mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
519 lines
18 KiB
Go
519 lines
18 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package provider
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"regexp"
|
|
"testing"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/semver"
|
|
"github.com/edgelesssys/constellation/v2/internal/versions"
|
|
"github.com/edgelesssys/constellation/v2/terraform-provider-constellation/internal/data"
|
|
"github.com/hashicorp/terraform-plugin-framework/attr"
|
|
"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
|
|
"github.com/hashicorp/terraform-plugin-testing/helper/resource"
|
|
"github.com/hashicorp/terraform-plugin-testing/terraform"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
const providerVersion string = "v2.14.0"
|
|
|
|
func TestMicroserviceConstraint(t *testing.T) {
|
|
providerVersion := semver.NewFromInt(2, 15, 0, "")
|
|
sut := &ClusterResource{
|
|
providerData: data.ProviderData{
|
|
Version: providerVersion,
|
|
},
|
|
}
|
|
testCases := []struct {
|
|
name string
|
|
version string
|
|
expectedErrorCount int
|
|
}{
|
|
{
|
|
name: "outdated by 2 minor versions is invalid",
|
|
version: "v2.13.0",
|
|
expectedErrorCount: 1,
|
|
},
|
|
{
|
|
name: "outdated by 1 minor is allowed for upgrade",
|
|
version: "v2.14.0",
|
|
expectedErrorCount: 0,
|
|
},
|
|
{
|
|
name: "same version is valid",
|
|
version: "v2.15.0",
|
|
expectedErrorCount: 0,
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
_, diags := sut.getMicroserviceVersion(&ClusterResourceModel{
|
|
MicroserviceVersion: basetypes.NewStringValue(tc.version),
|
|
})
|
|
require.Equal(t, tc.expectedErrorCount, diags.ErrorsCount())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestViolatedImageConstraint(t *testing.T) {
|
|
sut := &ClusterResource{
|
|
providerData: data.ProviderData{
|
|
Version: semver.NewFromInt(2, 15, 0, ""),
|
|
},
|
|
}
|
|
testCases := []struct {
|
|
name string
|
|
version string
|
|
expectedErrorCount int
|
|
}{
|
|
{
|
|
name: "outdated by 2 minor versions is invalid",
|
|
version: "v2.13.0",
|
|
expectedErrorCount: 1,
|
|
},
|
|
{
|
|
name: "outdated by 1 minor is allowed for upgrade",
|
|
version: "v2.14.0",
|
|
expectedErrorCount: 0,
|
|
},
|
|
{
|
|
name: "same version is valid",
|
|
version: "v2.15.0",
|
|
expectedErrorCount: 0,
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
img := imageAttribute{
|
|
Version: tc.version,
|
|
}
|
|
|
|
input, diags := basetypes.NewObjectValueFrom(context.Background(), map[string]attr.Type{
|
|
"version": basetypes.StringType{},
|
|
"reference": basetypes.StringType{},
|
|
"short_path": basetypes.StringType{},
|
|
}, img)
|
|
require.Equal(t, 0, diags.ErrorsCount())
|
|
_, _, diags2 := sut.getImageVersion(context.Background(), &ClusterResourceModel{
|
|
Image: input,
|
|
})
|
|
require.Equal(t, tc.expectedErrorCount, diags2.ErrorsCount())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAccClusterResourceImports(t *testing.T) {
|
|
// Set the path to the Terraform binary for acceptance testing when running under Bazel.
|
|
bazelPreCheck := func() { bazelSetTerraformBinaryPath(t) }
|
|
|
|
testCases := map[string]resource.TestCase{
|
|
"import success": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: testingConfig + `
|
|
resource "constellation_cluster" "test" {}
|
|
`,
|
|
ResourceName: "constellation_cluster.test",
|
|
ImportState: true,
|
|
ImportStateId: "constellation-cluster://?kubeConfig=YWJjZGU=&" + // valid base64 of "abcde"
|
|
"clusterEndpoint=b&" +
|
|
"masterSecret=de&" +
|
|
"masterSecretSalt=ad",
|
|
ImportStateCheck: func(states []*terraform.InstanceState) error {
|
|
state := states[0]
|
|
assert := assert.New(t)
|
|
assert.Equal("abcde", state.Attributes["kubeconfig"])
|
|
assert.Equal("b", state.Attributes["out_of_cluster_endpoint"])
|
|
assert.Equal("de", state.Attributes["master_secret"])
|
|
assert.Equal("ad", state.Attributes["master_secret_salt"])
|
|
return nil
|
|
},
|
|
},
|
|
},
|
|
},
|
|
"kubeconfig not base64": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: testingConfig + `
|
|
resource "constellation_cluster" "test" {}
|
|
`,
|
|
ResourceName: "constellation_cluster.test",
|
|
ImportState: true,
|
|
ImportStateId: "constellation-cluster://?kubeConfig=a&" +
|
|
"clusterEndpoint=b&" +
|
|
"masterSecret=de&" +
|
|
"masterSecretSalt=ad",
|
|
ExpectError: regexp.MustCompile(".*illegal base64 data.*"),
|
|
},
|
|
},
|
|
},
|
|
"mastersecret not hex": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: testingConfig + `
|
|
resource "constellation_cluster" "test" {}
|
|
`,
|
|
ResourceName: "constellation_cluster.test",
|
|
ImportState: true,
|
|
ImportStateId: "constellation-cluster://?kubeConfig=test&" +
|
|
"clusterEndpoint=b&" +
|
|
"masterSecret=xx&" +
|
|
"masterSecretSalt=ad",
|
|
ExpectError: regexp.MustCompile(".*Decoding hex-encoded master secret.*"),
|
|
},
|
|
},
|
|
},
|
|
"parameter missing": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: testingConfig + `
|
|
resource "constellation_cluster" "test" {}
|
|
`,
|
|
ResourceName: "constellation_cluster.test",
|
|
ImportState: true,
|
|
ImportStateId: "constellation-cluster://?kubeConfig=test&" +
|
|
"clusterEndpoint=b&" +
|
|
"masterSecret=xx&",
|
|
ExpectError: regexp.MustCompile(".*Missing query parameter.*"),
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for name, tc := range testCases {
|
|
t.Run(name, func(t *testing.T) {
|
|
resource.Test(t, tc)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAccClusterResource(t *testing.T) {
|
|
// Set the path to the Terraform binary for acceptance testing when running under Bazel.
|
|
bazelPreCheck := func() { bazelSetTerraformBinaryPath(t) }
|
|
|
|
testCases := map[string]resource.TestCase{
|
|
"master secret not hex": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "aws") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "aws"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "xxx"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*Master secret must be a hex-encoded 32-byte.*"),
|
|
},
|
|
},
|
|
},
|
|
"master secret salt not hex": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "aws") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "aws"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "xxx"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*Master secret salt must be a hex-encoded 32-byte.*"),
|
|
},
|
|
},
|
|
},
|
|
"measurement salt not hex": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "aws") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "aws"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "xxx"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*Measurement salt must be a hex-encoded 32-byte.*"),
|
|
},
|
|
},
|
|
},
|
|
"invalid node ip cidr": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "aws") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "aws"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0x.0/xxx"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*Node IP CIDR must be a valid CIDR.*"),
|
|
},
|
|
},
|
|
},
|
|
"invalid service ip cidr": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "aws") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "aws"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0x.0/xxx"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*Service IP CIDR must be a valid CIDR.*"),
|
|
},
|
|
},
|
|
},
|
|
"azure config missing": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "azure") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "azure"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*When csp is set to 'azure', the 'azure' configuration must be set.*"),
|
|
},
|
|
},
|
|
},
|
|
"gcp config missing": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "gcp") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "gcp"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
ip_cidr_pod = "0.0.0.0/24"
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(".*When csp is set to 'gcp', the 'gcp' configuration must be set.*"),
|
|
},
|
|
},
|
|
},
|
|
"gcp pod ip cidr missing": {
|
|
ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion),
|
|
PreCheck: bazelPreCheck,
|
|
Steps: []resource.TestStep{
|
|
{
|
|
Config: fullClusterTestingConfig(t, "gcp") + fmt.Sprintf(`
|
|
resource "constellation_cluster" "test" {
|
|
csp = "gcp"
|
|
name = "constell"
|
|
uid = "test"
|
|
image = data.constellation_image.bar.image
|
|
attestation = data.constellation_attestation.foo.attestation
|
|
init_secret = "deadbeef"
|
|
master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
|
|
out_of_cluster_endpoint = "192.0.2.1"
|
|
in_cluster_endpoint = "192.0.2.1"
|
|
network_config = {
|
|
ip_cidr_node = "0.0.0.0/24"
|
|
ip_cidr_service = "0.0.0.0/24"
|
|
}
|
|
gcp = {
|
|
project_id = "test"
|
|
service_account_key = "eyJ0ZXN0IjogInRlc3QifQ=="
|
|
}
|
|
kubernetes_version = "%s"
|
|
constellation_microservice_version = "%s"
|
|
}
|
|
`, versions.Default, providerVersion),
|
|
ExpectError: regexp.MustCompile(`.*When csp is set to 'gcp', 'ip_cidr_pod' must be set.*`),
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for name, tc := range testCases {
|
|
t.Run(name, func(t *testing.T) {
|
|
resource.Test(t, tc)
|
|
})
|
|
}
|
|
}
|
|
|
|
func fullClusterTestingConfig(t *testing.T, csp string) string {
|
|
t.Helper()
|
|
|
|
providerConfig := `
|
|
provider "constellation" {}
|
|
`
|
|
|
|
image := providerVersion
|
|
switch csp {
|
|
case "aws":
|
|
return providerConfig + fmt.Sprintf(`
|
|
data "constellation_image" "bar" {
|
|
version = "%s"
|
|
attestation_variant = "aws-sev-snp"
|
|
csp = "aws"
|
|
region = "us-east-2"
|
|
}
|
|
|
|
data "constellation_attestation" "foo" {
|
|
csp = "aws"
|
|
attestation_variant = "aws-sev-snp"
|
|
image = data.constellation_image.bar.image
|
|
}`, image)
|
|
case "azure":
|
|
return providerConfig + fmt.Sprintf(`
|
|
data "constellation_image" "bar" {
|
|
version = "%s"
|
|
attestation_variant = "azure-sev-snp"
|
|
csp = "azure"
|
|
}
|
|
|
|
data "constellation_attestation" "foo" {
|
|
csp = "azure"
|
|
attestation_variant = "azure-sev-snp"
|
|
image = data.constellation_image.bar.image
|
|
}`, image)
|
|
case "gcp":
|
|
return providerConfig + fmt.Sprintf(`
|
|
data "constellation_image" "bar" {
|
|
version = "%s"
|
|
attestation_variant = "gcp-sev-es"
|
|
csp = "gcp"
|
|
}
|
|
|
|
data "constellation_attestation" "foo" {
|
|
csp = "gcp"
|
|
attestation_variant = "gcp-sev-es"
|
|
image = data.constellation_image.bar.image
|
|
}`, image)
|
|
default:
|
|
t.Fatal("unknown csp")
|
|
return ""
|
|
}
|
|
}
|