
ci: add malicious join test #2304

Merged
merged 35 commits into from
Sep 15, 2023

Conversation

msanft
Contributor

@msanft msanft commented Sep 4, 2023

Context

We want an e2e-test that verifies that a malicious / unattested node cannot join a Constellation cluster.

Proposed change(s)

  • Create a test that sends a join request to an existing cluster while using a stub attestation issuer and thus not having a valid attestation document. This test is deployed into a cluster as a Kubernetes job. The outputs of these jobs are parsed afterwards to verify a correct completion of the test. While this might be quite hacky, it was the easiest way to deploy the test and access all the related resources, without adding too much complexity to the core of the test.
  • Currently, the test only uses the "stub" issuer. Potential extensions could use more sophisticated issuers that trigger more fine-grained checks in our attestation logic, e.g. VCEK matching report, etc.

Additional info

Checklist

  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone

@msanft msanft added the no changelog Change won't be listed in release changelog label Sep 4, 2023
@msanft msanft added this to the v2.11.0 milestone Sep 4, 2023
@msanft msanft requested a review from 3u13r as a code owner September 4, 2023 14:36
@github-actions
Contributor

github-actions bot commented Sep 5, 2023

Coverage report

Package Old New Trend
e2e/malicious-join 0.00% [no test files] 🚨

@3u13r
Member

3u13r commented Sep 5, 2023

I'm thinking about 2 possible (future) extensions of this test:

  1. Try to join via every join-pod and not via the svc.
  2. Make the requests from a local test and not from inside the cluster. This would also allow us to simply use our normal test pattern with require.NoError() and assert.Equal().

@msanft
Contributor Author

msanft commented Sep 5, 2023

  1. Try to join via every join-pod and not via the svc.

Can be implemented in a future extension as discussed in-person.

  2. Make the requests from a local test and not from inside the cluster. This would also allow us to simply use our normal test pattern with require.NoError() and assert.Equal().

Obsolete as discussed in-person.

@katexochen katexochen self-requested a review September 6, 2023 08:31
@netlify

netlify bot commented Sep 6, 2023

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 9088f73
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/6504649ba7b09d0008d7dfa3

@derpsteb derpsteb removed their request for review September 7, 2023 09:35
@3u13r
Member

3u13r commented Sep 7, 2023

Please fix the tidy check. Started another e2e run: https://github.com/edgelesssys/constellation/actions/runs/6109204057

@3u13r 3u13r modified the milestones: v2.11.0, v2.12.0 Sep 8, 2023
@msanft
Contributor Author

msanft commented Sep 11, 2023

e2e run

Signed-off-by: Moritz Sanft <[email protected]>
@msanft
Contributor Author

msanft commented Sep 14, 2023

Member

@katexochen katexochen left a comment

lgtm. Maybe @malt3 could take a quick look over the bazel stuff, as I'm not entirely sure with it.

Contributor

@malt3 malt3 left a comment

I mostly looked at the bazel part. LGTM.

@msanft msanft merged commit 0a28cde into main Sep 15, 2023
8 checks passed
@msanft msanft deleted the feat/ci/malicious-join-test branch September 15, 2023 15:21
Labels
no changelog Change won't be listed in release changelog
6 participants