[#46] Setup Travis for HIRS Integration Tests (#68)

* [#46] Ensure Travis mounts repository rather than clones it in Docker

* [#46] Containerize HIRS ACA and prep ACA container for Integration Tests

* [#46] Containerize HIRS TPM2Provisioner and prep TPM2Provisioner container for Integration Tests

* [#46] Replace localinstall with install

* [#46] Prevent rebuilding of packages unnecessarily

* [#46] Finish initial docker compose setup for integration tests

* [#46] Allow for detection of complete Integration Environment Setup

* [#46] Fix Travis CI to allow for detecting Integ Test Environ Stand-Up

* [#46] Fix Initial Integration Test Script

* [#46] Troubleshoot Integration Test script
apldev3 2019-01-07 15:28:53 -05:00 committed by GitHub
parent 64c532ff2f
commit 05a78a3d79
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 287 additions and 19 deletions

.ci/docker/Dockerfile.aca Normal file

@ -0,0 +1,10 @@
FROM hirs/hirs-ci:centos7
MAINTAINER apl.dev3@jhuapl.edu
# Install packages for installing HIRS ACA
RUN yum -y update && yum clean all
RUN yum install -y mariadb-server openssl tomcat java-1.8.0 rpmdevtools coreutils initscripts chkconfig sed grep firewalld policycoreutils && yum clean all
# Expose ACA Port
EXPOSE 8443
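Review bot: `MAINTAINER` on the second line of Dockerfile.aca is deprecated in favour of a label, and `RUN yum -y update && yum clean all` pulls whatever CentOS 7 updates exist at build time, so two builds of the same Dockerfile can yield different images and a CI failure becomes hard to reproduce; the same two lines are repeated in the TPM2 provisioner Dockerfile in this commit. Replace the first with `LABEL org.opencontainers.image.authors="apl.dev3@jhuapl.edu"`, and prefer bumping the `hirs/hirs-ci:centos7` base image over a blanket update, pinning the `yum install` package versions where reproducibility matters. A short comment above the install naming which packages are there only so the ACA RPM's install scripts can run (presumably `initscripts`, `chkconfig`, `firewalld`, `policycoreutils`) would let the next maintainer prune the list safely.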


@ -0,0 +1,14 @@
FROM hirs/hirs-ci:centos7
MAINTAINER apl.dev3@jhuapl.edu
# Install packages for installing HIRS TPM2 Provisioner
RUN yum -y update && yum clean all
# TODO: Remove vim-common if/when Paccor updates (Also update Paccor version below)
RUN yum install -y tpm2-tools libcurl procps-ng vim-common wget dbus python-requests && yum clean all
# Install PACCOR for Device Info Gathering
RUN mkdir paccor && pushd paccor && wget https://github.com/nsacyber/paccor/releases/download/v1.0.6r3/paccor-1.0.6-3.noarch.rpm && yum -y install paccor-*.rpm && popd
# Install Software TPM for Provisioning
RUN mkdir ibmtpm && pushd ibmtpm && wget https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm974.tar.gz && tar -zxvf ibmtpm974.tar.gz && cd src && make -j5 && popd
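Review bot: Both downloads in this Dockerfile are installed without any integrity check: the paccor RPM fetched by `wget` is fed straight to `yum -y install paccor-*.rpm` (a local RPM is not signature-checked by default), and the IBM software TPM tarball is untarred and compiled as-is, so a changed or tampered artifact on either download host silently becomes part of the CI image and of every provisioner test run. Pin a known digest for each artifact and fail the build on mismatch, as sketched below for the tarball (the placeholder must be replaced with the digest of the release actually intended); the same `sha256sum -c` step should guard the paccor RPM. The downloaded archives are also left in the layer; removing them in the same `RUN` keeps the image small.
```dockerfile
# Install Software TPM for Provisioning; the build fails if the tarball does not match the pinned digest.
ARG IBMTPM_SHA256=<sha256-of-ibmtpm974.tar.gz>
RUN mkdir ibmtpm && cd ibmtpm \
    && wget https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm974.tar.gz \
    && echo "${IBMTPM_SHA256}  ibmtpm974.tar.gz" | sha256sum -c - \
    && tar -zxf ibmtpm974.tar.gz && rm ibmtpm974.tar.gz \
    && cd src && make -j5
```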


@ -0,0 +1,17 @@
version: "3.1"
services:
aca:
image: hirs/hirs-ci:aca
ports:
- "8443:8443"
volumes:
- ../../:/HIRS
command: /HIRS/.ci/integration-tests/setup-aca.sh
tpm2provisioner:
image: hirs/hirs-ci:tpm2provisioner
depends_on:
- "aca"
volumes:
- ../../:/HIRS
network_mode: "host"
command: /HIRS/.ci/integration-tests/setup-tpm2provisioner.sh
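Review bot: `ports: - "8443:8443"` publishes the ACA on every interface of the CI host, while its only client in this setup is the `tpm2provisioner` service, which runs with `network_mode: "host"` and reaches it over loopback. Binding to the loopback address keeps the test ACA off the runner's external interfaces with no other change: `- "127.0.0.1:8443:8443"`. Note also that `../../:/HIRS` is a read-write bind mount of the checkout and both containers presumably run as root (neither Dockerfile sets `USER`), so the RPMs built by `setup-aca.sh` land in the repository tree root-owned; a comment on the `volumes` entries recording that expectation would help anyone running the compose file locally.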





@ -0,0 +1,33 @@
#!/bin/bash
# Script to run the Integration Tests for HIRS
set -e
# Start Integration Testing Docker Environment
docker-compose -f .ci/docker/docker-compose.yml up -d
# Check to see if Environment Stand-Up is Complete
# TODO: Refine to handle multiple container IDs
container_id_regex='([a-f0-9]{12})\s+hirs\/hirs-ci:tpm2provisioner'
while : ; do
docker_containers=$(docker container ls)
if [[ $docker_containers =~ $container_id_regex ]]; then
container_id=${BASH_REMATCH[1]}
break
fi
echo "Containers not found. Waiting 5 seconds."
sleep 5
done
tpm2_provisioner_started_regex='TPM2 Provisioner Loaded!'
while : ; do
docker_logs=$(docker logs $container_id)
if [[ $docker_logs =~ $tpm2_provisioner_started_regex ]]; then
break
fi
echo "Containers not completely booted. Waiting 10 seconds."
sleep 10
done
echo "Environment Stand-Up Complete!"
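Review bot: Both `while : ; do` loops in run-integration-tests.sh have no upper bound, so if the provisioner container never appears or never logs `TPM2 Provisioner Loaded!` (for example because `setup-tpm2provisioner.sh` fails partway and the container exits), the job spins until Travis kills it rather than failing with a useful message. Give each loop a deadline, e.g. `deadline=$((SECONDS + 900))` before the first loop and `if (( SECONDS > deadline )); then echo "Timed out waiting for integration environment"; docker-compose -f .ci/docker/docker-compose.yml logs; exit 1; fi` inside each, so a stuck stand-up fails fast and dumps the container logs. It is also worth a comment on the regex line that `container_id_regex` assumes exactly one `hirs/hirs-ci:tpm2provisioner` container is listed, since the TODO above it already acknowledges that limit.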


@ -0,0 +1,16 @@
#!/bin/bash
# Script to setup the ACA Docker Image for Integration Tests
set -e
# Prevent rebuild of packages if they already exist
cd /HIRS
if [ ! -d package/rpm/RPMS ]; then
./package/package.centos.sh
fi
yum install -y package/rpm/RPMS/noarch/HIRS_AttestationCA*.el7.noarch.rpm
echo "ACA Loaded!"
tail -f /dev/null
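Review bot: `if [ ! -d package/rpm/RPMS ]` keys the rebuild decision on the directory's mere existence, not on whether its contents match the checked-out source, so when the bind-mounted repository already holds an `RPMS` directory from an earlier build (a local run, or a cached directory if one is ever added to the Travis `cache:` block) a stale ACA RPM is installed and tested as though it were the current commit. Either make the skip explicit and documented (`# Reuse RPMs only when the caller has deliberately pre-built them; delete package/rpm/RPMS to force a rebuild`) or remove the directory in the CI script before `docker-compose up`. The glob `HIRS_AttestationCA*.el7.noarch.rpm` has the same exposure: with two versions present, which one `yum install` picks is not something this script controls.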


@ -0,0 +1,89 @@
#!/bin/bash
# Script to setup the TPM2 Provisioner Docker Image for Integration Tests
set -e
# Wait for ACA to boot
until [ "`curl --silent --connect-timeout 1 -I -k https://localhost:8443/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
:
done
pushd /HIRS
if [ ! -d package/rpm/RPMS ]; then
./package/package.centos.sh
fi
yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
popd
mkdir -p /var/run/dbus
if [ -e /var/run/dbus/pid ]; then
rm /var/run/dbus/pid
fi
if [ -e /var/run/dbus/system_bus_socket ]; then
rm /var/run/dbus/system_bus_socket
fi
# Start the DBus
dbus-daemon --fork --system
echo "DBus started"
# Give DBus time to start up
sleep 5
/ibmtpm/src/./tpm_server &
echo "TPM Emulator started"
tpm2-abrmd -t socket &
echo "TPM2-Abrmd started"
# Give ABRMD time to start and register on the DBus
sleep 5
# EK and PC Certificate
ek_cert_der="/HIRS/.ci/integration-tests/certs/ek_cert.der"
platform_cert="platformAttributeCertificate.pem"
echo "Creating Platform Cert for Container"
PC_DIR=/var/hirs/pc_generation
mkdir -p $PC_DIR
/opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile
/opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile
/opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile
/opt/paccor/bin/observer -c $PC_DIR/componentsFile -p $PC_DIR/optionsFile -e $ek_cert_der -f $PC_DIR/observerFile
/opt/paccor/bin/signer -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k /HIRS/.ci/integration-tests/certs/ca.key -P /HIRS/.ci/integration-tests/certs/ca.crt --pem -f $PC_DIR/$platform_cert
# Release EK Cert if one exists
if tpm2_nvlist | grep -q 0x1c00002; then
tpm2_nvrelease -x 0x1c00002 -a 0x40000001
fi
# Define nvram space to enable loading of EK cert (-x NV Index, -a handle to
# authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t
# specifies attribute value in publicInfo struct
# [0x2000A = ownerread|ownerwrite|policywrite])
size=$(cat $ek_cert_der | wc -c)
echo "Define nvram location for ek cert of size $size"
tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size
# Load EK Cert into TPM nvram
echo "Load ek cert into nvram"
tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert_der
# Release Platform Cert if one exists
if tpm2_nvlist | grep -q 0x1c90000; then
tpm2_nvrelease -x 0x1c90000 -a 0x40000001
fi
# Store the platform certificate in the TPM's NVRAM
echo "Load platform cert into nvram"
tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $(cat $PC_DIR/$platform_cert | wc -c)
tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert
# Set Logging to INFO Level
sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
echo "TPM2 Provisioner Loaded!"
tail -f /dev/null
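Review bot: The `until [ "`curl … | grep '302 Found'`" != "" ]; do : ; done` loop at the top of setup-tpm2provisioner.sh busy-waits with no sleep and no deadline, so a CPU core is pegged while the ACA boots and an ACA that never comes up leaves this container spinning forever; the same shape is used for the two Tomcat wait loops added in the ACA configuration script and in ssl_configure.sh. A `sleep 1` in the loop body and a bounded attempt count (`exit 1` with a message once exceeded) fixes all three. Separately, the platform certificate is signed with `/HIRS/.ci/integration-tests/certs/ca.key`, which this commit checks into the repository, so a comment next to the `signer` invocation should state that the key and certificates under `certs/` are throwaway test material for this CI environment only and must never be imported into any trust store elsewhere.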


@ -29,14 +29,18 @@ cache:
install: true
script:
- docker run --rm hirs/hirs-ci:centos7 /bin/bash -c "git clone https://github.com/nsacyber/HIRS.git /root/HIRS; cd /root/HIRS; git checkout ${TRAVIS_BRANCH}; ./gradlew :$SUBPROJECT:build"
- docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash -c "cd /HIRS; ./gradlew :$SUBPROJECT:build"
jobs:
include:
- stage: package
script: docker run --rm hirs/hirs-ci:centos7 /bin/bash -c "git clone https://github.com/nsacyber/HIRS.git /root/HIRS; cd /root/HIRS; git checkout ${TRAVIS_BRANCH}; ./package/package.centos.sh"
script: docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash -c "cd /HIRS; ./package/package.centos.sh"
env: null
name: "Package Centos"
- script: docker run --rm hirs/hirs-ci:ubuntu18 /bin/bash -c "git clone https://github.com/nsacyber/HIRS.git /root/HIRS; cd /root/HIRS; git checkout ${TRAVIS_BRANCH}; ./package/package.ubuntu.sh"
- script: docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:ubuntu18 /bin/bash -c "cd /HIRS; ./package/package.ubuntu.sh"
env: null
name: "Package Ubuntu"
- stage: integration-tests
script: .ci/integration-tests/./run-integration-tests.sh
env: null
name: "Integration Tests"
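Review bot: `-v $(pwd):/HIRS` in the three rewritten `docker run` lines leaves the substitution unquoted, so a build directory containing whitespace silently produces a wrong mount; `-v "$(pwd)":/HIRS` (or Travis's own `"$TRAVIS_BUILD_DIR"`) is the safe form. The integration stage invokes `.ci/integration-tests/./run-integration-tests.sh` directly, so it depends on the new script carrying the executable bit (the diff header for that file is not visible here, so I cannot confirm it does); `bash .ci/integration-tests/run-integration-tests.sh` removes the dependency and drops the stray `./` path segment. The surrounding `jobs:` block begins before this hunk.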


@ -1,9 +1,16 @@
set -e
if ! [ $(id -u) = 0 ]; then
echo "Please run this script as root."
exit 1
fi
HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
sudo mkdir -p /var/log/hirs/provisioner
sudo ln /usr/local/lib/libcurl.so /usr/lib64/libcurl.so
sudo ln -s -f /usr/local/bin/hirs-provisioner-tpm2 /usr/sbin/hirs-provisioner-tpm2
sudo ln -s -f /usr/local/bin/tpm_aca_provision /usr/sbin/tpm_aca_provision
mkdir -p /var/log/hirs/provisioner
ln /usr/local/lib/libcurl.so /usr/lib64/libcurl.so
ln -s -f /usr/local/bin/hirs-provisioner-tpm2 /usr/sbin/hirs-provisioner-tpm2
ln -s -f /usr/local/bin/tpm_aca_provision /usr/sbin/tpm_aca_provision
if [ ! -f $HIRS_SITE_CONFIG ]; then
# Create template site config if it does not exist
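Review bot: The rewritten hard-link line `ln /usr/local/lib/libcurl.so /usr/lib64/libcurl.so` has no `-f`, so on a second run of this script (or if the image already provides `/usr/lib64/libcurl.so`) `ln` fails on the existing target and `set -e` at the top aborts the install before the site config is written, whereas the two symlink lines right below it already use `-s -f` and tolerate re-runs. Use `ln -f /usr/local/lib/libcurl.so /usr/lib64/libcurl.so`, and add a comment saying why a hard link rather than a symlink is needed here, since that choice is not obvious. The root check that replaced the `sudo` calls is sound; the script continues past the end of this hunk.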


@ -1,5 +1,12 @@
#!/usr/bin/env bash
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
# variables for the CA certificates
CA_PATH=/etc/hirs/certificates
CA_KEYSTORE=${CA_PATH}/TrustStore.jks
@ -50,7 +57,7 @@ sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs
# copy the trust store to the ACA
cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/
# start up the tomcat6 service
# start up the tomcat service
# Guess where Tomcat is installed and what it's called:
if [ -d /usr/share/tomcat6 ] ; then
@ -63,4 +70,17 @@ else
fi
# restart tomcat after updating the trust store.
/sbin/service ${TOMCAT_SERVICE} restart;
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then
echo "Tomcat is running, so we restart it."
/usr/libexec/tomcat/server stop
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
fi
else
/sbin/service ${TOMCAT_SERVICE} restart;
fi
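Review bot: `if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]` in the new Docker branch never consults grep's exit status: `grep -q` prints nothing, the command substitution expands to the empty string, and `[[ "" -eq 0 ]]` is true in bash, so the "Tomcat is running" path is taken unconditionally and the unquoted `LISTEN.*:::8009` is additionally exposed to pathname expansion. Test the exit status directly and quote the pattern: `if ss -t -l -n | grep -q 'LISTEN.*:::8009'; then`. The same condition shape is used correctly with `pgrep -c` in the other scripts in this commit, so aligning this probe with those (or with a shared helper) would avoid the mismatch recurring.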


@ -1,10 +1,27 @@
#!/bin/bash
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
echo "Creating HIRS Database..."
chkconfig $SQL_SERVICE on
service $SQL_SERVICE start
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
/usr/libexec/mariadb-prepare-db-dir
nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
MYSQLD_PID=$(pgrep -u mysql mysqld)
/usr/libexec/mariadb-wait-ready $MYSQLD_PID
fi
else
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
chkconfig $SQL_SERVICE on
service $SQL_SERVICE start
fi
CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
if [ $CENTOS_VER -eq "6" ] ; then
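Review bot: `MYSQLD_PID=$(pgrep -u mysql mysqld)` runs immediately after `nohup /usr/bin/mysqld_safe … &`, but mysqld_safe is a wrapper that forks the server, so pgrep can run before a `mysql`-owned `mysqld` exists and `MYSQLD_PID` ends up empty, in which case `mariadb-wait-ready` is handed no PID and (as far as I can tell from that helper) exits non-zero instead of waiting; the identical three lines are added to ssl_configure.sh in this commit. Poll for the PID before waiting, e.g. `MYSQLD_PID=""; until [ -n "$MYSQLD_PID" ]; do sleep 1; MYSQLD_PID=$(pgrep -u mysql mysqld); done` followed by `/usr/libexec/mariadb-wait-ready "$MYSQLD_PID"`, with a bounded attempt count so a server that fails to start is reported rather than waited on forever. A comment on the `nohup` line explaining that `service`/`systemctl` is avoided because there is no D-Bus or systemd in the container would make the two branches self-explanatory; the script continues past this hunk.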


@ -1,15 +1,20 @@
if ! [ $(id -u) = 0 ]; then
echo "Please run this script as root."
exit 1
fi
CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
if [ $CENTOS_VER -eq "6" ] ; then
checkHTTPS=`iptables-save | grep -- "--dport 8443 -j ACCEPT"`
if [[ $checkHTTPS == "" ]]; then
echo "Tomcat HTTPS firewall rule doesn't exist, adding now"
sudo iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT
service iptables save
fi
elif [ $CENTOS_VER -eq "7" ] ; then
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT
sudo firewall-cmd --reload
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT
firewall-cmd --reload
else
echo "Unsupported CentOS version: ${CENTOS_VER}"
exit 1
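Review bot: The CentOS 7 branch now runs `firewall-cmd --direct --permanent …` and `firewall-cmd --reload` as root, but `firewall-cmd` talks to the firewalld daemon over D-Bus, and in the ACA container built by Dockerfile.aca firewalld is installed yet nothing starts it, so if this script runs during the container's ACA install it presumably fails with "FirewallD is not running" where the other scripts in this commit gained a `/.dockerenv` guard to skip D-Bus-dependent services. Add the same guard at the top, after the root check: `if [ -f /.dockerenv ]; then echo "In a Docker container; skipping firewall configuration."; exit 0; fi`, since port exposure inside the container is handled by the compose file. The `if`/`elif`/`else` chain closes after the end of this hunk.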

package/scripts/common/ssl_configure.sh Normal file → Executable file

@ -14,6 +14,13 @@ P12_DATA=${CERTIFICATES}/private/p12.data
echo 'Checking SSL configuration for HIRS'
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
#################
# Key Generation
#################
@ -115,7 +122,15 @@ if [[ $1 = "server" ]]; then
chkconfig ${TOMCAT_SERVICE} on
# Configure the server.xml file such that it uses our key store and trust store
service ${TOMCAT_SERVICE} stop
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -f /usr/share/tomcat) -ne 0 ]]; then
echo "Tomcat is running, so we stop it."
/usr/libexec/tomcat/server stop
fi
else
service ${TOMCAT_SERVICE} stop
fi
# Configure Tomcat SSL properly. The method for doing this changes from 6.0.38 onward.
rpmdev-vercmp 6.0.38 $TOMCAT_VERSION
@ -143,7 +158,16 @@ EOF
# (3) set tomcat user as owner of tomcat installation
chgrp -R tomcat ${CATALINA_HOME}
service ${TOMCAT_SERVICE} start
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
else
service ${TOMCAT_SERVICE} start
fi
fi
fi
@ -207,7 +231,19 @@ if [[ $1 = "server" ]]; then
sed -i "/\[mysqld\]/r $MYSQL_ADDITIONS_FILE" /etc/my.cnf
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
service $SQL_SERVICE restart
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
echo "MariaDB is running, so we'll need to restart it."
mysqladmin shutdown
/usr/libexec/mariadb-prepare-db-dir
nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
MYSQLD_PID=$(pgrep -u mysql mysqld)
/usr/libexec/mariadb-wait-ready $MYSQLD_PID
fi
else
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
service $SQL_SERVICE restart
fi
fi
fi
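Review bot: The five-line `/.dockerenv` detection block added near the top of ssl_configure.sh is the third verbatim copy in this commit (the ACA configuration script and the database creation script carry the others), and each script then probes "is Tomcat running" differently — `pgrep -c -f /usr/share/tomcat` here versus an `ss` port check in the ACA script — so the three will drift the next time one of them is fixed. Since the scripts already source shared helpers from `/opt/hirs/scripts/common/` (`get_db_service.sh`, `get_centos_major_version.sh`), the detection and the Tomcat/MariaDB start-stop logic for the container case belong in one helper there, with each `if [ $DOCKER_CONTAINER = true ]` branch reduced to a call. The mode change to executable is fine; the hunks here sit inside `if [[ $1 = "server" ]]`, which opens before the first of them.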