Implement OpenSSL encryption/decryption validation tests for Azure Linux CBL-Mariner (#3832)

WithEnoughCoffee · web-flow · commit b53d4ad6ac90 · 2025-06-10T10:02:51.000+08:00
diff --git a/lisa/tools/__init__.py b/lisa/tools/__init__.py
@@ -90,6 +90,7 @@
 from .ntttcp import Ntttcp
 from .nvidiasmi import NvidiaSmi
 from .nvmecli import Nvmecli
+from .openssl import OpenSSL
 from .parted import Parted
 from .perf import Perf
 from .pgrep import Pgrep, ProcessInfo
@@ -222,6 +223,7 @@
     "Ntttcp",
     "NvidiaSmi",
     "Nvmecli",
+    "OpenSSL",
     "Parted",
     "Perf",
     "Pidof",
diff --git a/lisa/tools/openssl.py b/lisa/tools/openssl.py
@@ -0,0 +1,103 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+import shlex
+from typing import TYPE_CHECKING
+
+from lisa.executable import Tool
+
+if TYPE_CHECKING:
+    from lisa.operating_system import Posix
+
+
+class OpenSSL(Tool):
+    """
+    OpenSSL tool for encryption and decryption operations.
+    """
+
+    @property
+    def command(self) -> str:
+        return "openssl"
+
+    @property
+    def can_install(self) -> bool:
+        return True
+
+    def encrypt(
+        self,
+        plaintext: str,
+        hex_key: str,
+        hex_iv: str,
+        algorithm: str = "aes-256-cbc",
+    ) -> str:
+        """
+        Encrypt the plaintext using the specified key and IV,
+        and return the base64 encoded ciphertext.
+        """
+        return self._run_with_piped_input(
+            plaintext,
+            f"enc -{algorithm} -K '{hex_key}' -iv '{hex_iv}' -base64 -A",
+            expected_exit_code_failure_message="Failed to encrypt data with OpenSSL.",
+        )
+
+    def decrypt(
+        self,
+        ciphertext: str,
+        hex_key: str,
+        hex_iv: str,
+        algorithm: str = "aes-256-cbc",
+    ) -> str:
+        """
+        This method decrypts the ciphertext using the specified
+        key and IV, and returns the plaintext.
+        Decrypt the ciphertext using the specified
+        key and IV, and return the plaintext.
+        """
+        return self._run_with_piped_input(
+            ciphertext,
+            f"enc -d -{algorithm} -K '{hex_key}' -iv '{hex_iv}' -base64 -A",
+            expected_exit_code_failure_message="Failed to decrypt data with OpenSSL.",
+        )
+
+    def _run_with_piped_input(
+        self,
+        piped_input_cmd: str,
+        openssl_cmd: str,
+        expected_exit_code: int = 0,
+        expected_exit_code_failure_message: str = "",
+    ) -> str:
+        """
+        Execute OpenSSL command with piped input and validate results.
+
+        Args:
+            piped_input_cmd: The input string to pipe to OpenSSL
+            openssl_cmd: The OpenSSL command to execute
+            expected_exit_code: Expected exit code from command (default: 0)
+            expected_exit_code_failure_message:
+            Message to display if the command fails with an unexpected exit code
+
+        Returns:
+            The stripped stdout from the command
+
+        Raises:
+            LisaException: When the command fails
+            or returns unexpected exit code
+        """
+        sanitized_input = shlex.quote(piped_input_cmd)
+        cmd = f"printf '%s' {sanitized_input} | {self.command} {openssl_cmd}"
+        result = self.node.execute(
+            cmd,
+            shell=True,
+            expected_exit_code=expected_exit_code,
+            expected_exit_code_failure_message=expected_exit_code_failure_message,
+        )
+        return result.stdout.strip()
+
+    def _install(self) -> bool:
+        """
+        Install OpenSSL on the node if
+        it is not already installed.
+        """
+        posix_os: Posix = self.node.os  # type: ignore
+        posix_os.install_packages([self])
+        return self._check_exists()
diff --git a/microsoft/testsuites/security/openssl.py b/microsoft/testsuites/security/openssl.py
@@ -0,0 +1,68 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+import json
+
+from assertpy import assert_that
+
+from lisa import Logger, Node, TestCaseMetadata, TestSuite, TestSuiteMetadata
+from lisa.tools import OpenSSL
+
+
+@TestSuiteMetadata(
+    area="security",
+    category="functional",
+    description="""
+    Tests the functionality of OpenSSL, including encryption and decryption
+    operations. Validates that OpenSSL can successfully encrypt plaintext data
+    and decrypt it back to its original form using generated keys and IVs.
+    """,
+)
+class OpenSSLTestSuite(TestSuite):
+    """
+    Test suite for OpenSSL functionality.
+    """
+
+    @TestCaseMetadata(
+        description="""
+        Verifies basic OpenSSL encryption and decryption behavior by generating
+        a random key and IV, encrypting various types of plaintext, and
+        decrypting them back to their original form.
+        """,
+        priority=2,
+    )
+    def verify_openssl_basic(self, log: Logger, node: Node) -> None:
+        self._openssl_test_encrypt_decrypt(log, node)
+
+    def _openssl_test_encrypt_decrypt(self, log: Logger, node: Node) -> None:
+        """
+        Tests OpenSSL encryption and decryption functionality.
+        This function generates a random key and IV, encrypts various types of
+        """
+
+        # Key and IV for encryption and decryption.
+        openssl = node.tools[OpenSSL]
+        key_hex = openssl.run(
+            "rand -hex 32",
+            expected_exit_code=0,
+        ).stdout.strip()
+        iv_hex = openssl.run(
+            "rand -hex 16",
+            expected_exit_code=0,
+        ).stdout.strip()
+        # Test with different data types and sizes
+        test_data = [
+            "cool",  # Short string
+            "A" * 1024,  # Longer string
+            "Special chars: !@#$%^&*()",  # Special characters
+            json.dumps({"resourceId": "test123"}),  # JSON Azure resource data
+        ]
+
+        for plaintext in test_data:
+            # Encrypt and decrypt the plaintext
+            log.debug(f"Output plaintext: {plaintext}")
+            encrypted_data = openssl.encrypt(plaintext, key_hex, iv_hex)
+            decrypted_data = openssl.decrypt(encrypted_data, key_hex, iv_hex)
+            assert_that(plaintext).described_as(
+                "Plaintext and decrypted data do not match"
+            ).is_equal_to(decrypted_data)
