Add integration tests for foreign trust domain admin ids update (#3761)

Add integration tests for foreign trust domain admin ids update

Signed-off-by: Guilherme Carvalho <[email protected]>

Author: guilhermocc

test/integration/setup/adminclient/client.go

@@ -224,8 +224,8 @@ func mintJWTSVID(ctx context.Context, c *itclient.Client) error {
 		return errors.New("missing exp")
 	case claimsMap["iat"] == 0:
 		return errors.New("missing iat")
-	case claimsMap["sub"] != "spiffe://domain.test/new_workload":
-		return fmt.Errorf("unexpected sub: %q", claimsMap["sub"])
+	case claimsMap["sub"] != fmt.Sprintf("spiffe://%s/new_workload", c.Td.String()):
+		return fmt.Errorf("unexpected sub: %q, %s", claimsMap["sub"], fmt.Sprintf("spiffe://%q/new_workload", c.Td))
 	}
 
 	return nil
@@ -397,7 +397,7 @@ func countBundles(ctx context.Context, c *itclient.Client) error {
 		return validatePermissionError(err)
 	case err != nil:
 		return err
-	case resp.Count != 3:
+	case resp.Count != 4:
 		return fmt.Errorf("unexpected bundle count: %d", resp.Count)
 	}
 	return nil
@@ -410,7 +410,7 @@ func listFederatedBundles(ctx context.Context, c *itclient.Client) error {
 		return validatePermissionError(err)
 	case err != nil:
 		return err
-	case len(resp.Bundles) != 2:
+	case len(resp.Bundles) != 3:
 		return fmt.Errorf("unexpected bundles size: %d", len(resp.Bundles))
 	}
 
@@ -525,7 +525,7 @@ func countEntries(ctx context.Context, c *itclient.Client) error {
 		return validatePermissionError(err)
 	case err != nil:
 		return err
-	case resp.Count != 3:
+	case resp.Count < 3:
 		return fmt.Errorf("unexpected entry count: %d", resp.Count)
 	}
 	return nil
@@ -534,6 +534,7 @@ func countEntries(ctx context.Context, c *itclient.Client) error {
 func listEntries(ctx context.Context, c *itclient.Client) error {
 	expectedSpiffeIDs := []*types.SPIFFEID{
 		{TrustDomain: c.Td.String(), Path: "/admin"},
+		{TrustDomain: c.Td.String(), Path: "/agent-alias"},
 		{TrustDomain: c.Td.String(), Path: "/workload"},
 		{TrustDomain: c.Td.String(), Path: "/bar"},
 	}
@@ -543,7 +544,7 @@ func listEntries(ctx context.Context, c *itclient.Client) error {
 		return validatePermissionError(err)
 	case err != nil:
 		return err
-	case len(resp.Entries) != 3:
+	case len(resp.Entries) < 3:
 		return fmt.Errorf("unexpected entries size: %d", len(resp.Entries))
 	}
 
@@ -558,7 +559,7 @@ func listEntries(ctx context.Context, c *itclient.Client) error {
 
 	for _, e := range resp.Entries {
 		if !containsFunc(e.SpiffeId) {
-			return fmt.Errorf("unexpected entry: %v", e)
+			return fmt.Errorf("unexpected entry: %v", e.SpiffeId)
 		}
 	}
 

test/integration/suites/admin-endpoints/00-setup

@@ -1,6 +1,7 @@
 #!/bin/bash
 
-"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
-
-"${ROOTDIR}/setup/adminclient/build.sh" "${RUNDIR}/conf/agent/adminclient"
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/domain-a/server conf/domain-a/agent
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/domain-b/server conf/domain-b/agent
 
+"${ROOTDIR}/setup/adminclient/build.sh" "${RUNDIR}/conf/domain-a/agent/adminclient"
+"${ROOTDIR}/setup/adminclient/build.sh" "${RUNDIR}/conf/domain-b/agent/adminclient"

test/integration/suites/admin-endpoints/01-start-server

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-docker-up spire-server
+docker-up spire-server-a spire-server-b

test/integration/suites/admin-endpoints/02-bootstrap-agent

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+docker-up spire-server-a spire-server-b
+
+log-debug "bootstrapping bundle from server b to server a..."
+docker-compose exec -T spire-server-b \
+    /opt/spire/bin/spire-server bundle show -format spiffe > conf/domain-a/server/downstream-domain.test.bundle
+docker-compose exec -T spire-server-a \
+    /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://domain-b.test -path /opt/spire/conf/server/downstream-domain.test.bundle
+
+log-debug "bootstrapping bundle from server a to server b..."
+docker-compose exec -T spire-server-a \
+    /opt/spire/bin/spire-server bundle show -format spiffe > conf/domain-b/server/downstream-domain.test.bundle
+docker-compose exec -T spire-server-b \
+    /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://domain-a.test -path /opt/spire/conf/server/downstream-domain.test.bundle

test/integration/suites/admin-endpoints/02-bootstrap-federation-bundles

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+log-debug "bootstrapping agent a..."
+docker-compose exec -T spire-server-a \
+    /opt/spire/bin/spire-server bundle show > conf/domain-a/agent/bootstrap.crt
+
+log-debug "bootstrapping agent b..."
+docker-compose exec -T spire-server-b \
+    /opt/spire/bin/spire-server bundle show > conf/domain-b/agent/bootstrap.crt

test/integration/suites/admin-endpoints/03-bootstrap-agent

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker-up spire-agent-a spire-agent-b

test/integration/suites/admin-endpoints/03-start-agent

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+log-debug "creating admin registration entry on server a..."
+docker-compose exec -T spire-server-a \
+    /opt/spire/bin/spire-server entry create \
+    -parentID "spiffe://domain-a.test/spire/agent/x509pop/$(fingerprint conf/domain-a/agent/agent.crt.pem)" \
+    -spiffeID "spiffe://domain-a.test/admin" \
+    -selector "unix:uid:1001" \
+    -admin \
+    -ttl 0
+check-synced-entry "spire-agent-a" "spiffe://domain-a.test/admin"
+
+log-debug "creating foreign admin registration entry..."
+docker-compose exec -T spire-server-b \
+    /opt/spire/bin/spire-server entry create \
+    -parentID "spiffe://domain-b.test/spire/agent/x509pop/$(fingerprint conf/domain-b/agent/agent.crt.pem)" \
+    -spiffeID "spiffe://domain-b.test/admin" \
+    -selector "unix:uid:1003" \
+    -federatesWith "spiffe://domain-a.test" \
+    -ttl 0
+check-synced-entry "spire-agent-b" "spiffe://domain-b.test/admin"
+
+log-debug "creating regular registration entry..."
+docker-compose exec -T spire-server-a \
+    /opt/spire/bin/spire-server entry create \
+    -parentID "spiffe://domain-a.test/spire/agent/x509pop/$(fingerprint conf/domain-a/agent/agent.crt.pem)" \
+    -spiffeID "spiffe://domain-a.test/workload" \
+    -selector "unix:uid:1002" \
+    -ttl 0
+check-synced-entry "spire-agent-a" "spiffe://domain-a.test/workload"

test/integration/suites/admin-endpoints/04-create-registration-entries

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+log-debug "test admin workload..."
+docker-compose exec -u 1001 -T spire-agent-a \
+	/opt/spire/conf/agent/adminclient -trustDomain domain-a.test -serverAddr spire-server-a:8081 || fail-now "failed to check admin endpoints"
+
+log-debug "test foreign admin workload..."
+docker-compose exec -u 1003 -T spire-agent-b \
+  /opt/spire/conf/agent/adminclient -trustDomain domain-a.test -serverAddr spire-server-a:8081 || fail-now "failed to check admin foreign td endpoints"
+
+log-debug "test regular workload..."
+docker-compose exec -u 1002 -T spire-agent-a \
+	/opt/spire/conf/agent/adminclient -trustDomain domain-a.test -serverAddr spire-server-a:8081 -expectErrors || fail-now "failed to check admin endpoints"

test/integration/suites/admin-endpoints/04-start-agent

@@ -1,10 +1,10 @@
 agent {
     data_dir = "/opt/spire/data/agent"
     log_level = "DEBUG"
-    server_address = "spire-server"
+    server_address = "spire-server-a"
     server_port = "8081"
     trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
-    trust_domain = "domain.test"
+    trust_domain = "domain-a.test"
 }
 
 plugins {

test/integration/suites/admin-endpoints/05-create-registration-entries

@@ -0,0 +1,39 @@
+server {
+	bind_address = "0.0.0.0"
+	bind_port = "8081"
+	trust_domain = "domain-a.test"
+	data_dir = "/opt/spire/data/server"
+	log_level = "DEBUG"
+	ca_ttl = "1h"
+	default_x509_svid_ttl = "10m"
+	admin_ids = ["spiffe://domain-b.test/admin"]
+	federation {
+		bundle_endpoint {
+			address = "0..0.0"
+			port = 8082
+		}
+		federates_with "domain-b" {
+			bundle_endpoint_url = "https://spire-server-b:8082"
+			bundle_endpoint_profile "https_spiffe" {
+				endpoint_spiffe_id = "spiffe://domain-b/spire/server"
+			}
+		}
+	}
+}
+
+plugins {
+	DataStore "sql" {
+		plugin_data {
+			database_type = "sqlite3"
+			connection_string = "/opt/spire/data/server/datastore.sqlite3"
+		}
+	}
+	NodeAttestor "x509pop" {
+		plugin_data {
+			ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+		}
+	}
+	KeyManager "memory" {
+		plugin_data = {}
+	}
+}

test/integration/suites/admin-endpoints/05-test-endpoints

@@ -0,0 +1,26 @@
+agent {
+    data_dir = "/opt/spire/data/agent"
+    log_level = "DEBUG"
+    server_address = "spire-server-b"
+    server_port = "8081"
+    trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+    trust_domain = "domain-b.test"
+}
+
+plugins {
+    NodeAttestor "x509pop" {
+        plugin_data {
+            private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+            certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+        }
+    }
+    KeyManager "disk" {
+        plugin_data {
+            directory = "/opt/spire/data/agent"
+        }
+    }
+    WorkloadAttestor "unix" {
+        plugin_data {
+        }
+    }
+}

test/integration/suites/admin-endpoints/06-test-endpoints

@@ -1,11 +1,23 @@
 server {
 	bind_address = "0.0.0.0"
 	bind_port = "8081"
-	trust_domain = "domain.test"
+	trust_domain = "domain-b.test"
 	data_dir = "/opt/spire/data/server"
 	log_level = "DEBUG"
 	ca_ttl = "1h"
 	default_x509_svid_ttl = "10m"
+	federation {
+		bundle_endpoint {
+			address = "0.0.0.0"
+			port = 8082
+		}
+		federates_with "domain-a.test" {
+			bundle_endpoint_url = "https://spire-server-a:8082"
+			bundle_endpoint_profile "https_spiffe" {
+				endpoint_spiffe_id = "spiffe://domain-a.test/spire/server"
+			}
+		}
+	}
 }
 
 plugins {

test/integration/suites/admin-endpoints/conf/agent/agent.conf test/integration/suites/admin-endpoints/conf/domain-a/agent/agent.conf

@@ -1,15 +1,28 @@
 version: '3'
 services:
-  spire-server:
+  spire-server-a:
     image: spire-server-scratch:latest-local
     hostname: spire-server
     volumes:
-      - ./conf/server:/opt/spire/conf/server
+      - ./conf/domain-a/server:/opt/spire/conf/server
     command: ["-config", "/opt/spire/conf/server/server.conf"]
-  spire-agent:
+  spire-agent-a:
     image: spire-agent-scratch:latest-local
     hostname: spire-agent
-    depends_on: ["spire-server"]
+    depends_on: [ "spire-server-a" ]
     volumes:
-      - ./conf/agent:/opt/spire/conf/agent
-    command: ["-config", "/opt/spire/conf/agent/agent.conf"]
+      - ./conf/domain-a/agent:/opt/spire/conf/agent
+    command: [ "-config", "/opt/spire/conf/agent/agent.conf" ]
+  spire-server-b:
+    image: spire-server-scratch:latest-local
+    hostname: spire-server-foreign-td
+    volumes:
+      - ./conf/domain-b/server:/opt/spire/conf/server
+    command: [ "-config", "/opt/spire/conf/server/server.conf" ]
+  spire-agent-b:
+    image: spire-agent-scratch:latest-local
+    hostname: spire-agent-foreign-td
+    depends_on: [ "spire-server-b" ]
+    volumes:
+      - ./conf/domain-b/agent:/opt/spire/conf/agent
+    command: [ "-config", "/opt/spire/conf/agent/agent.conf" ]

test/integration/suites/admin-endpoints/conf/domain-a/server/server.conf

@@ -99,7 +99,7 @@ if [ ${#steps[@]} -eq 0 ]; then
     fail-now "test suite has no steps"
 fi
 for step in "${steps[@]}"; do
-    if ! run-step "$step"; then 
+    if ! run-step "$step"; then
         fail-now "step $(basename "$step") failed"
     fi
 done