MCO-2110: Migrate security tests

Author: sergiordlr

cmd/machine-config-tests-ext/main.go

@@ -41,15 +41,6 @@ func applyLabelFilters(specs et.ExtensionTestSpecs) {
 			}
 		}
 	})
-
-	// Exclude tests with "Exclude:REASON" labels
-	specs.Walk(func(spec *et.ExtensionTestSpec) {
-		for label := range spec.Labels {
-			if strings.HasPrefix(label, "Exclude:") {
-				spec.Exclude("true")
-			}
-		}
-	})
 }
 
 func main() {
@@ -92,6 +83,12 @@ func main() {
 		panic(fmt.Sprintf("couldn't build extension test specs from ginkgo: %+v", err.Error()))
 	}
 
+	// Exclude tests with "Exclude:REASON" labels
+	specs = specs.MustFilter([]string{
+		`!labels.exists(l, l.startsWith("Exclude:"))`,
+	})
+
+	// Configure environment flags filters
 	applyLabelFilters(specs)
 
 	ext.AddSpecs(specs)

test/extended-priv/configmap.go

@@ -6,6 +6,7 @@ import (
 
 	o "github.com/onsi/gomega"
 	exutil "github.com/openshift/machine-config-operator/test/extended-priv/util"
+	logger "github.com/openshift/machine-config-operator/test/extended-priv/util/logext"
 )
 
 // ConfigMap struct encapsulates the functionalities regarding ocp configmaps
@@ -28,7 +29,23 @@ func NewConfigMapList(oc *exutil.CLI, namespace string) *ConfigMapList {
 	return &ConfigMapList{ResourceList: *NewNamespacedResourceList(oc, "ConfigMap", namespace)}
 }
 
-// GetDataValue returns the value of a specific key in the .data field
+// HasKey returns if a key is present in "data"
+func (cm *ConfigMap) HasKey(key string) (string, bool, error) {
+	dataMap, err := cm.GetDataMap()
+
+	if err != nil {
+		return "", false, err
+	}
+
+	data, ok := dataMap[key]
+	if !ok {
+		return "", false, nil
+	}
+
+	return data, true, nil
+}
+
+// GetDataValue return the value of a key stored in "data".
 func (cm *ConfigMap) GetDataValue(key string) (string, error) {
 	// We cant use the "resource.Get" method, because exutil.client will trim the output, removing spaces and newlines that could be important in a configuration.
 	dataMap, err := cm.GetDataMap()
@@ -44,6 +61,7 @@ func (cm *ConfigMap) GetDataValue(key string) (string, error) {
 	}
 
 	return data, nil
+
 }
 
 // GetDataMap returns the valus in the .data field as a map[string][string]
@@ -61,7 +79,7 @@ func (cm *ConfigMap) GetDataMap() (map[string]string, error) {
 	return data, nil
 }
 
-// GetDataValueOrFail returns the value of a specific key in the .data field and fails the test if any error happens
+// GetDataValueOrFail return the value of a key stored in "data" and fails the test if the value cannot be retreived. If the "key" does not exist, it returns an empty string but does not fail
 func (cm *ConfigMap) GetDataValueOrFail(key string) string {
 	value, err := cm.GetDataValue(key)
 	o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred(),
@@ -71,6 +89,52 @@ func (cm *ConfigMap) GetDataValueOrFail(key string) string {
 	return value
 }
 
+// SetData update the configmap with the given values. Same as "oc set data cm/..."
+func (cm *ConfigMap) SetData(arg string, args ...string) error {
+	params := []string{"data"}
+	params = append(params, cm.Resource.getCommonParams()...)
+	params = append(params, arg)
+	if len(args) > 0 {
+		params = append(params, args...)
+	}
+
+	return cm.Resource.oc.WithoutNamespace().Run("set").Args(params...).Execute()
+}
+
+// RemoveDataKey removes a key from the configmap data values
+func (cm *ConfigMap) RemoveDataKey(key string) error {
+	return cm.Patch("json", `[{"op": "remove", "path": "/data/`+key+`"}]`)
+}
+
+// CreateConfigMapWithRandomCert creates a configmap that stores a random CA in it
+func CreateConfigMapWithRandomCert(oc *exutil.CLI, cmNamespace, cmName, certKey string) (*ConfigMap, error) {
+	_, caPath, err := createCA(createTmpDir(), certKey)
+	if err != nil {
+		return nil, err
+	}
+
+	err = oc.WithoutNamespace().Run("create").Args("cm", "-n", cmNamespace, cmName, "--from-file", caPath).Execute()
+
+	if err != nil {
+		return nil, err
+	}
+
+	return NewConfigMap(oc, cmNamespace, cmName), nil
+}
+
+// GetCloudProviderConfigMap will return the CloudProviderConfigMap or nil if it is not defined in the infrastructure resource
+func GetCloudProviderConfigMap(oc *exutil.CLI) *ConfigMap {
+	infra := NewResource(oc, "infrastructure", "cluster")
+	cmName := infra.GetOrFail(`{.spec.cloudConfig.name}`)
+
+	if cmName == "" {
+		logger.Infof("CloudProviderConfig ConfigMap is not defined in the infrastructure resource: %s", infra.PrettyString())
+		return nil
+	}
+
+	return NewConfigMap(oc, "openshift-config", cmName)
+}
+
 // GetAll returns a []*ConfigMap list with all existing pinnedimageset sorted by creation timestamp
 func (cml *ConfigMapList) GetAll() ([]*ConfigMap, error) {
 	cml.ResourceList.SortByTimestamp()

test/extended-priv/const.go

@@ -60,6 +60,17 @@ const (
 	// ExtensionsChangeIncWait extra minutes that MCPs will wait per node if we change the extensions in a configuration
 	ExtensionsChangeIncWait = 5
 
+	// ImageRegistryCertificatesDir is the path were the image registry certificates will be stored in a node. Example: /etc/docker/certs.d/mycertname/ca.crt
+	ImageRegistryCertificatesDir = "/etc/docker/certs.d"
+
+	// ImageRegistryCertificatesFileName is the name of the image registry certificates. Example: /etc/docker/certs.d/mycertname/ca.crt
+	ImageRegistryCertificatesFileName = "ca.crt"
+
+	// SecurePort is the tls secured port to serve ignition configs
+	IgnitionSecurePort = 22623
+	// InsecurePort is the port to serve ignition configs w/o tls
+	IgnitionInsecurePort = 22624
+
 	// MachineAPINamespace is the MachineAPI namespace
 	MachineAPINamespace = "openshift-machine-api"
 
@@ -87,6 +98,8 @@ const (
 	BusyBoxImage = "quay.io/openshifttest/busybox@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
 	// AlpineImage the multiplatform alpine image stored in openshifttest
 	AlpineImage = "quay.io/openshifttest/alpine@sha256:dc1536cbff0ba235d4219462aeccd4caceab9def96ae8064257d049166890083"
+	// TestSSLImage the testssl image stored in openshiftest
+	TestSSLImage = "quay.io/openshifttest/testssl@sha256:ad6fb8002cb9cfce3ddc8829fd6e7e0d997aeb1faf972650f3e5d7603f90c6ef"
 
 	// Constants for NodeDisruptionPolicy
 	NodeDisruptionPolicyActionNone         = "None"
@@ -107,4 +120,13 @@ const (
 	SkewEnforcementAutomaticMode = "Automatic"
 	// SkewEnforcementNoneMode indicates boot image skew enforcement is disabled
 	SkewEnforcementNoneMode = "None"
+
+	// MachineConfigServer mcs container name
+	MachineConfigServer = "machine-config-server"
+
+	// TLS Security Version
+	VersionTLS10 = 0x0301
+	VersionTLS11 = 0x0302
+	VersionTLS12 = 0x0303
+	VersionTLS13 = 0x0304
 )

test/extended-priv/controllerconfig.go

@@ -0,0 +1,177 @@
+package extended
+
+import (
+	"encoding/json"
+	"fmt"
+
+	b64 "encoding/base64"
+
+	exutil "github.com/openshift/machine-config-operator/test/extended-priv/util"
+	logger "github.com/openshift/machine-config-operator/test/extended-priv/util/logext"
+	"github.com/tidwall/gjson"
+)
+
+// ControllerConfig struct is used to handle ControllerConfig resources in OCP
+type ControllerConfig struct {
+	Resource
+}
+
+// CertificateInfo stores the information regarding a given certificate
+type CertificateInfo struct {
+	// subject is the cert subject
+	Subject string `json:"subject"`
+
+	// signer is the  cert Issuer
+	Signer string `json:"signer"`
+
+	// Date fields have been temporarily removed by devs:  https://github.com/openshift/machine-config-operator/pull/3866
+	// notBefore is the lower boundary for validity
+	NotBefore string `json:"notBefore"`
+
+	// notAfter is the upper boundary for validity
+	NotAfter string `json:"notAfter"`
+
+	// bundleFile is the larger bundle a cert comes from
+	BundleFile string `json:"bundleFile"`
+}
+
+// NewControllerConfig create a ControllerConfig struct
+func NewControllerConfig(oc *exutil.CLI, name string) *ControllerConfig {
+	return &ControllerConfig{Resource: *NewResource(oc, "ControllerConfig", name)}
+}
+
+// GetKubeAPIServerServingCAData return the base64 decoded value of the kubeAPIServerServingCAData bundle stored in the ControllerConfig
+func (cc *ControllerConfig) GetKubeAPIServerServingCAData() (string, error) {
+	b64KubeAPIServerServingData, err := cc.Get(`{.spec.kubeAPIServerServingCAData}`)
+	if err != nil {
+		return "", err
+	}
+
+	kubeAPIServerServingCAData, err := b64.StdEncoding.DecodeString(b64KubeAPIServerServingData)
+	if err != nil {
+		return "", err
+	}
+	return string(kubeAPIServerServingCAData), err
+}
+
+// GetRootCAData return the base64 decoded value of the rootCA bundle stored in the ControllerConfig
+func (cc *ControllerConfig) GetRootCAData() (string, error) {
+	b64RootCAData, err := cc.Get(`{.spec.rootCAData}`)
+	if err != nil {
+		return "", err
+	}
+
+	rootCAData, err := b64.StdEncoding.DecodeString(b64RootCAData)
+	if err != nil {
+		return "", err
+	}
+	return string(rootCAData), err
+}
+
+// GetImageRegistryBundleData returns a map[string]string containing the filenames and values of the image registry bundle data
+func (cc *ControllerConfig) GetImageRegistryBundleData() (map[string]string, error) {
+	return cc.GetImageRegistryBundle("imageRegistryBundleData")
+}
+
+// GetImageRegistryBundleUserData returns a map[string]string containing the filenames and values of the image registry bundle user data
+func (cc *ControllerConfig) GetImageRegistryBundleUserData() (map[string]string, error) {
+	return cc.GetImageRegistryBundle("imageRegistryBundleUserData")
+}
+
+// GetImageRegistryBundle returns a map[string]string containing the filenames and values of the image registry certificates in a Bundle field
+func (cc *ControllerConfig) GetImageRegistryBundle(bundleField string) (map[string]string, error) {
+	certs := map[string]string{}
+
+	bundleData, err := cc.Get(`{.spec.` + bundleField + `}`)
+	if err != nil {
+		return nil, err
+	}
+
+	parsedBundleData := gjson.Parse(bundleData)
+
+	var b64Err error
+	parsedBundleData.ForEach(func(_, item gjson.Result) bool {
+		file := item.Get("file").String()
+		data64 := item.Get("data").String()
+
+		data, b64Err := b64.StdEncoding.DecodeString(data64)
+		if err != nil {
+			logger.Infof("Error decoding data for image registry bundle file %s: %s", file, b64Err)
+			return false // stop iterating
+		}
+
+		certs[file] = string(data)
+		return true // keep iterating
+	})
+	if b64Err != nil {
+		return nil, b64Err
+	}
+
+	return certs, nil
+}
+
+// GetImageRegistryBundleByFileName returns the image registry bundle searching by bundle filename
+func (cc *ControllerConfig) GetImageRegistryBundleDataByFileName(fileName string) (string, error) {
+	certs, err := cc.GetImageRegistryBundleData()
+	if err != nil {
+		return "", err
+	}
+
+	data, ok := certs[fileName]
+	if !ok {
+		return "", fmt.Errorf("There is no image registry bundle with file name %s", fileName)
+	}
+
+	return data, nil
+}
+
+// GetImageRegistryUserBundleByFileName returns the image registry bundle searching by bundle filename
+func (cc *ControllerConfig) GetImageRegistryBundleUserDataByFileName(fileName string) (string, error) {
+	certs, err := cc.GetImageRegistryBundleUserData()
+	if err != nil {
+		return "", err
+	}
+
+	data, ok := certs[fileName]
+	if !ok {
+		return "", fmt.Errorf("There is no image registry bundle with file name %s", fileName)
+	}
+
+	return data, nil
+}
+
+// Returns a list of CertificateInfo structs with the information of all the certificates tracked by ControllerConfig
+func (cc *ControllerConfig) GetCertificatesInfo() ([]CertificateInfo, error) {
+	certsInfoString := cc.GetOrFail(`{.status.controllerCertificates}`)
+
+	logger.Debugf("CERTIFICATES: %s", certsInfoString)
+
+	var certsInfo []CertificateInfo
+
+	jsonerr := json.Unmarshal([]byte(certsInfoString), &certsInfo)
+
+	if jsonerr != nil {
+		return nil, jsonerr
+	}
+
+	return certsInfo, nil
+}
+
+func (cc *ControllerConfig) GetCertificatesInfoByBundleFileName(bundleFile string) ([]CertificateInfo, error) {
+
+	var certsInfo []CertificateInfo
+
+	allCertsInfo, err := cc.GetCertificatesInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, ciLoop := range allCertsInfo {
+		ci := ciLoop
+		if ci.BundleFile == bundleFile {
+			certsInfo = append(certsInfo, ci)
+		}
+	}
+
+	return certsInfo, nil
+}