Add jenkins conjur plugin test #61

Open
h-artzi opened this issue Apr 29, 2020 · 3 comments
Comments

@h-artzi
Contributor

h-artzi commented Apr 29, 2020

Is your feature request related to a problem? Please describe.

I would like to see automated tests for the Jenkins conjur plugin because it will ensure that as the appliance is upgraded, the plugin continues to work.

Describe the solution you would like

  1. Container running DAP
  2. A container running Jenkins. Jenkins should run a job which gets a secret

Describe alternatives you have considered

N/A

Steps taken to test manually

1. Reference jenkins_plugin branch

  • Run ./start in jenkins_plugin_test
  • This will start a DAP instance
  • In a new tab run docker-compose up Jenkins
    Note: I recommend having the UI open in a browser.
    DAP: https://localhost, username: admin, password: MySecretP@ss1
    Jenkins: http://localhost:8080, admin_password will be found in the logs

jenkins_1  | Jenkins initial setup is required. An admin user has been created and a password generated.
jenkins_1  | Please use the following password to proceed to installation:
jenkins_1  |
jenkins_1  | <password>
jenkins_1  |
jenkins_1  | This may also be found at: /var/jenkins_home/secrets/initialAdminPassword

Follow the prompts in the UI to create a new user or continue as admin.

2. Upload policies to DAP

$ ./cli conjur policy load --replace root policy/users.yml
$ ./cli conjur policy load root policy/policy.yml
$ ./cli conjur policy load staging policy/apps/myapp.yml
$ ./cli conjur policy load production policy/apps/myapp.yml
$ ./cli conjur policy load root policy/application_grants.yml
$ ./cli conjur policy load root policy/hosts.yml

Save the api_key from

➜  jenkins_plugin_test git:(jenkins_plugin) ✗ ./cli conjur policy load root policy/hosts.yml
Logged in
Loaded policy 'root'
{
  "created_roles": {
    "demo:host:test-host-1": {
      "id": "demo:host:test-host-1",
      "api_key": <api_key>
    }
  },
  "version": 4
}

Setting a Variable

./cli conjur variable values add production/myapp/database/username my-username

3. Download the plugin from jenkin-conjur-plugin

OR

git clone {repo}
cd conjur-credentials-plugin
mvn install -DskipTests

This must be uploaded into the Jenkins container:

Option 1:

  • Via the UI (run on the host): Jenkins -> Manage Jenkins -> Manage Plugins -> Advanced and then go to upload

Option 2:

  • docker cp ./conjur-credentials.hpi jenkins_plugin_test_conjur_1:/var/jenkins_home/plugins (not tested)

Restart Jenkins by going to http://localhost:8080/restart and pressing yes

4. Enter the Jenkins container and download the SSL certificates from DAP

Note: The next steps must be executed by root in the Jenkins container. One way to log in to the Jenkins container as root is by executing docker exec --user 0 -it <docker_id> /bin/bash from your host.

  • Execute openssl s_client -showcerts -connect jenkins_plugin_test_conjur_1:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
  • Run cat conjur.pem to ensure the certificate was retrieved
  • Run keytool -import -alias conjur -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -file ./conjur.pem
    There will be a prompt: "do you trust this certificate?" Enter y and then it will prompt for a password. The password for the keystore is changeit

5. Set up Jenkins

  • Set authn credentials for test-host-1 (Credential Kind: "username with password").
    The password is the api_key that was saved in step 3.

  • Set Conjur Appliance
    Go to http://localhost:8080/configure and then scroll down till you reach the section titled Conjur Appliance

  • Set Conjur Secret by adding credential (Credential Kind: "Conjur Secret Credential")

6. Create a Freestyle job

  • Go to http://localhost:8080/view/all/newJob
  • Choose your Conjur Authn Credential
  • Check the Use secret text(s) or file(s) box in Build Environment and add a Conjur Secret Credential Binding
  • Add build step (shell)
  • Then Save the job

7. Run the job and go to Console Output
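
To automate step 2, the host API key has to be read from the CLI output rather than copied from the terminal. The following is an added example, not part of the original issue or the project's code; the function names and the sample key value are constructed for illustration.

```python
import json
import os

# Constructed sample in the shape shown in step 2; the key value is made up.
SAMPLE_OUTPUT = """Logged in
Loaded policy 'root'
{
  "created_roles": {
    "demo:host:test-host-1": {
      "id": "demo:host:test-host-1",
      "api_key": "constructed-example-key-000"
    }
  },
  "version": 4
}
"""


def created_api_keys(cli_output):
    """Map role id -> api_key from `conjur policy load` output.

    The CLI prints status lines before the JSON document, so decode from the
    first '{' and ignore anything after the closing brace.
    """
    start = cli_output.find("{")
    if start < 0:
        raise ValueError("no JSON document in policy load output")
    doc, _ = json.JSONDecoder().raw_decode(cli_output[start:])
    roles = doc.get("created_roles", {})
    return {rid: r["api_key"] for rid, r in roles.items() if "api_key" in r}


def host_api_key(cli_output, role_id):
    """Return the key for one host, failing loudly if it was not created."""
    keys = created_api_keys(cli_output)
    if role_id not in keys:
        # Assumption: a reload of an already-loaded policy lists no new roles.
        raise KeyError(f"{role_id} not in created_roles; key is not re-issued")
    return keys[role_id]


def write_secret(path, value):
    """Write the key to a file only the owner can read (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # enforce even if the file pre-existed
        fh.write(value)
```

Writing the key to an owner-only file keeps it out of shell history and CI console logs until it is entered as the Jenkins credential in step 5.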

@izgeri
Contributor

izgeri commented May 5, 2020

Do we already have integration tests like this in this project? I would not have known to look here when trying to understand integration test coverage, and I'm not sure @andytinkham would either.

Is there a better place for these kinds of e2e tests to live? We're running into similar questions for k8s e2e tests too - in that case, we've decided a demo repo is definitely not the place for these tests, but we haven't decided on next steps yet.

@h-artzi
Contributor Author

h-artzi commented May 5, 2020

We currently do not have integration tests like this in dap-intro. When I talked to Jason we decided it would be best to assign these tickets to dap-intro (in the meantime). However, we did not discuss where the tests would end up.

@izgeri
Contributor

izgeri commented May 5, 2020

It's worth noting also that the Jenkins plugin is in the process of migrating to be an official Jenkins plugin here: https://github.com/jenkinsci/conjur-credentials-plugin

In addition:

  • @AndrewCopeland has some existing tests in his own GitHub for the Jenkins integration, and is looking into adding additional automation flows for Jenkins right now too.
  • @JfcAtCyberArk recently built some automation scripts for Jenkins that we may be able to leverage, that:
    • creates Jenkins "username/password" credentials to store DAP identity for any hosts flagged as Jenkins (using annotations)
    • creates Jenkins "Conjur secrets" credentials that reference DAP variables an identity (server based or folder based) has access to
    • creates a Jenkins validation job to validate the integration between DAP and Jenkins is successful
