!
+sleep 5
+
+echo "Starting SPIRE agent..."
+spire-agent run -config conf/agent/agent.conf &
+AGENT_PID=$!
+sleep 5
\ No newline at end of file
diff --git a/test/integration/suites/get-authorized-entries/02-create_registration.sh b/test/integration/suites/get-authorized-entries/02-create_registration.sh
new file mode 100755
index 0000000000..46a81d2446
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/02-create_registration.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+
+echo "Creating Node-Alias registration entry..."
+spire-server entry create -spiffeID spiffe://example.org/workload -parentID spiffe://example.org/spire/agent/x509pop/agent1 -selector "node-alias:node-alias-value"
diff --git a/test/integration/suites/get-authorized-entries/README.md b/test/integration/suites/get-authorized-entries/README.md
new file mode 100644
index 0000000000..e53cc87741
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/README.md
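Review bot: `SERVER_PID=$!` and `AGENT_PID=$!` are captured but never used, and the companion `teardown` in this commit instead stops whatever `pgrep spire-server` finds on the host, so a run cannot be cleaned up precisely; either persist the PIDs somewhere the teardown reads them from, or drop the variables. The two `sleep 5` lines are fixed delays rather than readiness checks, so the agent may start before the server is listening and the next step may run before attestation has completed; polling the server's health or log output with a deadline would be more reliable. Separately, `agent.conf` in this commit sets `server_address = "spire-server"`, but nothing here starts a container or resolves that name, so the agent launched by `spire-agent run -config conf/agent/agent.conf &` presumably cannot reach the server unless the host resolves it.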
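Review bot: `-parentID spiffe://example.org/spire/agent/x509pop/agent1` in the `spire-server entry create` line is a hand-written agent ID, whereas an x509pop-attested agent's ID is derived from its certificate, so the entry is unlikely to be authorized for the agent this suite attests; derive the parent from the agent certificate's fingerprint instead. A node-alias entry also uses the server's SPIFFE ID as parent together with a node selector, so `-selector "node-alias:node-alias-value"` does not create an alias as the `echo "Creating Node-Alias registration entry..."` line claims; either create a real alias or reword the message.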
@@ -0,0 +1,35 @@
+# Integration Test Suite: Get Authorized Entries
+
+This test suite validates the functionality of getting authorized entries from the SPIRE server. It includes setup, execution, and cleanup of the test environment.
+
+## Overview
+
+The "Get Authorized Entries" test suite ensures that the SPIRE server and agent are correctly configured to handle and authorize entries. The suite involves setting up SPIRE, creating registration entries, running the test, and cleaning up after the test.
+
+## Test Steps
+
+1. **Setup (`01-setup.sh`)**
+ - Generates required certificates and keys.
+ - Starts the SPIRE server and agent.
+
+2. **Create Registration (`02-create_registration.sh`)**
+ - Creates necessary registration entries for testing.
+
+3**Teardown (`teardown`)**
+ - Stops the SPIRE server and agent.
+ - Cleans up any remaining artifacts.
+
+## Prerequisites
+
+- Ensure you have SPIRE installed and configured.
+- The `spire-server` and `spire-agent` binaries should be in your `PATH`.
+- Ensure Docker and Rancher are installed if applicable for your environment.
+
+## Running the Tests
+
+1. **Run the Test Suite**
+
+ To execute the test suite, run the following command:
+
+ ```bash
+ sudo ./test/integration/suites/get-authorized-entries/test.sh
diff --git a/test/integration/suites/get-authorized-entries/conf/agent/agent.conf b/test/integration/suites/get-authorized-entries/conf/agent/agent.conf
new file mode 100644
index 0000000000..ae7cd42947
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/conf/agent/agent.conf
@@ -0,0 +1,31 @@
+agent {
+ data_dir = "/opt/spire/data/agent"
+ log_level = "DEBUG"
+ server_address = "spire-server"
+ server_port = "8081"
+ socket_path = "/tmp/spire-agent/public/api.sock"
+ trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+ trust_domain = "example.org"
+ admin_socket_path = "/opt/debug.sock"
+ experimental {
+ x509_svid_cache_max_size = 8
+ }
+}
+
+plugins {
+ NodeAttestor "x509pop" {
+ plugin_data {
+ private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+ certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+ }
+ }
+ KeyManager "disk" {
+ plugin_data {
+ directory = "/opt/spire/data/agent"
+ }
+ }
+ WorkloadAttestor "unix" {
+ plugin_data {
+ }
+ }
+}
diff --git a/test/integration/suites/get-authorized-entries/conf/server/server.conf b/test/integration/suites/get-authorized-entries/conf/server/server.conf
new file mode 100644
index 0000000000..6eb500fd24
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/conf/server/server.conf
@@ -0,0 +1,26 @@
+server {
+ bind_address = "0.0.0.0"
+ bind_port = "8081"
+ trust_domain = "example.org"
+ data_dir = "/opt/spire/data/server"
+ log_level = "DEBUG"
+ ca_ttl = "1h"
+ default_x509_svid_ttl = "10m"
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "/opt/spire/data/server/datastore.sqlite3"
+ }
+ }
+ NodeAttestor "x509pop" {
+ plugin_data {
+ ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+ }
+ }
+ KeyManager "memory" {
+ plugin_data = {}
+ }
+}
diff --git a/test/integration/suites/get-authorized-entries/teardown b/test/integration/suites/get-authorized-entries/teardown
new file mode 100755
index 0000000000..1e396dfe6f
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/teardown
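Review bot: `bind_address = "0.0.0.0"` in server.conf exposes the server API on every interface of whatever host runs `spire-server run -config conf/server/server.conf` from `01-setup.sh`, which in this commit is the developer's or CI machine rather than a container; `127.0.0.1` is enough while server and agent share a host, and the wildcard only becomes necessary once they are split into containers. `ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"` and the agent's `trust_bundle_path`/`private_key_path` point at files under `/opt/spire/conf` that `00-gen-files.sh` builds, while `01-setup.sh` runs `"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent` relative to the suite directory, so it is unclear which generated credentials the server and agent will actually load.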
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+echo "Bringing down services..."
+
+# Stop the SPIRE server
+if pgrep spire-server > /dev/null; then
+ echo "Stopping SPIRE server..."
+ sudo kill -9 $(pgrep spire-server) || true
+fi
+
+# Stop the SPIRE agent
+if pgrep spire-agent > /dev/null; then
+ echo "Stopping SPIRE agent..."
+ sudo kill -9 $(pgrep spire-agent) || true
+fi
+
+# Remove temporary directories if needed
+echo "Cleaning up..."
+rm -rf /opt/spire/data
+rm -rf /opt/spire/conf
+
+echo "Teardown complete."
From ad281c4c812a1a3f0052c7875e43d37d62f66ab9 Mon Sep 17 00:00:00 2001
From: Thiago Valverde de Souza
Date: Wed, 21 Aug 2024 23:32:51 -0300
Subject: [PATCH 3/4] Addressing PR comments
---
 .../02-create_registration.sh | 6 +++++-
 .../03-assert-entities-created.sh | 17 +++++++++++++++++
 .../suites/get-authorized-entries/README.md | 7 +++++--
 3 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100755 test/integration/suites/get-authorized-entries/03-assert-entities-created.sh
diff --git a/test/integration/suites/get-authorized-entries/02-create_registration.sh b/test/integration/suites/get-authorized-entries/02-create_registration.sh
index 46a81d2446..f09a8ec299 100755
--- a/test/integration/suites/get-authorized-entries/02-create_registration.sh
+++ b/test/integration/suites/get-authorized-entries/02-create_registration.sh
@@ -2,4 +2,8 @@
 set -e
 echo "Creating Node-Alias registration entry..."
-spire-server entry create -spiffeID spiffe://example.org/workload -parentID spiffe://example.org/spire/agent/x509pop/agent1 -selector "node-alias:node-alias-value"
+spire-server entry create -spiffeID spiffe://example.org/workload -parentID spiffe://example.org/spire/agent/x509pop/agent1 -selector "node-alias:node-alias-value" &
+ENTRY_PID=$!
+
+# Wait for the entry creation process to finish
+wait $ENTRY_PID
\ No newline at end of file
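Review bot: `sudo kill -9 $(pgrep spire-server)` and the matching agent line stop every process on the host whose name matches, not only the ones this suite started, and SIGKILL skips the agent's shutdown so its socket and data directory are left behind; `01-setup.sh` already has the PIDs in `SERVER_PID`/`AGENT_PID`, so persisting those and sending a plain `kill` (SIGTERM) to them would be both precise and graceful. `rm -rf /opt/spire/data` and `rm -rf /opt/spire/conf` delete a system-wide path that may belong to a real installation on the developer's or CI host; the suite should keep its state under its own run directory. The `|| true` on the kill lines also hides a permission failure, after which the script still reports `Teardown complete.`.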
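Review bot: Backgrounding `spire-server entry create ... &` and immediately running `wait $ENTRY_PID` is equivalent to running the command in the foreground, so the change adds an `ENTRY_PID` variable and a `wait` without changing behaviour; the foreground form is simpler and `set -e` still aborts on a non-zero exit. If the intent was to tolerate a server that is not yet accepting API calls, a retry loop around the command would express that; as written the step still fails in that case. The hand-written `-parentID spiffe://example.org/spire/agent/x509pop/agent1` is untouched by this commit and still does not match an x509pop-attested agent's certificate-derived ID.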
diff --git a/test/integration/suites/get-authorized-entries/03-assert-entities-created.sh b/test/integration/suites/get-authorized-entries/03-assert-entities-created.sh
new file mode 100755
index 0000000000..c17594390e
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/03-assert-entities-created.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+SPIFFE_ID="spiffe://example.org/workload"
+
+echo "Checking if entry with SPIFFE ID ${SPIFFE_ID} exists..."
+OUTPUT=$(spire-server entry show -spiffeID "${SPIFFE_ID}" 2>&1)
+
+if echo "$OUTPUT" | grep -q "Error"; then
+ echo "Error: Entry with SPIFFE ID ${SPIFFE_ID} not found."
+ exit 1
+else
+ echo "Entry with SPIFFE ID ${SPIFFE_ID} exists."
+fi
+
+echo "Entry checked successfully."
+exit 0
\ No newline at end of file
diff --git a/test/integration/suites/get-authorized-entries/README.md b/test/integration/suites/get-authorized-entries/README.md
index e53cc87741..12e7bec796 100644
--- a/test/integration/suites/get-authorized-entries/README.md
+++ b/test/integration/suites/get-authorized-entries/README.md
@@ -15,7 +15,10 @@ The "Get Authorized Entries" test suite ensures that the SPIRE server and agent
 2. **Create Registration (`02-create_registration.sh`)**
 - Creates necessary registration entries for testing.
-3**Teardown (`teardown`)**
+3. **Assert Entities Creation (`03-assert-entities-created.sh`)**
+ - Creates necessary registration entries for testing.
+
+4. **Teardown (`teardown`)**
 - Stops the SPIRE server and agent.
 - Cleans up any remaining artifacts.
@@ -32,4 +35,4 @@ The "Get Authorized Entries" test suite ensures that the SPIRE server and agent
 To execute the test suite, run the following command:
 ```bash
- sudo ./test/integration/suites/get-authorized-entries/test.sh
+ ./test/integration/test-one.sh ./test/integration/suites/get-authorized-entries\
From 4a862bb20c084c98ae614da72f337ea990198aa4 Mon Sep 17 00:00:00 2001
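Review bot: `if echo "$OUTPUT" | grep -q "Error"; then` cannot detect a missing entry, because `spire-server entry show -spiffeID ...` with no match exits successfully and, if I recall the CLI output correctly, reports a zero count rather than printing an error; match the count line instead (for example `grep -q "Found 0 entries"`) or compare the listed SPIFFE ID against `${SPIFFE_ID}`. Because `set -e` is on, a genuine failure of the `entry show` call aborts the script at `OUTPUT=$(...)` before the branch is reached, so the `exit 1` path with the `not found` message is effectively dead. The trailing `exit 0` is redundant under `set -e` and can go.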
From: Thiago Valverde de Souza
Date: Mon, 2 Sep 2024 22:06:58 -0300
Subject: [PATCH 4/4] Addressing PR comments
---
 .../get-authorized-entries/00-gen-files.sh | 51 ----------
 .../{01-setup.sh => 00-setup} | 13 ---
 .../get-authorized-entries/01-start-server | 3 +
 .../get-authorized-entries/02-bootstrap-agent | 5 +
 .../02-create_registration.sh | 9 --
 .../03-assert-entities-created.sh | 17 ----
 .../get-authorized-entries/03-start-agent | 3 +
 .../04-create_registration | 19 ++++
 .../05-assert-entities-created | 94 +++++++++++++++++++
 .../conf/agent/agent.conf | 4 +-
 .../conf/server/server.conf | 2 +-
 .../docker-compose.yaml | 14 +++
 .../suites/get-authorized-entries/teardown | 32 +++----
 13 files changed, 157 insertions(+), 109 deletions(-)
 delete mode 100755 test/integration/suites/get-authorized-entries/00-gen-files.sh
 rename test/integration/suites/get-authorized-entries/{01-setup.sh => 00-setup} (50%)
 create mode 100755 test/integration/suites/get-authorized-entries/01-start-server
 create mode 100755 test/integration/suites/get-authorized-entries/02-bootstrap-agent
 delete mode 100755 test/integration/suites/get-authorized-entries/02-create_registration.sh
 delete mode 100755 test/integration/suites/get-authorized-entries/03-assert-entities-created.sh
 create mode 100755 test/integration/suites/get-authorized-entries/03-start-agent
 create mode 100755 test/integration/suites/get-authorized-entries/04-create_registration
 create mode 100755 test/integration/suites/get-authorized-entries/05-assert-entities-created
 create mode 100644 test/integration/suites/get-authorized-entries/docker-compose.yaml
diff --git a/test/integration/suites/get-authorized-entries/00-gen-files.sh b/test/integration/suites/get-authorized-entries/00-gen-files.sh
deleted file mode 100755
index 1d4f77b62d..0000000000
--- a/test/integration/suites/get-authorized-entries/00-gen-files.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-
-# Exit on error
-set -e
-
-# Define directories
-BASE_DIR="/opt/spire/conf"
-SERVER_DIR="${BASE_DIR}/server"
-AGENT_DIR="${BASE_DIR}/agent"
-
-# Create necessary directories
-mkdir -p "${SERVER_DIR}"
-mkdir -p "${AGENT_DIR}"
-
-# Generate Root CA Certificate and Key
-echo "Generating Root CA certificate and key..."
-openssl genrsa -out root-ca.key 2048
-openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA"
-
-# Generate Server Certificate and Key
-echo "Generating Server certificate and key..."
-openssl genrsa -out server.key 2048
-openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server"
-openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365
-
-# Generate Agent Certificate and Key
-echo "Generating Agent certificate and key..."
-openssl genrsa -out agent.key 2048
-openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent"
-openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365
-
-# Create Trust Bundles
-echo "Creating trust bundles..."
-cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"
-cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt"
-
-# Combine Certificates and Keys
-echo "Creating combined certificate files..."
-cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"
-cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"
-
-# Create Combined Key and Certificate Files
-echo "Creating combined key and certificate files..."
-cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem"
-cat server.key server.crt > "${SERVER_DIR}/server.key.pem"
-
-# Clean up intermediate files
-echo "Cleaning up..."
-rm server.key server.csr server.crt agent.key agent.csr agent.crt
-
-echo "Certificate files generated and placed in ${BASE_DIR}."
diff --git a/test/integration/suites/get-authorized-entries/01-setup.sh b/test/integration/suites/get-authorized-entries/00-setup
similarity index 50%
rename from test/integration/suites/get-authorized-entries/01-setup.sh
rename to test/integration/suites/get-authorized-entries/00-setup
index 88b3385cfe..c1fb18218e 100755
--- a/test/integration/suites/get-authorized-entries/01-setup.sh
+++ b/test/integration/suites/get-authorized-entries/00-setup
@@ -1,19 +1,6 @@
 #!/bin/bash
-set -e
-
 "${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
 "${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
 "${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
-
-
-echo "Starting SPIRE server..."
-spire-server run -config conf/server/server.conf &
-SERVER_PID=$!
-sleep 5
-
-echo "Starting SPIRE agent..."
-spire-agent run -config conf/agent/agent.conf &
-AGENT_PID=$!
-sleep 5
\ No newline at end of file
diff --git a/test/integration/suites/get-authorized-entries/01-start-server b/test/integration/suites/get-authorized-entries/01-start-server
new file mode 100755
index 0000000000..a3e999b264
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/01-start-server
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker-up spire-server
diff --git a/test/integration/suites/get-authorized-entries/02-bootstrap-agent b/test/integration/suites/get-authorized-entries/02-bootstrap-agent
new file mode 100755
index 0000000000..8ee7d32c26
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/02-bootstrap-agent
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+log-debug "bootstrapping agent..."
+docker compose exec -T spire-server \
+ /opt/spire/bin/spire-server bundle show > conf/agent/bootstrap.crt
diff --git a/test/integration/suites/get-authorized-entries/02-create_registration.sh b/test/integration/suites/get-authorized-entries/02-create_registration.sh
deleted file mode 100755
index f09a8ec299..0000000000
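Review bot: The rename drops `set -e`, so a failure of `"${ROOTDIR}/setup/x509pop/setup.sh"` or of either `build.sh` no longer stops the step and the later steps run against missing certificates or debug clients; unless the harness executes each step with errexit already enabled, keep `set -e` as the second line of `00-setup`. The new `02-bootstrap-agent` on the same physical line has the same gap: if `docker compose exec -T spire-server ... bundle show` fails, the redirect still creates an empty `conf/agent/bootstrap.crt` and the agent later starts with an empty trust bundle, so add `set -e` there too, or check the exit status before the file is written.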
--- a/test/integration/suites/get-authorized-entries/02-create_registration.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-set -e
-
-echo "Creating Node-Alias registration entry..."
-spire-server entry create -spiffeID spiffe://example.org/workload -parentID spiffe://example.org/spire/agent/x509pop/agent1 -selector "node-alias:node-alias-value" &
-ENTRY_PID=$!
-
-# Wait for the entry creation process to finish
-wait $ENTRY_PID
\ No newline at end of file
diff --git a/test/integration/suites/get-authorized-entries/03-assert-entities-created.sh b/test/integration/suites/get-authorized-entries/03-assert-entities-created.sh
deleted file mode 100755
index c17594390e..0000000000
--- a/test/integration/suites/get-authorized-entries/03-assert-entities-created.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-set -e
-
-SPIFFE_ID="spiffe://example.org/workload"
-
-echo "Checking if entry with SPIFFE ID ${SPIFFE_ID} exists..."
-OUTPUT=$(spire-server entry show -spiffeID "${SPIFFE_ID}" 2>&1)
-
-if echo "$OUTPUT" | grep -q "Error"; then
- echo "Error: Entry with SPIFFE ID ${SPIFFE_ID} not found."
- exit 1
-else
- echo "Entry with SPIFFE ID ${SPIFFE_ID} exists."
-fi
-
-echo "Entry checked successfully."
-exit 0
\ No newline at end of file
diff --git a/test/integration/suites/get-authorized-entries/03-start-agent b/test/integration/suites/get-authorized-entries/03-start-agent
new file mode 100755
index 0000000000..ac36d05f0d
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/03-start-agent
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker-up spire-agent
diff --git a/test/integration/suites/get-authorized-entries/04-create_registration b/test/integration/suites/get-authorized-entries/04-create_registration
new file mode 100755
index 0000000000..58e477c218
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/04-create_registration
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+SIZE=10
+
+# Create entries for uid 1001
+for ((m=1;m<=$SIZE;m++)); do
+ log-debug "creating registration entry: $m"
+ docker compose exec -T spire-server \
+ /opt/spire/bin/spire-server entry create \
+ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \
+ -spiffeID "spiffe://domain.test/workload-$m" \
+ -selector "unix:uid:1001" \
+ -ttl 0 &
+done
+
+for ((m=1;m<=$SIZE;m++)); do
+ check-synced-entry "spire-agent" "spiffe://domain.test/workload-$m"
+done
\ No newline at end of file
diff --git a/test/integration/suites/get-authorized-entries/05-assert-entities-created b/test/integration/suites/get-authorized-entries/05-assert-entities-created
new file mode 100755
index 0000000000..e9d31bd801
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/05-assert-entities-created
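Review bot: Each `spire-server entry create ... -ttl 0 &` runs in the background, and `set -e` does not observe the exit status of backgrounded jobs, so a failed create is silently dropped and only surfaces later as a `check-synced-entry` timeout with no indication of the cause; add `wait` after the first `done` so the step fails where the error happens. The comment `# Create entries for uid 1001` and the `-selector "unix:uid:1001"` describe workload entries parented to the agent, not the node-alias entry the PR title and the README describe, so either the description or the entries should change. `agent.conf` keeps `x509_svid_cache_max_size = 8` while `SIZE=10` entries are created; I cannot tell from here whether the sync check depends on SVIDs being cached, but it is worth confirming the limit cannot make the check flaky.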
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# Ensure the script exits on errors
+set -e
+
+# Variables
+SPIRE_SERVER="http://localhost:8081"
+EXPECTED_SVID="spiffe://domain.test/workload"
+RETRY_COUNT=10
+RETRY_DELAY=2 # Seconds to wait between retries
+SIZE=10
+
+# Function to list entries
+list_entries() {
+ local response
+
+ response=$(curl -s -X GET "$SPIRE_SERVER/v1/entries")
+
+ echo "$response"
+}
+
+# Function to call GetAuthorizedEntries
+call_get_authorized_entries() {
+ local response
+
+ response=$(curl -s -X POST "$SPIRE_SERVER/v1/entries/authorized" -H "Content-Type: application/json" -d '{}')
+
+ echo "$response"
+}
+
+# Function to verify the GetAuthorizedEntries response
+verify_get_authorized_entries() {
+ local response=$1
+
+ for ((m=1;m<=$SIZE;m++)); do
+
+ if echo "$response" | grep -q "$EXPECTED_SVID-$m"; then
+ echo "GetAuthorizedEntries response includes expected SVID $EXPECTED_SVID."
+ return 0
+ else
+ echo "GetAuthorizedEntries response does not include expected SVID $EXPECTED_SVID."
+ echo "Response details:"
+ echo "$response"
+ return 1
+ fi
+ done
+}
+
+# Function to verify registration entry
+verify_registration_entry() {
+ local response
+
+ response=$(list_entries)
+
+ if echo "$response" | grep -q "$EXPECTED_SVID"; then
+ echo "Registration entry with SVID $EXPECTED_SVID exists."
+ return 0
+ else
+ echo "Registration entry with SVID $EXPECTED_SVID does not exist."
+ echo "Entries details:"
+ echo "$response"
+ return 1
+ fi
+}
+
+# Prepare the test data
+echo "Setting up test data..."
+# (Include any commands to set up test data here)
+
+# Verify the registration entry
+echo "Verifying registration entry..."
+if ! verify_registration_entry; then
+ echo "Registration entry verification failed."
+ exit 1
+fi
+
+# Wait for the entries to become available
+echo "Waiting for entries to become available..."
+attempt=0
+while [ $attempt -lt $RETRY_COUNT ]; do
+ response=$(call_get_authorized_entries)
+
+ if verify_get_authorized_entries "$response"; then
+ echo "Test passed!"
+ exit 0
+ fi
+
+ attempt=$((attempt + 1))
+ echo "Entries not available yet. Waiting for $RETRY_DELAY seconds... (Attempt $attempt)"
+ sleep $RETRY_DELAY
+done
+
+echo "Failed to verify entries after $RETRY_COUNT attempts."
+exit 1
diff --git a/test/integration/suites/get-authorized-entries/conf/agent/agent.conf b/test/integration/suites/get-authorized-entries/conf/agent/agent.conf
index ae7cd42947..bdbc803a95 100644
--- a/test/integration/suites/get-authorized-entries/conf/agent/agent.conf
+++ b/test/integration/suites/get-authorized-entries/conf/agent/agent.conf
@@ -3,9 +3,9 @@ agent {
 log_level = "DEBUG"
 server_address = "spire-server"
 server_port = "8081"
- socket_path = "/tmp/spire-agent/public/api.sock"
+ socket_path = "/opt/spire/sockets/workload_api.sock"
 trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
- trust_domain = "example.org"
+ trust_domain = "domain.test"
 admin_socket_path = "/opt/debug.sock"
 experimental {
 x509_svid_cache_max_size = 8
diff --git a/test/integration/suites/get-authorized-entries/conf/server/server.conf b/test/integration/suites/get-authorized-entries/conf/server/server.conf
index 6eb500fd24..b6b82f9371 100644
--- a/test/integration/suites/get-authorized-entries/conf/server/server.conf
+++ b/test/integration/suites/get-authorized-entries/conf/server/server.conf
@@ -1,7 +1,7 @@
 server {
 bind_address = "0.0.0.0"
 bind_port = "8081"
- trust_domain = "example.org"
+ trust_domain = "domain.test"
 data_dir = "/opt/spire/data/server"
 log_level = "DEBUG"
 ca_ttl = "1h"
diff --git a/test/integration/suites/get-authorized-entries/docker-compose.yaml b/test/integration/suites/get-authorized-entries/docker-compose.yaml
new file mode 100644
index 0000000000..288be5fd27
--- /dev/null
+++ b/test/integration/suites/get-authorized-entries/docker-compose.yaml
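Review bot: `SPIRE_SERVER="http://localhost:8081"` together with `curl -s -X GET "$SPIRE_SERVER/v1/entries"` and `curl -s -X POST "$SPIRE_SERVER/v1/entries/authorized"` targets endpoints the server does not serve: `bind_port = "8081"` in server.conf is the gRPC API, there is no HTTP `/v1/entries` route, and the server runs in a container whose docker-compose.yaml publishes no ports, so `localhost:8081` is unreachable from the host and, under `set -e`, the first failed `response=$(curl ...)` aborts the script before any retry happens. `GetAuthorizedEntries` is an agent-authenticated RPC, so the place to observe it is the agent side, which `check-synced-entry` in `04-create_registration` already does; `verify_get_authorized_entries` also returns inside the first iteration of `for ((m=1;m<=$SIZE;m++))`, so only `workload-1` would ever be checked, and `# (Include any commands to set up test data here)` is a placeholder that should go. I would drop `call_get_authorized_entries`, have `list_entries` use the server CLI inside the container, and make `verify_get_authorized_entries` loop over the agent-side check, assuming `check-synced-entry` behaves as it does in `04-create_registration`; the rewritten parts are below and the retry loop is kept.
```shell
# … unchanged: set -e, EXPECTED_SVID, RETRY_COUNT, RETRY_DELAY, SIZE …

# Talk to the server through its CLI inside the container; port 8081 is gRPC, not HTTP.
list_entries() {
    docker compose exec -T spire-server /opt/spire/bin/spire-server entry show
}

# GetAuthorizedEntries is answered per agent, so observe it from the agent side, one entry at a time.
verify_get_authorized_entries() {
    for ((m=1;m<=SIZE;m++)); do
        check-synced-entry "spire-agent" "$EXPECTED_SVID-$m" || return 1
    done
}

# … unchanged: verify_registration_entry and the "Verifying registration entry" block …

attempt=0
while [ $attempt -lt $RETRY_COUNT ]; do
    if verify_get_authorized_entries; then
        echo "Test passed!"
        exit 0
    fi
    # … unchanged: attempt increment, message and sleep …
done
```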
@@ -0,0 +1,14 @@
+services:
+ spire-server:
+ image: spire-server:latest-local
+ hostname: spire-server
+ volumes:
+ - ./conf/server:/opt/spire/conf/server
+ command: ["-config", "/opt/spire/conf/server/server.conf"]
+ spire-agent:
+ image: spire-agent:latest-local
+ hostname: spire-agent
+ depends_on: ["spire-server"]
+ volumes:
+ - ./conf/agent:/opt/spire/conf/agent
+ command: ["-config", "/opt/spire/conf/agent/agent.conf"]
diff --git a/test/integration/suites/get-authorized-entries/teardown b/test/integration/suites/get-authorized-entries/teardown
index 1e396dfe6f..0bb73d69ba 100755
--- a/test/integration/suites/get-authorized-entries/teardown
+++ b/test/integration/suites/get-authorized-entries/teardown
@@ -4,21 +4,21 @@ set -e
 echo "Bringing down services..."
-# Stop the SPIRE server
-if pgrep spire-server > /dev/null; then
- echo "Stopping SPIRE server..."
- sudo kill -9 $(pgrep spire-server) || true
-fi
-
-# Stop the SPIRE agent
-if pgrep spire-agent > /dev/null; then
- echo "Stopping SPIRE agent..."
- sudo kill -9 $(pgrep spire-agent) || true
-fi
-
-# Remove temporary directories if needed
-echo "Cleaning up..."
-rm -rf /opt/spire/data
-rm -rf /opt/spire/conf
+## Stop the SPIRE server
+#if pgrep spire-server > /dev/null; then
+# echo "Stopping SPIRE server..."
+# sudo kill -9 $(pgrep spire-server) || true
+#fi
+#
+## Stop the SPIRE agent
+#if pgrep spire-agent > /dev/null; then
+# echo "Stopping SPIRE agent..."
+# sudo kill -9 $(pgrep spire-agent) || true
+#fi
+#
+## Remove temporary directories if needed
+#echo "Cleaning up..."
+#rm -rf /tmp/spire/data
+#rm -rf /tmp/spire/conf
 echo "Teardown complete."
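Review bot: Commenting out the whole cleanup block (from `+## Stop the SPIRE server` through `+#rm -rf /tmp/spire/conf`) leaves the teardown with nothing but two `echo` lines, so the containers started by `docker-up spire-server` and `docker-up spire-agent`, the `conf/agent/bootstrap.crt` written by `02-bootstrap-agent`, and the x509pop credentials generated in `00-setup` are never removed; delete the dead block rather than keep it as comments, and call the harness's container shutdown counterpart of `docker-up` here if one exists. The disabled block also now names `/tmp/spire/data` and `/tmp/spire/conf`, paths nothing in the suite writes to, which suggests it was edited after being turned off and would not do the right thing if re-enabled.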