Skip to content

Commit

Permalink
rename variables to be consistent
Browse files Browse the repository at this point in the history
Signed-off-by: Marcos Yacob <[email protected]>
  • Loading branch information
MarcosDY committed Sep 28, 2024
1 parent 5373843 commit b22951a
Show file tree
Hide file tree
Showing 9 changed files with 61 additions and 89 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,23 @@ check-logs() {
}

# Fetch old authority ID
oldAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
old_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
/opt/spire/bin/spire-server \
localauthority x509 show -output json | jq .old.authority_id -r) || fail-now "Failed to fetch old authority ID"

# Taint the old authority
docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
/opt/spire/bin/spire-server \
localauthority x509 taint -authorityID "${oldAuthority}" || fail-now "Failed to taint old authority"
localauthority x509 taint -authorityID "${old_authority}" || fail-now "Failed to taint old authority"

# Root server logs
check-logs root-server \
"X\.509 authority tainted successfully|local_authority_id=${oldAuthority}" \
"X\.509 authority tainted successfully|local_authority_id=${old_authority}" \
"Server SVID signed using a tainted authority, forcing rotation of the Server SVID"

# Root agent logs
check-logs root-agent \
"New tainted X.509 authorities found|subject_key_ids=${oldAuthority}" \
"New tainted X.509 authorities found|subject_key_ids=${old_authority}" \
"Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=3" \
"Agent SVID is tainted by a root authority, forcing rotation"

Expand All @@ -36,7 +36,7 @@ check-logs intermediateA-server \
"Current root CA is signed by a tainted upstream authority, preparing rotation" \
"Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
check-logs intermediateA-agent \
"New tainted X\.509 authorities found|subject_key_ids=${oldAuthority}" \
"New tainted X\.509 authorities found|subject_key_ids=${old_authority}" \
"Scheduled rotation for SVID entries due to tainted X.509 authorities|count=2" \
"Agent SVID is tainted by a root authority, forcing rotation"

Expand All @@ -45,7 +45,7 @@ check-logs intermediateB-server \
"Current root CA is signed by a tainted upstream authority, preparing rotation" \
"Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
check-logs intermediateB-agent \
"New tainted X\.509 authorities found|subject_key_ids=${oldAuthority}" \
"New tainted X\.509 authorities found|subject_key_ids=${old_authority}" \
"Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=2" \
"Agent SVID is tainted by a root authority, forcing rotation"

Expand All @@ -54,7 +54,7 @@ check-logs leafA-server \
"Current root CA is signed by a tainted upstream authority, preparing rotation" \
"Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
check-logs leafA-agent \
"New tainted X.509 authorities found|subject_key_ids=${oldAuthority}" \
"New tainted X.509 authorities found|subject_key_ids=${old_authority}" \
"Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=1" \
"Agent SVID is tainted by a root authority, forcing rotation"

Expand All @@ -63,6 +63,6 @@ check-logs leafB-server \
"Current root CA is signed by a tainted upstream authority, preparing rotation" \
"Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
check-logs leafB-agent \
"New tainted X.509 authorities found|subject_key_ids=${oldAuthority}" \
"New tainted X.509 authorities found|subject_key_ids=${old_authority}" \
"Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=1" \
"Agent SVID is tainted by a root authority, forcing rotation"
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ check-tainted-authorities() {
local agent=$2
local agent_dir=$3

x509Authorities=$(fetch-x509-authorities "$server")
log-debug "Checking tainted authorities for $server and $agent"
x509_authorities=$(fetch-x509-authorities "$server")

taintedFound=$(echo "$x509Authorities" | jq '.[] | select(.tainted == true)') || fail-now "Tainted authority not found"
echo "$x509_authorities" | jq '.[] | select(.tainted == true)' || fail-now "Tainted authority not found"
non_tainted_found=$(echo "$x509_authorities" | jq '.[] | select(.tainted == false)') || fail-now "Non-tainted authority not found"

nonTaintedFound=$(echo "$x509Authorities" | jq '.[] | select(.tainted == false)') || fail-now "Non-tainted authority not found"

echo "$nonTaintedFound" | jq -r .asn1 | base64 -d | openssl x509 -inform der > "$agent_dir/agent/non-tainted.pem"
echo "$non_tainted_found" | jq -r .asn1 | base64 -d | openssl x509 -inform der > "$agent_dir/agent/non-tainted.pem"

RETRY_COUNT=0

Expand All @@ -45,7 +45,7 @@ check-tainted-authorities() {
break
else
RETRY_COUNT=$((RETRY_COUNT + 1))
echo "Verification failed, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
log-debug "Verification failed, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
sleep $RETRY_DELAY
fi

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,59 +8,53 @@ get-x509-authorities-count() {
docker compose exec -T $server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities | length'
}

check-log-line() {
local server=$1
local pattern=$2
docker compose logs $server | grep -qE "$pattern" || fail-now "Log line not found on $server: $pattern"
}

oldAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
old_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
/opt/spire/bin/spire-server localauthority x509 show -output json | jq .old.authority_id -r) || fail-now "Failed to get old authority"

log-debug "Old authority: $oldAuthority"
log-debug "Old authority: $old_authority"

x509AuthoritiesCount=$(get-x509-authorities-count root-server)
x509_authorities_count=$(get-x509-authorities-count root-server)

if [ $x509AuthoritiesCount -eq 2 ]; then
if [ $x509_authorities_count -eq 2 ]; then
log-debug "Two X.509 Authorities found"
else
fail-now "Expected to be two X.509 Authorities. Found $x509AuthoritiesCount."
fail-now "Expected to be two X.509 Authorities. Found $x509_authorities_count."
fi

taintedFound=$(docker compose exec -T root-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')
tainted_found=$(docker compose exec -T root-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')

if [[ -z "$taintedFound" ]]; then
if [[ -z "$tainted_found" ]]; then
fail-now "Tainted authority expected"
fi

docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
/opt/spire/bin/spire-server localauthority x509 revoke -authorityID $oldAuthority -output json || fail-now "Failed to revoke authority"
/opt/spire/bin/spire-server localauthority x509 revoke -authorityID $old_authority -output json || fail-now "Failed to revoke authority"

check-log-line root-server "X\.509 authority revoked successfully|local_authority_id=$oldAuthority"
check-log-line intermediateA-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
check-log-line intermediateB-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
check-log-line leafA-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
check-log-line leafB-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
check-log-line root-server "X\.509 authority revoked successfully|local_authority_id=$old_authority"
check-log-line intermediateA-server "X\.509 authority revoked|subject_key_id=$old_authority"
check-log-line intermediateB-server "X\.509 authority revoked|subject_key_id=$old_authority"
check-log-line leafA-server "X\.509 authority revoked|subject_key_id=$old_authority"
check-log-line leafB-server "X\.509 authority revoked|subject_key_id=$old_authority"

servers=("root-server" "intermediateA-server" "intermediateB-server" "leafA-server" "leafB-server")

for server in "${servers[@]}"; do
RETRY_COUNT=0
while [[ $RETRY_COUNT -lt $MAX_RETRIES ]]; do
retry_count=0
while [[ $retry_count -lt $MAX_RETRIES ]]; do
log-debug "Checking if X.509 Authority is revoked on $server"
x509AuthoritiesCount=$(get-x509-authorities-count $server)
x509_authorities_count=$(get-x509-authorities-count $server)

if [ $x509AuthoritiesCount -eq 1 ]; then
if [ $x509_authorities_count -eq 1 ]; then
log-debug "Revoked X.509 Authority successfully on $server"
break
else
RETRY_COUNT=$((RETRY_COUNT + 1))
echo "Revocation is not propagated on $server, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
retry_count=$((retry_count + 1))
echo "Revocation is not propagated on $server, retrying in $RETRY_DELAY seconds... ($retry_count/$MAX_RETRIES)"
sleep $RETRY_DELAY
fi

# Fail if retries exceed the maximum
if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then
if [ $retry_count -eq $MAX_RETRIES ]; then
fail-now "Revocation is not propagated on $server failed after $MAX_RETRIES attempts."
fi
done
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ validate-agent() {
docker compose exec -u 1001 -T $agent \
/opt/spire/bin/spire-agent api fetch x509 \
-socketPath /opt/spire/sockets/workload_api.sock \
-write /tmp || fail_now "x509-SVID check failed for $agent"
-write /tmp || fail-now "x509-SVID check failed for $agent"

local bundle_count=$(docker compose exec -T $agent \
openssl storeutl -noout -text -certs /tmp/bundle.0.pem | grep -c "Certificate:")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,22 +7,8 @@ docker compose exec -T spire-server \
-spiffeID "spiffe://domain.test/workload" \
-selector "unix:uid:0" \
-x509SVIDTTL 0

# Check at most 30 times (with one second in between) that the agent has
# successfully synced down the workload entry.
MAXCHECKS=30
CHECKINTERVAL=1
for ((i=1;i<=MAXCHECKS;i++)); do
log-info "checking for synced workload entry ($i of $MAXCHECKS max)..."
docker compose logs spire-agent
if docker compose logs spire-agent | grep "spiffe://domain.test/workload"; then
exit 0
fi
sleep "${CHECKINTERVAL}"
done

fail-now "timed out waiting for agent to sync down entry"
check-synced-entry "spire-agent" "spiffe://domain.test/workload"

log-info "checking X509-SVID"
docker compose exec -T spire-agent \
/opt/spire/bin/spire-agent api fetch x509 || fail-now "SVID check failed"
/opt/spire/bin/spire-agent api fetch x509 || fail-now "SVID check failed"
Original file line number Diff line number Diff line change
@@ -1,9 +1,5 @@
#!/bin/bash

# Constants
MAXCHECKS=30
RETRY_DELAY=1

# Initial check for x509 authorities in spire-server
x509_authorities=$(docker compose exec -T spire-server \
/opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities' -c)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,20 +25,20 @@ check-tainted-authorities() {
local agent=$2
local agent_dir=$3

x509Authorities=$(fetch-x509-authorities "$server")
echo "$x509Authorities" | jq '.[] | select(.tainted == true)' || fail-now "Tainted authority not found"
x509_authorities=$(fetch-x509-authorities "$server")
echo "$x509_authorities" | jq '.[] | select(.tainted == true)' || fail-now "Tainted authority not found"

RETRY_COUNT=0
retry_count=0

while [[ $RETRY_COUNT -lt $MAX_RETRIES ]]; do
while [[ $retry_count -lt $MAX_RETRIES ]]; do
verify-svid "$agent" "$agent_dir"

if [ $? -eq 0 ]; then
log-info "SVID rotated"
break
else
RETRY_COUNT=$((RETRY_COUNT + 1))
log-debug "Verification failed, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
retry_count=$((retry_count + 1))
log-debug "Verification failed, retrying in $RETRY_DELAY seconds... ($retry_count/$MAX_RETRIES)"
sleep $RETRY_DELAY
fi

Expand Down
Original file line number Diff line number Diff line change
@@ -1,38 +1,35 @@
#!/bin/bash

MAX_RETRIES=10
RETRY_DELAY=1 # seconds between retries

get-x509-authorities-count() {
local server=$1
}

oldUpstreamAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
old_upstream_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
/opt/spire/bin/spire-server \
localauthority x509 show -output json | jq -r .old.upstream_authority_subject_key_id) || fail-now "Failed to fetch old upstrem authority ID"

log-debug "Old authority: $oldUpstreamAuthority"
log-debug "Old authority: $old_upstream_authority"


x509AuthoritiesCount=$(docker compose exec -T spire-server \
x509_authorities_count=$(docker compose exec -T spire-server \
/opt/spire/bin/spire-server bundle \
show -output json | jq '.x509_authorities | length')

if [ $x509AuthoritiesCount -eq 2 ]; then
if [ $x509_authorities_count -eq 2 ]; then
log-debug "Two X.509 Authorities found"
else
fail-now "Expected to be two X.509 Authorities. Found $x509AuthoritiesCount."
fail-now "Expected to be two X.509 Authorities. Found $x509_authorities_count."
fi

taintedFound=$(docker compose exec -T spire-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')
tainted_found=$(docker compose exec -T spire-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')

if [[ -z "$taintedFound" ]]; then
if [[ -z "$tainted_found" ]]; then
fail-now "Tainted authority expected"
fi

docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
/opt/spire/bin/spire-server upstreamauthority \
revoke -subjectKeyID $oldUpstreamAuthority -output json || fail-now "Failed to revoke upstream authority"
revoke -subjectKeyID $old_upstream_authority -output json || fail-now "Failed to revoke upstream authority"

check-log-line spire-server "X\.509 upstream authority successfully revoked|subject_key_id=$oldUpstreamAuthority"
check-log-line spire-server "X\.509 upstream authority successfully revoked|subject_key_id=$old_upstream_authority"

Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
#!/bin/bash

MAX_RETRIES=10
RETRY_DELAY=2 # seconds between retries
max_retries=10
retry_delay=2 # seconds between retries

validate-agent() {
local agent=$1
local retry_count=0

while [[ $retry_count -lt $MAX_RETRIES ]]; do
while [[ $retry_count -lt $max_retries ]]; do
docker compose exec -T $agent \
/opt/spire/bin/spire-agent api fetch x509 \
-write /opt/spire/conf/agent || fail-now "x509-SVID check failed for $agent"
Expand All @@ -17,13 +17,13 @@ validate-agent() {
log-debug "Validation successful for $agent: There is exactly one certificate in the chain."
return 0
else
log-debug "Validation failed for $agent: Expected 1 certificate, but found $bundle_count. Retrying in $RETRY_DELAY seconds... ($retry_count/$MAX_RETRIES)"
log-debug "Validation failed for $agent: Expected 1 certificate, but found $bundle_count. Retrying in $retry_delay seconds... ($retry_count/$max_retries)"
fi

retry_count=$((retry_count + 1))
sleep $RETRY_DELAY
sleep $retry_delay

if [ $retry_count -eq $MAX_RETRIES ]; then
if [ $retry_count -eq $max_retries ]; then
fail-now "Validation failed for $agent: Expected 1 certificate, but found $bundle_count."
fi
done
Expand All @@ -43,12 +43,11 @@ check_ski() {
fi
}

activeUpstreamAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
active_upstream_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
/opt/spire/bin/spire-server \
localauthority x509 show -output json | jq -r .active.upstream_authority_subject_key_id) || fail-now "Failed to fetch old upstrem authority ID"

log-debug "Active upstream authority: $activeUpstreamAuthority"
log-debug "Active upstream authority: $active_upstream_authority"

validate-agent spire-agent
check_ski spire-agent "$activeUpstreamAuthority"

check_ski spire-agent "$active_upstream_authority"

0 comments on commit b22951a

Please sign in to comment.