Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: add malicious join test #2304

Merged
merged 35 commits into from
Sep 15, 2023
Merged

ci: add malicious join test #2304

merged 35 commits into from
Sep 15, 2023

Conversation

msanft
Copy link
Contributor

@msanft msanft commented Sep 4, 2023

Context

We want an e2e-test that verifies that a malicious / unattested node cannot join a Constellation cluster.

Proposed change(s)

  • Create a test that sends a join request to an existing cluster while using a stub attestation issuer and thus not having a valid attestation document. This test is deployed into a cluster as a Kubernetes job. The outputs of these jobs are parsed afterwards to verify a correct completion of the test. While this might be quite hacky, it was the easiest way to deploy the test and access all the related resources, without adding too much complexity to the core of the test.
  • Currently, the test only uses the "stub" issuer. Potential extensions could use more sophisticated issuers that trigger more fine-grained checks in our attestation logic, e.g. VCEK matching report, etc.

Additional info

Checklist

  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone

@msanft msanft added the no changelog Change won't be listed in release changelog label Sep 4, 2023
@msanft msanft added this to the v2.11.0 milestone Sep 4, 2023
@msanft msanft requested a review from 3u13r as a code owner September 4, 2023 14:36
.github/actions/e2e_malicious_join/action.yml Outdated Show resolved Hide resolved
.github/actions/e2e_malicious_join/action.yml Outdated Show resolved Hide resolved
e2e/malicious-join/Dockerfile Outdated Show resolved Hide resolved
e2e/malicious-join/malicious-join_test.go Outdated Show resolved Hide resolved
e2e/malicious-join/malicious-join_test.go Outdated Show resolved Hide resolved
@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2023

Coverage report

Package Old New Trend
e2e/malicious-join 0.00% [no test files] 🚨

@3u13r
Copy link
Member

3u13r commented Sep 5, 2023

I'm thinking about 2 possible (future) extensions of this test:

  1. Try to join via every join-pod and not via the svc.
  2. Make the requests from a local test and not from inside the cluster. This would also allow to simply use our normal test pattern with require.NoError() and assert.Equal().

@msanft
Copy link
Contributor Author

msanft commented Sep 5, 2023

  1. Try to join via every join-pod and not via the svc.

Can be implemented in a future extension as discussed in-person.

  1. Make the requests from a local test and not from inside the cluster. This would also allow to simply use our normal test pattern with require.NoError() and assert.Equal().

Obsolete as discussed in-person.

e2e/malicious-join/malicious-join.go Outdated Show resolved Hide resolved
e2e/malicious-join/malicious-join.go Outdated Show resolved Hide resolved
e2e/malicious-join/malicious-join.go Outdated Show resolved Hide resolved
@katexochen katexochen self-requested a review September 6, 2023 08:31
.github/actions/e2e_malicious_join/action.yml Outdated Show resolved Hide resolved
e2e/malicious-join/malicious-join.go Outdated Show resolved Hide resolved
e2e/malicious-join/job.yaml Show resolved Hide resolved
.github/actions/e2e_malicious_join/action.yml Outdated Show resolved Hide resolved
@netlify
Copy link

netlify bot commented Sep 6, 2023

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 9088f73
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/6504649ba7b09d0008d7dfa3

@derpsteb derpsteb removed their request for review September 7, 2023 09:35
@3u13r
Copy link
Member

3u13r commented Sep 7, 2023

Please fix the tidy check. Started another e2e run: https://github.com/edgelesssys/constellation/actions/runs/6109204057

@3u13r 3u13r modified the milestones: v2.11.0, v2.12.0 Sep 8, 2023
@msanft
Copy link
Contributor Author

msanft commented Sep 11, 2023

e2e run

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
@msanft
Copy link
Contributor Author

msanft commented Sep 14, 2023

Copy link
Member

@katexochen katexochen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. Maybe @malt3 could take a quick look over the bazel stuff, as I'm not entirely sure with it.

e2e/malicious-join/job_template.sh.in Outdated Show resolved Hide resolved
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Copy link
Contributor

@malt3 malt3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mostly looked at the bazel part. LGTM.

@msanft msanft merged commit 0a28cde into main Sep 15, 2023
8 checks passed
@msanft msanft deleted the feat/ci/malicious-join-test branch September 15, 2023 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
no changelog Change won't be listed in release changelog
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants