Merge pull request #681 from mmartinv/enhance-onboarding-testing

enhance onboarding testing
fdo-rs · Oct 11, 2024 · 4a0a7bf · 4a0a7bf
2 parents f0bd963 + 359ea48
commit 4a0a7bf
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 81 deletions.
diff --git a/.packit.yaml b/.packit.yaml
@@ -34,9 +34,9 @@ jobs:
           fedora-latest-stable: {}
           fedora-latest: {}
           fedora-rawhide: {}
-          fedora-eln:
-              additional_repos:
-                  - https://kojipkgs.fedoraproject.org/repos/eln-build/latest/$basearch/
+#          fedora-eln:
+#              additional_repos:
+#                  - https://kojipkgs.fedoraproject.org/repos/eln-build/latest/$basearch/
 
     - job: tests
       trigger: pull_request
@@ -48,6 +48,7 @@ jobs:
           fedora-latest-stable: {}
           fedora-latest: {}
           fedora-rawhide: {}
+#          fedora-eln: {}
 
     - <<: *fdo_copr_build
       trigger: commit

diff --git a/test/fmf/plans/onboarding.fmf b/test/fmf/plans/onboarding.fmf
@@ -6,6 +6,20 @@ execute:
 prepare:
     - how: shell
       script: dnf install -y postgresql-server sqlite
+    - how: shell
+      script: |
+        echo "Adding missing SELinux permissions"
+        tee /tmp/fdo-missing.cil <<EOF
+        (allow fdo_t etc_t (file (write)))
+        (allow fdo_t fdo_conf_t (file (append create rename setattr unlink write)))
+        (allow fdo_t fdo_var_lib_t (dir (add_name remove_name write)))
+        (allow fdo_t fdo_var_lib_t (file (create setattr unlink write)))
+        (allow fdo_t krb5_keytab_t (dir (search)))
+        (allow fdo_t postgresql_port_t (tcp_socket (name_connect)))
+        (allow fdo_t sssd_t (unix_stream_socket (connectto)))
+        (allow fdo_t sssd_var_run_t (sock_file (write)))
+        EOF
+        semodule -i /tmp/fdo-missing.cil
 provision:
     how: virtual
     memory: 4096

diff --git a/test/fmf/tests/onboarding/run-onboarding.sh b/test/fmf/tests/onboarding/run-onboarding.sh
@@ -17,6 +17,8 @@ DATABASES="${MANUFACTURER_DATABASE} ${OWNER_DATABASE} ${RENDEZVOUS_DATABASE}"
 
 OV_STORE_DRIVER="${OV_STORE_DRIVER:-Directory}"
 
+SERVICE_INFO_DIR="/var/lib/fdo/service-info/files"
+
 DATABASE_DRIVER="None"
 [ "${OV_STORE_DRIVER}" != "Postgres" ] || DATABASE_DRIVER="postgresql"
 [ "${OV_STORE_DRIVER}" != "Sqlite" ] || DATABASE_DRIVER="sqlite"
@@ -28,7 +30,7 @@ DATABASE_PASSWORD="redhat"
 [ "$DATABASE_DRIVER" != "postgresql" ] || DATABASE_URL="${DATABASE_DRIVER}://${DATABASE_USER}:${DATABASE_PASSWORD}@127.0.0.1/fdo"
 [ "$DATABASE_DRIVER" != "sqlite" ] || DATABASE_URL="${DATABASE_DRIVER}://${DATABASE_DIR}/fido-device-onboard.db"
 
-generate_keys() {
+generate_fdo_certificates() {
   ORGANIZATION="Red Hat"
   COUNTRY="US"
   VALIDITY="3650"
@@ -41,6 +43,56 @@ generate_keys() {
   done
 }
 
+generate_serviceinfo_files() {
+  mkdir -p ${SERVICE_INFO_DIR}/etc/{sudoers.d,pki/ca-trust/source/anchors}
+  cat > "${SERVICE_INFO_DIR}/etc/hosts" <<EOF
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+EOF
+  cat > "${SERVICE_INFO_DIR}/etc/sudoers.d/edge" <<EOF
+edge ALL=(ALL) NOPASSWD: ALL
+EOF
+  cat > "${SERVICE_INFO_DIR}/etc/pki/ca-trust/source/anchors/isrg-root-x2-cross-signed.crt" <<EOF
+-----BEGIN CERTIFICATE-----
+MIIEYDCCAkigAwIBAgIQB55JKIY3b9QISMI/xjHkYzANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
+Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yMDA5MDQwMDAwMDBa
+Fw0yNTA5MTUxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5l
+dCBTZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgy
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0H
+ttwW+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7
+AlF9ItgKbppbd9/w+kHsOdx1ymgHDB/qo4HlMIHiMA4GA1UdDwEB/wQEAwIBBjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR8Qpau3ktIO/qS+J6Mz22LqXI3lTAf
+BgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQw
+IgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wJwYDVR0fBCAwHjAc
+oBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzAiBgNVHSAEGzAZMAgGBmeBDAEC
+ATANBgsrBgEEAYLfEwEBATANBgkqhkiG9w0BAQsFAAOCAgEAG38lK5B6CHYAdxjh
+wy6KNkxBfr8XS+Mw11sMfpyWmG97sGjAJETM4vL80erb0p8B+RdNDJ1V/aWtbdIv
+P0tywC6uc8clFlfCPhWt4DHRCoSEbGJ4QjEiRhrtekC/lxaBRHfKbHtdIVwH8hGR
+Ib/hL8Lvbv0FIOS093nzLbs3KvDGsaysUfUfs1oeZs5YBxg4f3GpPIO617yCnpp2
+D56wKf3L84kHSBv+q5MuFCENX6+Ot1SrXQ7UW0xx0JLqPaM2m3wf4DtVudhTU8yD
+ZrtK3IEGABiL9LPXSLETQbnEtp7PLHeOQiALgH6fxatI27xvBI1sRikCDXCKHfES
+c7ZGJEKeKhcY46zHmMJyzG0tdm3dLCsmlqXPIQgb5dovy++fc5Ou+DZfR4+XKM6r
+4pgmmIv97igyIintTJUJxCD6B+GGLET2gUfA5GIy7R3YPEiIlsNekbave1mk7uOG
+nMeIWMooKmZVm4WAuR3YQCvJHBM8qevemcIWQPb1pK4qJWxSuscETLQyu/w4XKAM
+YXtX7HdOUM+vBqIPN4zhDtLTLxq9nHE+zOH40aijvQT2GcD5hq/1DhqqlWvvykdx
+S2McTZbbVSMKnQ+BdaDmQPVkRgNuzvpqfQbspDQGdNpT2Lm4xiN9qfgqLaSCpi4t
+EcrmzTFYeYXmchynn9NM0GbQp7s=
+-----END CERTIFICATE-----
+EOF
+
+}
+
+
+generate_ssh_key() {
+  SSH_KEY_TMP_DIR=$(mktemp -d)
+  SSH_KEY_FILE="${SSH_KEY_TMP_DIR}/ssh_key"
+  SSH_PUB_KEY_FILE="${SSH_KEY_FILE}.pub"
+  ssh-keygen -q -N '' -f "${SSH_KEY_FILE}"
+  cat "${SSH_PUB_KEY_FILE}"
+  rm -rf "${SSH_KEY_TMP_DIR}"
+}
+
 setup_postgresql() {
   systemctl stop postgresql.service
   rm -rf /var/lib/pgsql/data
@@ -60,7 +112,7 @@ setup_postgresql() {
 setup_sqlite() {
   mkdir -p ${DATABASE_DIR}
   DATABASE_FILE="${DATABASE_DIR}/fido-device-onboard.db"
-  > ${DATABASE_FILE}
+  true > ${DATABASE_FILE}
   for DATABASE in ${DATABASES}; do
     sqlite3 ${DATABASE_FILE} < "${MIGRATIONS_BASE_DIR}/migrations_${DATABASE}_server_sqlite/up.sql"
   done
@@ -153,18 +205,96 @@ setup_serviceinfo() {
  tee "${CONF_DIR}/serviceinfo-api-server.yml" <<EOF
 ---
 service_info:
-  initial_user: null
-  files: null
-  commands: null
-  diskencryption_clevis: null
-  additional_serviceinfo: null
+  initial_user:
+    username: edge
+    sshkeys:
+    - "${SSH_PUB_KEY}"
+  commands:
+  - command: touch
+    args:
+    - /etc/command-testfile1
+  - command: bash
+    args:
+    - -c
+    - echo command-testfile1-content1 > /etc/command-testfile1
+  - command: bash
+    args:
+    - -c
+    - echo command-testfile1-content2 >> /etc/command-testfile1
+  - command: mkdir
+    args:
+    - -p
+    - /etc/commands
+  - command: mv
+    args:
+    - /etc/command-testfile1
+    - /etc/commands/
+  - command: bash
+    args:
+    - -c
+    - echo command-testfile2-content1 > /etc/commands/command-testfile2
+  - command: bash
+    args:
+    - -c
+    - echo command-testfile2-content2 >> /etc/commands/command-testfile2
+  - command: rm
+    args:
+    - -rf
+    - /etc/commands
+  - command: find
+    args:
+    - /etc
+    - /var
+    - -type
+    - f
+    - -exec
+    - touch {}
+    - ;
+  - command: mkdir
+    args:
+    - -p
+    - /etc/sudoers.d /var/fdo /var/lib/fdo /var/fdo-test /var/lib/fdo-test
+  - command: /usr/bin/sed
+    args:
+    - -i
+    - -e
+    - s/^#PasswordAuthentication yes/PasswordAuthentication no/
+    - /etc/ssh/sshd_config
+    may_fail: false
+    return_stdout: true
+    return_stderr: true
+  - command: systemctl
+    args:
+    - restart
+    - sshd
+    return_stdout: true
+    return_stderr: true
+  - command: systemctl
+    args:
+    - daemon-reload
+    return_stdout: true
+    return_stderr: true
+  files:
+  - path: /etc/hosts
+    permissions: 644
+    source_path: ${SERVICE_INFO_DIR}/etc/hosts
+  - path: /etc/sudoers.d/edge
+    source_path: ${SERVICE_INFO_DIR}/etc/sudoers.d/edge
+  - path: /etc/pki/ca-trust/source/anchors/isrg-root-x2-cross-signed.crt
+    source_path: ${SERVICE_INFO_DIR}/etc/pki/ca-trust/source/anchors/isrg-root-x2-cross-signed.crt
+#  diskencryption_clevis:
+#  - disk_label: /dev/vda
+#    binding:
+#      pin: test
+#      config: "{}"
+#    reencrypt: true
+#  after_onboarding_reboot: true
 bind: 0.0.0.0:8083
 service_info_auth_token: 2IOtlXsSqfcGjnhBLZjPiHIteskzZEW3lncRzpEmgqI=
 admin_auth_token: Va40bSkLcxwnfml1pmIuaWaOZG96mSMB6fu0xuzcueg=
 device_specific_store_driver:
   Directory:
     path: ${STORES_DIR}/serviceinfo_api_devices
-
 EOF
 }
 
@@ -175,93 +305,36 @@ export_import_vouchers() {
   fdo-owner-tool export-manufacturer-vouchers "http://${PRIMARY_IP}:8080" --path "${MANUFACTURER_EXPORT_DIR}"
   sudo tar xvf "${MANUFACTURER_EXPORT_DIR}"/export.tar -C "${MANUFACTURER_EXPORT_DIR}"
   sudo rm -rf "${MANUFACTURER_EXPORT_DIR}"/export.tar
-  fdo-owner-tool import-ownership-vouchers "$(tr [:upper:] [:lower:] <<< ${OV_STORE_DRIVER})" "${DATABASE_URL}" "${MANUFACTURER_EXPORT_DIR}"
+  fdo-owner-tool import-ownership-vouchers "$(tr "[:upper:]" "[:lower:]" <<< "${OV_STORE_DRIVER}")" "${DATABASE_URL}" "${MANUFACTURER_EXPORT_DIR}"
 }
 
 perform_no_plain_di() {
   rm -f "${DEVICE_CREDENTIAL}" "${ONBOARDING_PERFORMED}"
-  /usr/libexec/fdo/fdo-manufacturing-client no-plain-di \
-                                            --manufacturing-server-url http://${PRIMARY_IP}:8080 \
-                                            --rootcerts ${KEYS_DIR}/diun_cert.pem
+  LOG_LEVEL=trace /usr/libexec/fdo/fdo-manufacturing-client no-plain-di \
+                                                            --manufacturing-server-url http://${PRIMARY_IP}:8080 \
+                                                            --rootcerts ${KEYS_DIR}/diun_cert.pem
 }
 
 onboard() {
-  /usr/libexec/fdo/fdo-client-linuxapp
-}
-
-fix_selinux_policies() {
-  SELINUX_MODULE="fdo-db"
-  SELINUX_TE_FILE="${SELINUX_MODULE}.te"
-  SELINUX_MOD_FILE="${SELINUX_MODULE}.mod"
-  SELINUX_POLICY_FILE="${SELINUX_MODULE}.pp"
-  semodule -l | grep -q "${SELINUX_MODULE}" || (tee "${SELINUX_TE_FILE}" <<EOF
-module fdo-db 1.0;
-
-require {
-	type postgresql_port_t;
-	type fdo_conf_t;
-	type fdo_t;
-	type etc_t;
-	type krb5_keytab_t;
-	type sssd_var_run_t;
-	type fdo_var_lib_t;
-	type sssd_t;
-	class tcp_socket name_connect;
-	class dir { add_name remove_name search write };
-	class sock_file write;
-	class unix_stream_socket connectto;
-	class file { append create rename setattr unlink write };
-}
-
-#============= fdo_t ==============
-
-allow fdo_t etc_t:file write;
-
-allow fdo_t fdo_conf_t:file { append create rename setattr unlink write };
-
-allow fdo_t fdo_var_lib_t:dir { add_name remove_name write };
-
-allow fdo_t fdo_var_lib_t:file { create setattr unlink write };
-
-allow fdo_t krb5_keytab_t:dir search;
-
-allow fdo_t postgresql_port_t:tcp_socket name_connect;
-
-allow fdo_t sssd_t:unix_stream_socket connectto;
-
-allow fdo_t sssd_var_run_t:sock_file write;
-EOF
-  checkmodule -M -m -o ${SELINUX_MOD_FILE} ${SELINUX_TE_FILE}
-  semodule_package -o ${SELINUX_POLICY_FILE} -m ${SELINUX_MOD_FILE}
-  semodule -i ${SELINUX_POLICY_FILE})
-
+  LOG_LEVEL=trace /usr/libexec/fdo/fdo-client-linuxapp
 }
 
 [ "${OV_STORE_DRIVER}" != "Sqlite" ] || setup_sqlite
 [ "${OV_STORE_DRIVER}" != "Postgres" ] || setup_postgresql
-fix_selinux_policies
-generate_keys
+SSH_PUB_KEY=$(generate_ssh_key)
+generate_fdo_certificates
 setup_manufacturing
 setup_owner
 setup_rendezvous
+generate_serviceinfo_files
 setup_serviceinfo
 systemctl restart fdo-{manufacturing,owner-onboarding,rendezvous,serviceinfo-api}-server.service
 # Wait for servers to be up and running
-until [ "$(curl -X POST http://${PRIMARY_IP}:8080/ping)" == "pong" ]; do
-    sleep 1;
-done;
-
-until [ "$(curl -X POST http://${PRIMARY_IP}:8081/ping)" == "pong" ]; do
-    sleep 1;
-done;
-
-until [ "$(curl -X POST http://${PRIMARY_IP}:8082/ping)" == "pong" ]; do
-    sleep 1;
-done;
-
-until [ "$(curl -X POST http://${PRIMARY_IP}:8083/ping)" == "pong" ]; do
-    sleep 1;
-done;
+for PORT in 808{0..3}; do
+  until [ "$(curl -s -X POST http://${PRIMARY_IP}:${PORT}/ping)" == "pong" ]; do
+      sleep 1;
+  done;
+done
 perform_no_plain_di
 [ "${OV_STORE_DRIVER}" = "Directory" ] || export_import_vouchers
 sleep 60