From b22951a4b30a344eefc0ea674be6345324988ceb Mon Sep 17 00:00:00 2001
From: Marcos Yacob
Date: Sat, 28 Sep 2024 20:48:01 -0300
Subject: [PATCH] rename variables to be consistent

Signed-off-by: Marcos Yacob
---
 .../12-taint-x509authority | 16 +++----
 .../13-verify-svids-rotates | 12 ++---
 .../14-revoke-x509authority | 46 ++++++++-----------
 .../15-verify-revoked-x509authority | 2 +-
 .../04-create-workload-entry | 18 +-------
 .../06-prepare-x509-authority | 4 --
 .../09-verify-svid-rotation | 12 ++---
 .../10-revoke-upstream-authority | 21 ++++-----
 .../11-verify-revoked-upstream-authority | 19 ++++----
 9 files changed, 61 insertions(+), 89 deletions(-)

diff --git a/test/integration/suites/force-rotation-self-signed/12-taint-x509authority b/test/integration/suites/force-rotation-self-signed/12-taint-x509authority
index 679c1341d9..fca9c966c1 100755
--- a/test/integration/suites/force-rotation-self-signed/12-taint-x509authority
+++ b/test/integration/suites/force-rotation-self-signed/12-taint-x509authority
@@ -9,23 +9,23 @@ check-logs() {
 }
 # Fetch old authority ID
-oldAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
+old_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
 /opt/spire/bin/spire-server \
 localauthority x509 show -output json | jq .old.authority_id -r) || fail-now "Failed to fetch old authority ID"
 # Taint the old authority
 docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
 /opt/spire/bin/spire-server \
- localauthority x509 taint -authorityID "${oldAuthority}" || fail-now "Failed to taint old authority"
+ localauthority x509 taint -authorityID "${old_authority}" || fail-now "Failed to taint old authority"
 # Root server logs
 check-logs root-server \
- "X\.509 authority tainted successfully|local_authority_id=${oldAuthority}" \
+ "X\.509 authority tainted successfully|local_authority_id=${old_authority}" \
 "Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
 # Root agent logs
 check-logs root-agent \
- "New tainted X.509 authorities found|subject_key_ids=${oldAuthority}" \
+ "New tainted X.509 authorities found|subject_key_ids=${old_authority}" \
 "Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=3" \
 "Agent SVID is tainted by a root authority, forcing rotation"
@@ -36,7 +36,7 @@ check-logs intermediateA-server \
 "Current root CA is signed by a tainted upstream authority, preparing rotation" \
 "Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
 check-logs intermediateA-agent \
- "New tainted X\.509 authorities found|subject_key_ids=${oldAuthority}" \
+ "New tainted X\.509 authorities found|subject_key_ids=${old_authority}" \
 "Scheduled rotation for SVID entries due to tainted X.509 authorities|count=2" \
 "Agent SVID is tainted by a root authority, forcing rotation"
@@ -45,7 +45,7 @@ check-logs intermediateB-server \
 "Current root CA is signed by a tainted upstream authority, preparing rotation" \
 "Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
 check-logs intermediateB-agent \
- "New tainted X\.509 authorities found|subject_key_ids=${oldAuthority}" \
+ "New tainted X\.509 authorities found|subject_key_ids=${old_authority}" \
 "Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=2" \
 "Agent SVID is tainted by a root authority, forcing rotation"
@@ -54,7 +54,7 @@ check-logs leafA-server \
 "Current root CA is signed by a tainted upstream authority, preparing rotation" \
 "Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
 check-logs leafA-agent \
- "New tainted X.509 authorities found|subject_key_ids=${oldAuthority}" \
+ "New tainted X.509 authorities found|subject_key_ids=${old_authority}" \
 "Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=1" \
 "Agent SVID is tainted by a root authority, forcing rotation"
@@ -63,6 +63,6 @@ check-logs leafB-server \
 "Current root CA is signed by a tainted upstream authority, preparing rotation" \
 "Server SVID signed using a tainted authority, forcing rotation of the Server SVID"
 check-logs leafB-agent \
- "New tainted X.509 authorities found|subject_key_ids=${oldAuthority}" \
+ "New tainted X.509 authorities found|subject_key_ids=${old_authority}" \
 "Scheduled rotation for SVID entries due to tainted X\.509 authorities|count=1" \
 "Agent SVID is tainted by a root authority, forcing rotation"
diff --git a/test/integration/suites/force-rotation-self-signed/13-verify-svids-rotates b/test/integration/suites/force-rotation-self-signed/13-verify-svids-rotates
index 7f5410946f..31ccc5e0e0 100755
--- a/test/integration/suites/force-rotation-self-signed/13-verify-svids-rotates
+++ b/test/integration/suites/force-rotation-self-signed/13-verify-svids-rotates
@@ -27,13 +27,13 @@ check-tainted-authorities() {
 local agent=$2
 local agent_dir=$3
- x509Authorities=$(fetch-x509-authorities "$server")
+ log-debug "Checking tainted authorities for $server and $agent"
+ x509_authorities=$(fetch-x509-authorities "$server")
- taintedFound=$(echo "$x509Authorities" | jq '.[] | select(.tainted == true)') || fail-now "Tainted authority not found"
+ echo "$x509_authorities" | jq '.[] | select(.tainted == true)' || fail-now "Tainted authority not found"
+ non_tainted_found=$(echo "$x509_authorities" | jq '.[] | select(.tainted == false)') || fail-now "Non-tainted authority not found"
- nonTaintedFound=$(echo "$x509Authorities" | jq '.[] | select(.tainted == false)') || fail-now "Non-tainted authority not found"
-
- echo "$nonTaintedFound" | jq -r .asn1 | base64 -d | openssl x509 -inform der > "$agent_dir/agent/non-tainted.pem"
+ echo "$non_tainted_found" | jq -r .asn1 | base64 -d | openssl x509 -inform der > "$agent_dir/agent/non-tainted.pem"
 RETRY_COUNT=0
@@ -45,7 +45,7 @@ check-tainted-authorities() {
 break
 else
 RETRY_COUNT=$((RETRY_COUNT + 1))
- echo "Verification failed, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
+ log-debug "Verification failed, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
 sleep $RETRY_DELAY
 fi
diff --git a/test/integration/suites/force-rotation-self-signed/14-revoke-x509authority b/test/integration/suites/force-rotation-self-signed/14-revoke-x509authority
index 2ee6b4be9f..7d8aeb8d01 100755
--- a/test/integration/suites/force-rotation-self-signed/14-revoke-x509authority
+++ b/test/integration/suites/force-rotation-self-signed/14-revoke-x509authority
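Review bot: The `|| fail-now "Tainted authority not found"` on the new `echo "$x509_authorities" | jq '.[] | select(.tainted == true)'` line can never fire, because jq exits 0 when `select` matches nothing and the pipeline's status is jq's; the `non_tainted_found=$(…) || fail-now` assignment has the same hole, so an empty result flows into `base64 -d | openssl x509` and the step passes having verified nothing. `jq -e` exits 4 when no result is produced, so `echo "$x509_authorities" | jq -e '.[] | select(.tainted == true)' >/dev/null || fail-now "Tainted authority not found"` and `non_tainted_found=$(echo "$x509_authorities" | jq -e '.[] | select(.tainted == false)') || fail-now "Non-tainted authority not found"` make both checks real; 14-revoke-x509authority in this same patch instead tests `[[ -z "$tainted_found" ]]` explicitly, and either form would do. `x509_authorities=$(fetch-x509-authorities "$server")` also has no `|| fail-now`, so a failed server call takes the same silent path. check-tainted-authorities continues past the end of the hunk.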
@@ -8,59 +8,53 @@ get-x509-authorities-count() {
 docker compose exec -T $server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities | length'
 }
-check-log-line() {
- local server=$1
- local pattern=$2
- docker compose logs $server | grep -qE "$pattern" || fail-now "Log line not found on $server: $pattern"
-}
-
-oldAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
+old_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
 /opt/spire/bin/spire-server localauthority x509 show -output json | jq .old.authority_id -r) || fail-now "Failed to get old authority"
-log-debug "Old authority: $oldAuthority"
+log-debug "Old authority: $old_authority"
-x509AuthoritiesCount=$(get-x509-authorities-count root-server)
+x509_authorities_count=$(get-x509-authorities-count root-server)
-if [ $x509AuthoritiesCount -eq 2 ]; then
+if [ $x509_authorities_count -eq 2 ]; then
 log-debug "Two X.509 Authorities found"
 else
- fail-now "Expected to be two X.509 Authorities. Found $x509AuthoritiesCount."
+ fail-now "Expected to be two X.509 Authorities. Found $x509_authorities_count."
 fi
-taintedFound=$(docker compose exec -T root-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')
+tainted_found=$(docker compose exec -T root-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')
-if [[ -z "$taintedFound" ]]; then
+if [[ -z "$tainted_found" ]]; then
 fail-now "Tainted authority expected"
 fi
 docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation root-server \
- /opt/spire/bin/spire-server localauthority x509 revoke -authorityID $oldAuthority -output json || fail-now "Failed to revoke authority"
+ /opt/spire/bin/spire-server localauthority x509 revoke -authorityID $old_authority -output json || fail-now "Failed to revoke authority"
-check-log-line root-server "X\.509 authority revoked successfully|local_authority_id=$oldAuthority"
-check-log-line intermediateA-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
-check-log-line intermediateB-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
-check-log-line leafA-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
-check-log-line leafB-server "X\.509 authority revoked|subject_key_id=$oldAuthority"
+check-log-line root-server "X\.509 authority revoked successfully|local_authority_id=$old_authority"
+check-log-line intermediateA-server "X\.509 authority revoked|subject_key_id=$old_authority"
+check-log-line intermediateB-server "X\.509 authority revoked|subject_key_id=$old_authority"
+check-log-line leafA-server "X\.509 authority revoked|subject_key_id=$old_authority"
+check-log-line leafB-server "X\.509 authority revoked|subject_key_id=$old_authority"
 servers=("root-server" "intermediateA-server" "intermediateB-server" "leafA-server" "leafB-server")
 for server in "${servers[@]}"; do
- RETRY_COUNT=0
- while [[ $RETRY_COUNT -lt $MAX_RETRIES ]]; do
+ retry_count=0
+ while [[ $retry_count -lt $MAX_RETRIES ]]; do
 log-debug "Checking if X.509 Authority is revoked on $server"
- x509AuthoritiesCount=$(get-x509-authorities-count $server)
+ x509_authorities_count=$(get-x509-authorities-count $server)
- if [ $x509AuthoritiesCount -eq 1 ]; then
+ if [ $x509_authorities_count -eq 1 ]; then
 log-debug "Revoked X.509 Authority successfully on $server"
 break
 else
- RETRY_COUNT=$((RETRY_COUNT + 1))
- echo "Revocation is not propagated on $server, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
+ retry_count=$((retry_count + 1))
+ echo "Revocation is not propagated on $server, retrying in $RETRY_DELAY seconds... ($retry_count/$MAX_RETRIES)"
 sleep $RETRY_DELAY
 fi
 # Fail if retries exceed the maximum
- if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then
+ if [ $retry_count -eq $MAX_RETRIES ]; then
 fail-now "Revocation is not propagated on $server failed after $MAX_RETRIES attempts."
 fi
 done
diff --git a/test/integration/suites/force-rotation-self-signed/15-verify-revoked-x509authority b/test/integration/suites/force-rotation-self-signed/15-verify-revoked-x509authority
index 855edf047c..58aee486c6 100755
--- a/test/integration/suites/force-rotation-self-signed/15-verify-revoked-x509authority
+++ b/test/integration/suites/force-rotation-self-signed/15-verify-revoked-x509authority
@@ -16,7 +16,7 @@ validate-agent() {
 docker compose exec -u 1001 -T $agent \
 /opt/spire/bin/spire-agent api fetch x509 \
 -socketPath /opt/spire/sockets/workload_api.sock \
- -write /tmp || fail_now "x509-SVID check failed for $agent"
+ -write /tmp || fail-now "x509-SVID check failed for $agent"
 local bundle_count=$(docker compose exec -T $agent \
 openssl storeutl -noout -text -certs /tmp/bundle.0.pem | grep -c "Certificate:")
diff --git a/test/integration/suites/force-rotation-upstream-authority/04-create-workload-entry b/test/integration/suites/force-rotation-upstream-authority/04-create-workload-entry
index f0d56b7e66..661c0ea6d8 100755
--- a/test/integration/suites/force-rotation-upstream-authority/04-create-workload-entry
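Review bot: `old_authority` is never validated before it reaches `localauthority x509 revoke -authorityID $old_authority`; the `|| fail-now` on the assignment only reflects jq's exit status, and `jq .old.authority_id -r` prints `null` (or nothing on empty input) rather than failing when there is no old authority, so a bad value is passed to revoke unquoted and the five `check-log-line` patterns collapse to `subject_key_id=null` or `subject_key_id=`. Add `[[ -n "$old_authority" && "$old_authority" != "null" ]] || fail-now "No old authority to revoke"` after the assignment and quote the argument as `-authorityID "$old_authority"`, which is how 12-taint-x509authority in this same patch passes it. The hunk also deletes the file-local `check-log-line` while still calling it five times, so the name is presumably now supplied by the suite's shared helpers — worth confirming, since the script would otherwise fail at the first call.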
+++ b/test/integration/suites/force-rotation-upstream-authority/04-create-workload-entry
@@ -7,22 +7,8 @@ docker compose exec -T spire-server \
 -spiffeID "spiffe://domain.test/workload" \
 -selector "unix:uid:0" \
 -x509SVIDTTL 0
-
-# Check at most 30 times (with one second in between) that the agent has
-# successfully synced down the workload entry.
-MAXCHECKS=30
-CHECKINTERVAL=1
-for ((i=1;i<=MAXCHECKS;i++)); do
- log-info "checking for synced workload entry ($i of $MAXCHECKS max)..."
- docker compose logs spire-agent
- if docker compose logs spire-agent | grep "spiffe://domain.test/workload"; then
- exit 0
- fi
- sleep "${CHECKINTERVAL}"
-done
-
-fail-now "timed out waiting for agent to sync down entry"
+check-synced-entry "spire-agent" "spiffe://domain.test/workload"
 log-info "checking X509-SVID"
 docker compose exec -T spire-agent \
- /opt/spire/bin/spire-agent api fetch x509 || fail-now "SVID check failed"
\ No newline at end of file
+ /opt/spire/bin/spire-agent api fetch x509 || fail-now "SVID check failed"
diff --git a/test/integration/suites/force-rotation-upstream-authority/06-prepare-x509-authority b/test/integration/suites/force-rotation-upstream-authority/06-prepare-x509-authority
index b394569af9..ca93138840 100755
--- a/test/integration/suites/force-rotation-upstream-authority/06-prepare-x509-authority
+++ b/test/integration/suites/force-rotation-upstream-authority/06-prepare-x509-authority
@@ -1,9 +1,5 @@
 #!/bin/bash
-# Constants
-MAXCHECKS=30
-RETRY_DELAY=1
-
 # Initial check for x509 authorities in spire-server
 x509_authorities=$(docker compose exec -T spire-server \
 /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities' -c)
diff --git a/test/integration/suites/force-rotation-upstream-authority/09-verify-svid-rotation b/test/integration/suites/force-rotation-upstream-authority/09-verify-svid-rotation
index d71e9a9b26..c85536ba31 100755
--- a/test/integration/suites/force-rotation-upstream-authority/09-verify-svid-rotation
+++ b/test/integration/suites/force-rotation-upstream-authority/09-verify-svid-rotation
@@ -25,20 +25,20 @@ check-tainted-authorities() {
 local agent=$2
 local agent_dir=$3
- x509Authorities=$(fetch-x509-authorities "$server")
- echo "$x509Authorities" | jq '.[] | select(.tainted == true)' || fail-now "Tainted authority not found"
+ x509_authorities=$(fetch-x509-authorities "$server")
+ echo "$x509_authorities" | jq '.[] | select(.tainted == true)' || fail-now "Tainted authority not found"
- RETRY_COUNT=0
+ retry_count=0
- while [[ $RETRY_COUNT -lt $MAX_RETRIES ]]; do
+ while [[ $retry_count -lt $MAX_RETRIES ]]; do
 verify-svid "$agent" "$agent_dir"
 if [ $? -eq 0 ]; then
 log-info "SVID rotated"
 break
 else
- RETRY_COUNT=$((RETRY_COUNT + 1))
- log-debug "Verification failed, retrying in $RETRY_DELAY seconds... ($RETRY_COUNT/$MAX_RETRIES)"
+ retry_count=$((retry_count + 1))
+ log-debug "Verification failed, retrying in $RETRY_DELAY seconds... ($retry_count/$MAX_RETRIES)"
 sleep $RETRY_DELAY
 fi
diff --git a/test/integration/suites/force-rotation-upstream-authority/10-revoke-upstream-authority b/test/integration/suites/force-rotation-upstream-authority/10-revoke-upstream-authority
index 1966337880..4262106736 100755
--- a/test/integration/suites/force-rotation-upstream-authority/10-revoke-upstream-authority
+++ b/test/integration/suites/force-rotation-upstream-authority/10-revoke-upstream-authority
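Review bot: The `|| fail-now "Tainted authority not found"` after the new `echo "$x509_authorities" | jq '.[] | select(.tainted == true)'` line cannot trigger: jq exits 0 when `select` yields nothing, so this precondition passes even when no authority is tainted and the loop below then burns `MAX_RETRIES` waiting for a rotation that was never scheduled. `jq -e` exits 4 when no result is produced, so `echo "$x509_authorities" | jq -e '.[] | select(.tainted == true)' >/dev/null || fail-now "Tainted authority not found"` turns it into a real check; `x509_authorities=$(fetch-x509-authorities "$server")` deserves its own `|| fail-now` for the same reason. The `verify-svid "$agent" "$agent_dir"` / `if [ $? -eq 0 ]; then` pair is the same test as `if verify-svid "$agent" "$agent_dir"; then` without the intervening `$?`. The loop's `done` and the remainder of check-tainted-authorities lie outside the hunk.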
@@ -1,38 +1,35 @@
 #!/bin/bash
-MAX_RETRIES=10
-RETRY_DELAY=1 # seconds between retries
-
 get-x509-authorities-count() {
 local server=$1
 }
-oldUpstreamAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
+old_upstream_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
 /opt/spire/bin/spire-server \
 localauthority x509 show -output json | jq -r .old.upstream_authority_subject_key_id) || fail-now "Failed to fetch old upstrem authority ID"
-log-debug "Old authority: $oldUpstreamAuthority"
+log-debug "Old authority: $old_upstream_authority"
-x509AuthoritiesCount=$(docker compose exec -T spire-server \
+x509_authorities_count=$(docker compose exec -T spire-server \
 /opt/spire/bin/spire-server bundle \
 show -output json | jq '.x509_authorities | length')
-if [ $x509AuthoritiesCount -eq 2 ]; then
+if [ $x509_authorities_count -eq 2 ]; then
 log-debug "Two X.509 Authorities found"
 else
- fail-now "Expected to be two X.509 Authorities. Found $x509AuthoritiesCount."
+ fail-now "Expected to be two X.509 Authorities. Found $x509_authorities_count."
 fi
-taintedFound=$(docker compose exec -T spire-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')
+tainted_found=$(docker compose exec -T spire-server /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities[] | select(.tainted == true)')
-if [[ -z "$taintedFound" ]]; then
+if [[ -z "$tainted_found" ]]; then
 fail-now "Tainted authority expected"
 fi
 docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
 /opt/spire/bin/spire-server upstreamauthority \
- revoke -subjectKeyID $oldUpstreamAuthority -output json || fail-now "Failed to revoke upstream authority"
+ revoke -subjectKeyID $old_upstream_authority -output json || fail-now "Failed to revoke upstream authority"
-check-log-line spire-server "X\.509 upstream authority successfully revoked|subject_key_id=$oldUpstreamAuthority"
+check-log-line spire-server "X\.509 upstream authority successfully revoked|subject_key_id=$old_upstream_authority"
diff --git a/test/integration/suites/force-rotation-upstream-authority/11-verify-revoked-upstream-authority b/test/integration/suites/force-rotation-upstream-authority/11-verify-revoked-upstream-authority
index 9a81a63746..3419ad430f 100755
--- a/test/integration/suites/force-rotation-upstream-authority/11-verify-revoked-upstream-authority
+++ b/test/integration/suites/force-rotation-upstream-authority/11-verify-revoked-upstream-authority
@@ -1,13 +1,13 @@
 #!/bin/bash
-MAX_RETRIES=10
-RETRY_DELAY=2 # seconds between retries
+max_retries=10
+retry_delay=2 # seconds between retries
 validate-agent() {
 local agent=$1
 local retry_count=0
- while [[ $retry_count -lt $MAX_RETRIES ]]; do
+ while [[ $retry_count -lt $max_retries ]]; do
 docker compose exec -T $agent \
 /opt/spire/bin/spire-agent api fetch x509 \
 -write /opt/spire/conf/agent || fail-now "x509-SVID check failed for $agent"
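Review bot: `get-x509-authorities-count` in the context lines at the top of this hunk consists of nothing but `local server=$1` and is never called; the count is computed inline a few lines down by `x509_authorities_count=$(docker compose exec -T spire-server … | jq '.x509_authorities | length')` (if a body line was lost in rendering, disregard). Either delete the stub or give it the body its namesake has in 14-revoke-x509authority — `docker compose exec -T "$server" /opt/spire/bin/spire-server bundle show -output json | jq '.x509_authorities | length'` — and call it, so the two suites stay parallel, which is what this rename patch is after. The `|| fail-now "Failed to fetch old upstrem authority ID"` on the context line misspells upstream, and `-subjectKeyID $old_upstream_authority` is unquoted while every other ID in the patch is quoted; `-subjectKeyID "$old_upstream_authority"` keeps it consistent.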
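Review bot: `max_retries=10` and `retry_delay=2` are lower-cased here, while the sibling scripts touched in this same patch (09-verify-svid-rotation, 13-verify-svids-rotates, 14-revoke-x509authority) read `MAX_RETRIES` / `RETRY_DELAY` and 10-revoke-upstream-authority just deleted its own copies, presumably to inherit shared upper-case ones; for a patch titled "rename variables to be consistent" that leaves both conventions side by side. Keep script-level constants upper-case and read-only — `readonly MAX_RETRIES=10` and `readonly RETRY_DELAY=2 # seconds between retries` — with lower_snake_case reserved for locals like `retry_count`, or drop them as 10 did if the suite's setup already exports them. validate-agent's body continues into the next hunk.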
@@ -17,13 +17,13 @@ validate-agent() {
 log-debug "Validation successful for $agent: There is exactly one certificate in the chain."
 return 0
 else
- log-debug "Validation failed for $agent: Expected 1 certificate, but found $bundle_count. Retrying in $RETRY_DELAY seconds... ($retry_count/$MAX_RETRIES)"
+ log-debug "Validation failed for $agent: Expected 1 certificate, but found $bundle_count. Retrying in $retry_delay seconds... ($retry_count/$max_retries)"
 fi
 retry_count=$((retry_count + 1))
- sleep $RETRY_DELAY
+ sleep $retry_delay
- if [ $retry_count -eq $MAX_RETRIES ]; then
+ if [ $retry_count -eq $max_retries ]; then
 fail-now "Validation failed for $agent: Expected 1 certificate, but found $bundle_count."
 fi
 done
@@ -43,12 +43,11 @@ check_ski() {
 fi
 }
-activeUpstreamAuthority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
+active_upstream_authority=$(docker compose exec -T -e SPIRE_SERVER_FFLAGS=forced_rotation spire-server \
 /opt/spire/bin/spire-server \
 localauthority x509 show -output json | jq -r .active.upstream_authority_subject_key_id) || fail-now "Failed to fetch old upstrem authority ID"
-log-debug "Active upstream authority: $activeUpstreamAuthority"
+log-debug "Active upstream authority: $active_upstream_authority"
 validate-agent spire-agent
-check_ski spire-agent "$activeUpstreamAuthority"
-
+check_ski spire-agent "$active_upstream_authority"
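Review bot: The `|| fail-now "Failed to fetch old upstrem authority ID"` attached to the new `active_upstream_authority=$(…)` assignment was copied from 10-revoke-upstream-authority: this fetch reads `.active.upstream_authority_subject_key_id`, so the message names the wrong field and misspells upstream, which will mislead whoever reads a failing run; change it to `|| fail-now "Failed to fetch active upstream authority ID"`. That `||` also only sees jq's exit status, and `jq -r` prints `null` for a missing field, so `check_ski spire-agent "$active_upstream_authority"` can be handed the literal string `null` and compare SKIs against it; a `[[ -n "$active_upstream_authority" && "$active_upstream_authority" != "null" ]] || fail-now "No active upstream authority"` guard before `validate-agent spire-agent` closes that. `check_ski` is also the only underscore-named helper beside `validate-agent`, `check-log-line` and `fail-now`; renaming it `check-ski` belongs in a patch whose purpose is naming consistency. check_ski's definition begins before the second hunk.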