HSM Functional Tests
Signed-off-by: Mauricio Harley <[email protected]>
xek authored and Mauricio Harley committed Jan 6, 2025
1 parent 4e2c883 commit 3c1bd68
Showing 4 changed files with 149 additions and 56 deletions.
107 changes: 88 additions & 19 deletions tests/functional/barbican_controller_test.go
Expand Up @@ -12,7 +12,7 @@ import (
. "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers"

barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
"github.com/openstack-k8s-operators/barbican-operator/controllers"
controllers "github.com/openstack-k8s-operators/barbican-operator/controllers"
"github.com/openstack-k8s-operators/barbican-operator/pkg/barbican"
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
mariadb_test "github.com/openstack-k8s-operators/mariadb-operator/api/test/helpers"
Expand Down Expand Up @@ -434,11 +434,13 @@ var _ = Describe("Barbican controller", func() {

When("A Barbican with HSM is created", func() {
BeforeEach(func() {
DeferCleanup(k8sClient.Delete, ctx, CreateHSMLoginSecret(barbicanTest.Instance.Namespace, HSMLoginSecret))
DeferCleanup(k8sClient.Delete, ctx, CreateHSMCertsSecret(barbicanTest.Instance.Namespace, HSMCertsSecret))

DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec()))
DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName))
DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec()))
infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
// keystoneAPI := keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)
DeferCleanup(
mariadb.DeleteDBService,
mariadb.CreateDBService(
Expand All @@ -449,12 +451,12 @@ var _ = Describe("Barbican controller", func() {
},
),
)
infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
// DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI)
DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec()))
th.SimulateJobSuccess(barbicanTest.BarbicanP11Prep)
})

It("Creates BarbicanAPI", func() {
Expand All @@ -473,7 +475,7 @@ var _ = Describe("Barbican controller", func() {
// Check the resulting deployment fields
Expect(int(*d.Spec.Replicas)).To(Equal(1))

Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(3))
Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(4))
Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2))

container := d.Spec.Template.Spec.Containers[1]
Expand All @@ -482,28 +484,95 @@ var _ = Describe("Barbican controller", func() {
Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
})

It("Should have the right configuration contents", func() {
/*keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint)
mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)*/
It("Verifies the PKCS11 struct is in good shape", func() {
Barbican := GetBarbican(barbicanTest.Instance)
Expect(Barbican.Spec.EnabledSecretStores).Should(Equal([]barbicanv1beta1.SecretStore{"pkcs11"}))
Expect(Barbican.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11")))

pkcs11 := Barbican.Spec.PKCS11
Expect(pkcs11.SlotId).Should(Equal(HSMSlotID))
Expect(pkcs11.LibraryPath).Should(Equal(HSMLibraryPath))
Expect(pkcs11.CertificatesMountPoint).Should(Equal(HSMCertificatesMountPoint))
Expect(pkcs11.LoginSecret).Should(Equal(HSMLoginSecret))
Expect(pkcs11.CertificatesSecret).Should(Equal(HSMCertsSecret))
Expect(pkcs11.MKEKLabel).Should(Equal(HSMMKEKLabel))
Expect(pkcs11.HMACLabel).Should(Equal(HSMHMACLabel))
Expect(pkcs11.ServerAddress).Should(Equal(HSMServerAddress))
Expect(pkcs11.ClientAddress).Should(Equal(HSMClientAddress))
Expect(pkcs11.Type).Should(Equal(HSMType))
})

cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
Expect(cf).ShouldNot(BeNil())
confChrystoki := cf.Data["Chrystoki.conf"]
Expect(confChrystoki).To(
ContainSubstring("Luna = {\n DefaultTimeOut = 500000;\n PEDTimeout1 = 100000;\n PEDTimeout2 = 200000;"))
confDefault := cf.Data["00-default.conf"]
Expect(confDefault).To(
It("Checks if the two relevant secrets have the right contents", func() {
hsmSecret := th.GetSecret(barbicanTest.BarbicanHSMLoginSecret)
Expect(hsmSecret).ShouldNot(BeNil())
confHSM := hsmSecret.Data["hsmLogin"]
Expect(confHSM).To(
ContainSubstring("12345678"))

certsSecret := th.GetSecret(barbicanTest.BarbicanHSMCertsSecret)
Expect(certsSecret).ShouldNot(BeNil())
confCA := certsSecret.Data["CACert.pem"]
Expect(confCA).To(
ContainSubstring("dummy-data"))
confServer := certsSecret.Data[HSMServerAddress+"Server.pem"]
Expect(confServer).To(
ContainSubstring("dummy-data"))
confClient := certsSecret.Data[HSMClientAddress+"Client.pem"]
Expect(confClient).To(
ContainSubstring("dummy-data"))
confKey := certsSecret.Data[HSMClientAddress+"Client.key"]
Expect(confKey).To(
ContainSubstring("dummy-data"))
})

It("Verifies if Chrystoki.conf and 00-default.conf have the right contents.", func() {
confSecret := th.GetSecret(barbicanTest.BarbicanConfigSecret)
Expect(confSecret).ShouldNot(BeNil())

conf := confSecret.Data["Chrystoki.conf"]
Expect(conf).To(
ContainSubstring("Chrystoki2"))
Expect(conf).To(
ContainSubstring("LunaSA Client"))
Expect(conf).To(
ContainSubstring("ProtectedAuthenticationPathFlagStatus = 0"))

conf = confSecret.Data["00-default.conf"]
Expect(conf).To(
ContainSubstring("[secretstore:pkcs11]"))
Expect(conf).To(
ContainSubstring("plugin_name = PKCS11"))
Expect(conf).To(
ContainSubstring("slot_id = " + HSMSlotID))
})

It("Should have the relevant conditions in the right state", func() {
It("Checks if the P11PreJob successfully executed", func() {
BarbicanExists(barbicanTest.Instance)

th.ExpectCondition(
barbicanTest.Instance,
ConditionGetterFunc(BarbicanConditionGetter),
controllers.P11PrepReadyCondition,
corev1.ConditionTrue,
)

// Checking if both, the volume mount name and its mount path match the specified values.
volumeMounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts
elemNum := 0
for index, mount := range volumeMounts {
if mount.Name == barbican.LunaVolume {
elemNum = index
break
}
}

volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].Name
mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].MountPath

Eventually(func(g Gomega) {
g.Expect(volume).To(Equal(barbican.LunaVolume))
g.Expect(mountPath).To(Equal(HSMCertificatesMountPoint))
}, timeout, interval).Should(Succeed())
})
})

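Review bot: The P11 prep job test at L157-L171 silently falls back to volume mount 0 when no mount named `barbican.LunaVolume` is present, because `elemNum` keeps its zero value and the loop never records whether it matched; the assertions then compare against an unrelated mount, and the `Eventually` wraps values captured once before the closure, so it cannot observe a later change and only re-asserts the same stale strings until `timeout`. Fail explicitly when the mount is missing and read the job once, as below. A smaller point: the secret test at L100-L121 reads back the `hsm-login`/`hsm-certs` secrets that `BeforeEach` created with fixture values, so it verifies the fixtures rather than anything the controller rendered; if the intent is to check that the operator consumes them, assert against the generated config secret instead.
```go
		// … unchanged: BarbicanExists and ExpectCondition on P11PrepReadyCondition …
		mounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts
		var lunaMount *corev1.VolumeMount
		for i := range mounts {
			if mounts[i].Name == barbican.LunaVolume {
				lunaMount = &mounts[i]
				break
			}
		}
		Expect(lunaMount).ToNot(BeNil(), "P11 prep job has no volume mount named %q", barbican.LunaVolume)
		Expect(lunaMount.MountPath).To(Equal(HSMCertificatesMountPoint))
```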
16 changes: 16 additions & 0 deletions tests/functional/barbican_test_data.go
Expand Up @@ -54,6 +54,7 @@ type BarbicanTestData struct {
BarbicanDatabaseName types.NamespacedName
BarbicanDatabaseAccount types.NamespacedName
BarbicanDBSync types.NamespacedName
BarbicanP11Prep types.NamespacedName
BarbicanAPI types.NamespacedName
BarbicanRole types.NamespacedName
BarbicanRoleBinding types.NamespacedName
Expand All @@ -65,6 +66,8 @@ type BarbicanTestData struct {
BarbicanServiceInternal types.NamespacedName
BarbicanConfigSecret types.NamespacedName
BarbicanAPIConfigSecret types.NamespacedName
BarbicanHSMLoginSecret types.NamespacedName
BarbicanHSMCertsSecret types.NamespacedName
BarbicanConfigScripts types.NamespacedName
BarbicanConfigMapData types.NamespacedName
BarbicanScheduler types.NamespacedName
Expand Down Expand Up @@ -97,6 +100,10 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData {
Namespace: barbicanName.Namespace,
Name: fmt.Sprintf("%s-db-sync", barbicanName.Name),
},
BarbicanP11Prep: types.NamespacedName{
Namespace: barbicanName.Namespace,
Name: fmt.Sprintf("%s-p11-prep", barbicanName.Name),
},
BarbicanAPI: types.NamespacedName{
Namespace: barbicanName.Namespace,
Name: fmt.Sprintf("%s-api-api", barbicanName.Name),
Expand Down Expand Up @@ -141,6 +148,15 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData {
BarbicanAPIConfigSecret: types.NamespacedName{
Namespace: barbicanName.Namespace,
Name: fmt.Sprintf("%s-%s", barbicanName.Name, "api-config-data"),
// This secret stores the password to connect to the HSM.
BarbicanHSMLoginSecret: types.NamespacedName{
Namespace: barbicanName.Namespace,
Name: "hsm-login",
},
// This secret stores the certificates used to interact with the HSM.
BarbicanHSMCertsSecret: types.NamespacedName{
Namespace: barbicanName.Namespace,
Name: "hsm-certs",
},
BarbicanConfigScripts: types.NamespacedName{
Namespace: barbicanName.Namespace,
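Review bot: The secret names at L213 and L218 are the literals `"hsm-login"` and `"hsm-certs"`, duplicating the `HSMLoginSecret`/`HSMCertsSecret` constants that the spec (`loginSecret`/`certificatesSecret`) and the fixture helpers use; if either side is renamed, the test data would point at a secret the operator was never told about and the failure would surface far from the cause. Use the constants here: `Name: HSMLoginSecret,` and `Name: HSMCertsSecret,`. The two comments on L210 and L215 are useful; consider adding the same note on `BarbicanP11Prep` at L199, e.g. `// Job that prepares the PKCS#11 (HSM) backend; name must match the operator's "<name>-p11-prep" job.`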
64 changes: 35 additions & 29 deletions tests/functional/base_test.go
Expand Up @@ -43,17 +43,6 @@ func CreateKeystoneAPISecret(namespace string, name string) *corev1.Secret {
)
}

func CreateHSMSecret(namespace string, name string) *corev1.Secret {
return th.CreateSecret(
types.NamespacedName{Namespace: namespace, Name: name},
map[string][]byte{
"AdminPassword": []byte("12345678"),
"BarbicanPassword": []byte("12345678"),
"KeystoneDatabasePassword": []byte("12345678"),
},
)
}

func GetDefaultBarbicanSpec() map[string]interface{} {
return map[string]interface{}{
"databaseInstance": "openstack",
Expand Down Expand Up @@ -134,6 +123,14 @@ func BarbicanKeystoneListenerNotExists(name types.NamespacedName) {
}, timeout, interval).Should(Succeed())
}

func BarbicanExists(name types.NamespacedName) {
Consistently(func(g Gomega) {
instance := &barbicanv1.Barbican{}
err := k8sClient.Get(ctx, name, instance)
g.Expect(k8s_errors.IsNotFound(err)).To(BeFalse())
}, timeout, interval).Should(Succeed())
}

func BarbicanAPIConditionGetter(name types.NamespacedName) condition.Conditions {
instance := GetBarbicanAPI(name)
return instance.Status.Conditions
Expand Down Expand Up @@ -187,33 +184,30 @@ func GetTLSBarbicanAPISpec() map[string]interface{} {

// ========== HSM Stuff ============
func GetHSMBarbicanSpec() map[string]interface{} {
return map[string]interface{}{
"databaseInstance": "openstack",
"secret": SecretName,
"simpleCryptoBackendSecret": SecretName,
"barbicanAPI": GetHSMBarbicanAPISpec(),
}
}

func GetHSMBarbicanAPISpec() map[string]interface{} {
spec := GetDefaultBarbicanAPISpec()
spec := GetDefaultBarbicanSpec()
maps.Copy(spec, map[string]interface{}{
"enabledSecretStores": []string{"pkcs11"},
"globalDefaultSecretStore": "pkcs11",
"pkcs11": map[string]interface{}{
"type": HSMType,
"libraryPath": HSMLibraryPath,
"slotId": HSMSlotID,
"MKEKLabel": HSMMKEKLabel,
"HMACLabel": HSMHMACLabel,
"serverAddress": HSMServerAddress,
"clientAddress": HSMClientAddress,
"loginSecret": HSMLoginSecret,
"slotId": HSMSlotID,
"libraryPath": HSMLibraryPath,
"certificatesMountPoint": HSMCertificatesMountPoint,
"loginSecret": HSMLoginSecret,
"certificatesSecret": HSMCertsSecret,
"MKEKLabel": HSMMKEKLabel,
"HMACLabel": HSMHMACLabel,
"serverAddress": HSMServerAddress,
"clientAddress": HSMClientAddress,
"type": HSMType,
},
})
return spec
}

func GetHSMBarbicanAPISpec() map[string]interface{} {
return GetDefaultBarbicanAPISpec()
}

func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret {
return th.CreateSecret(
types.NamespacedName{Namespace: namespace, Name: name},
Expand All @@ -223,6 +217,18 @@ func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret {
)
}

func CreateHSMCertsSecret(namespace string, name string) *corev1.Secret {
return th.CreateSecret(
types.NamespacedName{Namespace: namespace, Name: name},
map[string][]byte{
"CACert.pem": []byte("dummy-data"),
HSMServerAddress + "Server.pem": []byte("dummy-data"),
HSMClientAddress + "Client.pem": []byte("dummy-data"),
HSMClientAddress + "Client.key": []byte("dummy-data"),
},
)
}

// ========== End of HSM Stuff ============

func GetDefaultBarbicanAPISpec() map[string]interface{} {
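Review bot: `BarbicanExists` at L247-L253 asserts only that the error is not NotFound, so any other failure from `k8sClient.Get` (timeout, conversion error, API error) makes the check pass and the CR is reported as existing when it was never read; change the assertion to `g.Expect(err).ToNot(HaveOccurred())`, which also covers the NotFound case. Also note that `Consistently(..., timeout, interval)` holds for the full `timeout` on every call, so each test that calls this helper pays that delay; if the aim is just "the CR is present" a single `Expect` after one `Get` is enough, and `Consistently` should be reserved for "is not deleted over time" checks. In `CreateHSMCertsSecret` (L311-L321) the four keys are derived from `HSMServerAddress`/`HSMClientAddress`; a one-line comment that these names are what the operator expects to mount under `HSMCertificatesMountPoint` would tell the next reader why the address doubles as a filename prefix.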
18 changes: 10 additions & 8 deletions tests/functional/suite_test.go
Expand Up @@ -71,14 +71,16 @@ const (
interval = time.Millisecond * 200

// HSM Constants
HSMType = "luna" // Using them Luna model without any specific selection criteria.
HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so"
HSMSlotID = "1"
HSMMKEKLabel = "MKEKLabel"
HSMHMACLabel = "HMACLabel"
HSMServerAddress = "192.168.0.1"
HSMClientAddress = "192.168.0.2"
HSMLoginSecret = "hsm-secret"
HSMType = "luna" // Using them Luna model without any specific selection criteria.
HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so"
HSMCertificatesMountPoint = "/usr/local/luna/config/certs"
HSMSlotID = "1"
HSMMKEKLabel = "MKEKLabel"
HSMHMACLabel = "HMACLabel"
HSMServerAddress = "192.168.0.1"
HSMClientAddress = "192.168.0.2"
HSMLoginSecret = "hsm-login"
HSMCertsSecret = "hsm-certs"
)

func TestAPIs(t *testing.T) {
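Review bot: The comment on L341 has a typo, `Using them Luna model`; it should read `// Using the Luna model without any specific selection criteria.` The renamed `HSMLoginSecret` and new `HSMCertsSecret` constants (L349-L350) must agree with the literal names in `GetBarbicanTestData`, and `HSMServerAddress`/`HSMClientAddress` are also used as key prefixes in the certs secret (`"192.168.0.1Server.pem"`), so a short comment on each stating that coupling would prevent a silent mismatch on a future rename, e.g. `// Must match BarbicanHSMLoginSecret/BarbicanHSMCertsSecret in barbican_test_data.go.`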
