From 41ab66abc64dff94abef55c1091982d93dbaa34a Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Fri, 18 Nov 2022 18:45:45 -0300 Subject: [PATCH 1/9] Create integration tests for windows service support 
Signed-off-by: Guilherme Carvalho --- test/integration/README.md | 1 + .../windows-service/00-setup.sh | 4 ++ .../windows-service/01-start-server-service | 8 +++ .../windows-service/02-bootstrap-agent | 5 ++ .../windows-service/03-start-agent-service | 6 ++ .../04-create-registration-entries | 12 ++++ .../windows-service/05-test-fetch-svid | 9 +++ .../windows-service/06-test-graceful-shutdown | 10 +++ .../07-test-service-failing-to-start | 8 +++ .../suites-windows/windows-service/Dockerfile | 13 ++++ .../suites-windows/windows-service/README.md | 19 ++++++ .../suites-windows/windows-service/common | 66 +++++++++++++++++++ .../windows-service/conf/agent/agent.conf | 25 +++++++ .../windows-service/conf/server/server.conf | 25 +++++++ .../windows-service/docker-compose.yaml | 10 +++ .../suites-windows/windows-service/teardown | 6 ++ 16 files changed, 227 insertions(+) create mode 100644 test/integration/suites-windows/windows-service/00-setup.sh create mode 100644 test/integration/suites-windows/windows-service/01-start-server-service create mode 100644 test/integration/suites-windows/windows-service/02-bootstrap-agent create mode 100644 test/integration/suites-windows/windows-service/03-start-agent-service create mode 100644 test/integration/suites-windows/windows-service/04-create-registration-entries create mode 100644 test/integration/suites-windows/windows-service/05-test-fetch-svid create mode 100644 test/integration/suites-windows/windows-service/06-test-graceful-shutdown create mode 100644 test/integration/suites-windows/windows-service/07-test-service-failing-to-start create mode 100644 test/integration/suites-windows/windows-service/Dockerfile create mode 100644 test/integration/suites-windows/windows-service/README.md create mode 100644 test/integration/suites-windows/windows-service/common create mode 100644 test/integration/suites-windows/windows-service/conf/agent/agent.conf create mode 100644 
test/integration/suites-windows/windows-service/conf/server/server.conf create mode 100644 test/integration/suites-windows/windows-service/docker-compose.yaml create mode 100644 test/integration/suites-windows/windows-service/teardown
diff --git a/test/integration/README.md b/test/integration/README.md
index db59f00c3f..34bc1bee91 100644
--- a/test/integration/README.md
+++ b/test/integration/README.md
@@ -89,3 +89,4 @@ The following environment variables are available to the teardown script:
 * [Self Test](suites/self-test/README.md)
 * [SPIRE Server CLI](suites/spire-server-cli/README.md)
 * [Upgrade](suites/upgrade/README.md)
+* [Windows Service](suites-windows/windows-service/README.md)
diff --git a/test/integration/suites-windows/windows-service/00-setup.sh b/test/integration/suites-windows/windows-service/00-setup.sh
new file mode 100644
index 0000000000..81c7eb8554
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/00-setup.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+pwd
+"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent
diff --git a/test/integration/suites-windows/windows-service/01-start-server-service b/test/integration/suites-windows/windows-service/01-start-server-service
new file mode 100644
index 0000000000..9136072e40
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/01-start-server-service
@@ -0,0 +1,8 @@
+#!/bin/bash
+source ./common
+
+docker-up spire-base
+
+create-service spire-server C:\\spire\\bin\\spire-server.exe
+start-service spire-server run -config C:/spire/conf/server/server.conf
+assert-service-status spire-server RUNNING
diff --git a/test/integration/suites-windows/windows-service/02-bootstrap-agent b/test/integration/suites-windows/windows-service/02-bootstrap-agent
new file mode 100644
index 0000000000..854f34a1fa
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/02-bootstrap-agent
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+log-debug "bootstrapping agent..."
+docker-compose exec -T spire-base \
+ c:/spire/bin/spire-server bundle show > conf/agent/bootstrap.crt || fail-now "failed to bootstrap agent"
diff --git a/test/integration/suites-windows/windows-service/03-start-agent-service b/test/integration/suites-windows/windows-service/03-start-agent-service
new file mode 100644
index 0000000000..4297bce4dc
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/03-start-agent-service
@@ -0,0 +1,6 @@
+#!/bin/bash
+source ./common
+
+create-service spire-agent C:\\spire\\bin\\spire-agent.exe
+start-service spire-agent run -config C:/spire/conf/agent/agent.conf
+assert-service-status spire-agent RUNNING
diff --git a/test/integration/suites-windows/windows-service/04-create-registration-entries b/test/integration/suites-windows/windows-service/04-create-registration-entries
new file mode 100644
index 0000000000..b447fac32c
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/04-create-registration-entries
@@ -0,0 +1,12 @@
+#!/bin/bash
+source ./common
+
+log-debug "creating regular registration entry..."
+docker-compose exec -T spire-base \
+ c:/spire/bin/spire-server entry create \
+ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \
+ -spiffeID "spiffe://domain.test/workload" \
+ -selector "windows:user_name:User Manager\ContainerUser" \
+ -ttl 0
+
+assert-synced-entry "spiffe://domain.test/workload"
diff --git a/test/integration/suites-windows/windows-service/05-test-fetch-svid b/test/integration/suites-windows/windows-service/05-test-fetch-svid
new file mode 100644
index 0000000000..8b01e11751
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/05-test-fetch-svid
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+log-debug "test fetch x509 SVID..."
+docker-compose exec -T -u ContainerUser spire-base \
+ c:/spire/bin/spire-agent api fetch x509 || fail-now "failed to fetch x509"
+
+log-debug "test fetch JWT SVID..."
+docker-compose exec -T -u ContainerUser spire-base \
+ c:/spire/bin/spire-agent api fetch jwt -audience mydb fail-now "failed to fetch x509"
diff --git a/test/integration/suites-windows/windows-service/06-test-graceful-shutdown b/test/integration/suites-windows/windows-service/06-test-graceful-shutdown
new file mode 100644
index 0000000000..934c052a8a
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/06-test-graceful-shutdown
@@ -0,0 +1,10 @@
+#!/bin/bash
+source ./common
+
+stop-service spire-agent
+assert-service-status spire-agent STOPPED
+assert-graceful-shutdown agent
+
+stop-service spire-server
+assert-service-status spire-server STOPPED
+assert-graceful-shutdown server
diff --git a/test/integration/suites-windows/windows-service/07-test-service-failing-to-start b/test/integration/suites-windows/windows-service/07-test-service-failing-to-start
new file mode 100644
index 0000000000..91516615d9
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/07-test-service-failing-to-start
@@ -0,0 +1,8 @@
+#!/bin/bash
+source ./common
+
+start-service spire-server run -config invalid-config-path
+assert-service-status spire-server STOPPED
+
+start-service spire-agent run -config invalid-config-path
+assert-service-status spire-agent STOPPED
diff --git a/test/integration/suites-windows/windows-service/Dockerfile b/test/integration/suites-windows/windows-service/Dockerfile
new file mode 100644
index 0000000000..80414f976b
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/Dockerfile
@@ -0,0 +1,13 @@
+FROM spire-agent-windows:latest-local as spire-agent-windows
+
+FROM spire-server-windows:latest-local as spire-base
+
+COPY --from=spire-agent-windows C:/spire/bin/spire-agent.exe C:/spire/bin/spire-agent.exe
+
+ENTRYPOINT [ "cmd" ]
+
+
+
+
+
+
diff --git a/test/integration/suites-windows/windows-service/README.md b/test/integration/suites-windows/windows-service/README.md
new file mode 100644
index 0000000000..611bab0c6a
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/README.md
@@ -0,0 +1,19 @@
+# SPIRE Server CLI Suite
+
+## Description
+
+This suite validates that we can run both spire agent and spire server natively on Windows OS, asserting that spire
+components can run as a [windows service application](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications#service-applications-vs-other-visual-studio-applications),
+and perform [service state transitions](https://learn.microsoft.com/en-us/windows/win32/services/service-status-transitions).
+
+The suite steps are structured as follows:
+
+1. Spire server and agent are installed as Windows services.
+2. Spire server and agent services are started, their respective status are asserted as **_RUNNING_**,
+the node attestation is performed with x509pop.
+3. Workload registration entries are created.
+4. The feature of fetching SVIDs (x509 and JWT) is asserted with the running spire agent service.
+5. Spire server and agent services are stopped, their respective status are asserted as **_STOPPED_**, and graceful
+shutdown is verified via application logs.
+6. Spire server and agent services are started again, but this time with an invalid config, their respective status are
+asserted as **_STOPPED_**.
diff --git a/test/integration/suites-windows/windows-service/common b/test/integration/suites-windows/windows-service/common
new file mode 100644
index 0000000000..f177cd7b19
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/common
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+assert-synced-entry() {
+ # Check at most 30 times (with one second in between) that the agent has
+ # successfully synced down the workload entry.
+ MAXCHECKS=30
+ CHECKINTERVAL=1
+ for ((i=1;i<=MAXCHECKS;i++)); do
+ log-info "checking for synced entry ($i of $MAXCHECKS max)..."
+ if grep -wq "$1" conf/agent/logs.txt; then
+ return 0
+ fi
+ sleep "${CHECKINTERVAL}"
+ done
+
+ fail-now "timed out waiting for agent to sync down entry"
+}
+
+assert-service-status() {
+ MAXCHECKS=10
+ CHECKINTERVAL=1
+ for ((i=1;i<=MAXCHECKS;i++)); do
+ log-info "checking for $1 service $2 ($i of $MAXCHECKS max)..."
+ scCommand=$([ "$2" == "STOPPED" ] && echo "query" || echo "interrogate")
+ if docker-compose exec -T -u ContainerAdministrator spire-base sc "$scCommand" "$1" | grep -wq "$2"; then
+ log-info "$1 is in $2 state"
+ return 0
+ fi
+ sleep "${CHECKINTERVAL}"
+ done
+
+ fail-now "$1 service failed to reach $2 state"
+}
+
+assert-graceful-shutdown() {
+ MAXCHECKS=10
+ CHECKINTERVAL=1
+ for ((i=1;i<=MAXCHECKS;i++)); do
+ log-info "checking for graceful shutdown ($i of $MAXCHECKS max)..."
+ if grep -wq "stopped gracefully" conf/"$1"/logs.txt; then
+ log-info "$1 stopped gracefully"
+ return 0
+ fi
+ sleep "${CHECKINTERVAL}"
+ done
+
+ fail-now "timed out waiting for $1 graceful shutdown"
+}
+
+create-service() {
+ log-info "creating $1 service..."
+ docker-compose exec -T -u ContainerAdministrator spire-base \
+ sc create "$1" binPath="$2" || grep "STOPPED" fail-now "failed to create $1 service"
+}
+
+stop-service() {
+ log-info "stopping $1 service..."
+ docker-compose exec -T -u ContainerAdministrator spire-base \
+ sc stop "$1" || fail-now "failed to stop $1 service"
+}
+
+start-service(){
+ log-info "starting $1 service..."
+ docker-compose exec -T -u ContainerAdministrator spire-base \
+ sc start "$@" | grep "START_PENDING" || fail-now "failed to start $1 service"
+}
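Review bot: The failure branch of `create-service` never reaches `fail-now`: `|| grep "STOPPED" fail-now "failed to create $1 service"` runs grep with `fail-now` and the message as file names, so when `sc create` fails the step only prints a grep error and the suite continues into `start-service`, which then reports a misleading start failure instead of the real cause. The line should read `sc create "$1" binPath="$2" || fail-now "failed to create $1 service"`; the same line is carried unchanged on the new side of the patch-8 hunk of this file. While there, I would confirm that sc.exe accepts `binPath=` with the value attached and no space, since Microsoft's documented form is `binPath= "<path>"` and a usage error from sc would currently be swallowed by this same branch.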
diff --git a/test/integration/suites-windows/windows-service/conf/agent/agent.conf b/test/integration/suites-windows/windows-service/conf/agent/agent.conf
new file mode 100644
index 0000000000..d0111f8076
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/conf/agent/agent.conf
@@ -0,0 +1,25 @@
+agent {
+ data_dir = "c:/spire/data/agent"
+ log_level = "DEBUG"
+ server_address = "127.0.0.1"
+ log_file ="c:/spire/conf/agent/logs.txt"
+ server_port = "8081"
+ trust_bundle_path = "c:/spire/conf/agent/bootstrap.crt"
+ trust_domain = "domain.test"
+}
+
+plugins {
+ NodeAttestor "x509pop" {
+ plugin_data {
+ private_key_path = "c:/spire/conf/agent/agent.key.pem"
+ certificate_path = "c:/spire/conf/agent/agent.crt.pem"
+ }
+ }
+ KeyManager "disk" {
+ plugin_data {
+ directory = "c:/spire/data/agent"
+ }
+ }
+ WorkloadAttestor "windows" {
+ }
+}
diff --git a/test/integration/suites-windows/windows-service/conf/server/server.conf b/test/integration/suites-windows/windows-service/conf/server/server.conf
new file mode 100644
index 0000000000..526b320e9f
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/conf/server/server.conf
@@ -0,0 +1,25 @@
+server {
+ bind_address = "127.0.0.1"
+ bind_port = "8081"
+ trust_domain = "domain.test"
+ log_file ="c:/spire/conf/server/logs.txt"
+ data_dir = "c:/spire/data/server"
+ log_level = "DEBUG"
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "c:/spire/data/server/datastore.sqlite3"
+ }
+ }
+ NodeAttestor "x509pop" {
+ plugin_data {
+ ca_bundle_path = "c:/spire/conf/server/agent-cacert.pem"
+ }
+ }
+ KeyManager "memory" {
+ plugin_data = {}
+ }
+}
diff --git a/test/integration/suites-windows/windows-service/docker-compose.yaml b/test/integration/suites-windows/windows-service/docker-compose.yaml
new file mode 100644
index 0000000000..36b395ee67
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/docker-compose.yaml
@@ -0,0 +1,10 @@
+version: '3'
+services:
+ spire-base:
+ image: spire-base:latest
+ volumes:
+ - ./conf/server:c:/spire/conf/server
+ - ./conf/agent:c:/spire/conf/agent
+ user: ContainerAdministrator
+ command:
+ - cmd /c ping -t localhost > NUL
diff --git a/test/integration/suites-windows/windows-service/teardown b/test/integration/suites-windows/windows-service/teardown
new file mode 100644
index 0000000000..9953dcd3f9
--- /dev/null
+++ b/test/integration/suites-windows/windows-service/teardown
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -z "$SUCCESS" ]; then
+ docker-compose logs
+fi
+docker-down
From 57bed44d07b7dffaf261dd8ede3758d24e62e7b0 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Fri, 18 Nov 2022 19:27:40 -0300 Subject: [PATCH 2/9] Build spire-base image on test setup Signed-off-by: Guilherme Carvalho --- test/integration/suites-windows/windows-service/00-setup.sh | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/test/integration/suites-windows/windows-service/00-setup.sh b/test/integration/suites-windows/windows-service/00-setup.sh
index 81c7eb8554..8e8d7b3af3 100644
--- a/test/integration/suites-windows/windows-service/00-setup.sh
+++ b/test/integration/suites-windows/windows-service/00-setup.sh
@@ -2,3 +2,5 @@ pwd "${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent + +docker build --target spire-base -t spire-base .
From f3b2b5259d477c3e4ce1765209724426ef1955f3 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Wed, 4 Jan 2023 15:51:01 -0300 Subject: [PATCH 3/9] Use custom IsWindowsService function to make it work with windows containers Signed-off-by: Guilherme Carvalho --- pkg/common/entrypoint/entrypoint_windows.go | 48 +++++++++++++++++-- .../suites-windows/windows-service/common | 2 +- 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/pkg/common/entrypoint/entrypoint_windows.go b/pkg/common/entrypoint/entrypoint_windows.go
index a7694c1ce3..5ed94a3cfb 100644
--- a/pkg/common/entrypoint/entrypoint_windows.go
+++ b/pkg/common/entrypoint/entrypoint_windows.go @@ -7,6 +7,10 @@ import ( "context" "fmt" "os" + "strings" + "unsafe" + + "golang.org/x/sys/windows" "golang.org/x/sys/windows/svc" ) @@ -20,7 +24,10 @@ type systemCall struct { } func (s *systemCall) IsWindowsService() (bool, error) { - return svc.IsWindowsService() + // We are using a custom function because the svc.IsWindowsService() one still has an open issue in which it states + // that it is not working properly in Windows containers: https://github.com/golang/go/issues/56335. Soon as we have + // a fix for that, we can use the original function. + return isWindowsService() } func (s *systemCall) Run(name string, handler svc.Handler) error { @@ -51,11 +58,11 @@ func (e *EntryPoint) Main() int { // Determining if SPIRE is running as a Windows service is done // with a best-effort approach. If there is an error, just fallback // to the behavior of not running as a Windows service. - isWindowsService, err := e.sc.IsWindowsService() + isWindowsSvc, err := e.sc.IsWindowsService() if err != nil { fmt.Fprintf(os.Stderr, "Could not determine if running as a Windows service: %v", err) } - if isWindowsService { + if isWindowsSvc { errChan := make(chan error) go func() { // Since the service runs in its own process, the service name is ignored. 
@@ -71,3 +78,38 @@ func (e *EntryPoint) Main() int { return e.runCmdFn(context.Background(), os.Args[1:]) } + +// isWindowsService is a copy of the svc.IsWindowsService() function, but without the parentProcess.SessionID == 0 check +// that is causing the issue in Windows containers, this logic is exactly the same from .NET runtime (>= 6.0.10). +func isWindowsService() (bool, error) { + // The below technique looks a bit hairy, but it's actually + // exactly what the .NET runtime (>= 6.0.10) does for the similarly named function: + // https://github.com/dotnet/runtime/blob/36bf84fc4a89209f4fdbc1fc201e81afd8be49b0/src/libraries/Microsoft.Extensions.Hosting.WindowsServices/src/WindowsServiceHelpers.cs#L20-L33 + // Specifically, it looks up whether the parent process is called "services". + + var currentProcess windows.PROCESS_BASIC_INFORMATION + infoSize := uint32(unsafe.Sizeof(currentProcess)) + err := windows.NtQueryInformationProcess(windows.CurrentProcess(), windows.ProcessBasicInformation, unsafe.Pointer(¤tProcess), infoSize, &infoSize) + if err != nil { + return false, err + } + var parentProcess *windows.SYSTEM_PROCESS_INFORMATION + for infoSize = uint32((unsafe.Sizeof(*parentProcess) + unsafe.Sizeof(uintptr(0))) * 1024); ; { + parentProcess = (*windows.SYSTEM_PROCESS_INFORMATION)(unsafe.Pointer(&make([]byte, infoSize)[0])) + err = windows.NtQuerySystemInformation(windows.SystemProcessInformation, unsafe.Pointer(parentProcess), infoSize, &infoSize) + if err == nil { + break + } else if err != windows.STATUS_INFO_LENGTH_MISMATCH { + return false, err + } + } + for ; ; parentProcess = (*windows.SYSTEM_PROCESS_INFORMATION)(unsafe.Pointer(uintptr(unsafe.Pointer(parentProcess)) + uintptr(parentProcess.NextEntryOffset))) { + if parentProcess.UniqueProcessID == currentProcess.InheritedFromUniqueProcessId { + return strings.EqualFold("services.exe", parentProcess.ImageName.String()), nil + } + if parentProcess.NextEntryOffset == 0 { + break + } + } + return false, nil 
+} diff --git a/test/integration/suites-windows/windows-service/common b/test/integration/suites-windows/windows-service/common index f177cd7b19..adc15da887 100644 --- a/test/integration/suites-windows/windows-service/common +++ b/test/integration/suites-windows/windows-service/common @@ -62,5 +62,5 @@ stop-service() { start-service(){ log-info "starting $1 service..." docker-compose exec -T -u ContainerAdministrator spire-base \ - sc start "$@" | grep "START_PENDING" || fail-now "failed to start $1 service" + sc start "$@" | grep -wq "START_PENDING" || fail-now "failed to start $1 service" } From da87566139c40d155d5392098fd26fce0101e7c2 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Wed, 4 Jan 2023 21:35:18 -0300 Subject: [PATCH 4/9] Remove empty lines from Dockerfile Signed-off-by: Guilherme Carvalho --- test/integration/suites-windows/windows-service/Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/test/integration/suites-windows/windows-service/Dockerfile b/test/integration/suites-windows/windows-service/Dockerfile index 80414f976b..a3b5c37808 100644 --- a/test/integration/suites-windows/windows-service/Dockerfile +++ b/test/integration/suites-windows/windows-service/Dockerfile @@ -5,9 +5,3 @@ FROM spire-server-windows:latest-local as spire-base COPY --from=spire-agent-windows C:/spire/bin/spire-agent.exe C:/spire/bin/spire-agent.exe ENTRYPOINT [ "cmd" ] - - - - - - From 0a3f51d78da1facda928108332a400e90d6a3291 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Thu, 5 Jan 2023 08:50:14 -0300 Subject: [PATCH 5/9] Fix grammatical errors Signed-off-by: Guilherme Carvalho --- test/integration/suites-windows/windows-service/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/integration/suites-windows/windows-service/README.md b/test/integration/suites-windows/windows-service/README.md index 611bab0c6a..0f92d683c7 100644 --- a/test/integration/suites-windows/windows-service/README.md 
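Review bot: The parent-process walk at the end of `isWindowsService` follows `NextEntryOffset` without checking that the next `SYSTEM_PROCESS_INFORMATION` entry still lies inside the buffer, so a truncated or inconsistent entry would be read past the end of the `make([]byte, infoSize)` allocation before the `NextEntryOffset == 0` exit is reached. This mirrors the x/sys implementation the doc comment cites, so it may be an accepted trade-off, but bounding the walk by the length the call reported back in `infoSize` (as far as I can tell it holds the returned size after the successful `NtQuerySystemInformation`) is cheap and keeps the unsafe arithmetic contained. A smaller point: with the session-0 check deliberately dropped, the decision now rests solely on the parent image being named `services.exe`; the doc comment records that deviation, which is the right place for it. The whole function lies within this hunk.
```go
	// … unchanged: NtQueryInformationProcess and the NtQuerySystemInformation sizing loop …
	// Bound the walk by the bytes the call reported in infoSize so a bad
	// NextEntryOffset cannot carry the loop outside the buffer.
	end := uintptr(unsafe.Pointer(parentProcess)) + uintptr(infoSize)
	for {
		if parentProcess.UniqueProcessID == currentProcess.InheritedFromUniqueProcessId {
			return strings.EqualFold("services.exe", parentProcess.ImageName.String()), nil
		}
		off := uintptr(parentProcess.NextEntryOffset)
		if off == 0 || uintptr(unsafe.Pointer(parentProcess))+off+unsafe.Sizeof(*parentProcess) > end {
			break
		}
		parentProcess = (*windows.SYSTEM_PROCESS_INFORMATION)(unsafe.Pointer(uintptr(unsafe.Pointer(parentProcess)) + off))
	}
	return false, nil
```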
+++ b/test/integration/suites-windows/windows-service/README.md @@ -9,11 +9,11 @@ and perform [service state transitions](https://learn.microsoft.com/en-us/window The suite steps are structured as follows: 1. Spire server and agent are installed as Windows services. -2. Spire server and agent services are started, their respective status are asserted as **_RUNNING_**, -the node attestation is performed with x509pop. +2. Spire server and agent services starts, their respective status is asserted as **_RUNNING_**, and the node +attestation is performed with x509pop. 3. Workload registration entries are created. 4. The feature of fetching SVIDs (x509 and JWT) is asserted with the running spire agent service. -5. Spire server and agent services are stopped, their respective status are asserted as **_STOPPED_**, and graceful +5. Spire server and agent services are stopped, their respective status is asserted as **_STOPPED_**, and graceful shutdown is verified via application logs. -6. Spire server and agent services are started again, but this time with an invalid config, their respective status are +6. Spire server and agent services are started again, but this time with an invalid config; their respective status is asserted as **_STOPPED_**. From 1c4b1129c3e0315d21e4924b6c8c6db7cf76adac Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Thu, 5 Jan 2023 10:23:38 -0300 Subject: [PATCH 6/9] Fix markdown lint Signed-off-by: Guilherme Carvalho --- test/integration/suites-windows/windows-service/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/integration/suites-windows/windows-service/README.md b/test/integration/suites-windows/windows-service/README.md index 0f92d683c7..0a001f6f79 100644 --- a/test/integration/suites-windows/windows-service/README.md +++ b/test/integration/suites-windows/windows-service/README.md 
@@ -2,15 +2,15 @@ ## Description -This suite validates that we can run both spire agent and spire server natively on Windows OS, asserting that spire -components can run as a [windows service application](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications#service-applications-vs-other-visual-studio-applications), +This suite validates that we can run both spire agent and spire server natively on Windows OS, asserting that spire components +can run as a [windows service application](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications#service-applications-vs-other-visual-studio-applications), and perform [service state transitions](https://learn.microsoft.com/en-us/windows/win32/services/service-status-transitions). The suite steps are structured as follows: 1. Spire server and agent are installed as Windows services. -2. Spire server and agent services starts, their respective status is asserted as **_RUNNING_**, and the node -attestation is performed with x509pop. +2. Spire server and agent services starts, their respective status is asserted as **_RUNNING_**, and the node attestation +is performed with x509pop. 3. Workload registration entries are created. 4. The feature of fetching SVIDs (x509 and JWT) is asserted with the running spire agent service. 5. Spire server and agent services are stopped, their respective status is asserted as **_STOPPED_**, and graceful From 4e04cd9532d41451b4e1574d00da58384eb93655 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Thu, 5 Jan 2023 11:19:26 -0300 Subject: [PATCH 7/9] Fix windows lint Signed-off-by: Guilherme Carvalho --- pkg/common/entrypoint/entrypoint_windows.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/common/entrypoint/entrypoint_windows.go b/pkg/common/entrypoint/entrypoint_windows.go index 5ed94a3cfb..eb9d3697cb 100644 
--- a/pkg/common/entrypoint/entrypoint_windows.go +++ b/pkg/common/entrypoint/entrypoint_windows.go @@ -5,6 +5,7 @@ package entrypoint import ( "context" + "errors" "fmt" "os" "strings" @@ -99,7 +100,7 @@ func isWindowsService() (bool, error) { err = windows.NtQuerySystemInformation(windows.SystemProcessInformation, unsafe.Pointer(parentProcess), infoSize, &infoSize) if err == nil { break - } else if err != windows.STATUS_INFO_LENGTH_MISMATCH { + } else if !errors.Is(err, windows.STATUS_INFO_LENGTH_MISMATCH) { return false, err } } From 3310ac8ceca2da67e36a96fbe25c9a438d081b37 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Tue, 17 Jan 2023 18:47:05 -0300 Subject: [PATCH 8/9] Refactor tests Signed-off-by: Guilherme Carvalho --- .../suites-windows/windows-service/00-setup.sh | 3 --- .../windows-service/01-start-server-service | 4 ++-- .../windows-service/02-bootstrap-agent | 2 +- .../windows-service/03-start-agent-service | 4 +++- .../04-create-registration-entries | 2 +- .../windows-service/05-test-fetch-svid | 4 ++-- .../suites-windows/windows-service/common | 10 +++++----- .../windows-service/conf/agent/agent.conf | 2 +- .../windows-service/conf/server/server.conf | 2 +- .../windows-service/docker-compose.yaml | 18 ++++++++++++++++-- 10 files changed, 32 insertions(+), 19 deletions(-) diff --git a/test/integration/suites-windows/windows-service/00-setup.sh b/test/integration/suites-windows/windows-service/00-setup.sh index 8e8d7b3af3..49c69db23c 100644 --- a/test/integration/suites-windows/windows-service/00-setup.sh +++ b/test/integration/suites-windows/windows-service/00-setup.sh @@ -1,6 +1,3 @@ #!/bin/bash -pwd "${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent - -docker build --target spire-base -t spire-base . diff --git a/test/integration/suites-windows/windows-service/01-start-server-service b/test/integration/suites-windows/windows-service/01-start-server-service index 9136072e40..a00e0458d3 100644 
--- a/test/integration/suites-windows/windows-service/01-start-server-service +++ b/test/integration/suites-windows/windows-service/01-start-server-service @@ -1,8 +1,8 @@ #!/bin/bash source ./common -docker-up spire-base +docker-up spire-server -create-service spire-server C:\\spire\\bin\\spire-server.exe +create-service spire-server C:/spire/bin/spire-server.exe start-service spire-server run -config C:/spire/conf/server/server.conf assert-service-status spire-server RUNNING diff --git a/test/integration/suites-windows/windows-service/02-bootstrap-agent b/test/integration/suites-windows/windows-service/02-bootstrap-agent index 854f34a1fa..3ff7ec941b 100644 --- a/test/integration/suites-windows/windows-service/02-bootstrap-agent +++ b/test/integration/suites-windows/windows-service/02-bootstrap-agent @@ -1,5 +1,5 @@ #!/bin/bash log-debug "bootstrapping agent..." -docker-compose exec -T spire-base \ +docker-compose exec -T spire-server \ c:/spire/bin/spire-server bundle show > conf/agent/bootstrap.crt || fail-now "failed to bootstrap agent" diff --git a/test/integration/suites-windows/windows-service/03-start-agent-service b/test/integration/suites-windows/windows-service/03-start-agent-service index 4297bce4dc..d024e8aad5 100644 --- a/test/integration/suites-windows/windows-service/03-start-agent-service +++ b/test/integration/suites-windows/windows-service/03-start-agent-service @@ -1,6 +1,8 @@ #!/bin/bash source ./common -create-service spire-agent C:\\spire\\bin\\spire-agent.exe +docker-up spire-agent + +create-service spire-agent C:/spire/bin/spire-agent.exe start-service spire-agent run -config C:/spire/conf/agent/agent.conf assert-service-status spire-agent RUNNING diff --git a/test/integration/suites-windows/windows-service/04-create-registration-entries b/test/integration/suites-windows/windows-service/04-create-registration-entries index b447fac32c..890c9385f2 100644 --- a/test/integration/suites-windows/windows-service/04-create-registration-entries 
+++ b/test/integration/suites-windows/windows-service/04-create-registration-entries @@ -2,7 +2,7 @@ source ./common log-debug "creating regular registration entry..." -docker-compose exec -T spire-base \ +docker-compose exec -T spire-server \ c:/spire/bin/spire-server entry create \ -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ -spiffeID "spiffe://domain.test/workload" \ diff --git a/test/integration/suites-windows/windows-service/05-test-fetch-svid b/test/integration/suites-windows/windows-service/05-test-fetch-svid index 8b01e11751..d20484b6de 100644 --- a/test/integration/suites-windows/windows-service/05-test-fetch-svid +++ b/test/integration/suites-windows/windows-service/05-test-fetch-svid @@ -1,9 +1,9 @@ #!/bin/bash log-debug "test fetch x509 SVID..." -docker-compose exec -T -u ContainerUser spire-base \ +docker-compose exec -T -u ContainerUser spire-agent \ c:/spire/bin/spire-agent api fetch x509 || fail-now "failed to fetch x509" log-debug "test fetch JWT SVID..." -docker-compose exec -T -u ContainerUser spire-base \ +docker-compose exec -T -u ContainerUser spire-agent \ c:/spire/bin/spire-agent api fetch jwt -audience mydb fail-now "failed to fetch x509" diff --git a/test/integration/suites-windows/windows-service/common b/test/integration/suites-windows/windows-service/common index adc15da887..d2918ce8e9 100644 --- a/test/integration/suites-windows/windows-service/common +++ b/test/integration/suites-windows/windows-service/common @@ -22,7 +22,7 @@ assert-service-status() { for ((i=1;i<=MAXCHECKS;i++)); do log-info "checking for $1 service $2 ($i of $MAXCHECKS max)..." scCommand=$([ "$2" == "STOPPED" ] && echo "query" || echo "interrogate") - if docker-compose exec -T -u ContainerAdministrator spire-base sc "$scCommand" "$1" | grep -wq "$2"; then + if docker-compose exec -T -u ContainerAdministrator "$1" sc "$scCommand" "$1" | grep -wq "$2"; then log-info "$1 is in $2 state" return 0 fi 
@@ -49,18 +49,18 @@ assert-graceful-shutdown() { create-service() { log-info "creating $1 service..." - docker-compose exec -T -u ContainerAdministrator spire-base \ + docker-compose exec -T -u ContainerAdministrator "$1" \ sc create "$1" binPath="$2" || grep "STOPPED" fail-now "failed to create $1 service" } stop-service() { log-info "stopping $1 service..." - docker-compose exec -T -u ContainerAdministrator spire-base \ + docker-compose exec -T -u ContainerAdministrator "$1" \ sc stop "$1" || fail-now "failed to stop $1 service" } start-service(){ log-info "starting $1 service..." - docker-compose exec -T -u ContainerAdministrator spire-base \ - sc start "$@" | grep -wq "START_PENDING" || fail-now "failed to start $1 service" + docker-compose exec -T -u ContainerAdministrator "$1" \ + sc start "$@" | grep -wq "START_PENDING" || fail-now "failed to start $2 service" } diff --git a/test/integration/suites-windows/windows-service/conf/agent/agent.conf b/test/integration/suites-windows/windows-service/conf/agent/agent.conf index d0111f8076..ad67ee6328 100644 --- a/test/integration/suites-windows/windows-service/conf/agent/agent.conf +++ b/test/integration/suites-windows/windows-service/conf/agent/agent.conf @@ -1,7 +1,7 @@ agent { data_dir = "c:/spire/data/agent" log_level = "DEBUG" - server_address = "127.0.0.1" + server_address = "spire-server" log_file ="c:/spire/conf/agent/logs.txt" server_port = "8081" trust_bundle_path = "c:/spire/conf/agent/bootstrap.crt" diff --git a/test/integration/suites-windows/windows-service/conf/server/server.conf b/test/integration/suites-windows/windows-service/conf/server/server.conf index 526b320e9f..600d5ad85d 100644 --- a/test/integration/suites-windows/windows-service/conf/server/server.conf +++ b/test/integration/suites-windows/windows-service/conf/server/server.conf 
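Review bot: The new `fail-now "failed to start $2 service"` in `start-service` interpolates the wrong argument: every caller passes the service name first and `run` second (`start-service spire-server run -config ...`), so a failure would now be reported as `failed to start run service`. `$1` is both the compose service handed to `docker-compose exec` and the Windows service name, so the message should stay `fail-now "failed to start $1 service"`. The `create-service` and `stop-service` bodies in this hunk keep `$1` for the same purpose, so this looks like a slip rather than an intended change.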
@@ -1,5 +1,5 @@ server { - bind_address = "127.0.0.1" + bind_address = "0.0.0.0" bind_port = "8081" trust_domain = "domain.test" log_file ="c:/spire/conf/server/logs.txt" diff --git a/test/integration/suites-windows/windows-service/docker-compose.yaml b/test/integration/suites-windows/windows-service/docker-compose.yaml index 36b395ee67..a74aef2684 100644 --- a/test/integration/suites-windows/windows-service/docker-compose.yaml +++ b/test/integration/suites-windows/windows-service/docker-compose.yaml @@ -1,10 +1,24 @@ version: '3' + services: - spire-base: - image: spire-base:latest + spire-server: + image: spire-server-windows:latest-local + hostname: spire-server volumes: - ./conf/server:c:/spire/conf/server + user: ContainerAdministrator + entrypoint: + - cmd + command: + - cmd /c ping -t localhost > NUL + spire-agent: + image: spire-agent-windows:latest-local + hostname: spire-agent + depends_on: ["spire-server"] + volumes: - ./conf/agent:c:/spire/conf/agent user: ContainerAdministrator + entrypoint: + - cmd command: - cmd /c ping -t localhost > NUL From 907ec1de43427b84660b2b5db9be9f612918decf Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Wed, 18 Jan 2023 14:22:35 -0300 Subject: [PATCH 9/9] Delete unused Dockerfile Signed-off-by: Guilherme Carvalho --- .../suites-windows/windows-service/05-test-fetch-svid | 2 +- test/integration/suites-windows/windows-service/Dockerfile | 7 ------- 2 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 test/integration/suites-windows/windows-service/Dockerfile diff --git a/test/integration/suites-windows/windows-service/05-test-fetch-svid b/test/integration/suites-windows/windows-service/05-test-fetch-svid index d20484b6de..83168a2b63 100644 --- a/test/integration/suites-windows/windows-service/05-test-fetch-svid +++ b/test/integration/suites-windows/windows-service/05-test-fetch-svid 
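Review bot: `bind_address = "0.0.0.0"` in server.conf is needed now that the agent reaches the server over the compose network by hostname, but nothing in the file says so, and what actually keeps the listener off the host is that the docker-compose.yaml hunk in this commit publishes no `ports:`. A one-line comment above the setting would stop the value from being copied into a non-test config: `# 0.0.0.0 only because spire-agent connects over the compose network; no ports are published to the host`. The hunk shows only the first five lines of the server block.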
@@ -6,4 +6,4 @@ docker-compose exec -T -u ContainerUser spire-agent \ log-debug "test fetch JWT SVID..." docker-compose exec -T -u ContainerUser spire-agent \ - c:/spire/bin/spire-agent api fetch jwt -audience mydb fail-now "failed to fetch x509" + c:/spire/bin/spire-agent api fetch jwt -audience mydb || fail-now "failed to fetch JWT" diff --git a/test/integration/suites-windows/windows-service/Dockerfile b/test/integration/suites-windows/windows-service/Dockerfile deleted file mode 100644 index a3b5c37808..0000000000 --- a/test/integration/suites-windows/windows-service/Dockerfile +++ /dev/null @@ -1,7 +0,0 @@ -FROM spire-agent-windows:latest-local as spire-agent-windows - -FROM spire-server-windows:latest-local as spire-base - -COPY --from=spire-agent-windows C:/spire/bin/spire-agent.exe C:/spire/bin/spire-agent.exe - -ENTRYPOINT [ "cmd" ]