From 2f45238508163b011c6b3e3694ae57351f34799a Mon Sep 17 00:00:00 2001 
From: Adrian Benavides Date: Wed, 26 Feb 2025 15:19:02 +0100 Subject: [PATCH] test(rust): segment orchestrator bats tests --- Cargo.lock | 1 + .../tests/bats/load/orchestrator.bash | 13 + .../tests/bats/local/authority.bats | 16 +- .../tests/bats/orchestrator/message.bats | 34 --- .../tests/bats/orchestrator/portals.bats | 243 ---------------- .../tests/bats/orchestrator/projects.bats | 16 +- .../tests/bats/orchestrator/relay.bats | 16 -- .../tests/bats/orchestrator/spaces.bats | 4 - .../bats/orchestrator_enroll/message.bats | 38 +++ .../orchestrator_enroll/node_control_api.bats | 10 +- .../tests/bats/orchestrator_enroll/nodes.bats | 53 ++-- .../bats/orchestrator_enroll/portals.bats | 261 ++++++++++++++++++ .../tests/bats/orchestrator_enroll/relay.bats | 2 +- .../use_cases.bats | 0 .../bats/orchestrator_enrolled/README.md | 2 + .../command_reference.bats | 0 .../bats/orchestrator_enrolled/message.bats | 32 +++ .../bats/orchestrator_enrolled/relay.bats | 34 +++ .../orchestrator_enrolled/setup_suite.bash | 13 + .../trust.bats | 12 +- .../ockam/ockam_command/tests/bats/run.sh | 13 +- .../rust/ockam/ockam_vault/Cargo.toml | 4 +- 22 files changed, 449 insertions(+), 368 deletions(-) create mode 100644 implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/message.bats create mode 100644 implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/portals.bats rename implementations/rust/ockam/ockam_command/tests/bats/{orchestrator => orchestrator_enroll}/use_cases.bats (100%) create mode 100644 implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/README.md rename implementations/rust/ockam/ockam_command/tests/bats/{orchestrator_enroll => orchestrator_enrolled}/command_reference.bats (100%) create mode 100644 implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/message.bats create mode 100644 implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/relay.bats create mode 100644 
implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/setup_suite.bash rename implementations/rust/ockam/ockam_command/tests/bats/{orchestrator_enroll => orchestrator_enrolled}/trust.bats (88%) diff --git a/Cargo.lock b/Cargo.lock index f3fc64895cb..5d71c1b2853 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5050,6 +5050,7 @@ dependencies = [ "aes-gcm", "arrayref", "aws-lc-rs", + "base64ct", "cfg-if", "ed25519-dalek", "hex", diff --git a/implementations/rust/ockam/ockam_command/tests/bats/load/orchestrator.bash b/implementations/rust/ockam/ockam_command/tests/bats/load/orchestrator.bash index 508c1cd7f7b..a8f6276bcc3 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/load/orchestrator.bash +++ b/implementations/rust/ockam/ockam_command/tests/bats/load/orchestrator.bash @@ -47,3 +47,16 @@ function copy_enrolled_home_dir() { cp -a $OCKAM_HOME_BASE/database.sqlite3 $OCKAM_HOME/ fi } + +export DEFAULT_TICKET_PATH="$OCKAM_HOME_BASE/.tmp/default.ticket" +function get_default_ticket() { + if [ ! -z "${ORCHESTRATOR_TESTS}" ]; then + # if the ticket doesn't exist, create it + if [ ! -f "$DEFAULT_TICKET_PATH" ]; then + OCKAM_HOME=$OCKAM_HOME_BASE "$OCKAM" project ticket --usage-count 1000 --expires-in 1h >$DEFAULT_TICKET_PATH + fi + + fi + # return the path to the ticket + echo "$DEFAULT_TICKET_PATH" +} diff --git a/implementations/rust/ockam/ockam_command/tests/bats/local/authority.bats b/implementations/rust/ockam/ockam_command/tests/bats/local/authority.bats index 3c9680df0e9..2e2589c9b77 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/local/authority.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/local/authority.bats 
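Review bot: In `get_default_ticket`, a failed `project ticket` still leaves `$DEFAULT_TICKET_PATH` behind, because the `>` redirect creates the file before the command runs, and the `-f` check then hands that empty file to every later `$(get_default_ticket)` caller with no trace of the original error. The same check ignores the ticket's own limits (`--usage-count 1000 --expires-in 1h`), so a file left by an earlier run, or a suite that runs longer than an hour, keeps being served until every enrollment fails. The ticket is a bearer credential that enrolls whoever holds it into the project, so it should be written under a restrictive umask rather than the default one, and `.tmp` should be created if it does not exist yet. A write-to-temp-then-rename with a staleness check covers all three; with `ORCHESTRATOR_TESTS` unset the function still just echoes the path, as now.
```shell
export DEFAULT_TICKET_PATH="$OCKAM_HOME_BASE/.tmp/default.ticket"
function get_default_ticket() {
  if [ ! -z "${ORCHESTRATOR_TESTS}" ]; then
    # regenerate when the ticket is missing, empty, or close to its 1h expiry
    if [ ! -s "$DEFAULT_TICKET_PATH" ] || [ -n "$(find "$DEFAULT_TICKET_PATH" -mmin +50 2>/dev/null)" ]; then
      mkdir -p "$(dirname "$DEFAULT_TICKET_PATH")"
      tmp="$DEFAULT_TICKET_PATH.$$"
      # bearer credential: never world-readable; only publish it once the command succeeded
      if (umask 077 && OCKAM_HOME=$OCKAM_HOME_BASE "$OCKAM" project ticket --usage-count 1000 --expires-in 1h >"$tmp"); then
        mv -f "$tmp" "$DEFAULT_TICKET_PATH"
      else
        rm -f "$tmp"
        return 1
      fi
    fi
  fi
  # return the path to the ticket
  echo "$DEFAULT_TICKET_PATH"
}
```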
@@ -88,12 +88,12 @@ teardown() { "id": "1", "name": "default", "space_name": "together-porgy", - "access_route": "/dnsaddr/127.0.0.1/tcp/4000/service/api", + "access_route": "/ip4/127.0.0.1/tcp/4000/service/api", "users": [], "space_id": "1", "identity": "I923829d0397a06fa862be5a87b7966959b8ef99ab6455b843ca9131a747b4819", "project_change_history": "81825837830101583285f68200815820f405e06d988fa8039cce1cd0ae607e46847c1b64bc459ca9d89dd9b21ae30681f41a654cebe91a7818eee98200815840494c9b70e8a9ad5593fceb478f722a513b4bd39fa70f4265d584253bc24617d0eb498ce532273f6d0d5326921e013696fce57c20cc6c4008f74b816810f0b009", - "authority_access_route": "/dnsaddr/127.0.0.1/tcp/$port/service/api", + "authority_access_route": "/ip4/127.0.0.1/tcp/$port/service/api", "authority_identity": "$authority_identity_full", "version": "605c4632ded93eb17edeeef31fa3860db225b3ab-2023-12-05", "running": false, @@ -161,12 +161,12 @@ EOF "id": "1", "name": "default", "space_name": "together-porgy", - "access_route": "/dnsaddr/127.0.0.1/tcp/4000/service/api", + "access_route": "/ip4/127.0.0.1/tcp/4000/service/api", "users": [], "space_id": "1", "identity": "I923829d0397a06fa862be5a87b7966959b8ef99ab6455b843ca9131a747b4819", "project_change_history": "81825837830101583285f68200815820f405e06d988fa8039cce1cd0ae607e46847c1b64bc459ca9d89dd9b21ae30681f41a654cebe91a7818eee98200815840494c9b70e8a9ad5593fceb478f722a513b4bd39fa70f4265d584253bc24617d0eb498ce532273f6d0d5326921e013696fce57c20cc6c4008f74b816810f0b009", - "authority_access_route": "/dnsaddr/127.0.0.1/tcp/$port/service/api", + "authority_access_route": "/ip4/127.0.0.1/tcp/$port/service/api", "authority_identity": "$authority_identity_full", "version": "605c4632ded93eb17edeeef31fa3860db225b3ab-2023-12-05", "running": false, 
@@ -220,12 +220,12 @@ EOF "id": "1", "name": "default", "space_name": "together-porgy", - "access_route": "/dnsaddr/127.0.0.1/tcp/4000/service/api", + "access_route": "/ip4/127.0.0.1/tcp/4000/service/api", "users": [], "space_id": "1", "identity": "I923829d0397a06fa862be5a87b7966959b8ef99ab6455b843ca9131a747b4819", "project_change_history": "81825837830101583285f68200815820f405e06d988fa8039cce1cd0ae607e46847c1b64bc459ca9d89dd9b21ae30681f41a654cebe91a7818eee98200815840494c9b70e8a9ad5593fceb478f722a513b4bd39fa70f4265d584253bc24617d0eb498ce532273f6d0d5326921e013696fce57c20cc6c4008f74b816810f0b009", - "authority_access_route": "/dnsaddr/127.0.0.1/tcp/$port/service/api", + "authority_access_route": "/ip4/127.0.0.1/tcp/$port/service/api", "authority_identity": "$authority_identity_full", "version": "605c4632ded93eb17edeeef31fa3860db225b3ab-2023-12-05", "running": false, @@ -270,12 +270,12 @@ EOF "id": "1", "name": "default", "space_name": "together-porgy", - "access_route": "/dnsaddr/127.0.0.1/tcp/4000/service/api", + "access_route": "/ip4/127.0.0.1/tcp/4000/service/api", "users": [], "space_id": "1", "identity": "I923829d0397a06fa862be5a87b7966959b8ef99ab6455b843ca9131a747b4819", "project_change_history": "81825837830101583285f68200815820f405e06d988fa8039cce1cd0ae607e46847c1b64bc459ca9d89dd9b21ae30681f41a654cebe91a7818eee98200815840494c9b70e8a9ad5593fceb478f722a513b4bd39fa70f4265d584253bc24617d0eb498ce532273f6d0d5326921e013696fce57c20cc6c4008f74b816810f0b009", - "authority_access_route": "/dnsaddr/127.0.0.1/tcp/$port/service/api", + "authority_access_route": "/ip4/127.0.0.1/tcp/$port/service/api", "authority_identity": "$authority_identity_full", "version": "605c4632ded93eb17edeeef31fa3860db225b3ab-2023-12-05", "running": false, diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/message.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/message.bats index e6104d7baa3..5bea3a541d7 100644 
--- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/message.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/message.bats @@ -22,37 +22,3 @@ teardown() { run_success "$OCKAM" message send "$msg" --to /project/default/service/echo assert_output "$msg" } - -@test "message - send a message to a project node from a background node" { - run_success "$OCKAM" node create blue - - msg=$(random_str) - run_success "$OCKAM" message send "$msg" --from /node/blue --to /project/default/service/echo - assert_output "$msg" -} - -@test "message - send a message to a project node from an embedded node, passing identity" { - run_success "$OCKAM" identity create m1 - m1_identifier=$($OCKAM identity show m1) - - run_success "$OCKAM" project-member add "$m1_identifier" --attribute role=member - sleep 2 - - # m1 identity was added by enroller - run_success "$OCKAM" project enroll --identity m1 - - # m1 is a member, must be able to contact the project' service - msg=$(random_str) - run_success "$OCKAM" message send --timeout 5 --identity m1 --to /project/default/service/echo "$msg" - assert_output "$msg" - - # m2 is not a member, must not be able to contact the project' service - run_success "$OCKAM" identity create m2 - run_failure "$OCKAM" message send --no-retry --timeout 5 --identity m2 --to /project/default/service/echo "$msg" -} - -@test "message - send a hex encoded message to a project node from an embedded node" { - msg=$(random_hex_str) - run_success "$OCKAM" message send "$msg" --to /project/default/service/echo --hex - assert_output "$msg" -} diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/portals.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/portals.bats index 9d2681e8d9c..bca8b876fb8 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/portals.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/portals.bats 
@@ -33,32 +33,6 @@ teardown() { run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port" } -@test "portals - create an inlet using only default arguments, an outlet, a relay in an orchestrator project and move tcp traffic through it" { - run_success "$OCKAM" node create blue - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - - relay_name=$(random_str) - run_success "$OCKAM" relay create "$relay_name" --to /node/blue - - addr=$($OCKAM tcp-inlet create --via $relay_name) - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 $addr -} - -@test "portals - create an inlet (with implicit secure channel creation), an outlet, a relay in an orchestrator project and move tcp traffic through it" { - port="$(random_port)" - - run_success "$OCKAM" node create blue - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - - relay_name="$(random_str)" - run_success "$OCKAM" relay create "$relay_name" --to /node/blue - - run_success "$OCKAM" node create green - run_success "$OCKAM" tcp-inlet create --at /node/green --from "$port" --via "$relay_name" - - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port" -} - @test "portals - inlet/outlet example with credential, not provided" { ENROLLED_OCKAM_HOME=$OCKAM_HOME 
@@ -93,220 +67,3 @@ teardown() { # Green can't establish secure channel with blue, because it didn't exchange credential with it. run_failure curl -sfI -m 3 "127.0.0.1:$port" } - -@test "portals - inlet (with implicit secure channel creation) / outlet example with credential, not provided" { - port="$(random_port)" - ENROLLED_OCKAM_HOME=$OCKAM_HOME - setup_home_dir - NON_ENROLLED_OCKAM_HOME=$OCKAM_HOME - "$OCKAM" project import --project-file $PROJECT_PATH - - run_success "$OCKAM" identity create green - run_success "$OCKAM" identity create blue - green_identifier=$($OCKAM identity show green) - blue_identifier=$($OCKAM identity show blue) - - relay_name="$(random_str)" - run_success "$OCKAM" node create green --identity green - run_success "$OCKAM" node create blue --identity blue - - # Green isn't enrolled as project member - export OCKAM_HOME=$ENROLLED_OCKAM_HOME - run_success "$OCKAM" project-member add "$blue_identifier" --attribute role=member --relay $relay_name - sleep 2 - - export OCKAM_HOME=$NON_ENROLLED_OCKAM_HOME - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - - run_success "$OCKAM" relay create "$relay_name" --to /node/blue - assert_output --partial "forward_to_$relay_name" - - run_success "$OCKAM" tcp-inlet create --at /node/green --from "$port" --via "$relay_name" - # Green can't establish secure channel with blue, because it isn't a member - run_failure curl -sfI -m 3 "127.0.0.1:$port" -} - -@test "portals - inlet/outlet example with credential" { - port="$(random_port)" - ENROLLED_OCKAM_HOME=$OCKAM_HOME - - # Setup non-enrolled identities - setup_home_dir - NON_ENROLLED_OCKAM_HOME=$OCKAM_HOME - "$OCKAM" project import --project-file $PROJECT_PATH - - run_success "$OCKAM" identity create green - run_success "$OCKAM" identity create blue - green_identifier=$($OCKAM identity show green) - blue_identifier=$($OCKAM identity show blue) - - relay_name="$(random_str)" - run_success "$OCKAM" node create green 
--identity green - run_success "$OCKAM" node create blue --identity blue - - # Add identities as members of the project - export OCKAM_HOME=$ENROLLED_OCKAM_HOME - run_success "$OCKAM" project-member add "$blue_identifier" --attribute role=member --relay $relay_name - run_success "$OCKAM" project-member add "$green_identifier" --attribute role=member - sleep 2 - - # Use project from the now enrolled identities - export OCKAM_HOME=$NON_ENROLLED_OCKAM_HOME - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - - run_success "$OCKAM" relay create "$relay_name" --to /node/blue - assert_output --partial "forward_to_$relay_name" - - run_success bash -c "$OCKAM secure-channel create --from /node/green --to /project/default/service/forward_to_$relay_name/service/api \ - | $OCKAM tcp-inlet create --at /node/green --from $port --to -/service/outlet" - - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port" -} - -@test "portals - inlet (with implicit secure channel creation) / outlet example with enrollment token" { - port="$(random_port)" - ENROLLED_OCKAM_HOME=$OCKAM_HOME - - relay_name="$(random_str)" - green_token=$($OCKAM project ticket --usage-count 10 --attribute app=app1) - blue_token=$($OCKAM project ticket --usage-count 10 --attribute app=app1 --relay $relay_name) - - setup_home_dir - NON_ENROLLED_OCKAM_HOME=$OCKAM_HOME - # "$OCKAM" project import --project-file $PROJECT_PATH - - run_success "$OCKAM" identity create green - run_success "$OCKAM" identity create blue - - run_success "$OCKAM" project enroll $green_token --identity green - run_success "$OCKAM" node create green --identity green - - run_success "$OCKAM" project enroll $blue_token --identity blue - run_success "$OCKAM" node create blue --identity blue - - run_success "$OCKAM" tcp-outlet create --at /node/blue \ - --to 127.0.0.1:$PYTHON_SERVER_PORT --allow '(= subject.app "app1")' - - run_success "$OCKAM" relay create "$relay_name" 
--to /node/blue - assert_output --partial "forward_to_$relay_name" - - run_success "$OCKAM" tcp-inlet create --at /node/green \ - --from "$port" --via "$relay_name" --allow '(= subject.app "app1")' - - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port" -} - -@test "portals - local inlet and outlet passing through a relay, removing and re-creating the outlet" { - inlet_port="$(random_port)" - node_port="$(random_port)" - relay_name="$(random_str)" - - run_success "$OCKAM" node create blue --tcp-listener-address "127.0.0.1:$node_port" - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - run_success "$OCKAM" relay create "$relay_name" --to /node/blue - - run_success "$OCKAM" node create green - run_success "$OCKAM" tcp-inlet create --at /node/green --from "$inlet_port" --via "$relay_name" - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$inlet_port" - - $OCKAM node delete blue --yes - run_failure curl -sfI -m 3 "127.0.0.1:$inlet_port" - - run_success "$OCKAM" node create blue --tcp-listener-address "127.0.0.1:$node_port" - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - run_success "$OCKAM" relay create "$relay_name" --to /node/blue - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$inlet_port" -} - -@test "portals - create an inlet/outlet pair, copy heavy payload" { - port="$(random_port)" - relay_name="$(random_str)" - - run_success "$OCKAM" node create blue - sleep 1 - run_success "$OCKAM" relay create "${relay_name}" --to /node/blue - run_success "$OCKAM" tcp-outlet create --at /node/blue --to "$PYTHON_SERVER_PORT" - - run_success "$OCKAM" node create green - run_success "$OCKAM" tcp-inlet create --at /node/green --from "${port}" \ - --to "/project/default/service/forward_to_${relay_name}/secure/api/service/outlet" - - # generate 10MB of random data - run_success 
openssl rand -out "${OCKAM_HOME_BASE}/.tmp/payload" $((1024 * 1024 * 10)) - - # write payload to file `payload.copy` - run_success curl -sf --retry-all-errors --retry-delay 5 --retry 10 -m 60 "127.0.0.1:${port}/.tmp/payload" -o "${OCKAM_HOME}/payload.copy" - - # compare `payload` and `payload.copy` - run_success cmp "${OCKAM_HOME_BASE}/.tmp/payload" "${OCKAM_HOME}/payload.copy" -} - -@test "portals - create an inlet/outlet pair, connection goes down, connection restored" { - inlet_port="$(random_port)" - socat_port="$(random_port)" - - project_address=$($OCKAM project show default --output json | jq .access_route -r | sed 's#/dnsaddr/\([^/]*\)/.*#\1#') - project_port=$($OCKAM project show default --output json | jq .access_route -r | sed 's#.*/tcp/\([^/]*\)/.*#\1#') - project_id=$($OCKAM project show default --output json | jq .id -r) - - # pass traffic through socat, so we can simulate the connection being interrupted - socat TCP-LISTEN:${socat_port},reuseaddr TCP:${project_address}:${project_port} & - socat_pid=$! 
- - run_success "$OCKAM" node create blue - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - - relay_name="$(random_str)" - run_success "$OCKAM" relay create "${relay_name}" --project-relay --to /node/blue \ - --at "/ip4/127.0.0.1/tcp/${socat_port}/service/$project_id/secure/api" - - run_success "$OCKAM" node create green - run_success "$OCKAM" tcp-inlet create --at /node/green --from "${inlet_port}" \ - --via "${relay_name}" - - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:${inlet_port}" - status=$("$OCKAM" relay show "${relay_name}" --output json | jq .connection_status -r) - assert_equal "$status" "Up" - - kill -QUIT $socat_pid - sleep 1 - run_failure curl -sfI -m 3 "127.0.0.1:${inlet_port}" - sleep 40 - status=$("$OCKAM" relay show "${relay_name}" --output json | jq .connection_status -r) - assert [ "$status" != "Up" ] - - # restore connection - socat TCP-LISTEN:${socat_port},reuseaddr TCP:${project_address}:${project_port} & - socat_pid=$! 
- sleep 2 - - run_success curl -sfI --retry-all-errors --retry-delay 2 --retry 10 -m 30 "127.0.0.1:${inlet_port}" - status=$("$OCKAM" relay show "${relay_name}" --output json | jq .connection_status -r) - assert_equal "$status" "Up" - - kill -QUIT $socat_pid -} - -@test "portals - create a local TLS inlet, https works without skipping verification" { - skip - port="$(random_port)" - - ticket=$($OCKAM project ticket --usage-count 10 --tls) - setup_home_dir - run_success "$OCKAM" project enroll "${ticket}" - - run_success "$OCKAM" node create blue - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - run_success "$OCKAM" tcp-inlet create --tls --from $port --to /secure/api/service/outlet - - # first wait for the connection without validation - run_success curl -sfI --insecure --retry-all-errors --retry-delay 5 --retry 10 -m 5 \ - "https://127.0.0.1:${port}" - - # extract certificate subject - subject=$(openssl s_client -showcerts -connect "127.0.0.1:${port}" &1 | - grep -o 'subject=CN=.*' | sed -E 's/.*CN=[*][.](.*)/\1/') - - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 \ - "https://arbitrary-name.${subject}:${port}" -} diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/projects.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/projects.bats index b8dcf55d21f..22e5073ae6a 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/projects.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/projects.bats 
@@ -20,21 +20,10 @@ teardown() { run_success "$OCKAM" project version } -@test "project - enrollment from file - parse check" { - TICKET_PATH="$OCKAM_HOME/p.ticket" - run_success bash -c "$OCKAM project ticket --usage-count 10 >$TICKET_PATH" - - # From file - run_success "$OCKAM" project enroll $TICKET_PATH --test-argument-parser - - # From contents - run_success "$OCKAM" project enroll $(cat $TICKET_PATH) --test-argument-parser -} - @test "projects - enrollment with controller" { ENROLLED_OCKAM_HOME=$OCKAM_HOME - # Change new home directories for two un-enrolled identities + # Create new home directories for two un-enrolled identities setup_home_dir GREEN_OCKAM_HOME=$OCKAM_HOME run_success "$OCKAM" project import --project-file $PROJECT_PATH @@ -102,7 +91,8 @@ teardown() { # Now the green node, with its green identity, can now access the project's services export OCKAM_HOME=$NON_ENROLLED_OCKAM_HOME - run_success "$OCKAM" relay create "$relay_name" + run_success "$OCKAM" relay create "$relay_name" --jq ".connection_status" + assert_output "\"Up\"" } @test "projects - send a message to a project node from an embedded node, enrolled member on different install" { diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/relay.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/relay.bats index c1b3570f09d..0c48d69176d 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/relay.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/relay.bats 
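Review bot: Dropping the `project - enrollment from file - parse check` test removes the only visible coverage of `project enroll` accepting both a ticket file path and the raw ticket contents (`$(cat $TICKET_PATH)`); the `nodes.bats` changes in this patch exercise `--enrollment-ticket <path>` and `ENROLLMENT_TICKET=<contents>`, but not `project enroll <contents>` itself. If the intent was to move it into the `orchestrator_enroll` suite rather than delete it, I could not find it there in this patch. One line restores it under the new suite: `run_success "$OCKAM" project enroll $(cat $(get_default_ticket)) --test-argument-parser`. The second hunk's `--jq ".connection_status"` with `assert_output "\"Up\""` is a good tightening over the bare `relay create`.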
@@ -17,22 +17,6 @@ teardown() { # ===== TESTS -@test "relay - create relay with default parameters" { - port="$(random_port)" - - run_success "$OCKAM" node create blue - run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT - - relay_name="$(random_str)" - run_success "$OCKAM" relay create $relay_name - - run_success "$OCKAM" node create green - run_success bash -c "$OCKAM secure-channel create --from /node/green --to /project/default/service/forward_to_$relay_name/service/api \ - | $OCKAM tcp-inlet create --at /node/green --from $port --to -/service/outlet" - - run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port" -} - @test "relay - control who can create/claim a relay" { run_success "$OCKAM" identity create green run_success "$OCKAM" identity create blue diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/spaces.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/spaces.bats index 72796b1b3ff..1a67c565496 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/spaces.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/spaces.bats @@ -17,10 +17,6 @@ teardown() { # ===== TESTS -@test "spaces - list" { - run_success "$OCKAM" space list -} - @test "spaces - CRUD admins" { # get space admin email (the one used to enroll) run_success "$OCKAM" space-admin list --jq ".[0].email" diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/message.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/message.bats new file mode 100644 index 00000000000..7f088a6b0c0 --- /dev/null +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/message.bats 
@@ -0,0 +1,38 @@ +#!/bin/bash + +# ===== SETUP + +setup() { + load ../load/base.bash + load ../load/orchestrator.bash + load_bats_ext + setup_home_dir + skip_if_orchestrator_tests_not_enabled + copy_enrolled_home_dir +} + +teardown() { + teardown_home_dir +} + +# ===== TESTS + +@test "message - send a message to a project node from an embedded node, passing identity" { + run_success "$OCKAM" identity create m1 + m1_identifier=$($OCKAM identity show m1) + + run_success "$OCKAM" project-member add "$m1_identifier" --attribute role=member + sleep 2 + + # m1 identity was added by enroller + run_success "$OCKAM" project enroll --identity m1 + + # m1 is a member, must be able to contact the project' service + msg=$(random_str) + run_success "$OCKAM" message send --timeout 5 --identity m1 --to /project/default/service/echo "$msg" + assert_output "$msg" + + # m2 is not a member, must not be able to contact the project' service + run_success "$OCKAM" identity create m2 + run_failure "$OCKAM" message send --no-retry --timeout 5 --identity m2 --to /project/default/service/echo "$msg" +} diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/node_control_api.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/node_control_api.bats index 723600ef99b..f1745ee136e 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/node_control_api.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/node_control_api.bats @@ -14,10 +14,11 @@ teardown() { } @test "node control api - relay node resolution" { + relay=$(random_str) ticket=$($OCKAM project ticket \ --attribute node_control_api_backend \ --attribute node_control_api_frontend \ - --relay red) + --relay $relay) api_port="$(random_port)" frontend_node_port="$(random_port)" 
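Review bot: The negative case at the end of `message - send a message ... passing identity` only asserts that `message send --identity m2` fails, so a network hiccup, a timeout, or the echo service being down would satisfy it just as well as the intended credential rejection; assert on the failure reason too, e.g. `assert_output --partial "<the rejection text the project returns for a non-member>"`, adjusting the text to what the command actually prints. The fixed `sleep 2` after `project-member add` is a timing guess; if a `project-member` listing can confirm the member is visible, polling it would make the following `project enroll --identity m1` step less flaky. The old `orchestrator/message.bats` also had the background-node and `--hex` tests, which are not in this new file; I assume they landed in `orchestrator_enrolled/message.bats`, whose contents are not in this chunk.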
@@ -45,7 +46,7 @@ teardown() { backend: true, node-resolution: direct-connection }}}" - run_success "$OCKAM" relay create --to red --at "/ip4/127.0.0.1/tcp/${frontend_node_port}/secure/api" red + run_success "$OCKAM" relay create --to red --at "/ip4/127.0.0.1/tcp/${frontend_node_port}/secure/api" ${relay} # verify that it can be accessed via control node api run_success curl -vf \ @@ -95,6 +96,7 @@ teardown() { @test "node control api - portals" { ticket=$($OCKAM project ticket \ + --usage-count 5 \ --attribute node_control_api_backend \ --attribute node_control_api_frontend) api_port="$(random_port)" @@ -193,6 +195,7 @@ teardown() { @test "node control api - relay" { ticket=$($OCKAM project ticket \ + --usage-count 5 \ --attribute node_control_api_backend \ --attribute node_control_api_frontend \ --relay "my-address") @@ -266,6 +269,7 @@ teardown() { @test "node control api - ticket" { ticket=$($OCKAM project ticket \ + --usage-count 5 \ --enroller \ --attribute node_control_api_backend \ --attribute node_control_api_frontend) @@ -306,6 +310,7 @@ teardown() { @test "node control api - local authority ticket" { ticket=$($OCKAM project ticket \ + --usage-count 5 \ --enroller \ --attribute node_control_api_backend \ --attribute node_control_api_frontend) @@ -377,6 +382,7 @@ EOF @test "node control api - authority members" { ticket=$($OCKAM project ticket \ + --usage-count 5 \ --enroller \ --attribute node_control_api_backend \ --attribute node_control_api_frontend) diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/nodes.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/nodes.bats index ecea1cd8e2d..c326f90e290 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/nodes.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/nodes.bats 
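Review bot: The `--usage-count 5` added to the `--enroller` tickets in the `ticket`, `local authority ticket` and `authority members` tests bounds reuse but not lifetime; an enroller ticket can mint further enrollments, and the shared ticket this same patch adds in `load/orchestrator.bash` already pairs `--usage-count` with `--expires-in 1h`, so the same bound belongs here, e.g. `--usage-count 5 --expires-in 1h \`. In the `relay node resolution` test `--relay $relay` and the trailing `${relay}` argument are unquoted; `random_str` presumably yields a safe token, but `"$relay"` costs nothing and matches how `$relay_name` is quoted elsewhere in these suites. The test bodies continue outside the hunks.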
@@ -18,15 +18,13 @@ teardown() { # ===== TESTS @test "nodes - create with config, admin enrolling twice with the project doesn't return error" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - cat <"$OCKAM_HOME/config.yaml" name: n1 EOF ## The default identity is already enrolled, so the enrollment step should be skipped run_success "$OCKAM" node create "$OCKAM_HOME/config.yaml" \ - --enrollment-ticket "$OCKAM_HOME/enrollment.ticket" + --enrollment-ticket $(get_default_ticket) run_success "$OCKAM" message send hello --timeout 5 --to "/node/n1/secure/api/service/echo" } @@ -88,7 +86,7 @@ EOF run_success "$OCKAM" message send --timeout 5 hello --to "/node/n1/secure/api/service/echo" run_success "$OCKAM" message send --timeout 5 hello --to "/project/default/service/forward_to_$RELAY_NAME/secure/api/service/echo" # tcp-listener-address set to expected port - run_success "$OCKAM" message send --timeout 5 hello --to "/dnsaddr/127.0.0.1/tcp/$NODE_PORT/secure/api/service/echo" + run_success "$OCKAM" message send --timeout 5 hello --to "/ip4/127.0.0.1/tcp/$NODE_PORT/secure/api/service/echo" # portal is working: inlet -> relay -> outlet -> python server run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$CLIENT_PORT" } @@ -125,7 +123,7 @@ EOF run_success "$OCKAM" message send --timeout 5 hello --to "/node/n1/secure/api/service/echo" run_success "$OCKAM" message send --timeout 5 hello --to "/project/default/service/forward_to_$RELAY_NAME/secure/api/service/echo" # tcp-listener-address set to expected port - run_success "$OCKAM" message send --timeout 5 hello --to "/dnsaddr/127.0.0.1/tcp/$NODE_PORT/secure/api/service/echo" + run_success "$OCKAM" message send --timeout 5 hello --to "/ip4/127.0.0.1/tcp/$NODE_PORT/secure/api/service/echo" # portal is working: inlet -> relay -> outlet -> python server run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$CLIENT_PORT" } 
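Review bot: `--enrollment-ticket $(get_default_ticket)` is an unquoted command substitution; if the helper ever prints nothing, the option is left without a value and the test dies with an argument-parsing error instead of a message about the ticket, so write `--enrollment-ticket "$(get_default_ticket)"` here and at the other call sites in this file. The `admin enrolling twice` test now shares one 1000-use, 1h ticket with the rest of the suite, which is fine for its "enrollment is skipped" premise but means a ticket exhausted or expired by earlier tests will surface first here with an unrelated-looking failure. The test body continues past the hunk.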
@@ -207,7 +205,7 @@ EOF @test "nodes - create with config, using the specified identity" { export RELAY_NAME=$(random_str) - $OCKAM project ticket --relay "$RELAY_NAME" >"$OCKAM_HOME/enrollment.ticket" + $OCKAM project ticket --usage-count 5 --relay "$RELAY_NAME" >"$OCKAM_HOME/enrollment.ticket" ticket_path="$OCKAM_HOME/enrollment.ticket" setup_home_dir @@ -226,22 +224,16 @@ EOF } @test "nodes - create with config, using the specified enrollment ticket" { - $OCKAM project ticket >"$OCKAM_HOME/enrollment.ticket" - ticket_path="$OCKAM_HOME/enrollment.ticket" - setup_home_dir # The identity will be enrolled - run_success "$OCKAM" node create n1 --identity i1 --enrollment-ticket "$ticket_path" + run_success "$OCKAM" node create n1 --identity i1 --enrollment-ticket $(get_default_ticket) # Check that the identity can reach the project run_success $OCKAM message send hi --identity i1 --to "/project/default/service/echo" } @test "nodes - create with config, using the specified enrollment ticket, overriding config" { - $OCKAM project ticket >"$OCKAM_HOME/enrollment.ticket" - ticket_path="$OCKAM_HOME/enrollment.ticket" - setup_home_dir cat <"$OCKAM_HOME/config.yaml" ticket: other.ticket @@ -250,7 +242,7 @@ identity: i2 EOF # The values from the config file will be overridden by the command line arguments - run_success "$OCKAM" node create n1 --identity i1 --enrollment-ticket "$ticket_path" + run_success "$OCKAM" node create n1 --identity i1 --enrollment-ticket $(get_default_ticket) run_failure "$OCKAM" node show n2 run_failure "$OCKAM" identity show i2 @@ -259,8 +251,7 @@ EOF } @test "nodes - create with config, using the specified enrollment ticket as an env var" { - $OCKAM project ticket >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET=$(cat "$OCKAM_HOME/enrollment.ticket") + export ENROLLMENT_TICKET=$(cat $(get_default_ticket)) setup_home_dir # The ENROLLMENT_TICKET is parsed automatically, so the `node create` command will 
@@ -273,8 +264,7 @@ EOF } @test "nodes - create with config, using the specified enrollment ticket as an env var, in foreground" { - $OCKAM project ticket >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET=$(cat "$OCKAM_HOME/enrollment.ticket") + export ENROLLMENT_TICKET=$(cat $(get_default_ticket)) setup_home_dir run_success "$OCKAM" node create n1 -f & @@ -286,8 +276,7 @@ EOF } @test "nodes - create with config, using a json-encoded enrollment ticket" { - $OCKAM project ticket --output json >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET="$OCKAM_HOME/enrollment.ticket" + export ENROLLMENT_TICKET=$(get_default_ticket) setup_home_dir cat <"$OCKAM_HOME/config.yaml" @@ -323,18 +312,16 @@ EOF } @test "nodes - create with inline config 1" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET="$OCKAM_HOME/enrollment.ticket" + export ENROLLMENT_TICKET=$(get_default_ticket) setup_home_dir - run_success "$OCKAM" node create "{ \"name\": \"n1\" }" + run_success "$OCKAM" node create "{ \"name\": \"n1\" }" run_success "$OCKAM" node show n1 run_success $OCKAM message send hi --from n1 --to "/project/default/service/echo" } @test "nodes - create with inline config 2" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET="$OCKAM_HOME/enrollment.ticket" + export ENROLLMENT_TICKET=$(get_default_ticket) setup_home_dir run_success "$OCKAM" node create "{ \"ticket\": \"$ENROLLMENT_TICKET\", \"name\": \"n2\" }" 
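Review bot: In the `json-encoded enrollment ticket` test (second hunk) the replacement ticket comes from `get_default_ticket`, which this patch creates with plain `project ticket --usage-count 1000 --expires-in 1h`, i.e. without the `--output json` the removed line used; unless the default ticket encoding is already JSON, which I cannot see here, the test no longer exercises a JSON-encoded ticket while still claiming to. Either keep a dedicated ticket for this test, `$OCKAM project ticket --usage-count 5 --output json >"$OCKAM_HOME/enrollment.ticket"`, or rename the test to match what it now covers. The test body continues past the hunk.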
@@ -343,18 +330,14 @@ EOF } @test "nodes - create with inline config 3" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - ticket_path="$OCKAM_HOME/enrollment.ticket" - setup_home_dir - run_success "$OCKAM" node create "{ \"name\": \"n3\" }" --enrollment-ticket "$ticket_path" + run_success "$OCKAM" node create "{ \"name\": \"n3\" }" --enrollment-ticket $(get_default_ticket) run_success "$OCKAM" node show n3 run_success $OCKAM message send hi --from n3 --to "/project/default/service/echo" } @test "nodes - create with inline config 4" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET="$OCKAM_HOME/enrollment.ticket" + export ENROLLMENT_TICKET=$(get_default_ticket) setup_home_dir run_success "$OCKAM" node create "{ \"name\": \"n4\" }" --foreground & @@ -364,8 +347,7 @@ EOF } @test "nodes - create with inline config 5" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - export ENROLLMENT_TICKET="$OCKAM_HOME/enrollment.ticket" + export ENROLLMENT_TICKET=$(get_default_ticket) setup_home_dir run_success "$OCKAM" node create "{ \"ticket\": \"$ENROLLMENT_TICKET\", \"name\": \"n5\" }" --foreground & @@ -375,11 +357,8 @@ EOF } @test "nodes - create with inline config 6" { - $OCKAM project ticket --usage-count 5 >"$OCKAM_HOME/enrollment.ticket" - ticket_path="$OCKAM_HOME/enrollment.ticket" - setup_home_dir - run_success "$OCKAM" node create "{ \"name\": \"n6\" }" --enrollment-ticket "$ticket_path" --foreground & + run_success "$OCKAM" node create "{ \"name\": \"n6\" }" --enrollment-ticket $(get_default_ticket) --foreground & sleep 10 run_success "$OCKAM" node show n6 run_success $OCKAM message send hi --from n6 --to "/project/default/service/echo" 
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/portals.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/portals.bats
new file mode 100644
index 00000000000..edbbc891931
--- /dev/null
+++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/portals.bats
@@ -0,0 +1,261 @@
+#!/bin/bash
+
+# ===== SETUP
+
+setup() {
+ load ../load/base.bash
+ load ../load/orchestrator.bash
+ load_bats_ext
+ setup_home_dir
+ skip_if_orchestrator_tests_not_enabled
+ copy_enrolled_home_dir
+}
+
+teardown() {
+ teardown_home_dir
+}
+
+# ===== TESTS
+
+@test "portals - create an inlet using only default arguments, an outlet, a relay in an orchestrator project and move tcp traffic through it" {
+ run_success "$OCKAM" node create blue
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+
+ relay_name=$(random_str)
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+
+ addr=$($OCKAM tcp-inlet create --via $relay_name)
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 $addr
+}
+
+@test "portals - create an inlet (with implicit secure channel creation), an outlet, a relay in an orchestrator project and move tcp traffic through it" {
+ port="$(random_port)"
+
+ run_success "$OCKAM" node create blue
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+
+ relay_name="$(random_str)"
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+
+ run_success "$OCKAM" node create green
+ run_success "$OCKAM" tcp-inlet create --at /node/green --from "$port" --via "$relay_name"
+
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port"
+}
+
+@test "portals - inlet (with implicit secure channel creation) / outlet example with credential, not provided" {
+ port="$(random_port)"
+ ENROLLED_OCKAM_HOME=$OCKAM_HOME
+ setup_home_dir
+ NON_ENROLLED_OCKAM_HOME=$OCKAM_HOME
+ "$OCKAM" project import --project-file $PROJECT_PATH
+
+ run_success "$OCKAM" identity create green
+ run_success "$OCKAM" identity create blue
+ green_identifier=$($OCKAM identity show green)
+ blue_identifier=$($OCKAM identity show blue)
+
+ relay_name="$(random_str)"
+ run_success "$OCKAM" node create green --identity green
+ run_success "$OCKAM" node create blue --identity blue
+
+ # Green isn't enrolled as project member
+ export OCKAM_HOME=$ENROLLED_OCKAM_HOME
+ run_success "$OCKAM" project-member add "$blue_identifier" --attribute role=member --relay $relay_name
+ sleep 2
+
+ export OCKAM_HOME=$NON_ENROLLED_OCKAM_HOME
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+ assert_output --partial "forward_to_$relay_name"
+
+ run_success "$OCKAM" tcp-inlet create --at /node/green --from "$port" --via "$relay_name"
+ # Green can't establish secure channel with blue, because it isn't a member
+ run_failure curl -sfI -m 3 "127.0.0.1:$port"
+}
+
+@test "portals - inlet/outlet example with credential" {
+ port="$(random_port)"
+ ENROLLED_OCKAM_HOME=$OCKAM_HOME
+
+ # Setup non-enrolled identities
+ setup_home_dir
+ NON_ENROLLED_OCKAM_HOME=$OCKAM_HOME
+ "$OCKAM" project import --project-file $PROJECT_PATH
+
+ run_success "$OCKAM" identity create green
+ run_success "$OCKAM" identity create blue
+ green_identifier=$($OCKAM identity show green)
+ blue_identifier=$($OCKAM identity show blue)
+
+ relay_name="$(random_str)"
+ run_success "$OCKAM" node create green --identity green
+ run_success "$OCKAM" node create blue --identity blue
+
+ # Add identities as members of the project
+ export OCKAM_HOME=$ENROLLED_OCKAM_HOME
+ run_success "$OCKAM" project-member add "$blue_identifier" --attribute role=member --relay $relay_name
+ run_success "$OCKAM" project-member add "$green_identifier" --attribute role=member
+ sleep 2
+
+ # Use project from the now enrolled identities
+ export OCKAM_HOME=$NON_ENROLLED_OCKAM_HOME
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+ assert_output --partial "forward_to_$relay_name"
+
+ run_success bash -c "$OCKAM secure-channel create --from /node/green --to /project/default/service/forward_to_$relay_name/service/api \
+ | $OCKAM tcp-inlet create --at /node/green --from $port --to -/service/outlet"
+
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port"
+}
+
+@test "portals - inlet (with implicit secure channel creation) / outlet example with enrollment token" {
+ port="$(random_port)"
+ ENROLLED_OCKAM_HOME=$OCKAM_HOME
+
+ relay_name="$(random_str)"
+ green_token=$($OCKAM project ticket --usage-count 10 --attribute app=app1)
+ blue_token=$($OCKAM project ticket --usage-count 10 --attribute app=app1 --relay $relay_name)
+
+ setup_home_dir
+ NON_ENROLLED_OCKAM_HOME=$OCKAM_HOME
+ # "$OCKAM" project import --project-file $PROJECT_PATH
+
+ run_success "$OCKAM" identity create green
+ run_success "$OCKAM" identity create blue
+
+ run_success "$OCKAM" project enroll $green_token --identity green
+ run_success "$OCKAM" node create green --identity green
+
+ run_success "$OCKAM" project enroll $blue_token --identity blue
+ run_success "$OCKAM" node create blue --identity blue
+
+ run_success "$OCKAM" tcp-outlet create --at /node/blue \
+ --to 127.0.0.1:$PYTHON_SERVER_PORT --allow '(= subject.app "app1")'
+
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+ assert_output --partial "forward_to_$relay_name"
+
+ run_success "$OCKAM" tcp-inlet create --at /node/green \
+ --from "$port" --via "$relay_name" --allow '(= subject.app "app1")'
+
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port"
+}
+
+@test "portals - local inlet and outlet passing through a relay, removing and re-creating the outlet" {
+ inlet_port="$(random_port)"
+ node_port="$(random_port)"
+ relay_name="$(random_str)"
+
+ run_success "$OCKAM" node create blue --tcp-listener-address "127.0.0.1:$node_port"
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+
+ run_success "$OCKAM" node create green
+ run_success "$OCKAM" tcp-inlet create --at /node/green --from "$inlet_port" --via "$relay_name"
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$inlet_port"
+
+ $OCKAM node delete blue --yes
+ run_failure curl -sfI -m 3 "127.0.0.1:$inlet_port"
+
+ run_success "$OCKAM" node create blue --tcp-listener-address "127.0.0.1:$node_port"
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+ run_success "$OCKAM" relay create "$relay_name" --to /node/blue
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$inlet_port"
+}
+
+@test "portals - create an inlet/outlet pair, copy heavy payload" {
+ port="$(random_port)"
+ relay_name="$(random_str)"
+
+ run_success "$OCKAM" node create blue
+ sleep 1
+ run_success "$OCKAM" relay create "${relay_name}" --to /node/blue
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to "$PYTHON_SERVER_PORT"
+
+ run_success "$OCKAM" node create green
+ run_success "$OCKAM" tcp-inlet create --at /node/green --from "${port}" \
+ --to "/project/default/service/forward_to_${relay_name}/secure/api/service/outlet"
+
+ # generate 10MB of random data
+ run_success openssl rand -out "${OCKAM_HOME_BASE}/.tmp/payload" $((1024 * 1024 * 10))
+
+ # write payload to file `payload.copy`
+ run_success curl -sf --retry-all-errors --retry-delay 5 --retry 10 -m 60 "127.0.0.1:${port}/.tmp/payload" -o "${OCKAM_HOME}/payload.copy"
+
+ # compare `payload` and `payload.copy`
+ run_success cmp "${OCKAM_HOME_BASE}/.tmp/payload" "${OCKAM_HOME}/payload.copy"
+}
+
+@test "portals - create an inlet/outlet pair, connection goes down, connection restored" {
+ inlet_port="$(random_port)"
+ socat_port="$(random_port)"
+
+ project_address=$($OCKAM project show default --output json | jq .access_route -r | sed 's#/dnsaddr/\([^/]*\)/.*#\1#')
+ project_port=$($OCKAM project show default --output json | jq .access_route -r | sed 's#.*/tcp/\([^/]*\)/.*#\1#')
+ project_id=$($OCKAM project show default --output json | jq .id -r)
+
+ # pass traffic through socat, so we can simulate the connection being interrupted
+ socat TCP-LISTEN:${socat_port},reuseaddr TCP:${project_address}:${project_port} &
+ socat_pid=$!
+
+ run_success "$OCKAM" node create blue
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+
+ relay_name="$(random_str)"
+ run_success "$OCKAM" relay create "${relay_name}" --project-relay --to /node/blue \
+ --at "/ip4/127.0.0.1/tcp/${socat_port}/service/$project_id/secure/api"
+
+ run_success "$OCKAM" node create green
+ run_success "$OCKAM" tcp-inlet create --at /node/green --from "${inlet_port}" \
+ --via "${relay_name}"
+
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:${inlet_port}"
+ status=$("$OCKAM" relay show "${relay_name}" --output json | jq .connection_status -r)
+ assert_equal "$status" "Up"
+
+ kill -QUIT $socat_pid
+ sleep 1
+ run_failure curl -sfI -m 3 "127.0.0.1:${inlet_port}"
+ sleep 40
+ status=$("$OCKAM" relay show "${relay_name}" --output json | jq .connection_status -r)
+ assert [ "$status" != "Up" ]
+
+ # restore connection
+ socat TCP-LISTEN:${socat_port},reuseaddr TCP:${project_address}:${project_port} &
+ socat_pid=$!
+ sleep 2 + + run_success curl -sfI --retry-all-errors --retry-delay 2 --retry 10 -m 30 "127.0.0.1:${inlet_port}" + status=$("$OCKAM" relay show "${relay_name}" --output json | jq .connection_status -r) + assert_equal "$status" "Up" + + kill -QUIT $socat_pid +} + +@test "portals - create a local TLS inlet, https works without skipping verification" { + skip + port="$(random_port)" + + ticket=$($OCKAM project ticket --usage-count 10 --tls) + setup_home_dir + run_success "$OCKAM" project enroll "${ticket}" + + run_success "$OCKAM" node create blue + run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT + run_success "$OCKAM" tcp-inlet create --tls --from $port --to /secure/api/service/outlet + + # first wait for the connection without validation + run_success curl -sfI --insecure --retry-all-errors --retry-delay 5 --retry 10 -m 5 \ + "https://127.0.0.1:${port}" + + # extract certificate subject + subject=$(openssl s_client -showcerts -connect "127.0.0.1:${port}" &1 | + grep -o 'subject=CN=.*' | sed -E 's/.*CN=[*][.](.*)/\1/') + + run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 \ + "https://arbitrary-name.${subject}:${port}" +} diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/relay.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/relay.bats index c3ef504163d..63e7714dbb9 100644 --- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/relay.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/relay.bats @@ -21,7 +21,7 @@ teardown() { relay_name=$(random_str) relay_ticket_path="$OCKAM_HOME/relay.ticket" - run_success bash -c "$OCKAM project ticket --usage-count 1 --relay $relay_name > $relay_ticket_path" + run_success bash -c "$OCKAM project ticket --usage-count 5 --relay $relay_name > $relay_ticket_path" setup_home_dir $OCKAM project enroll $relay_ticket_path 
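Review bot: The `socat` relays started in the `connection goes down, connection restored` test are only stopped by the two `kill -QUIT $socat_pid` lines inside the test body, so any `run_success`/`assert_equal` failure before them leaves a socat process listening on `$socat_port` after the test, and `teardown` only calls `teardown_home_dir`. bats runs `teardown` in the same process as the test body, so the pid is visible there; `teardown() { [ -n "${socat_pid:-}" ] && kill "$socat_pid" 2>/dev/null; teardown_home_dir; }` (or a `trap`) closes the leak for both socat instances. Separately, the bare `skip` at the top of the TLS inlet test gives no reason; bats accepts `skip "reason"`, and a line such as `skip "TLS inlet test disabled — TODO: re-enable once <reason>"` keeps the intent visible in the report. The `openssl s_client ... &1 |` line in that same test looks truncated (a redirection appears to be missing before `&1`), which may be an artefact of how this page was rendered — worth checking the file as committed.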
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator/use_cases.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/use_cases.bats
similarity index 100%
rename from implementations/rust/ockam/ockam_command/tests/bats/orchestrator/use_cases.bats
rename to implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/use_cases.bats
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/README.md b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/README.md
new file mode 100644
index 00000000000..c1a09131f01
--- /dev/null
+++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/README.md
@@ -0,0 +1,2 @@
+This suite includes tests that require an enrolled identity but doesn't need to generate/enroll new tickets
+or add new members to a project.
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/command_reference.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/command_reference.bats
similarity index 100%
rename from implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/command_reference.bats
rename to implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/command_reference.bats
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/message.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/message.bats
new file mode 100644
index 00000000000..b0a68f0f64f
--- /dev/null
+++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/message.bats
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# ===== SETUP
+
+setup() {
+ load ../load/base.bash
+ load ../load/orchestrator.bash
+ load_bats_ext
+ setup_home_dir
+ skip_if_orchestrator_tests_not_enabled
+ copy_enrolled_home_dir
+}
+
+teardown() {
+ teardown_home_dir
+}
+
+# ===== TESTS
+
+@test "message - send a message to a project node from a background node" {
+ run_success "$OCKAM" node create blue
+
+ msg=$(random_str)
+ run_success "$OCKAM" message send "$msg" --from /node/blue --to /project/default/service/echo
+ assert_output "$msg"
+}
+
+@test "message - send a hex encoded message to a project node from an embedded node" {
+ msg=$(random_hex_str)
+ run_success "$OCKAM" message send "$msg" --to /project/default/service/echo --hex
+ assert_output "$msg"
+}
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/relay.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/relay.bats
new file mode 100644
index 00000000000..d0c2cbd0f60
--- /dev/null
+++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/relay.bats
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# ===== SETUP
+
+setup() {
+ load ../load/base.bash
+ load ../load/orchestrator.bash
+ load_bats_ext
+ setup_home_dir
+ skip_if_orchestrator_tests_not_enabled
+ copy_enrolled_home_dir
+}
+
+teardown() {
+ teardown_home_dir
+}
+
+# ===== TESTS
+
+@test "relay - create relay with default parameters" {
+ port="$(random_port)"
+
+ run_success "$OCKAM" node create blue
+ run_success "$OCKAM" tcp-outlet create --at /node/blue --to 127.0.0.1:$PYTHON_SERVER_PORT
+
+ relay_name="$(random_str)"
+ run_success "$OCKAM" relay create $relay_name
+
+ run_success "$OCKAM" node create green
+ run_success bash -c "$OCKAM secure-channel create --from /node/green --to /project/default/service/forward_to_$relay_name/service/api \
+ | $OCKAM tcp-inlet create --at /node/green --from $port --to -/service/outlet"
+
+ run_success curl -sfI --retry-all-errors --retry-delay 5 --retry 10 -m 5 "127.0.0.1:$port"
+}
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/setup_suite.bash b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/setup_suite.bash
new file mode 100644
index 00000000000..3bdfae9ce59
--- /dev/null
+++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/setup_suite.bash
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+setup_suite() {
+ load ../load/base.bash
+ load ../load/orchestrator.bash
+ orchestrator_setup_suite
+}
+
+teardown_suite() {
+ load ../load/base.bash
+ load ../load/orchestrator.bash
+ orchestrator_teardown_suite
+}
diff --git a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/trust.bats b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/trust.bats
similarity index 88%
rename from implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/trust.bats
rename to implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/trust.bats
index 8b019e7aead..082bdebaa3f 100644
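Review bot: `run_success "$OCKAM" relay create $relay_name` in the new relay test is the only unquoted use of `$relay_name` in this file; the other new bats files in this commit write `"$relay_name"`, so `run_success "$OCKAM" relay create "$relay_name"` keeps the convention. The following `bash -c "..."` line interpolates `$relay_name` and `$port` into a shell string, which is safe here only because both come from `random_str`/`random_port`; a one-line comment such as `# relay_name/port are generated locally, never user input` records why string interpolation into bash -c is acceptable in this test, and a note that the pipe presumably feeds the secure-channel address into `tcp-inlet create --to -/service/outlet` would explain the `-` placeholder to a reader new to the CLI.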
--- a/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/trust.bats +++ b/implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/trust.bats @@ -50,13 +50,13 @@ teardown() { run_success "$OCKAM" node create attacker --identity attacker --authority-identity $attacker_identity # Fail, attacker won't present any credential - run_failure $OCKAM message send --no-retry --timeout 2 --from attacker --identity attacker --to "/dnsaddr/127.0.0.1/tcp/$port/secure/api/service/echo" $msg + run_failure $OCKAM message send --no-retry --timeout 2 --from attacker --identity attacker --to "/ip4/127.0.0.1/tcp/$port/secure/api/service/echo" $msg # Fail, attacker will present an invalid credential (self signed rather than signed by authority) attacker_cred=$($OCKAM credential issue --as attacker --for $attacker_identifier --encoding hex) run_success "$OCKAM" credential store --at attacker --issuer "$attacker_identifier" --scope "test" --credential $attacker_cred - run_failure $OCKAM message send --no-retry --timeout 2 --from attacker --identity attacker --to "/dnsaddr/127.0.0.1/tcp/$port/secure/api/service/echo" $msg + run_failure $OCKAM message send --no-retry --timeout 2 --from attacker --identity attacker --to "/ip4/127.0.0.1/tcp/$port/secure/api/service/echo" $msg } @test "trust - online authority; Credential Exchange is performed" { @@ -83,7 +83,7 @@ teardown() { assert_success sleep 1 - authority_route="/dnsaddr/127.0.0.1/tcp/$auth_port/service/api" + authority_route="/ip4/127.0.0.1/tcp/$auth_port/service/api" run_success "$OCKAM" node create --identity alice --tcp-listener-address 127.0.0.1:$node_port --authority-identity $authority_identity sleep 1 
@@ -92,12 +92,12 @@ teardown() { # send a message to alice using the trust context msg=$(random_str) - run_success "$OCKAM" message send --timeout 2 --identity bob --from bob_node --to /dnsaddr/127.0.0.1/tcp/$node_port/secure/api/service/echo $msg + run_success "$OCKAM" message send --timeout 2 --identity bob --from bob_node --to /ip4/127.0.0.1/tcp/$node_port/secure/api/service/echo $msg assert_output "$msg" # send a message to authority node echo service to make sure we can use it as a healthcheck endpoint - run_success "$OCKAM" message send --timeout 2 --identity bob --to "/dnsaddr/127.0.0.1/tcp/$auth_port/secure/api/service/echo" $msg + run_success "$OCKAM" message send --timeout 2 --identity bob --to "/ip4/127.0.0.1/tcp/$auth_port/secure/api/service/echo" $msg assert_output "$msg" - run_failure "$OCKAM" message send --no-retry --timeout 2 --identity attacker --to /dnsaddr/127.0.0.1/tcp/$node_port/secure/api/service/echo $msg + run_failure "$OCKAM" message send --no-retry --timeout 2 --identity attacker --to /ip4/127.0.0.1/tcp/$node_port/secure/api/service/echo $msg } diff --git a/implementations/rust/ockam/ockam_command/tests/bats/run.sh b/implementations/rust/ockam/ockam_command/tests/bats/run.sh index 02f723edb1a..4588a2a0c73 100755 --- a/implementations/rust/ockam/ockam_command/tests/bats/run.sh +++ b/implementations/rust/ockam/ockam_command/tests/bats/run.sh @@ -15,6 +15,7 @@ if [ $# -eq 0 ]; then local_suite=true local_as_root_suite=true orchestrator_enroll_suite=true + orchestrator_enrolled_suite=true orchestrator_suite=true serial_suite=true examples_suite=true @@ -23,6 +24,7 @@ else local_suite=false local_as_root_suite=false orchestrator_enroll_suite=false + orchestrator_enrolled_suite=false orchestrator_suite=false serial_suite=false examples_suite=false 
@@ -34,13 +36,13 @@ for suite in "$@"; do local) local_suite=true ;; local_as_root) local_as_root_suite=true ;; orchestrator_enroll) orchestrator_enroll_suite=true ;; + orchestrator_enrolled) orchestrator_enrolled_suite=true ;; orchestrator) orchestrator_suite=true ;; serial) serial_suite=true ;; examples) examples_suite=true ;; kafka) kafka_suite=true ;; *) - echo "Unknown suite: $suite" - exit 1 + echo "Unknown suite: '$suite', ignoring..." ;; esac done @@ -65,6 +67,11 @@ if [ "$orchestrator_enroll_suite" = true ]; then bats "$current_directory/orchestrator_enroll" --timing fi +if [ "$orchestrator_enrolled_suite" = true ]; then + echo "Running orchestrator_enrolled suite..." + bats "$current_directory/orchestrator_enrolled" --timing -j 3 +fi + if [ "$orchestrator_suite" = true ]; then echo "Running orchestrator suite..." bats "$current_directory/orchestrator" --timing @@ -82,5 +89,5 @@ fi if [ "$kafka_suite" = true ]; then echo "Running kafka suite..." - bats "$current_directory/kafka" --timing --jobs 1 + bats "$current_directory/kafka" --timing fi diff --git a/implementations/rust/ockam/ockam_vault/Cargo.toml b/implementations/rust/ockam/ockam_vault/Cargo.toml index cebd363be79..10168750a8c 100644 --- a/implementations/rust/ockam/ockam_vault/Cargo.toml +++ b/implementations/rust/ockam/ockam_vault/Cargo.toml @@ -45,6 +45,7 @@ std = [ "alloc", "p256/std", "storage", + "base64ct", ] # Feature: "no_std" enables functionality required for platforms 
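Review bot: The `*)` branch now prints `Unknown suite: '$suite', ignoring...` and continues where it used to `exit 1`, so a misspelled suite name in a CI invocation selects nothing, prints to stdout and the script presumably exits 0 having run no tests. If tolerating unknown names is intended, the message should at least go to stderr, `echo "Unknown suite: '$suite', ignoring..." >&2`, and setting a flag in that branch (`unknown_suite=true`) that is checked after the known suites have run, `[ "${unknown_suite:-false}" = true ] && exit 1`, keeps a typo from passing silently. The new `orchestrator_enrolled` block in the -65 hunk is the only suite here run with `-j 3`; a one-line comment stating why that suite is safe to parallelise (each of its tests copies its own enrolled home, as far as the new files show) would help whoever adds the next test there.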
@@ -75,6 +76,7 @@ storage = ["ockam_node/storage", "sqlx", "sqlx-core"] aes-gcm = { version = "0.10", default-features = false, features = ["aes", "zeroize"], optional = true } arrayref = "0.3" aws-lc-rs = { version = "=1.11", default-features = false, features = ["non-fips", "bindgen"], optional = true } +base64ct = { version = "=1.6.0", optional = true } cfg-if = "1.0.0" ed25519-dalek = { version = "2.1", default-features = false, features = ["fast", "rand_core", "zeroize"] } hex = { version = "0.4", default-features = false } @@ -103,4 +105,4 @@ tokio = { version = "1.41", features = ["full"] } trybuild = { version = "1.0", features = ["diff"] } [package.metadata.cargo-machete] -ignored = ["ockam_macros", "rand_pcg"] +ignored = ["ockam_macros", "rand_pcg", "base64ct"]
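Review bot: The `base64ct = { version = "=1.6.0", optional = true }` line is added without a comment, and the same crate is immediately put on cargo-machete's `ignored` list in the -103 hunk, which says this crate's code does not reference it directly; the dependency therefore exists only to pin a transitive version, and the reason is not visible in this diff (presumably a newer base64ct release is incompatible with this crate's toolchain — confirm). An exact pin that nothing imports is easy to leave behind long after the constraint is gone, so a comment such as `# Not used directly: pins the transitive base64ct version (see <ISSUE-OR-PR-PLACEHOLDER>); remove once the upstream constraint is lifted` with the actual reason, or a workspace-level pin, would record the intent. Because the crate is only listed under the `std` feature (-45 hunk), the pin holds for std builds alone; worth confirming that no_std builds do not also pull base64ct through another path.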