diff --git a/test/integration/suites/batchx509SVID/00-gen-files.sh b/test/integration/suites/batchx509SVID/00-gen-files.sh
new file mode 100755
index 0000000000..1d4f77b62d
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/00-gen-files.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Define directories
+BASE_DIR="/opt/spire/conf"
+SERVER_DIR="${BASE_DIR}/server"
+AGENT_DIR="${BASE_DIR}/agent"
+
+# Create necessary directories
+mkdir -p "${SERVER_DIR}"
+mkdir -p "${AGENT_DIR}"
+
+# Generate Root CA Certificate and Key
+echo "Generating Root CA certificate and key..."
+openssl genrsa -out root-ca.key 2048
+openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA"
+
+# Generate Server Certificate and Key
+echo "Generating Server certificate and key..."
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server"
+openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365
+
+# Generate Agent Certificate and Key
+echo "Generating Agent certificate and key..."
+openssl genrsa -out agent.key 2048
+openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent"
+openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365
+
+# Create Trust Bundles
+echo "Creating trust bundles..."
+cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"
+cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt"
+
+# Combine Certificates and Keys
+echo "Creating combined certificate files..."
+cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"
+cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"
+
+# Create Combined Key and Certificate Files
+echo "Creating combined key and certificate files..."
+cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem"
+cat server.key server.crt > "${SERVER_DIR}/server.key.pem"
+
+# Clean up intermediate files
+echo "Cleaning up..."
+rm server.key server.csr server.crt agent.key agent.csr agent.crt
+
+echo "Certificate files generated and placed in ${BASE_DIR}."
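Review bot: The cleanup near the end of the hunk, `rm server.key server.csr server.crt agent.key agent.csr agent.crt`, leaves `root-ca.key`, `root-ca.crt` and the `root-ca.srl` file written by `-CAcreateserial` in the working directory, so the CA private key that signs both leaf certificates outlives the script. Extend the cleanup to `rm -f -- root-ca.key root-ca.crt root-ca.srl`, or better generate into `workdir=$(mktemp -d)` with `trap 'rm -rf -- "$workdir"' EXIT` so every intermediate is removed on any exit path; a `umask 077` at the top would also keep the key files from being created world-readable under a permissive default umask. Two further points: the agent's own leaf certificate is concatenated into `bootstrap.crt` and the server's into `agent-cacert.pem`, where only `root-ca.crt` belongs as a trust anchor, and 01-setup.sh in this same commit calls `setup/x509pop/setup.sh conf/server conf/agent`, which appears to produce the same material, so one of the two generators is probably redundant.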
diff --git a/test/integration/suites/batchx509SVID/01-setup.sh b/test/integration/suites/batchx509SVID/01-setup.sh
new file mode 100755
index 0000000000..e5c1cd0caf
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/01-setup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
+
+"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
+"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
+
+
+echo "Starting SPIRE server..."
+spire-server run -config conf/server/server.conf > ${RUNDIR}/spire-server.log 2>&1 &
+SERVER_PID=$!
+sleep 5
+
+echo "Starting SPIRE agent..."
+spire-agent run -config conf/agent/agent.conf &
+AGENT_PID=$!
+sleep 5
\ No newline at end of file
diff --git a/test/integration/suites/batchx509SVID/02-create-entries.sh b/test/integration/suites/batchx509SVID/02-create-entries.sh
new file mode 100755
index 0000000000..ed294446ed
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/02-create-entries.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+ENTRIES_FILE="${RUNDIR}/data.json"
+
+# Start the entry creation process in the background
+spire-server entry create -data "${ENTRIES_FILE}" &
+ENTRY_PID=$!
+
+# Wait for the entry creation process to finish
+wait $ENTRY_PID
+
+echo "Entries uploaded successfully."
+
diff --git a/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh b/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
new file mode 100755
index 0000000000..e4762f3622
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
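Review bot: The two `sleep 5` calls are the only readiness gate before 02-create-entries.sh talks to the server, and `SERVER_PID`/`AGENT_PID` are captured but never used (the teardown script relies on `pgrep` instead), so a slow start simply makes the suite flaky; polling `spire-server healthcheck` and `spire-agent healthcheck` with a bounded retry replaces the fixed sleeps, as below. The redirect `> ${RUNDIR}/spire-server.log` is the one unquoted expansion in the hunk and would split or glob if RUNDIR ever contained whitespace; quote it as `> "${RUNDIR}/spire-server.log" 2>&1 &`. The agent's output is not captured anywhere, unlike the server's, so `> "${RUNDIR}/spire-agent.log" 2>&1 &` would keep both logs for post-mortem. The file also lacks a trailing newline.
```shell
# … unchanged: x509pop setup and debugclient builds …

# wait_for NAME CMD...: poll CMD once a second for up to 30s until it exits 0
wait_for() {
  local name=$1; shift
  local i
  for ((i = 0; i < 30; i++)); do
    "$@" >/dev/null 2>&1 && return 0
    sleep 1
  done
  printf 'timed out waiting for %s\n' "$name" >&2
  return 1
}

echo "Starting SPIRE server..."
spire-server run -config conf/server/server.conf > "${RUNDIR}/spire-server.log" 2>&1 &
SERVER_PID=$!
wait_for "spire-server" spire-server healthcheck

echo "Starting SPIRE agent..."
spire-agent run -config conf/agent/agent.conf > "${RUNDIR}/spire-agent.log" 2>&1 &
AGENT_PID=$!
wait_for "spire-agent" spire-agent healthcheck
```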
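Review bot: Backgrounding `spire-server entry create -data "${ENTRIES_FILE}" &` and immediately `wait`ing on `$ENTRY_PID` is equivalent to running the command in the foreground, except that the two comments now describe a concurrency that does not exist and `wait $ENTRY_PID` is unquoted; the four lines collapse to `spire-server entry create -data "${ENTRIES_FILE}"`, which under `set -e` still aborts the step on a non-zero exit. Nothing checks that the data file exists before use, so a missing `${RUNDIR}/data.json` surfaces as a CLI parse error rather than a clear message; `[[ -f "${ENTRIES_FILE}" ]] || { echo "missing ${ENTRIES_FILE}" >&2; exit 1; }` would make that explicit. The success message is printed unconditionally and is only truthful because of `set -e`; a short comment noting that dependency (`# set -e above: reaching this line means entry create exited 0`) helps the next reader.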
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+ENTRIES_FILE="${RUNDIR}/data.json"
+
+# Parse the JSON file and extract SPIFFE IDs
+echo "Checking entries from ${ENTRIES_FILE}..."
+
+# Extract SPIFFE IDs using jq
+SPIFFE_IDS=$(jq -r '.entries[].spiffe_id' "$ENTRIES_FILE")
+
+# Check each entry's existence
+for SPIFFE_ID in $SPIFFE_IDS; do
+  echo "Checking if entry with SPIFFE ID ${SPIFFE_ID} exists..."
+  OUTPUT=$(spire-server entry show -spiffeID "${SPIFFE_ID}" 2>&1)
+
+  if echo "$OUTPUT" | grep -q "Error"; then
+    echo "Error: Entry with SPIFFE ID ${SPIFFE_ID} not found."
+    exit 1
+  else
+    echo "Entry with SPIFFE ID ${SPIFFE_ID} exists."
+  fi
+done
+
+echo "All entries checked successfully."
+exit 0
\ No newline at end of file
diff --git a/test/integration/suites/batchx509SVID/README.md b/test/integration/suites/batchx509SVID/README.md
new file mode 100644
index 0000000000..d9ce3f354b
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/README.md
@@ -0,0 +1,26 @@
+# Batchx509SVID RPC Integration Test
+
+## Overview
+
+This test ensures the continued operation of the `Batchx509SVID` RPC in Open Source SPIRE.
+
+## Test Steps
+
+1. **Setup (`01-setup.sh`)**
+   - Generates required certificates and keys.
+   - Starts the SPIRE server and agent.
+
+2. **Create Registration (`02-create_entries.sh`)**
+   - Creates necessary registration entries for testing.
+
+2. **Check entries creation (`03-test-batchx509svid.sh`)**
+   - Verifies necessary registration entries for testing.
+
+3. **Teardown (`teardown.sh`)**
+- Stops the SPIRE server and agent.
+- Cleans up any remaining artifacts.
+
+ Run the setup script:
+
+ ```bash
+ ./test/integration/test-one.sh ./test/integration/suites/batchx509SVID
diff --git a/test/integration/suites/batchx509SVID/conf/agent/agent.conf b/test/integration/suites/batchx509SVID/conf/agent/agent.conf
new file mode 100644
index 0000000000..ae7cd42947
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/conf/agent/agent.conf
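Review bot: `grep -q "Error"` on the output of `spire-server entry show -spiffeID` is not a reliable absence test: when nothing matches, I believe the command exits 0 and reports a zero count rather than printing "Error", so a missing entry passes the check, while any unrelated line containing "Error" fails it. Test the exit status and look for the ID itself instead: `if ! OUTPUT=$(spire-server entry show -spiffeID "${SPIFFE_ID}" 2>&1) || ! grep -qF -- "${SPIFFE_ID}" <<<"$OUTPUT"; then`. The loop `for SPIFFE_ID in $SPIFFE_IDS` relies on unquoted word-splitting of the jq output; `mapfile -t SPIFFE_IDS < <(jq -r '.entries[].spiffe_id' "$ENTRIES_FILE")` with `for SPIFFE_ID in "${SPIFFE_IDS[@]}"` is the robust form and also fails the step cleanly if jq cannot parse the file. As written this step only confirms that registration entries exist; nothing in it fetches an SVID through the agent, so it does not exercise the RPC the suite is named after, and either the README's claim should be narrowed or a fetch step added. The file lacks a trailing newline.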
@@ -0,0 +1,31 @@
+agent {
+  data_dir = "/opt/spire/data/agent"
+  log_level = "DEBUG"
+  server_address = "spire-server"
+  server_port = "8081"
+  socket_path = "/tmp/spire-agent/public/api.sock"
+  trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+  trust_domain = "example.org"
+  admin_socket_path = "/opt/debug.sock"
+  experimental {
+    x509_svid_cache_max_size = 8
+  }
+}
+
+plugins {
+  NodeAttestor "x509pop" {
+    plugin_data {
+      private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+      certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+    }
+  }
+  KeyManager "disk" {
+    plugin_data {
+      directory = "/opt/spire/data/agent"
+    }
+  }
+  WorkloadAttestor "unix" {
+    plugin_data {
+    }
+  }
+}
diff --git a/test/integration/suites/batchx509SVID/conf/server/server.conf b/test/integration/suites/batchx509SVID/conf/server/server.conf
new file mode 100644
index 0000000000..6eb500fd24
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/conf/server/server.conf
@@ -0,0 +1,26 @@
+server {
+  bind_address = "0.0.0.0"
+  bind_port = "8081"
+  trust_domain = "example.org"
+  data_dir = "/opt/spire/data/server"
+  log_level = "DEBUG"
+  ca_ttl = "1h"
+  default_x509_svid_ttl = "10m"
+}
+
+plugins {
+  DataStore "sql" {
+    plugin_data {
+      database_type = "sqlite3"
+      connection_string = "/opt/spire/data/server/datastore.sqlite3"
+    }
+  }
+  NodeAttestor "x509pop" {
+    plugin_data {
+      ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+    }
+  }
+  KeyManager "memory" {
+    plugin_data = {}
+  }
+}
diff --git a/test/integration/suites/batchx509SVID/data.json b/test/integration/suites/batchx509SVID/data.json
new file mode 100644
index 0000000000..a7f8df0aaf
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/data.json
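Review bot: The `experimental { x509_svid_cache_max_size = 8 }` block is the setting that presumably drives the batch behaviour this suite exists to cover, yet nothing records why 8 was chosen or how it relates to the three entries in data.json; a one-line comment such as `# experimental: cap the SVID cache so the agent must request SVIDs on demand (value chosen for this suite)` would preserve the intent. `trust_bundle_path` points at the `bootstrap.crt` that 00-gen-files.sh builds from `root-ca.crt` plus the agent's own leaf certificate, where only the CA certificate belongs, and because 01-setup.sh also runs `setup/x509pop/setup.sh` into the same directory, which file is actually in place depends on step order. `admin_socket_path = "/opt/debug.sock"` places the admin API on a path outside the agent's data directory; fine for a throwaway test container, but a comment saying so keeps it from being copied into a real config.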
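Review bot: `KeyManager "memory" { plugin_data = {} }` uses the attribute form while the other two plugins in the same file use the block form `plugin_data { ... }`; both parse, but mixing them in a 26-line file reads as accidental, and `plugin_data {}` keeps it uniform. `bind_address = "0.0.0.0"` listens on every interface; that appears to be required because agent.conf reaches the server by the hostname `spire-server` rather than loopback, which is worth stating (`# all interfaces: the agent connects by hostname from its own container`) so a later reader does not narrow it to 127.0.0.1 and break attestation. There is no `federation` block, yet every entry in data.json sets `federates_with`; if entry creation requires the federated trust domain's bundle to be present, the 02 step will fail against this config.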
@@ -0,0 +1,82 @@
+{
+  "entries": [
+    {
+      "spiffe_id": "spiffe://example.org/workload1",
+      "parent_id": "spiffe://example.org/parent1",
+      "selectors": [
+        {
+          "type": "unix",
+          "value": "user:root"
+        }
+      ],
+      "x509_svid_ttl": 3600,
+      "jwt_svid_ttl": 7200,
+      "federates_with": [
+        "spiffe://example.org/another-trust-domain"
+      ],
+      "entry_id": "entry-1",
+      "admin": false,
+      "downstream": false,
+      "entryExpiry": 1710000000,
+      "dns_names": [
+        "service1.example.org"
+      ],
+      "revision_number": 1,
+      "store_svid": true,
+      "hint": "primary entry",
+      "created_at": 1710000000
+    },
+    {
+      "spiffe_id": "spiffe://example.org/workload2",
+      "parent_id": "spiffe://example.org/parent2",
+      "selectors": [
+        {
+          "type": "unix",
+          "value": "user:admin"
+        }
+      ],
+      "x509_svid_ttl": 1800,
+      "jwt_svid_ttl": 3600,
+      "federates_with": [
+        "spiffe://example.org/another-trust-domain"
+      ],
+      "entry_id": "entry-2",
+      "admin": true,
+      "downstream": true,
+      "entryExpiry": 1710003600,
+      "dns_names": [
+        "service2.example.org"
+      ],
+      "revision_number": 2,
+      "store_svid": false,
+      "hint": "admin entry",
+      "created_at": 1710003600
+    },
+    {
+      "spiffe_id": "spiffe://example.org/workload3",
+      "parent_id": "spiffe://example.org/parent3",
+      "selectors": [
+        {
+          "type": "unix",
+          "value": "user:service"
+        }
+      ],
+      "x509_svid_ttl": 7200,
+      "jwt_svid_ttl": 14400,
+      "federates_with": [
+        "spiffe://example.org/another-trust-domain"
+      ],
+      "entry_id": "entry-3",
+      "admin": false,
+      "downstream": false,
+      "entryExpiry": 1710007200,
+      "dns_names": [
+        "service3.example.org"
+      ],
+      "revision_number": 3,
+      "store_svid": true,
+      "hint": "secondary entry",
+      "created_at": 1710007200
+    }
+  ]
+}
diff --git a/test/integration/suites/batchx509SVID/teardown b/test/integration/suites/batchx509SVID/teardown
new file mode 100755
index 0000000000..1e396dfe6f
--- /dev/null
+++ b/test/integration/suites/batchx509SVID/teardown
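Review bot: Every entry's `federates_with` value is `spiffe://example.org/another-trust-domain`, which is a path inside the suite's own trust domain rather than a trust-domain ID, and server.conf in this commit configures no federation; drop the field from all three entries or point it at a trust domain the server actually federates with, otherwise entry creation is likely to be rejected. `entry_id`, `entryExpiry`, `revision_number` and `created_at` are server-assigned or differently named fields — `entryExpiry` in particular breaks the snake_case used everywhere else, so it is unlikely to be recognised, and a strict decoder may reject the whole file on it. The `parent_id` values `spiffe://example.org/parent1..3` do not correspond to any agent that 01-setup.sh attests, so no agent will ever be handed these entries; if the suite is meant to exercise SVID issuance the parent should be the attested agent's ID. Trimming each entry to `spiffe_id`, `parent_id`, `selectors`, the two TTLs and `dns_names` would remove all of these ambiguities.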
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+echo "Bringing down services..."
+
+# Stop the SPIRE server
+if pgrep spire-server > /dev/null; then
+  echo "Stopping SPIRE server..."
+  sudo kill -9 $(pgrep spire-server) || true
+fi
+
+# Stop the SPIRE agent
+if pgrep spire-agent > /dev/null; then
+  echo "Stopping SPIRE agent..."
+  sudo kill -9 $(pgrep spire-agent) || true
+fi
+
+# Remove temporary directories if needed
+echo "Cleaning up..."
+rm -rf /opt/spire/data
+rm -rf /opt/spire/conf
+
+echo "Teardown complete."
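Review bot: `sudo kill -9 $(pgrep spire-server)` sends SIGKILL as the first and only signal, which denies the server a clean shutdown of its SQLite datastore and can leave stale socket files under `/tmp/spire-server` and `/tmp/spire-agent` that a rerun then trips over; `pkill -TERM -x spire-server || true` followed by a short wait, with SIGKILL only as a fallback, is the usual shape, and the same applies to the agent block. `pgrep spire-server` without `-x` also substring-matches any process whose name contains it, and the unquoted `$(pgrep ...)` is word-split into an argument list, which happens to work but is exactly what `pkill` avoids. `rm -rf /opt/spire/data` and `rm -rf /opt/spire/conf` are unguarded absolute paths; deriving them from the same `BASE_DIR` that 00-gen-files.sh defines and writing `rm -rf -- "${BASE_DIR:?}/data"` keeps a mis-set variable from wiping the wrong tree. The `sudo` is unexplained: if the harness already runs as root it is noise, and if not it is a requirement the README should state.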