add integration tests for build wrapper against vault container (#59)
Showing
13 changed files
with
309 additions
and
56 deletions.
@@ -0,0 +1,29 @@ | ||
name: CI | ||
|
||
on: [push, pull_request] | ||
|
||
jobs: | ||
build: | ||
name: Build on Jenkins ${{ matrix.jenkins-version }}, JDK ${{ matrix.java }} and ${{ matrix.os }} | ||
runs-on: ${{ matrix.os }} | ||
strategy: | ||
matrix: | ||
java: [1.8, 11] | ||
jenkins-version: [2.138.4, 2.190.1] | ||
os: [ubuntu-latest, windows-latest] | ||
include: | ||
- jenkins-version: '2.190.1' | ||
flags: '-Djenkins.version=2.190.1 -Dslf4jVersion=1.7.26' | ||
exclude: | ||
- java: '11' | ||
jenkins-version: '2.138.4' | ||
|
||
steps: | ||
- uses: actions/checkout@v1 | ||
- name: Set up JDK ${{ matrix.java }} | ||
uses: actions/setup-java@v1 | ||
with: | ||
java-version: ${{ matrix.java }} | ||
- name: Build with Maven | ||
run: | | ||
mvn install -B -V --no-transfer-progress ${{ matrix.flags }} |
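Review bot: The workflow pulls `actions/checkout@v1` and `actions/setup-java@v1` by mutable tag; for a supply-chain-conscious build, pin each to a full commit SHA (keeping the tag in a trailing comment) so a moved tag cannot change what runs in CI. The `exclude` entry quotes `java: '11'` and `jenkins-version: '2.138.4'` while the matrix lists them unquoted, and `include` quotes `jenkins-version: '2.190.1'`; matrix filtering compares values, and if YAML types them differently the exclude may not apply, so quote them consistently in all three places. This file's header is not visible in this view, so I cannot confirm its path.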
@@ -8,4 +8,3 @@ work/ | |
.settings/ | ||
*.sublime* | ||
tmp/ | ||
ssl/ |
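--- a/src/test/java/com/datapipe/jenkins/vault/it/buildwrapper/SSLTest.java
+++ b/src/test/java/com/datapipe/jenkins/vault/it/buildwrapper/SSLTest.java
@@ -0,0 +1,146 @@
+package com.datapipe.jenkins.vault.it.buildwrapper;
+
+import com.bettercloud.vault.SslConfig;
+import com.bettercloud.vault.VaultConfig;
+import com.cloudbees.plugins.credentials.CredentialsProvider;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.domains.Domain;
+import com.datapipe.jenkins.vault.configuration.GlobalVaultConfiguration;
+import com.datapipe.jenkins.vault.configuration.VaultConfiguration;
+import com.datapipe.jenkins.vault.credentials.VaultTokenCredential;
+import com.datapipe.jenkins.vault.util.TestConstants;
+import com.datapipe.jenkins.vault.util.VaultContainer;
+import hudson.model.Result;
+import hudson.util.Secret;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import org.apache.commons.io.IOUtils;
+import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
+import org.jenkinsci.plugins.workflow.job.WorkflowJob;
+import org.jenkinsci.plugins.workflow.job.WorkflowRun;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.contrib.java.lang.system.RestoreSystemProperties;
+import org.junit.rules.TemporaryFolder;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.mockito.Mockito;
+
+import static com.datapipe.jenkins.vault.util.VaultTestUtil.hasDockerDaemon;
+import static org.junit.Assume.assumeTrue;
+import static org.mockito.Mockito.when;
+
+public class SSLTest implements TestConstants {
+
+@ClassRule
+public static VaultContainer container = VaultContainer.createVaultContainer();
+
+@ClassRule
+public static JenkinsRule j = new JenkinsRule();
+
+@Rule
+public final RestoreSystemProperties restoreSystemProperties = new RestoreSystemProperties();
+
+@Rule
+public TemporaryFolder testFolder = new TemporaryFolder();
+
+private static WorkflowJob pipeline;
+private static final String credentialsId = "vaultToken";
+
+@BeforeClass
+public static void setupClass() throws IOException, InterruptedException {
+assumeTrue(hasDockerDaemon());
+container.initAndUnsealVault();
+container.setBasicSecrets();
+
+pipeline = j.createProject(WorkflowJob.class, "Pipeline");
+String pipelineText = IOUtils.toString(TestConstants.class.getResourceAsStream("pipeline.groovy"));
+pipeline.setDefinition(new CpsFlowDefinition(pipelineText, true));
+
+VaultTokenCredential c = new VaultTokenCredential(CredentialsScope.GLOBAL,
+credentialsId, "fake description", Secret.fromString(container.getRootToken()));
+CredentialsProvider.lookupStores(j.jenkins).iterator().next()
+.addCredentials(Domain.global(), c);
+}
+
+@Test
+public void SSLError() throws Exception {
+GlobalVaultConfiguration globalVaultConfiguration = GlobalVaultConfiguration.get();
+VaultConfiguration vaultConfiguration = new VaultConfiguration();
+vaultConfiguration.setVaultUrl(container.getAddress());
+vaultConfiguration.setVaultCredentialId(credentialsId);
+vaultConfiguration.setTimeout(1);
+globalVaultConfiguration.setConfiguration(vaultConfiguration);
+
+WorkflowRun build = pipeline.scheduleBuild2(0).get();
+
+j.assertBuildStatus(Result.FAILURE, build);
+j.assertLogContains("javax.net.ssl.SSLHandshakeException", build);
+}
+
+@Test
+public void SSLOk() throws Exception {
+File store = testFolder.newFile("cacerts.keystore");
+File certificate = new File(CERT_PEMFILE);
+createKeyStore(store, certificate);
+
+GlobalVaultConfiguration globalVaultConfiguration = GlobalVaultConfiguration.get();
+VaultConfiguration vaultConfiguration = Mockito.mock(VaultConfiguration.class);
+when(vaultConfiguration.getVaultUrl()).thenReturn(container.getAddress());
+when(vaultConfiguration.getVaultCredentialId()).thenReturn(credentialsId);
+when(vaultConfiguration.getEngineVersion()).thenReturn(1);
+when(vaultConfiguration.getTimeout()).thenReturn(5);
+globalVaultConfiguration.setConfiguration(vaultConfiguration);
+
+VaultConfig config = new VaultConfig()
+.address(vaultConfiguration.getVaultUrl())
+.engineVersion(vaultConfiguration.getEngineVersion())
+.sslConfig(new SslConfig()
+.trustStoreFile(store)
+.verify(true)
+.build()
+);
+when(vaultConfiguration.getVaultConfig()).thenReturn(config);
+
+WorkflowRun build = pipeline.scheduleBuild2(0).get();
+
+j.assertBuildStatus(Result.SUCCESS, build);
+j.assertLogContains("****", build);
+}
+
+@Test
+public void SSLSkipVerify() throws Exception {
+GlobalVaultConfiguration globalVaultConfiguration = GlobalVaultConfiguration.get();
+VaultConfiguration vaultConfiguration = new VaultConfiguration();
+vaultConfiguration.setVaultUrl(container.getAddress());
+vaultConfiguration.setVaultCredentialId(credentialsId);
+vaultConfiguration.setEngineVersion(1);
+vaultConfiguration.setTimeout(5);
+vaultConfiguration.setSkipSslVerification(true);
+globalVaultConfiguration.setConfiguration(vaultConfiguration);
+
+WorkflowRun build = pipeline.scheduleBuild2(0).get();
+
+j.assertBuildStatus(Result.SUCCESS, build);
+j.assertLogContains("****", build);
+}
+
+private void createKeyStore(File store, File certificate) throws Exception {
+KeyStore keyStore = KeyStore.getInstance("JKS");
+CertificateFactory fact = CertificateFactory.getInstance("X.509");
+FileInputStream is = new FileInputStream(certificate);
+X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
+is.close();
+keyStore.load(null, null);
+keyStore.setCertificateEntry("dockerCert", cer);
+try (FileOutputStream o = new FileOutputStream(store)) {
+keyStore.store(o, "changeit".toCharArray());
+}
+}
+}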
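Review bot: createKeyStore opens `new FileInputStream(certificate)` outside try-with-resources, so the stream leaks whenever generateCertificate throws before `is.close()` is reached; wrap it: `X509Certificate cer; try (FileInputStream is = new FileInputStream(certificate)) { cer = (X509Certificate) fact.generateCertificate(is); }`. In setupClass, `IOUtils.toString(InputStream)` decodes pipeline.groovy with the platform default charset, which differs between the ubuntu and windows CI runners; pass `StandardCharsets.UTF_8` explicitly. SSLOk stubs getVaultConfig() with a hand-built VaultConfig that already carries the trust store, so it appears to exercise the vault driver's TLS validation rather than the plugin's own trust-store wiring; if that is intended, a one-line comment on the test saying so would stop a later reader from treating it as end-to-end coverage.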
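--- a/src/test/resources/com/datapipe/jenkins/vault/util/gencert.sh
+++ b/src/test/resources/com/datapipe/jenkins/vault/util/gencert.sh
@@ -0,0 +1,8 @@
+# Create a CA root certificate and key
+openssl req -newkey rsa:2048 -days 3650 -x509 -nodes -out root-cert.pem -keyout root-privkey.pem -subj '/C=DK/ST=Denmark/L=Copenhagen/O=Jenkins/CN=localhost'
+# Create a private key, and a certificate-signing request
+openssl req -newkey rsa:1024 -nodes -out vault-csr.pem -keyout vault-privkey.pem -subj '/C=DK/ST=Denmark/L=Copenhagen/O=Jenkins/CN=localhost'
+# Create an X509 certificate for the Vault server
+echo 000a > serialfile
+touch certindex
+openssl ca -batch -config libressl.conf -notext -in vault-csr.pem -out vault-cert.pem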
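Review bot: The Vault server key is generated with `rsa:1024` while the root uses 2048; 1024-bit RSA sits right at the edge of the JDK's `jdk.certpath.disabledAlgorithms` policy (`RSA keySize < 1024`) and a future tightening would make the fixture unusable, so generate it with `rsa:2048` as well. The script also relies on a `libressl.conf` that does not appear in this commit's visible diff and runs without `set -euo pipefail`, so a failing step leaves stale fixtures behind silently; a `#!/bin/sh` line plus `set -eu` at the top would catch that. Both subjects carry only `CN=localhost` with no subjectAltName, which modern hostname verifiers ignore; I cannot tell from this hunk whether the driver's verifier is strict about it, but adding a SAN extension when regenerating would avoid that surprise.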
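--- a/src/test/resources/com/datapipe/jenkins/vault/util/ssl/root-cert.pem
+++ b/src/test/resources/com/datapipe/jenkins/vault/util/ssl/root-cert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhgCCQDcqGwmfGnq4jANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJE
+SzEQMA4GA1UECAwHRGVubWFyazETMBEGA1UEBwwKQ29wZW5oYWdlbjEQMA4GA1UE
+CgwHSmVua2luczESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MTAwOTA4MjMzMloX
+DTI5MTAwNjA4MjMzMlowWjELMAkGA1UEBhMCREsxEDAOBgNVBAgMB0Rlbm1hcmsx
+EzARBgNVBAcMCkNvcGVuaGFnZW4xEDAOBgNVBAoMB0plbmtpbnMxEjAQBgNVBAMM
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+7VkUv
+jfVOoTD/CZYegTUr6PitAvU0l9gXXb1ncCO7gg/MPayUL06KlitomO+uBjQo4CWB
+OaScjoM/2hmEZYQERY/O0UVOMhudjcf/RbjsJE1jvyghrRgWegC+Ib8IuH9DfDe7
+yKvgfo181oIVNlW6dXlbI+itQMLo94aVXJGgOZIm1Ngm49hv6Dq6MIgimmdI9QFr
+p0Gc1/OknNRvDpKSAK4q2O+zzGvhwPJTSj/8V4hUgeMEazeNU1FAsz7bnLGQj2ru
+VP9oiHJAh3lFjdjBiD4b1buAJHw4l2YX98E0idJUEp0sucoEZQI8u/MUjUHoraUt
+zseOS8oLBjx6Mc8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAoC3bmhOJPvwlN8Ny
+ciOwF3OEA9CpbfMveEkZKnfQzIKlMii1+q6i60F00230CG8vhU9G/AQz/MFLLwyu
+yp8wNjDeEW1/bQCw3pfKvRrdDyV5WbPID48VsJfyeTqAqF14ZMJJG4wGxQkyXwwD
+Ykz6qmFOrm8rxOSVptw/TxK7AAJyF/9YPotH1KL5GRnkwgvHWW6FuyNzpTSc4KwC
+DbW2zlndQzP80vidyXD5An1Lc6tkseMQ5jWjhys3nPL5XT7/i4LureBfK9ynxQJ8
+aRvuWcPvhmBfQKvUk0ZU3Ions4t5ySOvGBt0jLUtX4DaOh0X4oBqth7LZa9MWDiD
+pYABpQ==
+-----END CERTIFICATE-----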