spiffe · valverdethiago · Aug 5, 2024 · Aug 18, 2024 · Aug 18, 2024 · Aug 22, 2024
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
+
+"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
+"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker-up spire-server
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+log-debug "bootstrapping agent..."
+docker compose exec -T spire-server \
+    /opt/spire/bin/spire-server bundle show > conf/agent/bootstrap.crt
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker-up spire-agent
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+SIZE=10
+
+# Create entries for uid 1001
+for ((m=1;m<=$SIZE;m++)); do
+  log-debug "creating registration entry: $m"
+  docker compose exec -T spire-server \
+    /opt/spire/bin/spire-server entry create \
+    -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \
+    -spiffeID "spiffe://domain.test/workload-$m" \
+    -selector "unix:uid:1001" \
+    -ttl 0 &
+done
+
+for ((m=1;m<=$SIZE;m++)); do
+  check-synced-entry "spire-agent" "spiffe://domain.test/workload-$m"
+done
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# Ensure the script exits on errors
+set -e
+
+# Variables
+SPIRE_SERVER="http://localhost:8081"
+EXPECTED_SVID="spiffe://domain.test/workload"
+RETRY_COUNT=10
+RETRY_DELAY=2  # Seconds to wait between retries
+SIZE=10
+
+# Function to list entries
+list_entries() {
+    local response
+
+    response=$(curl -s -X GET "$SPIRE_SERVER/v1/entries")
+
+    echo "$response"
+}
+
+# Function to call GetAuthorizedEntries
+call_get_authorized_entries() {
+    local response
+
+    response=$(curl -s -X POST "$SPIRE_SERVER/v1/entries/authorized" -H "Content-Type: application/json" -d '{}')
+
+    echo "$response"
+}
+
+# Function to verify the GetAuthorizedEntries response
+verify_get_authorized_entries() {
+  local response=$1
+
+  for ((m=1;m<=$SIZE;m++)); do
+
+      if echo "$response" | grep -q "$EXPECTED_SVID-$m"; then
+          echo "GetAuthorizedEntries response includes expected SVID $EXPECTED_SVID."
+          return 0
+      else
+          echo "GetAuthorizedEntries response does not include expected SVID $EXPECTED_SVID."
+          echo "Response details:"
+          echo "$response"
+          return 1
+      fi
+  done
+}
+
+# Function to verify registration entry
+verify_registration_entry() {
+    local response
+
+    response=$(list_entries)
+
+    if echo "$response" | grep -q "$EXPECTED_SVID"; then
+        echo "Registration entry with SVID $EXPECTED_SVID exists."
+        return 0
+    else
+        echo "Registration entry with SVID $EXPECTED_SVID does not exist."
+        echo "Entries details:"
+        echo "$response"
+        return 1
+    fi
+}
+
+# Prepare the test data
+echo "Setting up test data..."
+# (Include any commands to set up test data here)
-# Prepare the test data
-echo "Setting up test data..."
-# (Include any commands to set up test data here)
-# Prepare the test data
-echo "Setting up test data..."
-# (Include any commands to set up test data here)
+
+# Verify the registration entry
+echo "Verifying registration entry..."
+if ! verify_registration_entry; then
+    echo "Registration entry verification failed."
+    exit 1
+fi
+
+# Wait for the entries to become available
+echo "Waiting for entries to become available..."
+attempt=0
+while [ $attempt -lt $RETRY_COUNT ]; do
+    response=$(call_get_authorized_entries)
+
+    if verify_get_authorized_entries "$response"; then
+        echo "Test passed!"
+        exit 0
+    fi
+
+    attempt=$((attempt + 1))
+    echo "Entries not available yet. Waiting for $RETRY_DELAY seconds... (Attempt $attempt)"
+    sleep $RETRY_DELAY
+done
+
+echo "Failed to verify entries after $RETRY_COUNT attempts."
+exit 1
@@ -0,0 +1,38 @@
+# Integration Test Suite: Get Authorized Entries
+
+This test suite validates the functionality of getting authorized entries from the SPIRE server. It includes setup, execution, and cleanup of the test environment.
+
+## Overview
+
+The "Get Authorized Entries" test suite ensures that the SPIRE server and agent are correctly configured to handle and authorize entries. The suite involves setting up SPIRE, creating registration entries, running the test, and cleaning up after the test.
+
+## Test Steps
+
+1. **Setup (`01-setup.sh`)**
+    - Generates required certificates and keys.
+    - Starts the SPIRE server and agent.
+
+2. **Create Registration (`02-create_registration.sh`)**
+    - Creates necessary registration entries for testing.
+
+3. **Assert Entities Creation (`03-assert-entities-created.sh`)**
+   - Creates necessary registration entries for testing.
-   - Creates necessary registration entries for testing.
+   - Checks necessary registration entries are retrieveable.
-   - Creates necessary registration entries for testing.
+   - Checks necessary registration entries are retrieveable.
+
+4. **Teardown (`teardown`)**
+    - Stops the SPIRE server and agent.
+    - Cleans up any remaining artifacts.
+
+## Prerequisites
+
+- Ensure you have SPIRE installed and configured.
+- The `spire-server` and `spire-agent` binaries should be in your `PATH`.
+- Ensure Docker and Rancher are installed if applicable for your environment.
+
+## Running the Tests
+
+1. **Run the Test Suite**
+
+   To execute the test suite, run the following command:
+
+   ```bash
+   ./test/integration/test-one.sh ./test/integration/suites/get-authorized-entries\
@@ -0,0 +1,31 @@
+agent {
+    data_dir = "/opt/spire/data/agent"
+    log_level = "DEBUG"
+    server_address = "spire-server"
+    server_port = "8081"
+    socket_path = "/opt/spire/sockets/workload_api.sock"
+    trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+    trust_domain = "domain.test"
+    admin_socket_path = "/opt/debug.sock"
+    experimental {
+        x509_svid_cache_max_size = 8
+    }
+}
+
+plugins {
+    NodeAttestor "x509pop" {
+        plugin_data {
+            private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+            certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+        }
+    }
+    KeyManager "disk" {
+        plugin_data {
+            directory = "/opt/spire/data/agent"
+        }
+    }
+    WorkloadAttestor "unix" {
+        plugin_data {
+        }
+    }
+}
@@ -0,0 +1,26 @@
+server {
+	bind_address = "0.0.0.0"
+	bind_port = "8081"
+	trust_domain = "domain.test"
+	data_dir = "/opt/spire/data/server"
+	log_level = "DEBUG"
+	ca_ttl = "1h"
+	default_x509_svid_ttl = "10m"
+}
+
+plugins {
+	DataStore "sql" {
+		plugin_data {
+			database_type = "sqlite3"
+			connection_string = "/opt/spire/data/server/datastore.sqlite3"
+		}
+	}
+	NodeAttestor "x509pop" {
+		plugin_data {
+			ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+		}
+	}
+	KeyManager "memory" {
+		plugin_data = {}
+	}
+}
@@ -0,0 +1,14 @@
+services:
+  spire-server:
+    image: spire-server:latest-local
+    hostname: spire-server
+    volumes:
+      - ./conf/server:/opt/spire/conf/server
+    command: ["-config", "/opt/spire/conf/server/server.conf"]
+  spire-agent:
+    image: spire-agent:latest-local
+    hostname: spire-agent
+    depends_on: ["spire-server"]
+    volumes:
+      - ./conf/agent:/opt/spire/conf/agent
+    command: ["-config", "/opt/spire/conf/agent/agent.conf"]
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+echo "Bringing down services..."
+
+## Stop the SPIRE server
+#if pgrep spire-server > /dev/null; then
+#    echo "Stopping SPIRE server..."
+#    sudo kill -9 $(pgrep spire-server) || true
+#fi
+#
+## Stop the SPIRE agent
+#if pgrep spire-agent > /dev/null; then
+#    echo "Stopping SPIRE agent..."
+#    sudo kill -9 $(pgrep spire-agent) || true
+#fi
+#
+## Remove temporary directories if needed
+#echo "Cleaning up..."
+#rm -rf /tmp/spire/data
+#rm -rf /tmp/spire/conf
+
+echo "Teardown complete."