Testing/568 add key persistence tests for ts provider

ci.sh

@@ -104,25 +104,36 @@ run_old_e2e_tests() {
 }
 
 run_key_mappings_tests() {
-    echo "Execute key mappings tests"
-    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml key_mappings
+    # There is no keys generated for CryptoAuthLib yet.
+    # This condition should be removed when the keys are generated for the CAL provider
+    if ! [[ "$PROVIDER_NAME" = "cryptoauthlib" ]]; then
+        echo "Execute key mappings tests"
+        RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml key_mappings
+    fi
 }
 
 setup_mappings() {
     # Add the Docker image's mappings in this Parsec service for the key mappings
     # test.
     # The key mappings test in e2e_tests/tests/per_provider/key_mappings.rs will try
     # to use the key generated via the generate-keys.sh script in the test image.
-    cp -r /tmp/mappings/ .
+    # As mock Trusted Service saves its keys on the current directory we need to move them
+    # as well.
+    if [ "$PROVIDER_NAME" = "trusted-service" ]; then
+        # Copy the generated mappings and keys of the Trusted service
+        cp -r /tmp/ts-keys/* .
+    else
+        cp -r /tmp/mappings/ .
+        # As Mbed Crypto saves its keys on the current directory we need to move them
+        # as well.
+        if [ "$PROVIDER_NAME" = "mbed-crypto" ]; then
+            cp /tmp/*.psa_its .
+        fi
+    fi
     # Add the fake mappings for the key mappings test as well. The test will check that
     # those keys have successfully been deleted.
-    # TODO: add fake mappings for the Trusted Service and CryptoAuthLib providers.
+    # TODO: add fake mappings for the CryptoAuthLib provider.
     cp -r $(pwd)/e2e_tests/fake_mappings/* mappings
-    # As Mbed Crypto saves its keys on the current directory we need to move them
-    # as well.
-    if [ "$PROVIDER_NAME" = "mbed-crypto" ]; then
-        cp /tmp/*.psa_its .
-    fi
 
     reload_service
 }
@@ -237,13 +248,15 @@ if [ "$PROVIDER_NAME" = "coverage" ]; then
         cp $(pwd)/e2e_tests/provider_cfg/$provider/config.toml $CONFIG_PATH
         mkdir -p reports/$provider
 
-        cp -r /tmp/mappings/ .
-        cp -r $(pwd)/e2e_tests/fake_mappings/* mappings
-        if [ "$PROVIDER_NAME" = "mbed-crypto" ]; then
-            cp /tmp/*.psa_its .
-        elif [ "$PROVIDER_NAME" = "trusted-service" ]; then
-            rm -f ./*.psa_its
+        if [ "$PROVIDER_NAME" = "trusted-service" ]; then
+            cp -r /tmp/ts-keys/* .
+        else
+            cp -r /tmp/mappings/ .
+            if [ "$PROVIDER_NAME" = "mbed-crypto" ]; then
+                cp /tmp/*.psa_its .
+            fi
         fi
+        cp -r $(pwd)/e2e_tests/fake_mappings/* mappings
 
         # Start service
         RUST_LOG=info cargo +1.57.0 tarpaulin --out Xml --forward --command build --exclude-files="$EXCLUDES" \
@@ -336,8 +349,9 @@ fi
 echo "Unit, doc and integration tests"
 RUST_BACKTRACE=1 cargo test $FEATURES
 
-# Removing any mappings left over from integration tests
+# Removing any mappings or on disk keys left over from integration tests
 rm -rf mappings/
+rm -f *.psa_its
 
 echo "Start Parsec for end-to-end tests"
 RUST_LOG=info RUST_BACKTRACE=1 cargo run --release $FEATURES -- --config $CONFIG_PATH &

e2e_tests/docker_image/generate-keys.sh

@@ -8,30 +8,66 @@
 
 set -xeuf -o pipefail
 
+wait_for_process() {
+    while [ -z "$(pgrep $1)" ]; do
+        sleep 0.1
+    done
+    pgrep $1 > /dev/null
+}
+wait_for_file() {
+    until [ -e $1 ];
+    do
+        sleep 0.1
+    done
+}
+
+wait_for_killprocess() {
+    while [ -n "$(pgrep $1)" ]; do
+        sleep 0.1
+    done
+}
+# Install an old version mock Trusted Services compatible with old parsec 0.7.0
+# used in generate_key.sh script
+git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch integration
+pushd trusted-services && git reset --hard 35c6d643b5f0c0387702e22bf742dd4878ca5ddd && popd
+# Install correct python dependencies
+pip3 install -r trusted-services/requirements.txt
+pushd /tmp/trusted-services/deployments/libts/linux-pc/
+cmake .
+make
+cp libts.so nanopb_install/lib/libprotobuf-nanopb.a mbedcrypto_install/lib/libmbedcrypto.a /usr/local/lib/
+popd
+rm -rf /tmp/trusted-services
+
 mkdir /tmp/create_keys
 
 # Use an old version of the Parsec service to make sure keys can still be used
 # with today's version.
 git clone https://github.com/parallaxsecond/parsec.git --branch 0.7.0 /tmp/create_keys/parsec
 cd /tmp/create_keys/parsec
+git submodule update --init --recursive
+
+# We use the Parsec Tool to create one RSA and one ECC key per provider,
+# when it is possible.
+cargo install parsec-tool
+
+# Build service with all providers (trusted-service-provider isn't included)
 cargo build --features "all-providers, all-authenticators"
 
-# Start the service with all providers
+# Start the service with all providers (trusted-service-provider isn't included)
 tpm_server &
-sleep 5
+wait_for_process "tpm_server"
 tpm2_startup -c -T mssim
-sleep 2
 tpm2_changeauth -c owner tpm_pass -T mssim
 tpm2_changeauth -c endorsement endorsement_pass -T mssim
 cd /tmp/create_keys/parsec/e2e_tests
 SLOT_NUMBER=`softhsm2-util --show-slots | head -n2 | tail -n1 | cut -d " " -f 2`
 find . -name "*toml" -not -name "Cargo.toml" -exec sed -i "s/^# slot_number.*$/slot_number = $SLOT_NUMBER/" {} \;
 cd ../
 ./target/debug/parsec -c e2e_tests/provider_cfg/all/config.toml &
-
-# We use the Parsec Tool to create one RSA and one ECC key per provider,
-# when it is possible.
-cargo install parsec-tool
+wait_for_process "parsec"
+wait_for_file "/tmp/parsec.sock"
+# Generate keys for all providers (trusted-service-provider isn't included)
 parsec-tool -p 1 create-rsa-key -k rsa
 parsec-tool -p 1 create-ecc-key -k ecc
 parsec-tool -p 2 create-rsa-key -k rsa
@@ -40,20 +76,39 @@ parsec-tool -p 2 create-rsa-key -k rsa
 #parsec-tool -p 2 create-ecc-key -k ecc
 parsec-tool -p 3 create-rsa-key -k rsa
 parsec-tool -p 3 create-ecc-key -k ecc
-#TODO: add keys in the Trusted Service and CryptoAuthLib providers
+#TODO: add keys in the CryptoAuthLib providers
 #TODO: when possible.
 
 pkill parsec
+wait_for_killprocess "parsec"
+rm -rf /tmp/parsec.sock
 tpm2_shutdown -T mssim
-sleep 2
 pkill tpm_server
+wait_for_killprocess "tpm_server"
 
-# Cleanup to reduce image's size
-cargo uninstall parsec-tool
-cp -r /tmp/create_keys/parsec/mappings /tmp
 # Mbed Crypto creates keys in the current directory.
-cp -r /tmp/create_keys/parsec/0000000000000002.psa_its /tmp
-cp -r /tmp/create_keys/parsec/0000000000000003.psa_its /tmp
+mv /tmp/create_keys/parsec/mappings /tmp
+mv /tmp/create_keys/parsec/0000000000000002.psa_its /tmp
+mv /tmp/create_keys/parsec/0000000000000003.psa_its /tmp
 # The TPM server state needs to be passed to the tested service
-cp -r /tmp/create_keys/parsec/NVChip /tmp
+mv /tmp/create_keys/parsec/NVChip /tmp
+
+# Build the service with trusted service provider
+cargo build --features "trusted-service-provider, all-authenticators"
+# Start the service with trusted service provider
+./target/debug/parsec -c e2e_tests/provider_cfg/trusted-service/config.toml &
+wait_for_process "parsec"
+wait_for_file "/tmp/parsec.sock"
+# We use the Parsec Tool to create one RSA and one ECC key using trusted service provider.
+parsec-tool create-rsa-key -k rsa
+parsec-tool create-ecc-key -k ecc
+
+mkdir /tmp/ts-keys
+cp -r /tmp/create_keys/parsec/mappings /tmp/ts-keys
+# Trusted service creates keys in the current directory.
+cp -r /tmp/create_keys/parsec/0000000000000002.psa_its /tmp/ts-keys
+cp -r /tmp/create_keys/parsec/0000000000000003.psa_its /tmp/ts-keys
+
+# Cleanup to reduce image's size
+cargo uninstall parsec-tool
 rm -rf /tmp/create_keys

e2e_tests/docker_image/parsec-service-test-all.Dockerfile

@@ -15,6 +15,7 @@ RUN apt install -y iproute2 build-essential git pkg-config gcc libtool automake
 RUN apt install -y --fix-missing wget python3 cmake clang
 RUN apt install -y libini-config-dev libcurl4-openssl-dev curl libgcc1
 RUN apt install -y python3-distutils libclang-6.0-dev protobuf-compiler python3-pip
+RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata
 
 WORKDIR /tmp
 
@@ -84,20 +85,9 @@ RUN cd nanopb-0.4.4-linux-x86 \
 	&& make install
 RUN rm -rf nanopb-0.4.4-linux-x86 nanopb-0.4.4-linux-x86.tar.gz
 
-# Install mock Trusted Services
 # Setup git config for patching dependencies
 RUN git config --global user.email "some@email.com"
 RUN git config --global user.name "Parsec Team"
-RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch integration \
-	&& cd trusted-services \
-	&& git reset --hard 389b50624f25dae860bbbf8b16f75b32f1589c8d
-# Install correct python dependencies
-RUN pip3 install -r trusted-services/requirements.txt
-RUN cd trusted-services/deployments/libts/linux-pc/ \
-	&& cmake . \
-	&& make \
-	&& cp libts.so* nanopb_install/lib/libprotobuf-nanopb.a mbedtls_install/lib/libmbedcrypto.a /usr/local/lib/
-RUN rm -rf trusted-services
 
 # Create a new token in a new slot. The slot number assigned will be random
 # and is found with the find_slot_number script.
@@ -131,10 +121,25 @@ ENV PARSEC_SERVICE_ENDPOINT="unix:/tmp/parsec.sock"
 COPY generate-keys.sh /tmp/
 RUN ./generate-keys.sh
 
+# Install mock Trusted Services
+RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch integration \
+	&& cd trusted-services \
+	&& git reset --hard 1b0c520279445fc4d85fc582eda5e5ff5f380c39
+# Install correct python dependencies
+RUN pip3 install -r trusted-services/requirements.txt
+RUN cd trusted-services/deployments/libts/linux-pc/ \
+	&& cmake . \
+	&& make \
+	&& cp libts.so* nanopb_install/lib/libprotobuf-nanopb.a mbedtls_install/lib/libmbedcrypto.a /usr/local/lib/
+RUN rm -rf trusted-services
+
 # Import an old version of the e2e tests
 COPY import-old-e2e-tests.sh /tmp/
 RUN ./import-old-e2e-tests.sh
 
 # Download the SPIRE server and agent
 RUN curl -s -N -L https://github.com/spiffe/spire/releases/download/v0.11.1/spire-0.11.1-linux-x86_64-glibc.tar.gz | tar xz
 ENV SPIFFE_ENDPOINT_SOCKET="unix:///tmp/agent.sock"
+
+# Add safe.directory configuration to access repos freely
+RUN git config --global --add safe.directory '*'

e2e_tests/tests/per_provider/key_mappings.rs

@@ -27,6 +27,7 @@ fn use_and_check() -> Result<()> {
     client.set_default_auth(Some(String::from("parsec-tool")));
 
     let keys = client.list_keys()?;
+    assert!(!keys.is_empty());
 
     for key in keys {
         if key.name == "rsa" {