ci: add malicious join test (#2304)

* malicious node join test Signed-off-by: Moritz Sanft <[email protected]> * add e2e build tag Signed-off-by: Moritz Sanft <[email protected]> * add namespaces to job apply Signed-off-by: Moritz Sanft <[email protected]> * fix image and workflow Signed-off-by: Moritz Sanft <[email protected]> * fix linter checks Signed-off-by: Moritz Sanft <[email protected]> * build instructions in Dockerfile Signed-off-by: Moritz Sanft <[email protected]> * only print important flags Signed-off-by: Moritz Sanft <[email protected]> * use `malicious-join` namespace Signed-off-by: Moritz Sanft <[email protected]> * build with bazel Signed-off-by: Moritz Sanft <[email protected]> * order imports Signed-off-by: Moritz Sanft <[email protected]> * test cases Signed-off-by: Moritz Sanft <[email protected]> * various fixes Signed-off-by: Moritz Sanft <[email protected]> * add missing quotes Signed-off-by: Moritz Sanft <[email protected]> * fix typo Signed-off-by: Moritz Sanft <[email protected]> * Update e2e/malicious-join/malicious-join.go Co-authored-by: Daniel Weiße <[email protected]> * Update e2e/malicious-join/malicious-join.go Co-authored-by: Daniel Weiße <[email protected]> * use switch case Signed-off-by: Moritz Sanft <[email protected]> * update image version Signed-off-by: Moritz Sanft <[email protected]> * fix linter checks Signed-off-by: Moritz Sanft <[email protected]> * wip Signed-off-by: Moritz Sanft <[email protected]> * various fixes Signed-off-by: Moritz Sanft <[email protected]> * update buildfiles Signed-off-by: Moritz Sanft <[email protected]> * use workdir Signed-off-by: Moritz Sanft <[email protected]> * fix linter Signed-off-by: Moritz Sanft <[email protected]> * add required permissions Signed-off-by: Moritz Sanft <[email protected]> * remove permissions Signed-off-by: Moritz Sanft <[email protected]> * remove packages: write permission at step Signed-off-by: Moritz Sanft <[email protected]> * login to registry Signed-off-by: Moritz Sanft <[email protected]> * fix typo Signed-off-by: Moritz Sanft <[email protected]> * fix log Signed-off-by: Moritz Sanft <[email protected]> * source base lib Signed-off-by: Moritz Sanft <[email protected]> * fix sourcing order Signed-off-by: Moritz Sanft <[email protected]> * export after definition Signed-off-by: Moritz Sanft <[email protected]> * fix script header Signed-off-by: Moritz Sanft <[email protected]> * dont exit after -e flag has been set Co-authored-by: Paul Meyer <[email protected]> --------- Signed-off-by: Moritz Sanft <[email protected]> Co-authored-by: Daniel Weiße <[email protected]> Co-authored-by: Paul Meyer <[email protected]>
edgelesssys · Sep 15, 2023 · 0a28cde · 0a28cde
1 parent 83cfc86
commit 0a28cde
Show file tree

Hide file tree

Showing 8 changed files with 408 additions and 3 deletions.
diff --git a/.github/actions/e2e_malicious_join/action.yml b/.github/actions/e2e_malicious_join/action.yml
@@ -0,0 +1,48 @@
+name: Malicious join
+description: "Verify that a malicious node cannot join a Constellation cluster."
+
+inputs:
+  cloudProvider:
+    description: "The cloud provider the test runs on."
+    required: true
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Log in to the Container registry
+      id: docker-login
+      uses: ./.github/actions/container_registry_login
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.githubToken }}
+
+    - name: Run malicious join
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      working-directory: e2e/malicious-join
+      run: |
+        bazel run //e2e/malicious-join:stamp_and_push
+        yq eval -i "(.spec.template.spec.containers[0].command) = \
+          [ \"/malicious-join_bin\", \
+          \"--js-endpoint=join-service.kube-system:9090\", \
+          \"--csp=${{ inputs.cloudProvider }}\", \
+          \"--variant=default\" ]" job.yaml
+        kubectl create ns malicious-join
+        kubectl apply -n malicious-join -f job.yaml
+        kubectl wait -n malicious-join --for=condition=complete --timeout=10m job/malicious-join
+        kubectl logs -n malicious-join job/malicious-join | tail -n 1 | jq '.'
+        ALL_TESTS_PASSED=$(kubectl logs -n malicious-join job/malicious-join | tail -n 1 | jq -r '.allPassed')
+        if [[ "$ALL_TESTS_PASSED" != "true" ]]; then
+          kubectl logs -n malicious-join job/malicious-join
+          kubectl logs -n kube-system svc/join-service
+          exit 1
+        fi
+        kubectl delete ns malicious-join
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
@@ -51,7 +51,7 @@ inputs:
     description: "Azure credentials authorized to create an IAM configuration."
     required: true
   test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, nop]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop]."
     required: true
   sonobuoyTestSuiteCmd:
     description: "The sonobuoy test suite to run."
@@ -85,7 +85,7 @@ runs:
   using: "composite"
   steps:
     - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "nop"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "nop"]'), inputs.test))
       shell: bash
       run: |
         echo "::error::Invalid input for test field: ${{ inputs.test }}"
@@ -261,10 +261,10 @@ runs:
         test: ${{ inputs.test }}
         provider: ${{ inputs.cloudProvider }}
         isDebugImage: ${{ inputs.isDebugImage }}
+
     #
     # Test payloads
     #
-
     - name: Nop test payload
       if: inputs.test == 'nop'
       shell: bash
@@ -326,3 +326,11 @@ runs:
         controlNodesCount: ${{ inputs.controlNodesCount }}
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         masterSecret: ${{ steps.constellation-create.outputs.masterSecret }}
+
+    - name: Run malicious join test
+      if: inputs.test == 'malicious join'
+      uses: ./.github/actions/e2e_malicious_join
+      with:
+        cloudProvider: ${{ inputs.cloudProvider }}
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
+        githubToken: ${{ inputs.githubToken }}
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
@@ -34,6 +34,7 @@ on:
           - "perf-bench"
           - "verify"
           - "recover"
+          - "malicious join"
           - "nop"
         required: true
       kubernetesVersion:

diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
@@ -157,6 +157,20 @@ jobs:
             provider: "azure"
             kubernetes-version: "v1.28"
 
+          # malicious join test on latest k8s version
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            provider: "gcp"
+            kubernetes-version: "v1.28"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            provider: "azure"
+            kubernetes-version: "v1.28"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            provider: "aws"
+            kubernetes-version: "v1.28"
+
           #
           # Tests on release-stable refStream
           #

diff --git a/e2e/malicious-join/BUILD.bazel b/e2e/malicious-join/BUILD.bazel
@@ -0,0 +1,88 @@
+load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
+load("//bazel/sh:def.bzl", "sh_template")
+
+go_library(
+    name = "malicious-join_lib",
+    srcs = ["malicious-join.go"],
+    importpath = "github.com/edgelesssys/constellation/v2/e2e/malicious-join",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//internal/attestation/variant",
+        "//internal/cloud/cloudprovider",
+        "//internal/grpc/dialer",
+        "//internal/logger",
+        "//joinservice/joinproto",
+        "@org_uber_go_zap//zapcore",
+    ],
+)
+
+go_binary(
+    name = "malicious-join_bin",
+    embed = [":malicious-join_lib"],
+    pure = "on",
+    race = "off",
+    visibility = ["//visibility:public"],
+)
+
+pkg_tar(
+    name = "layer",
+    srcs = [
+        ":malicious-join_bin",
+    ],
+    mode = "0755",
+    remap_paths = {"/malicious-join_bin": "/malicious-join_bin"},
+)
+
+oci_image(
+    name = "malicious-join_image",
+    base = "@distroless_static_linux_amd64",
+    entrypoint = ["/malicious-join_bin"],
+    tars = [
+        ":layer",
+    ],
+    visibility = ["//visibility:public"],
+)
+
+genrule(
+    name = "malicious-join-test_repotag",
+    srcs = [
+        "//bazel/settings:tag",
+    ],
+    outs = ["repotag.txt"],
+    cmd = "echo -n 'ghcr.io/edgelesssys/malicious-join-test:' | cat - $(location //bazel/settings:tag) > $@",
+    visibility = ["//visibility:public"],
+)
+
+oci_push(
+    name = "malicious-join_push",
+    image = ":malicious-join_image",
+    repotags = ":repotag.txt",
+)
+
+sh_template(
+    name = "template_job",
+    data = [
+        "job.yaml",
+        ":repotag.txt",
+        "@yq_toolchains//:resolved_toolchain",
+    ],
+    substitutions = {
+        "@@REPO_TAG@@": "$(rootpath :repotag.txt)",
+        "@@TEMPLATE@@": "$(rootpath :job.yaml)",
+        "@@YQ_BIN@@": "$(rootpath @yq_toolchains//:resolved_toolchain)",
+    },
+    template = "job_template.sh.in",
+    visibility = ["//visibility:public"],
+)
+
+multirun(
+    name = "stamp_and_push",
+    commands = [
+        ":template_job",
+        ":malicious-join_push",
+    ],
+    visibility = ["//visibility:public"],
+)
diff --git a/e2e/malicious-join/job.yaml b/e2e/malicious-join/job.yaml
@@ -0,0 +1,12 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: malicious-join
+spec:
+  template:
+    spec:
+      containers:
+        - name: malicious-join
+          image: ghcr.io/edgelesssys/malicious-join-test:latest@sha256:f36fe306d50a6731ecdae3920682606967eb339fdd1a1e978b0ce39c2ab744bd
+      restartPolicy: Never
+  backoffLimit: 0 # Do not retry
diff --git a/e2e/malicious-join/job_template.sh.in b/e2e/malicious-join/job_template.sh.in
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../../bazel/sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+yq=$(realpath @@YQ_BIN@@)
+template=$(realpath @@TEMPLATE@@)
+REPO_TAG=$(realpath @@REPO_TAG@@)
+export REPO_TAG
+
+cd "${BUILD_WORKING_DIRECTORY}"
+
+if [[ $# -eq 0 ]]; then
+  workdir="."
+else
+  workdir="$1"
+fi
+
+echo "Stamping job deployment with $REPO_TAG"
+$yq eval '.spec.template.spec.containers[0].image |= "ghcr.io/edgelesssys/malicious-join-test:" + load_str(strenv(REPO_TAG))' "$template" > "$workdir/stamped_job.yaml"