Merge pull request #5 from siemens/docker-entrypoint

ralienpp · web-flow · commit 9cc43fb2c321 · 2025-04-22T16:07:42.000+02:00
Add Docker entrypoint
diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml
@@ -1,10 +1,12 @@
-# SPDX-FileCopyrightText: Copyright 2024 Siemens AG
+# SPDX-FileCopyrightText: Copyright 2025 Siemens AG
 #
 # SPDX-License-Identifier: Apache-2.0
 
 # This produces base image that contains the dependencies required for the test
 # suite, including the build environment for liboqs; and a dev image, which is
-# used to run code quality checks in the CI pipeline
+# used to run code quality checks in the CI pipeline. It also builds the
+# production image, which is meant to be invoked by end-users who want to test
+# their CAs.
 
 name: Build and push base docker images
 
@@ -50,9 +52,12 @@ jobs:
             -f data/dockerfiles/Dockerfile.dev .
 
       - name: Build and push the production test suite Docker image
+      # This one is meant to be directly invoked by end-users who don't want to get into the details
+      # of how the test suite works, they just want to run it to test their CA. For their convenience,
+      # we give it a short name, to be invoked as `docker run --rm -it ghcr.io/siemens/cmp-test`
         run: |
           docker buildx build \
-            --tag ghcr.io/${{ github.repository_owner }}/cmp-test-prod:latest \
+            --tag ghcr.io/${{ github.repository_owner }}/cmp-test:latest \
             --build-arg BASE_IMAGE=ghcr.io/${{ github.repository_owner }}/cmp-test-base:latest \
             --push \
             -f data/dockerfiles/Dockerfile.tests .
diff --git a/.github/workflows/check_quality.yml b/.github/workflows/check_quality.yml
@@ -43,7 +43,9 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: RobotFramework style check
-        run: robocop --report rules_by_error_type
+        run: robocop check
+    # We haven't settled on a style for RobotFramework yet, enforce check when consensus is reached
+    continue-on-error: true
 
   spelling_check:
     runs-on: ubuntu-22.04
diff --git a/data/dockerfiles/Dockerfile.tests b/data/dockerfiles/Dockerfile.tests
@@ -14,6 +14,7 @@ WORKDIR /app
 
 COPY . /app
 
-# TODO: Devise a procedure to make it easy to add user-specific tests that will
-#       be executed along with the basic ones.
-CMD ["sh", "-c", "robot --pythonpath=./ --outputdir=reports/ scripts/smoke.robot"]
+# Run the entry point script, it takes care of command line argument parsing and
+# displaying documentation.
+ENTRYPOINT ["scripts/docker_entrypoint.py"]
+CMD ["--smoke"]
diff --git a/mock_ca/ca_handler.py b/mock_ca/ca_handler.py
@@ -434,7 +434,7 @@ def handle_issuing() -> bytes:
         data = request.get_data()
         pki_message, _rest = decoder.decode(data, asn1Spec=rfc9480.PKIMessage())
         pki_message = handler.process_normal_request(pki_message)
-        logging.warning(f"Response: %s", pki_message.prettyPrint())
+        logging.warning("Response: %s", pki_message.prettyPrint())
         response_data = encoder.encode(pki_message)
         return Response(response_data, content_type="application/octet-stream")
     except Exception as e:
diff --git a/readme.md b/readme.md
@@ -25,8 +25,18 @@ the server and how the responses were processed.
 
 The [contribution guidelines](CONTRIBUTING.md) explain how to contribute to the project.
 
+# Quick start with Docker
+On a system where [Docker is available](https://docs.docker.com/engine/install/), the easiest way to run the test suite is `docker run --rm -it ghcr.io/siemens/cmp-test`. This will invoke a smoke test just to confirm that the basics are in place. Add `--help` to learn about what other commands are available.
 
-# Configuration
+To run a minimal test against an actual CA, try `docker run --rm -it ghcr.io/siemens/cmp-test --minimal http://example.com --ephemeral` (replace the URL with your CMP endpoint).
+
+A thorough evaluation that covers all the features of CMP requires a configuration file, where you specify preshared passwords, keys, algorithms to use, etc. (see `--customconfig` for details).
+
+
+# Advanced usage
+While the Docker-based approach makes it easy to get started, it essentially treats the test suite as a black box. However, if you want to customize, extend or debug it, it is necessary to dive deeper and understand how it works "under the hood".
+
+## Configuration
 Create a Python virtual environment by installing the dependencies from `requirements.txt`:
 
 1. Create a virtual environment: `python -m venv venv-cmp-tests`
@@ -38,12 +48,12 @@ Create a Python virtual environment by installing the dependencies from `require
 
 
 
-# Usage
+## Usage
 1. Adjust the settings in the `config/local.robot` file to match your environment.
 2. Run `robot --variable environment:local tests` to run everything in `tests/` against the `local` environment.
 3. Explore `report.html` to see the results.
 
-## Advanced usage examples
+## Additional RobotFramework commands
 You can run specific tests on specific environments by adjusting command line options. Consider this example:
 `robot --outputdir=out --variable environment:cloudpki --include crypto tests`
 
diff --git a/scripts/docker_entrypoint.py b/scripts/docker_entrypoint.py
@@ -0,0 +1,236 @@
+#!/bin/python3
+
+# SPDX-FileCopyrightText: Copyright 2025 Siemens AG
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# pylint: disable=invalid-name
+
+"""Entry point script for running the CMP test suite in a Docker container.
+
+It aims to simplify the user experience, by exposing a minimal command line interface
+for doing simple things (e.g., run smoke tests), while also allowing complex use cases,
+when necessary (e.g., run all tests with a custom configuration).
+"""
+
+import argparse
+import logging
+import os
+import subprocess
+import sys
+from pathlib import Path
+from urllib.parse import urlparse
+
+log = logging.getLogger("cmptest")
+
+
+def valid_url(arg):
+    """Check whether the given URL is valid."""
+    url = urlparse(arg)
+    if all((url.scheme, url.netloc)):
+        return arg
+    raise argparse.ArgumentTypeError("Invalid URL")
+
+
+def run_robot_command(command, verbose=False):
+    """Run the robot command and return its exit code."""
+    if verbose:
+        log.info("Run: %s", command)
+    try:
+        with subprocess.Popen(
+            command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True
+        ) as process:
+            # Stream output in real-time
+            while True:
+                stdout_line = process.stdout.readline()
+                stderr_line = process.stderr.readline()
+
+                if stdout_line:
+                    log.info(stdout_line.strip())
+                if stderr_line:
+                    log.error(stderr_line.strip())
+
+                if not stdout_line and not stderr_line and process.poll() is not None:
+                    break
+
+            exit_code = process.poll()
+            log.info("Command completed with exit code: %s", exit_code)
+            return exit_code
+    except OSError as e:
+        log.error("Error executing command: %s", e)
+        return 1
+
+
+class CustomConfigAction(argparse.Action):
+    """
+    Custom argparse action to handle the --customconfig argument.
+
+    Distinguishes between explicit usage (with or without a value) and complete omission of the argument.
+    """
+
+    def __call__(self, parser, namespace, values, option_string=None):  # noqa: D102 no docstring
+        setattr(namespace, self.dest, values if values else Path("config/"))
+        setattr(namespace, f"{self.dest}_explicit", True)
+
+
+def prepare_parser():
+    """Parse command line arguments."""
+    parser = argparse.ArgumentParser(
+        description="CMP test suite tool",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""Examples of usage, assume the docker image is called `image`:
+
+1. Default behavior (no additional arguments):
+   docker run --rm -it ghcr.io/siemens/cmp-test
+   Executes: robot --pythonpath=./ --outputdir=/report --include smoke scripts/smoke.robot tests/
+   Does not require any configuration, runs the smoke test and any other test with the `smoke` tag.
+
+2. Passing a minimal URL:
+   docker run --rm -it ghcr.io/siemens/cmp-test --minimal http://example.com
+   Executes: robot --pythonpath=./ --outputdir=/report --include minimal --variable SERVER_URL:http://example.com tests/
+   Runs only tests tagged `minimal`, which only require the server's address and nothing else.
+
+3. Using a custom configuration:
+   docker run --rm -it ghcr.io/siemens/cmp-test -v ./reports:/report -v ./config:/config image --customconfig
+   Runs all tests with the custom configuration given in a directory mounted to config/, will save reports to /reports.
+
+4. Passing arbitrary arguments to robot (note the `--`):
+   docker run --rm -it ghcr.io/siemens/cmp-test --minimal http://example.com -- --dryrun
+   Runs: robot --pythonpath=./ --outputdir=/report --include minimal --variable SERVER_URL:http://example.com tests/ \
+    --dryrun
+""",
+    )
+
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument("--smoke", action="store_true", help="Run smoke tests that don't require any configuration")
+    group.add_argument("--minimal", help="Run tests that only need a CMP URL endpoint", type=valid_url, metavar="URL")
+    group.add_argument(
+        "--customconfig",
+        help="Use custom configuration directory and run all tests",
+        type=Path,
+        nargs="?",
+        default=Path("config/"),
+        metavar="DIR",
+        action=CustomConfigAction,
+    )
+    parser.add_argument("--tags", help="Run only tests with the given tags", type=str, nargs="+", default=[])
+    parser.add_argument(
+        "--ephemeral",
+        help="Discard the detailed report generated by the test suite, the results printed on the screen are enough",
+        action="store_true",
+        default=False,
+    )
+    parser.add_argument(
+        "--verbose", help="Display additional debugging information", action="store_true", default=False
+    )
+
+    parser.add_argument(
+        "robot_args", nargs=argparse.REMAINDER, help="Optional arguments to pass directlyto Robot Framework."
+    )
+
+    # Add a flag to track explicit usage of --customconfig, to differentiate between
+    # when it was provided with a value, without a value, or not at all
+    parser.set_defaults(customconfig_explicit=False)
+
+    return parser
+
+
+def verify_report_directory(ephemeral, smoke, verbose):
+    """Check if the report directory exists and enforce some checks based on settings.
+
+    Args:
+        ephemeral (bool): If True, we don't care about potentially losing the detailed report.
+        smoke (bool): If True, we only run smoke tests.
+        verbose (bool): If True, additional information will be logged.
+
+    """
+    if os.path.exists("/report"):
+        if verbose:
+            log.info("Report will be saved to /report (inside your container)")
+    else:
+        if ephemeral or smoke:
+            log.info(
+                "Running in ephemeral mode, only brief results on screen, no file report. Consider running the "
+                "container with `-v /path/on/host:/report` to ensure the report is saved."
+            )
+        else:
+            log.warning(
+                "The /report directory does not exist, the detailed test report will be lost after "
+                "the container is removed. Run with --ephemeral to ignore this and only consider the "
+                "results shown on stdout, or run the container with `-v /path/on/host:/report` to "
+                "ensure the report is saved."
+            )
+            sys.exit(1)
+
+
+def main():
+    """Run the CMP test suite."""
+    parser = prepare_parser()
+    args = parser.parse_args()
+
+    if args.verbose:
+        log.debug(args)
+
+    verify_report_directory(args.ephemeral, args.smoke, args.verbose)
+
+    if args.robot_args:
+        # One can pass additional arguments to RobotFramework by adding -- <robot args> at the end
+        # of the command line, e.g. `docker run image --minimal http://example.com -- --dryrun`.
+        # We prepare this piece here because we might need to add it later.
+        additional_args = " " + " ".join(args.robot_args[1:])  # omit the "--" itself
+    else:
+        additional_args = ""
+
+    if args.smoke:
+        # Run the smoke test in scripts/smoke.robot, as well as any other test with the `smoke` tag
+        command = "robot --pythonpath=./ --outputdir=/report --include smoke scripts/smoke.robot"
+    elif args.minimal:
+        # A minimal batch of tests that only need to know the server's address and nothing else, it is the easiest
+        # way to get a taste of what the test suite can do while still doing some actual work with a real server.
+        command = f"robot --pythonpath=./ --outputdir=/report --include minimal --variable CA_CMP_URL:{args.minimal}"
+
+    elif args.customconfig_explicit:
+        # The script was started with --customconfig, there are several possibilities:
+        # [A] --customconfig without a specific path, so the default one is implied
+        # [B] --customconfig with a specific path to a custom directory
+        if args.customconfig == parser.get_default("customconfig"):
+            # case [A], load the config from /config, where we expect it to be mounted when running within docker.
+            config_path = Path("/config")
+        else:
+            # case [B], load the config from the path given by the user
+            config_path = args.customconfig
+
+        if not os.path.exists(config_path / "custom.robot"):
+            config_guide = """It must be mounted to /config in the docker container (override with --customconfig)
+and follow this structure:
+/config
+├── custom.robot   -  set the relevant variables, follow the examples given in config/ in the repo
+├── data/          -  a directory with data files (keys, certificates, etc.) needed by your custom.robot"""
+            log.warning("The configuration directory does not exist or is not structured correctly. %s", config_guide)
+            sys.exit(1)
+
+        # If we end up here, it means that the user took the time to set up a configuration directory and adjust
+        # it to the specifics of their CMP server. We'll run all tests and rely on the given configuration and
+        # data (e.g., certificates, keypairs, preshared passwords, etc.)
+        if args.tags:
+            included_tags = "--include " + " --include ".join(args.tags)
+        else:
+            included_tags = ""
+
+        command = f"robot --pythonpath=./ --outputdir=/report --variable environment:custom {included_tags}"
+    else:
+        log.debug("No actionable command line arguments given, nothing to do")
+        sys.exit(0)
+
+    # Prepare the final command, appending additional arguments, if any, and ensuring that test/ is in
+    # the end.
+    command = f"{command} {additional_args} tests/"
+
+    run_robot_command(command)
+
+
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.DEBUG, format="%(asctime)s %(levelname)5s - %(message)s")
+
+    log.info("Starting CMP test suite")
+    main()
diff --git a/tests/basic.robot b/tests/basic.robot
@@ -28,7 +28,7 @@ CA Must Reject Malformed Request
     ...    a client-side error in the supplied input data. Ref: "3.3. General Form", "All applicable
     ...    "Client Error 4xx" or "Server Error 5xx" status codes MAY be used to inform the client
     ...    about errors."
-    [Tags]    negative    rfc6712    robot:skip-on-failure    status
+    [Tags]    negative    rfc6712    robot:skip-on-failure    status    minimal
     ${response}=    Exchange Data With CA    this dummy input is not a valid PKIMessage
     Should Be Equal
     ...    ${response.status_code}
