spiffe · valverdethiago · Aug 18, 2024 · Aug 22, 2024 · Aug 22, 2024 · Aug 25, 2024
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Define directories
+BASE_DIR="/opt/spire/conf"
+SERVER_DIR="${BASE_DIR}/server"
+AGENT_DIR="${BASE_DIR}/agent"
+
+# Create necessary directories
+mkdir -p "${SERVER_DIR}"
+mkdir -p "${AGENT_DIR}"
+
+# Generate Root CA Certificate and Key
+echo "Generating Root CA certificate and key..."
+openssl genrsa -out root-ca.key 2048
+openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA"
+
+# Generate Server Certificate and Key
+echo "Generating Server certificate and key..."
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server"
+openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365
+
+# Generate Agent Certificate and Key
+echo "Generating Agent certificate and key..."
+openssl genrsa -out agent.key 2048
+openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent"
+openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365
+
+# Create Trust Bundles
+echo "Creating trust bundles..."
+cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem"
+cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt"
+
+# Combine Certificates and Keys
+echo "Creating combined certificate files..."
+cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem"
+cat server.crt server.key > "${SERVER_DIR}/server.crt.pem"
+
+# Create Combined Key and Certificate Files
+echo "Creating combined key and certificate files..."
+cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem"
+cat server.key server.crt > "${SERVER_DIR}/server.key.pem"
+
+# Clean up intermediate files
+echo "Cleaning up..."
+rm server.key server.csr server.crt agent.key agent.csr agent.crt
+
+echo "Certificate files generated and placed in ${BASE_DIR}."
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
+
+"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient"
+"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient"
+
+
+echo "Starting SPIRE server..."
+spire-server run -config conf/server/server.conf > ${RUNDIR}/spire-server.log 2>&1 &
+SERVER_PID=$!
+sleep 5
+
+echo "Starting SPIRE agent..."
+spire-agent run -config conf/agent/agent.conf &
+AGENT_PID=$!
+sleep 5
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+ENTRIES_FILE="${RUNDIR}/data.json"
+
+# Start the entry creation process in the background
+spire-server entry create -data "${ENTRIES_FILE}" &
+ENTRY_PID=$!
+
+# Wait for the entry creation process to finish
+wait $ENTRY_PID
+
+echo "Entries uploaded successfully."
+
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+ENTRIES_FILE="${RUNDIR}/data.json"
+
+# Parse the JSON file and extract SPIFFE IDs
+echo "Checking entries from ${ENTRIES_FILE}..."
+
+# Extract SPIFFE IDs using jq
+SPIFFE_IDS=$(jq -r '.entries[].spiffe_id' "$ENTRIES_FILE")
+
+# Check each entry's existence
+for SPIFFE_ID in $SPIFFE_IDS; do
+    echo "Checking if entry with SPIFFE ID ${SPIFFE_ID} exists..."
+    OUTPUT=$(spire-server entry show -spiffeID "${SPIFFE_ID}" 2>&1)
+
+    if echo "$OUTPUT" | grep -q "Error"; then
+        echo "Error: Entry with SPIFFE ID ${SPIFFE_ID} not found."
+        exit 1
+    else
+        echo "Entry with SPIFFE ID ${SPIFFE_ID} exists."
+    fi
+done
+
+echo "All entries checked successfully."
+exit 0
@@ -0,0 +1,26 @@
+# Batchx509SVID RPC Integration Test
+
+## Overview
+
+This test ensures the continued operation of the `Batchx509SVID` RPC in Open Source SPIRE.
+
+## Test Steps
+
+1. **Setup (`01-setup.sh`)**
+   - Generates required certificates and keys.
+   - Starts the SPIRE server and agent.
+
+2. **Create Registration (`02-create_entries.sh`)**
+   - Creates necessary registration entries for testing.
+
+2. **Check entries creation (`03-test-batchx509svid.sh`)**
+   - Verifies necessary registration entries for testing.
+
+3. **Teardown (`teardown.sh`)**
+- Stops the SPIRE server and agent.
+- Cleans up any remaining artifacts.
+
+   Run the setup script:
+
+   ```bash
+   ./test/integration/test-one.sh ./test/integration/suites/batchx509SVID
@@ -0,0 +1,31 @@
+agent {
+    data_dir = "/opt/spire/data/agent"
+    log_level = "DEBUG"
+    server_address = "spire-server"
+    server_port = "8081"
+    socket_path = "/tmp/spire-agent/public/api.sock"
+    trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+    trust_domain = "example.org"
+    admin_socket_path = "/opt/debug.sock"
+    experimental {
+        x509_svid_cache_max_size = 8
+    }
+}
+
+plugins {
+    NodeAttestor "x509pop" {
+        plugin_data {
+            private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+            certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+        }
+    }
+    KeyManager "disk" {
+        plugin_data {
+            directory = "/opt/spire/data/agent"
+        }
+    }
+    WorkloadAttestor "unix" {
+        plugin_data {
+        }
+    }
+}
@@ -0,0 +1,26 @@
+server {
+	bind_address = "0.0.0.0"
+	bind_port = "8081"
+	trust_domain = "example.org"
+	data_dir = "/opt/spire/data/server"
+	log_level = "DEBUG"
+	ca_ttl = "1h"
+	default_x509_svid_ttl = "10m"
+}
+
+plugins {
+	DataStore "sql" {
+		plugin_data {
+			database_type = "sqlite3"
+			connection_string = "/opt/spire/data/server/datastore.sqlite3"
+		}
+	}
+	NodeAttestor "x509pop" {
+		plugin_data {
+			ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+		}
+	}
+	KeyManager "memory" {
+		plugin_data = {}
+	}
+}
@@ -0,0 +1,82 @@
+{
+  "entries": [
+    {
+      "spiffe_id": "spiffe://example.org/workload1",
+      "parent_id": "spiffe://example.org/parent1",
+      "selectors": [
+        {
+          "type": "unix",
+          "value": "user:root"
+        }
+      ],
+      "x509_svid_ttl": 3600,
+      "jwt_svid_ttl": 7200,
+      "federates_with": [
+        "spiffe://example.org/another-trust-domain"
+      ],
+      "entry_id": "entry-1",
+      "admin": false,
+      "downstream": false,
+      "entryExpiry": 1710000000,
+      "dns_names": [
+        "service1.example.org"
+      ],
+      "revision_number": 1,
+      "store_svid": true,
+      "hint": "primary entry",
+      "created_at": 1710000000
+    },
+    {
+      "spiffe_id": "spiffe://example.org/workload2",
+      "parent_id": "spiffe://example.org/parent2",
+      "selectors": [
+        {
+          "type": "unix",
+          "value": "user:admin"
+        }
+      ],
+      "x509_svid_ttl": 1800,
+      "jwt_svid_ttl": 3600,
+      "federates_with": [
+        "spiffe://example.org/another-trust-domain"
+      ],
+      "entry_id": "entry-2",
+      "admin": true,
+      "downstream": true,
+      "entryExpiry": 1710003600,
+      "dns_names": [
+        "service2.example.org"
+      ],
+      "revision_number": 2,
+      "store_svid": false,
+      "hint": "admin entry",
+      "created_at": 1710003600
+    },
+    {
+      "spiffe_id": "spiffe://example.org/workload3",
+      "parent_id": "spiffe://example.org/parent3",
+      "selectors": [
+        {
+          "type": "unix",
+          "value": "user:service"
+        }
+      ],
+      "x509_svid_ttl": 7200,
+      "jwt_svid_ttl": 14400,
+      "federates_with": [
+        "spiffe://example.org/another-trust-domain"
+      ],
+      "entry_id": "entry-3",
+      "admin": false,
+      "downstream": false,
+      "entryExpiry": 1710007200,
+      "dns_names": [
+        "service3.example.org"
+      ],
+      "revision_number": 3,
+      "store_svid": true,
+      "hint": "secondary entry",
+      "created_at": 1710007200
+    }
+  ]
+}
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+echo "Bringing down services..."
+
+# Stop the SPIRE server
+if pgrep spire-server > /dev/null; then
+    echo "Stopping SPIRE server..."
+    sudo kill -9 $(pgrep spire-server) || true
+fi
+
+# Stop the SPIRE agent
+if pgrep spire-agent > /dev/null; then
+    echo "Stopping SPIRE agent..."
+    sudo kill -9 $(pgrep spire-agent) || true
+fi
+
+# Remove temporary directories if needed
+echo "Cleaning up..."
+rm -rf /opt/spire/data
+rm -rf /opt/spire/conf
+
+echo "Teardown complete."