Merge pull request #529 from MattDavis00/feature-sqlite-e2e-tests

Added E2E tests using the SQLiteKIM Runs the current E2E `all_providers::normal` tests. Doesn't run multitenancy etc. Closes #516 Signed-off-by: Matt Davis <matt.davis@arm.com>
parallaxsecond · Sep 21, 2021 · 28dd22d · 28dd22d
2 parents c64c2f1 + ed65304
commit 28dd22d
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 7 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -96,6 +96,19 @@ jobs:
  # When running the container built on the CI
  # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test
 
+ sqlite-kim:
+ name: SQLiteKIM E2E tests on all providers
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # Use the following step when updating the `parsec-service-test-all` image
+ # - name: Build the container
+ # run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
+ - name: Run the container to execute the test script
+ run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh sqlite-kim
+ # When running the container built on the CI
+ # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh sqlite-kim
+
  # Disabled due to the issue discussed in https://github.com/parallaxsecond/parsec/issues/514
  # fuzz-test-checker:
  # name: Check that the fuzz testing framework is still working

diff --git a/ci.sh b/ci.sh
@@ -41,6 +41,7 @@ where PROVIDER_NAME can be one of:
  - cryptoauthlib
  - all
  - coverage
+ - sqlite-kim
 "
 }
 
@@ -117,18 +118,20 @@ while [ "$#" -gt 0 ]; do
  --no-stress-test )
  NO_STRESS_TEST="True"
  ;;
- mbed-crypto | pkcs11 | tpm | trusted-service | cryptoauthlib | all | cargo-check)
+ mbed-crypto | pkcs11 | tpm | trusted-service | cryptoauthlib | all | cargo-check | sqlite-kim)
  if [ -n "$PROVIDER_NAME" ]; then
  error_msg "Only one provider name must be given"
  fi
  PROVIDER_NAME=$1
 
  # If running anything but cargo-check, copy config
- if [ "$PROVIDER_NAME" != "cargo-check" ]; then
+ if [ "$PROVIDER_NAME" != "cargo-check" ] && [ "$PROVIDER_NAME" != "sqlite-kim" ]; then
  cp $(pwd)/e2e_tests/provider_cfg/$1/config.toml $CONFIG_PATH
+ elif [ "$PROVIDER_NAME" = "sqlite-kim" ]; then
+ cp $(pwd)/e2e_tests/provider_cfg/all/sqlite-kim-all-providers.toml $CONFIG_PATH
  fi
 
- if [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "cargo-check" ]; then
+ if [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "cargo-check" ] || [ "$PROVIDER_NAME" = "sqlite-kim" ]; then
  FEATURES="--features=all-providers,all-authenticators"
  TEST_FEATURES="--features=all-providers"
  else
@@ -153,7 +156,7 @@ fi
 
 trap cleanup EXIT
 
-if [ "$PROVIDER_NAME" = "tpm" ] || [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "coverage" ]; then
+if [ "$PROVIDER_NAME" = "tpm" ] || [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "coverage" ] || [ "$PROVIDER_NAME" = "sqlite-kim" ]; then
  # Copy the NVChip for previously stored state. This is needed for the key mappings test.
  cp /tmp/NVChip .
  # Start and configure TPM server
@@ -165,7 +168,7 @@ if [ "$PROVIDER_NAME" = "tpm" ] || [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_
  tpm2_startup -T mssim
 fi
 
-if [ "$PROVIDER_NAME" = "pkcs11" ] || [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "coverage" ]; then
+if [ "$PROVIDER_NAME" = "pkcs11" ] || [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "coverage" ] || [ "$PROVIDER_NAME" = "sqlite-kim" ]; then
  pushd e2e_tests
  # This command suppose that the slot created by the container will be the first one that appears
  # when printing all the available slots.
@@ -220,7 +223,7 @@ if [ "$PROVIDER_NAME" = "coverage" ]; then
  exit 0
 fi
 
-if [ "$PROVIDER_NAME" = "all" ]; then
+if [ "$PROVIDER_NAME" = "all" ] || [ "$PROVIDER_NAME" = "sqlite-kim" ]; then
  # Start SPIRE server and agent
  pushd /tmp/spire-0.11.1
  ./bin/spire-server run -config conf/server/server.conf &
@@ -238,6 +241,22 @@ if [ "$PROVIDER_NAME" = "all" ]; then
  popd
 fi
 
+# Test the SQLite KIM
+if [ "$PROVIDER_NAME" = "sqlite-kim" ]; then
+ echo "Start Parsec for end-to-end tests with sqlite-kim"
+ RUST_LOG=info RUST_BACKTRACE=1 cargo run --release $FEATURES -- --config $CONFIG_PATH &
+ # Sleep time needed to make sure Parsec is ready before launching the tests.
+ wait_for_service
+
+ echo "Execute all-providers sqlite-kim normal tests"
+ RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml all_providers::normal
+
+ echo "Shutdown Parsec"
+ stop_service
+
+ exit 0
+fi
+
 echo "Build test"
 
 if [ "$PROVIDER_NAME" = "cargo-check" ]; then

diff --git a/e2e_tests/provider_cfg/all/sqlite-kim-all-providers.toml b/e2e_tests/provider_cfg/all/sqlite-kim-all-providers.toml
@@ -0,0 +1,53 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+admins = [ { name = "list_clients test" }, { name = "1000" }, { name = "client1" }, { name = "spiffe://example.org/parsec-client-1" } ]
+#workload_endpoint="unix:///tmp/agent.sock"
+
+[[key_manager]]
+name = "sqlite-manager"
+manager_type = "SQLite"
+database_path = "./kim-mappings/sqlite/sqlite-key-info-manager.sqlite3"
+
+[[provider]]
+provider_type = "MbedCrypto"
+key_info_manager = "sqlite-manager"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "sqlite-manager"
+tcti = "mssim"
+owner_hierarchy_auth = "tpm_pass"
+
+[[provider]]
+provider_type = "Pkcs11"
+key_info_manager = "sqlite-manager"
+library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
+user_pin = "123456"
+# The slot_number mandatory field is going to replace the following line with a valid number
+# slot_number
+
+[[provider]]
+provider_type = "CryptoAuthLib"
+key_info_manager = "sqlite-manager"
+device_type = "always-success"
+iface_type = "test-interface"
+# wake_delay = 1500
+# rx_retries = 20
+# # i2c parameters for i2c-pseudo proxy
+# slave_address = 0xc0
+# bus = 1
+# baud = 400000
diff --git a/e2e_tests/tests/all_providers/normal.rs b/e2e_tests/tests/all_providers/normal.rs
@@ -246,7 +246,7 @@ fn list_and_delete_clients() {
 
  client.set_default_auth(Some(all_providers_user.clone()));
  client
- .generate_rsa_sign_key("all-providers-user-key".to_string())
+ .generate_rsa_sign_key(format!("{}-all-providers-user-key", provider.id))
  .unwrap();
 
  client.set_default_auth(Some(format!("user_{}", provider.id)));