e2e-test: update kbs test case to support kbs with ibmse verifier

- split kbs relates codes to one file - deploy kbs with ibmse verifer base on ENV IBM_SE_CREDS_DIR - update kbs test case for libvrit provider to support kbs with ibmse verifier - set key source before test cases - `deny_all.rego` and `allow_with_wrong_image_tag.rego` are FAIL cases - `allow_with_correct_claims.rego` is PASS case fixes confidential-containers#1934 Signed-off-by: Da Li Liu <[email protected]>
liudalibj · Jul 26, 2024 · 36cb6a2 · 36cb6a2
1 parent b8730a4
commit 36cb6a2
Show file tree

Hide file tree

Showing 7 changed files with 548 additions and 332 deletions.
diff --git a/src/cloud-api-adaptor/test/e2e/common.go b/src/cloud-api-adaptor/test/e2e/common.go
@@ -24,7 +24,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const CURL_IMAGE = "quay.io/curl/curl:latest"
 const BUSYBOX_IMAGE = "quay.io/prometheus/busybox:latest"
 const WAIT_DEPLOYMENT_AVAILABLE_TIMEOUT = time.Second * 180
 const DEFAULT_AUTH_SECRET = "auth-json-secret-default"
@@ -39,6 +38,10 @@ func isTestWithTrusteeOperator() bool {
 	return os.Getenv("TEST_TRUSTEE_OPERATOR") == "yes"
 }
 
+func isTestWithKbsIBMSE() bool {
+	return os.Getenv("IBM_SE_CREDS_DIR") != ""
+}
+
 func isTestOnCrio() bool {
 	return os.Getenv("CONTAINER_RUNTIME") == "crio"
 }
@@ -187,10 +190,6 @@ func NewPodWithInitContainer(namespace string, podName string) *corev1.Pod {
 	return NewPod(namespace, podName, "busybox", BUSYBOX_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}), WithInitContainers(initContainer))
 }
 
-func NewCurlPodWithName(namespace, podName string) *corev1.Pod {
-	return NewPod(namespace, podName, "curl", CURL_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}))
-}
-
 func NewBusyboxPodWithName(namespace, podName string) *corev1.Pod {
 	return NewPod(namespace, podName, "busybox", BUSYBOX_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}))
 }

diff --git a/src/cloud-api-adaptor/test/e2e/common_suite.go b/src/cloud-api-adaptor/test/e2e/common_suite.go
@@ -585,7 +585,7 @@ func DoTestKbsKeyRelease(t *testing.T, e env.Environment, assert CloudAssert) {
 			ContainerName: pod.Spec.Containers[0].Name,
 			TestCommandStdoutFn: func(stdout bytes.Buffer) bool {
 				if strings.Contains(stdout.String(), "This is my cluster name") {
-					log.Infof("Success to get key.bin %s", stdout.String())
+					log.Infof("Success to get key.bin: %s", stdout.String())
 					return true
 				} else {
 					log.Errorf("Failed to access key.bin: %s", stdout.String())
@@ -603,21 +603,28 @@ func DoTestKbsKeyRelease(t *testing.T, e env.Environment, assert CloudAssert) {
 func DoTestKbsKeyReleaseForFailure(t *testing.T, e env.Environment, assert CloudAssert) {
 
 	log.Info("Do test kbs key release failure case")
-	pod := NewCurlPodWithName(E2eNamespace, "curl-failure")
+	pod := NewBusyboxPodWithName(E2eNamespace, "busybox-wget-failure")
 	testCommands := []TestCommand{
 		{
-			Command:       []string{"curl", "-s", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},
+			Command:       []string{"wget", "-q", "-O-", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},
 			ContainerName: pod.Spec.Containers[0].Name,
-			TestCommandStdoutFn: func(stdout bytes.Buffer) bool {
-				body := stdout.String()
-				if strings.Contains(strings.ToLower(body), "error") {
-					log.Infof("Pass failure case as: %s", stdout.String())
+			TestErrorFn: func(err error) bool {
+				if strings.Contains(err.Error(), "command terminated with exit code 1") {
 					return true
 				} else {
-					log.Errorf("Failed to faliure case as: %s", stdout.String())
+					log.Errorf("Got unexpected error: %s", err.Error())
 					return false
 				}
 			},
+			TestCommandStdoutFn: func(stdout bytes.Buffer) bool {
+				if strings.Contains(stdout.String(), "This is my cluster name") {
+					log.Errorf("FAIL as successed to get key.bin: %s", stdout.String())
+					return false
+				} else {
+					log.Infof("PASS as failed to access key.bin: %s", stdout.String())
+					return true
+				}
+			},
 		},
 	}
 

diff --git a/src/cloud-api-adaptor/test/e2e/libvirt_test.go b/src/cloud-api-adaptor/test/e2e/libvirt_test.go
@@ -108,12 +108,25 @@ func TestLibvirtKbsKeyRelease(t *testing.T) {
 	if !isTestWithKbs() {
 		t.Skip("Skipping kbs related test as kbs is not deployed")
 	}
-	_ = keyBrokerService.EnableKbsCustomizedPolicy("deny_all.rego")
+	_ = keyBrokerService.SetSampleSecretKey()
+	_ = keyBrokerService.EnableKbsCustomizedResourcePolicy("allow_all.rego")
+	_ = keyBrokerService.EnableKbsCustomizedAttestationPolicy("deny_all.rego")
 	assert := LibvirtAssert{}
 	t.Parallel()
 	DoTestKbsKeyReleaseForFailure(t, testEnv, assert)
-	_ = keyBrokerService.EnableKbsCustomizedPolicy("allow_all.rego")
-	DoTestKbsKeyRelease(t, testEnv, assert)
+	if isTestWithKbsIBMSE() {
+		t.Log("KBS with ibmse cases")
+		// the allow_*_.rego file is created by follow document
+		// https://github.com/confidential-containers/trustee/blob/main/deps/verifier/src/se/README.md#set-attestation-policy
+		_ = keyBrokerService.EnableKbsCustomizedAttestationPolicy("allow_with_wrong_image_tag.rego")
+		DoTestKbsKeyReleaseForFailure(t, testEnv, assert)
+		_ = keyBrokerService.EnableKbsCustomizedAttestationPolicy("allow_with_correct_claims.rego")
+		DoTestKbsKeyRelease(t, testEnv, assert)
+	} else {
+		t.Log("KBS normal cases")
+		_ = keyBrokerService.EnableKbsCustomizedAttestationPolicy("allow_all.rego")
+		DoTestKbsKeyRelease(t, testEnv, assert)
+	}
 }
 
 func TestLibvirtRestrictivePolicyBlocksExec(t *testing.T) {

diff --git a/src/cloud-api-adaptor/test/e2e/main_test.go b/src/cloud-api-adaptor/test/e2e/main_test.go
@@ -155,7 +155,7 @@ func TestMain(m *testing.M) {
 		var kbsparams string
 		if shouldDeployKbs {
 			log.Info("Deploying kbs")
-			if keyBrokerService, err = pv.NewKeyBrokerService(props["CLUSTER_NAME"]); err != nil {
+			if keyBrokerService, err = pv.NewKeyBrokerService(props["CLUSTER_NAME"], cfg); err != nil {
 				return ctx, err
 			}