Commit 4e06f23a authored by Kamil Dzieżyk's avatar Kamil Dzieżyk Committed by Richard Neill

ewaol-tests: Add password reset to tests which access Guest VM user account

This patch resets the user account password on the Guest VM before and after the
relevant test suites execute. The password reset only occurs on virtualization
images which have been security hardened via the ewaol-security DISTRO_FEATURE.
The password reset is added by having security-specific code override the
extra_cleanup function which is called only by virtualization-specific code,
achieved via conditional appends to the test suites in the recipes.

With this mechanism for conditional inclusion of code to the BATS scripts
aligned across the test suites, the special substring-replace for
K3S_LOAD_VIRT_FUNCS has been dropped.

As the conditionally-appended code may not be just tests but also additional
function and variable definitions, the files are renamed from
"additional-*-tests.bats" to "append-*.bats".

This patch also adds a new runtime test internal variable 'TEST_GUEST_VM_NAME'
that takes the value assigned to test spe...
parent 63b72429
......@@ -53,7 +53,7 @@ do_install() {
> "${WORKDIR}/run-ptest"
additional_tests="$(find "${WORKDIR}" -maxdepth 1 \
-name *additional-*-tests.bats -printf "%f ")"
-name *append-*.bats -printf "%f ")"
for test in ${additional_tests}; do
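Review bot: The new `-name *append-*.bats` pattern in do_install is unquoted, so the shell may expand it against files in the task's working directory before find ever sees it; quote it as `-name '*append-*.bats'`. The result is then iterated through an unquoted `${additional_tests}`, which relies on word splitting and on find's unsorted output order. Now that the appended files carry function and variable definitions rather than only tests, a comment stating that they must not depend on each other's load order would help. The loop body continues outside the hunk.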
......
......@@ -17,9 +17,14 @@ TEST_FILES = "file://container-engine-integration-tests.bats \
file://container-engine-funcs.sh"
TEST_FILES:append:ewaol-virtualization = " \
file://container-engine-additional-virtual-tests.bats \
file://container-engine-append-virtualization.bats \
file://container-engine-virtualization-funcs.sh \
"
TEST_FILES:append:ewaol-security = " \
file://container-engine-append-security.bats \
file://container-engine-security-funcs.sh \
"
inherit runtime-integration-tests
require runtime-integration-tests.inc
#!/usr/bin/env bats
#
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
#
# Additional BATS code to be appended to the container engine test suite, if
# running on a security-hardened image
load "${TEST_DIR}/container-engine-security-funcs.sh"
......@@ -4,12 +4,37 @@
#
# SPDX-License-Identifier: MIT
#
# Additional tests to be added to the container engine test suite, if running on
# a virtualization image
# Additional BATS code to be added to the container engine test suite, if
# running on a virtualization image
if [ -z "${CE_TEST_GUEST_VM_NAME}" ]; then
CE_TEST_GUEST_VM_NAME="${EWAOL_GUEST_VM_HOSTNAME}1"
fi
TEST_GUEST_VM_NAME="${CE_TEST_GUEST_VM_NAME}"
load "${TEST_COMMON_DIR}/integration-tests-common-virtual-funcs.sh"
load "${TEST_DIR}/container-engine-virtualization-funcs.sh"
# Override the clean_test_environment call for the virtualization case to
# include an optional extra clean-up in addition to the normal base clean-up
clean_test_environment() {
export BATS_TEST_NAME="clean_test_environment"
_run base_cleanup
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
_run extra_cleanup
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
}
@test 'run container engine integration tests on the Guest VM from the Control VM' {
# Use the systemd-detect-virt utility to determine if running on the Guest
......@@ -23,14 +48,13 @@ load "${TEST_DIR}/container-engine-virtualization-funcs.sh"
else
subtest="Xendomains and Guest VM is initialized"
_run xendomains_and_guest_vm_is_initialized "${CE_TEST_GUEST_VM_NAME}"
_run xendomains_and_guest_vm_is_initialized "${TEST_GUEST_VM_NAME}"
if [ "${status}" -ne 0 ]; then
log "FAIL" "${subtest}"
return 1
else
log "PASS" "${subtest}"
fi
log "PASS"
subtest="Run tests on Guest VM"
_run run_tests_on_guest_vm
......@@ -40,6 +64,7 @@ load "${TEST_DIR}/container-engine-virtualization-funcs.sh"
else
log "PASS" "${subtest}"
fi
log "PASS"
fi
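Review bot: In the overridden clean_test_environment, a failing `base_cleanup` hits `exit 1` before `_run extra_cleanup` is reached, so on a security-hardened image the Guest VM password reset is skipped exactly when the run has already gone wrong. The extra clean-up should be attempted regardless and the failure reported afterwards; the k3s override added later in this commit has the same early-exit shape, with a third step in between. Separately, this file assigns `TEST_GUEST_VM_NAME` without `export` and does not initialise `status`, while the k3s counterpart does both.
```shell
clean_test_environment() {
    export BATS_TEST_NAME="clean_test_environment"
    local rc=0

    _run base_cleanup
    [ "${status}" -eq 0 ] || rc=1

    # Always attempt the extra clean-up, even if the base clean-up failed
    _run extra_cleanup
    [ "${status}" -eq 0 ] || rc=1

    if [ "${rc}" -ne 0 ]; then
        log "FAIL"
        exit 1
    fi
}
```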
......
......@@ -156,3 +156,14 @@ clean_and_remove_image() {
return "${rc}"
}
base_cleanup() {
# Remove any dangling containers based on the image
_run clean_and_remove_image "${CE_TEST_IMAGE}"
if [ "${status}" -ne 0 ]; then
echo "Failed to remove test image and dangling containers"
fi
return "${status}"
}
......@@ -39,15 +39,11 @@ clean_test_environment() {
# to the clean-up activities.
export BATS_TEST_NAME="clean_test_environment"
# Remove any dangling containers based on the image
_run clean_and_remove_image "${CE_TEST_IMAGE}"
_run base_cleanup
if [ "${status}" -ne 0 ]; then
log "FAIL" "Remove test image and dangling containers"
log "FAIL"
exit 1
else
log "PASS" "Remove test image and dangling containers"
fi
}
# Runs once before the first test
......
#!/usr/bin/env bash
#
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
# Should only be called by virtualization-specific version of the environment
# clean-up
extra_cleanup() {
guest_vm_reset_password
}
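Review bot: This `extra_cleanup` calls `guest_vm_reset_password`, which appears to be defined in the common virtualization funcs file that the recipe change further down installs only for ewaol-virtualization, so the override is only valid when both features are enabled. The header comment hints at this but nothing enforces it. Failing loudly would make the dependency explicit, e.g. `command -v guest_vm_reset_password >/dev/null || { echo "guest_vm_reset_password is not defined"; return 1; }` as the first line of the function. The k3s security funcs file added later in this commit has an identical body, and the same applies there.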
......@@ -4,13 +4,9 @@
#
# SPDX-License-Identifier: MIT
if [ -z "${CE_TEST_GUEST_VM_NAME}" ]; then
CE_TEST_GUEST_VM_NAME="${EWAOL_GUEST_VM_HOSTNAME}1"
fi
run_tests_on_guest_vm() {
expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${CE_TEST_GUEST_VM_NAME}" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "ptest-runner container-engine-integration-tests" \
-timeout "120" \
-console "guest_vm" \
......
......@@ -228,3 +228,14 @@ wait_for_success() {
fi
}
# By default, the extra_* functions are not implemented
# Conditionally included files may define implementations by overriding them
extra_cleanup() {
return 0
}
extra_setup() {
return 0
}
......@@ -78,3 +78,33 @@ xendomains_and_guest_vm_is_initialized() {
return 0
}
guest_vm_reset_password() {
# Use the systemd-detect-virt utility to determine if running on the Guest
# VM (utility returns 0) or the Control VM (utility returns non-zero)
_run systemd-detect-virt
if [ "${status}" -ne 0 ]; then
_run xendomains_and_guest_vm_is_initialized "${TEST_GUEST_VM_NAME}"
if [ "${status}" -ne 0 ]; then
echo "${output}"
return "${status}"
fi
_run expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "sudo usermod -p '' ${USER} && \
sudo passwd -e ${USER}" \
-console "guest_vm" \
2>"${TEST_STDERR_FILE}"
if [ "${status}" -ne 0 ]; then
echo "Expect script to reset '${USER}' password on Guest VM failed."
echo "${output}"
return "${status}"
fi
fi
return 0
}
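Review bot: If `sudo passwd -e` fails after `sudo usermod -p ''` has succeeded, the Guest VM account is left with an empty password that is not expired, and the callers shown on this page only log FAIL and exit. A comment above the `-command` argument should state that the empty password is acceptable only together with the forced expiry, and the failure message could say that the account may be in that intermediate state. `${USER}` is expanded by the calling shell rather than on the Guest VM, and it is unquoted inside the remote command. The other guest commands on this page use `sudo -n`, which would make a password prompt fail at once instead of stalling the expect script; whether run-command.expect answers such a prompt is not visible here.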
......@@ -18,25 +18,23 @@ TEST_FILES = "file://k3s-integration-tests.bats \
file://k3s-test-deployment.yaml"
TEST_FILES:append:ewaol-virtualization = " \
file://k3s-append-virtualization.bats \
file://k3s-virtualization-funcs.sh \
"
TEST_FILES:append:ewaol-security = " \
file://k3s-append-security.bats \
file://k3s-security-funcs.sh \
"
inherit runtime-integration-tests
require runtime-integration-tests.inc
K3S_TEST_DESC = "local deployment of K3s pods"
K3S_TEST_DESC:ewaol-virtualization = "remote deployment of K3s pods on the Guest VM, from the Control VM"
K3S_LOAD_VIRT_FUNCS = ""
K3S_LOAD_VIRT_FUNCS:ewaol-virtualization = 'load \"${TEST_DIR}/k3s-virtualization-funcs.sh\"${@"\n"}'
export K3S_TEST_DESC
ENVSUBST_VARS:append = " \$K3S_TEST_DESC \$K3S_LOAD_VIRT_FUNCS"
do_install:prepend() {
# export variable here to keep multiline string
export K3S_LOAD_VIRT_FUNCS="${K3S_LOAD_VIRT_FUNCS}"
}
ENVSUBST_VARS:append = " \$K3S_TEST_DESC"
do_install:append:ewaol-virtualization() {
......
#!/usr/bin/env bats
#
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
#
# Additional BATS code to be appended to the k3s test suite, if running on a
# security-hardened image
load "${TEST_DIR}/k3s-security-funcs.sh"
#!/usr/bin/env bats
#
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
#
# Additional BATS code to be appended to the k3s test suite, if running on a
# virtualization image
if [ -z "${K3S_TEST_GUEST_VM_NAME}" ]; then
K3S_TEST_GUEST_VM_NAME="${EWAOL_GUEST_VM_HOSTNAME}1"
fi
export TEST_GUEST_VM_NAME="${K3S_TEST_GUEST_VM_NAME}"
export K3S_AGENT_OVERRIDE_FILENAME="/lib/systemd/system/k3s-agent.service.d/01-test-connect.conf"
load "${TEST_COMMON_DIR}/integration-tests-common-virtual-funcs.sh"
load "${TEST_DIR}/k3s-virtualization-funcs.sh"
# Override the clean_test_environment call for the virtualization case to
# include an optional extra clean-up in addition to the normal base clean-up
clean_test_environment() {
export BATS_TEST_NAME="clean_test_environment"
status=0
_run base_cleanup
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
_run cleanup_k3s_agent_on_guest_vm
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
_run extra_cleanup
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
}
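Review bot: The status check after `_run cleanup_k3s_agent_on_guest_vm` looks unable to catch a failed clean-up, because that function, as far as its hunk on this page shows, ignores the exit status of both expect calls and ends with `return 0`. Either propagate the expect failures from the function, or replace the check with a comment such as `# agent clean-up is best effort; failures are not reported`. Otherwise a reader will assume a Guest VM left with a running agent fails the suite.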
......@@ -203,17 +203,25 @@ remove_k3s_test_deployment() {
return 0
}
# The standard k3s integration tests do not require extra activities on test
# suite start/end, so define empty functions here
extra_cleanup() {
return 0
}
base_cleanup() {
extra_setup() {
return 0
}
_run wait_for_k3s_to_be_running
if [ "${status}" -ne 0 ]; then
echo "${output}"
return "${status}"
fi
_run remove_k3s_test_service
if [ "${status}" -ne 0 ]; then
echo "${output}"
return "${status}"
fi
_run remove_k3s_test_deployment
if [ "${status}" -ne 0 ]; then
echo "${output}"
return "${status}"
fi
extra_teardown() {
return 0
}
......@@ -35,25 +35,7 @@ clean_test_environment() {
# to the clean-up activities.
export BATS_TEST_NAME="clean_test_environment"
_run wait_for_k3s_to_be_running
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
_run remove_k3s_test_service
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
_run remove_k3s_test_deployment
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
fi
_run extra_cleanup
_run base_cleanup
if [ "${status}" -ne 0 ]; then
log "FAIL"
exit 1
......
#!/usr/bin/env bash
#
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
# Should only be called by virtualization-specific version of the environment
# clean-up
extra_cleanup() {
guest_vm_reset_password
}
......@@ -4,14 +4,6 @@
#
# SPDX-License-Identifier: MIT
load "${TEST_COMMON_DIR}/integration-tests-common-virtual-funcs.sh"
if [ -z "${K3S_TEST_GUEST_VM_NAME}" ]; then
K3S_TEST_GUEST_VM_NAME="${EWAOL_GUEST_VM_HOSTNAME}1"
fi
K3S_AGENT_OVERRIDE_FILENAME="/lib/systemd/system/k3s-agent.service.d/01-test-connect.conf"
# Override this test to validate that the pods are executed on the correct node
# (i.e. the agent on the Guest VM)
wait_for_deployment_to_be_running() {
......@@ -41,7 +33,7 @@ wait_for_deployment_to_be_running() {
if [ "${status}" -ne 0 ]; then
echo "Could not find the node running pod '${pod_name}'"
return 1
elif [ "${output}" != "${K3S_TEST_GUEST_VM_NAME}" ]; then
elif [ "${output}" != "${TEST_GUEST_VM_NAME}" ]; then
echo "Node running pod '${pod_name}' was '${output}'"
return 1
fi
......@@ -53,7 +45,7 @@ wait_for_deployment_to_be_running() {
}
get_target_node_ip() {
sudo -n kubectl get node "${K3S_TEST_GUEST_VM_NAME}" \
sudo -n kubectl get node "${TEST_GUEST_VM_NAME}" \
-o jsonpath="{.status.addresses[?(@.type=='InternalIP')].address}"
}
......@@ -63,20 +55,20 @@ cleanup_k3s_agent_on_guest_vm() {
# Stop the agent
expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${K3S_TEST_GUEST_VM_NAME}" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "sudo -n systemctl stop k3s-agent" \
-console "guest_vm" \
2>"${TEST_STDERR_FILE}"
# Remove the systemd override if it exists
expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${K3S_TEST_GUEST_VM_NAME}" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "sudo -n rm -f ${K3S_AGENT_OVERRIDE_FILENAME} && \
sudo -n systemctl daemon-reload" \
-console "guest_vm" \
2>"${TEST_STDERR_FILE}"
kubectl_delete "node" "${K3S_TEST_GUEST_VM_NAME}"
kubectl_delete "node" "${TEST_GUEST_VM_NAME}"
return 0
}
......@@ -104,7 +96,7 @@ ExecStart=/usr/local/bin/k3s agent --server=https://${ip}:6443 --token=${token}
&& sudo -n systemctl daemon-reload"
expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${K3S_TEST_GUEST_VM_NAME}" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "${cmd}" \
-console "guest_vm" \
2>"${TEST_STDERR_FILE}"
......@@ -114,7 +106,7 @@ ExecStart=/usr/local/bin/k3s agent --server=https://${ip}:6443 --token=${token}
start_k3s_agent_on_guest_vm() {
expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${K3S_TEST_GUEST_VM_NAME}" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "sudo -n systemctl start k3s-agent" \
-console "guest_vm" \
2>"${TEST_STDERR_FILE}"
......@@ -128,7 +120,7 @@ wait_for_k3s_to_be_running() {
# The overridden function also ensures that xendomains and the target Guest
# VM is running
_run xendomains_and_guest_vm_is_initialized "${K3S_TEST_GUEST_VM_NAME}"
_run xendomains_and_guest_vm_is_initialized "${TEST_GUEST_VM_NAME}"
if [ "${status}" -ne 0 ]; then
echo "${output}"
return "${status}"
......@@ -147,17 +139,12 @@ wait_for_k3s_to_be_running() {
return "${status}"
}
# Stop the agent (if it is running)
extra_cleanup() {
cleanup_k3s_agent_on_guest_vm
}
# Start the agent (if it is not running)
extra_setup() {
# Check if the agent is already running
_run expect "${TEST_COMMON_DIR}/run-command.expect" \
-hostname "${K3S_TEST_GUEST_VM_NAME}" \
-hostname "${TEST_GUEST_VM_NAME}" \
-command "systemctl is-active k3s-agent" \
-console "guest_vm" \
2>"${TEST_STDERR_FILE}"
......
......@@ -30,10 +30,13 @@ RDEPENDS:${PN}:append:ewaol-security = " expect"
DEPENDS:append = " gettext-native"
SRC_URI = "file://integration-tests-common-funcs.sh \
file://integration-tests-common-virtual-funcs.sh \
file://login-console-funcs.expect \
file://run-command.expect"
SRC_URI:append:ewaol-virtualization = " \
file://integration-tests-common-virtual-funcs.sh \
"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
......@@ -43,9 +46,6 @@ do_install() {
install --mode="644" "${WORKDIR}/integration-tests-common-funcs.sh" \
"${D}/${TEST_COMMON_DIR}"
install --mode="644" "${WORKDIR}/integration-tests-common-virtual-funcs.sh" \
"${D}/${TEST_COMMON_DIR}"
install --mode="644" "${WORKDIR}/login-console-funcs.expect" \
"${D}/${TEST_COMMON_DIR}"
......@@ -53,4 +53,12 @@ do_install() {
> "${D}/${TEST_COMMON_DIR}/run-command.expect"
}
do_install:append:ewaol-virtualization() {
envsubst '$TEST_COMMON_DIR' \
< "${WORKDIR}/integration-tests-common-virtual-funcs.sh" \
> "${D}/${TEST_COMMON_DIR}/integration-tests-common-virtual-funcs.sh"
}
FILES:${PN} += "${TEST_COMMON_DIR}"
......@@ -18,12 +18,12 @@ TEST_FILES = "file://user-accounts-integration-tests.bats \
"
TEST_FILES:append:ewaol-virtualization = " \
file://user-accounts-additional-virtualization-tests.bats \
file://user-accounts-append-virtualization.bats \
file://user-accounts-virtualization-funcs.sh \
"
TEST_FILES:append:ewaol-security = " \
file://user-accounts-additional-security-tests.bats \
file://user-accounts-append-security.bats \
file://user-accounts-security-funcs.sh \
"
......