From 88582664abb8178b3d7951d5979e1061adbf514f Mon Sep 17 00:00:00 2001
From: Mengyi Wang
Date: Thu, 13 Apr 2023 09:43:19 +0200
Subject: [PATCH 1/2] Remove secrets-config proxy tests
---
 test/suites/edgexfoundry/proxy_test.go | 161 -------------------------
 1 file changed, 161 deletions(-)
 delete mode 100644 test/suites/edgexfoundry/proxy_test.go
diff --git a/test/suites/edgexfoundry/proxy_test.go b/test/suites/edgexfoundry/proxy_test.go
deleted file mode 100644
index db74f8cf..00000000
--- a/test/suites/edgexfoundry/proxy_test.go
+++ /dev/null
@@ -1,161 +0,0 @@ -package test - -import ( - "crypto/tls" - "edgex-snap-testing/test/utils" - "encoding/json" - "fmt" - "net/http" - "os" - "strings" - "testing" - "time" - - "github.com/stretchr/testify/require" -) - -// Test seeding a custom TLS certificate using snap options -// https://docs.edgexfoundry.org/2.2/getting-started/Ch-GettingStartedSnapUsers/#changing-tls-certificates -func TestTLSCert(t *testing.T) { - t.Skip("Disabled in order to implement breaking changes to secrets-config for microservice token authentication ADR") - t.Cleanup(func() { - utils.SnapUnset(t, platformSnap, "apps") - }) - - t.Logf("Generate CA and server certificates") - _, caCertFile, _, serverKeyFile, serverCertFile := generateCerts(t) - - serverKey, err := os.ReadFile(serverKeyFile) - require.NoError(t, err) - serverCert, err := os.ReadFile(serverCertFile) - require.NoError(t, err) - - t.Logf("Add the self-signed certificate") - // The options must be set together - utils.Exec(t, fmt.Sprintf( - "sudo snap set %s apps.secrets-config.proxy.tls.key='%s' apps.secrets-config.proxy.tls.cert='%s'", - platformSnap, - serverKey, - serverCert, - )) - - t.Logf("Verify certificate installation by querying Kong's Admin API") - resp, err := http.Get("http://localhost:8001/certificates") - require.NoError(t, err) - defer resp.Body.Close() - - var res struct{ Data []struct{ Cert string } } - err = json.NewDecoder(resp.Body).Decode(&res) - require.NoError(t, err) - require.Len(t, res.Data, 1) - require.Equal(t, res.Data[0].Cert, string(serverCert)) - - // Note: Certificate installation doesn't imply that the server immediately starts using it for serving requests - time.Sleep(10 * time.Second) - - t.Logf("Query a service via the proxy to verify the use of new certificate") - // A success response should return status 401 because the endpoint is protected. 
- // Note: %% is a literal percent sign - code, _, _ := utils.Exec(t, fmt.Sprintf("curl --show-error --silent --include --output /dev/null --write-out '%%{http_code}' --cacert %s 'https://localhost:8443/core-data/api/v2/ping'", - caCertFile)) - require.Equal(t, "401", strings.TrimSpace(code)) -} - -// Test seeding an admin user using snap options -// https://docs.edgexfoundry.org/2.2/getting-started/Ch-GettingStartedSnapUsers/#adding-api-gateway-users -func TestAddProxyUser(t *testing.T) { - t.Skip("Disabled in order to implement breaking changes to secrets-config for microservice token authentication ADR") - t.Cleanup(func() { - utils.SnapUnset(t, platformSnap, "apps") - }) - - t.Log("Generate private and public keys") - publicKeyFile, privateKeyFile := generateKeyPair(t) - - t.Log("Add the public key for admin user") - publicKey, err := os.ReadFile(publicKeyFile) - require.NoError(t, err) - - utils.SnapSet(t, platformSnap, "apps.secrets-config.proxy.admin.public-key", string(publicKey)) - - t.Log("Generate a JWT token for the admin user") - // The seedable "admin" has id 1 - jwt, _, _ := utils.Exec(t, - fmt.Sprintf("edgexfoundry.secrets-config proxy jwt --algorithm ES256 --private_key %s --id 1 --expiration=1h", privateKeyFile)) - - t.Log("Call an API on behalf of admin user") - req, err := http.NewRequest(http.MethodGet, "https://localhost:8443/core-data/api/v2/ping", nil) - require.NoError(t, err) - req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", strings.TrimSpace(jwt))) - - // InsecureSkipVerify because the proxy uses the built-in self-signed certificate - client := http.Client{Transport: &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - }} - resp, err := client.Do(req) - require.NoError(t, err) - defer resp.Body.Close() - require.Equal(t, 200, resp.StatusCode) -} - -// generateCerts generates CA private key, CA cert, -// server private key, server signing request, server cert -func generateCerts(t *testing.T) (caKeyFile, 
caCertFile, serverCsrFile, serverKeyFile, serverCertFile string) { - const tmpDir = "./tmp" - - // start clean - require.NoError(t, os.RemoveAll(tmpDir)) - - t.Cleanup(func() { - require.NoError(t, os.RemoveAll(tmpDir)) - }) - - // Create temp dir for certificates and keys - require.NoError(t, os.Mkdir(tmpDir, 0755)) - - caKeyFile = tmpDir + "/ca.key" - caCertFile = tmpDir + "/ca.crt" - serverCsrFile = tmpDir + "/server.csr" - serverKeyFile = tmpDir + "/server.key" - serverCertFile = tmpDir + "/server.crt" - - // Generate the Certificate Authority (CA) Private Key - utils.Exec(t, fmt.Sprintf("openssl ecparam -name prime256v1 -genkey -noout -out %s", - caKeyFile)) - // Generate the Certificate Authority Certificate - utils.Exec(t, fmt.Sprintf("openssl req -new -x509 -sha256 -key %s -out %s -subj '/CN=snap-testing-ca'", - caKeyFile, caCertFile)) - - // Generate the Server Certificate Private Keys - utils.Exec(t, fmt.Sprintf("openssl ecparam -name prime256v1 -genkey -noout -out %s", - serverKeyFile)) - // Generate the Server Certificate Signing Request - utils.Exec(t, fmt.Sprintf("openssl req -new -sha256 -key %s -out %s -subj '/CN=localhost'", - serverKeyFile, serverCsrFile)) - // Generate the Server Certificate - utils.Exec(t, fmt.Sprintf("openssl x509 -req -in %s -CA %s -CAkey %s -CAcreateserial -out %s -days 1 -sha256", - serverCsrFile, caCertFile, caKeyFile, serverCertFile)) - - return -} - -func generateKeyPair(t *testing.T) (publicKeyFile, privateKeyFile string) { - const tmpDir = "./tmp" - - // start clean - require.NoError(t, os.RemoveAll(tmpDir)) - - t.Cleanup(func() { - require.NoError(t, os.RemoveAll(tmpDir)) - }) - - publicKeyFile = tmpDir + "/public.pem" - privateKeyFile = tmpDir + "/private.pem" - - require.NoError(t, os.Mkdir(tmpDir, 0755)) - - utils.Exec(t, fmt.Sprintf("openssl ecparam -genkey -name prime256v1 -noout -out %s", privateKeyFile)) - utils.Exec(t, fmt.Sprintf("openssl ec -in %s -pubout -out %s", privateKeyFile, publicKeyFile)) - - return 
-}
From bb7519b53ef4e0773ab32ede94efe4e57974dc90 Mon Sep 17 00:00:00 2001
From: Mengyi Wang
Date: Thu, 13 Apr 2023 09:45:43 +0200
Subject: [PATCH 2/2] Update example in README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1357f5f0..89ca21f5 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ This requires developer access; see `snap install -h` for details. #### Run only one test from a suite ```
-go test -v ./test/suites/edgexfoundry --run=TestAddProxyUser
+go test -v ./test/suites/edgexfoundry --run=TestCommon
 ``` ``` go test -v ./test/suites/edgex-config-provider -run=TestConfigProvider/device-virtual