From 933a2d76f7b4963d42601bf70d60bbe3af22c29b Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Thu, 3 Aug 2023 14:25:13 +0300
Subject: [PATCH 01/22] CLOUD-789 - add test to check password leaks in the logs
---
 e2e-tests/conf/secrets.yml | 2 +-
 e2e-tests/conf/secrets_without_tls.yml | 2 +-
 e2e-tests/functions | 42 +++++++++++++++++++++++
 e2e-tests/init-deploy/compare/root-80.sql | 2 +-
 e2e-tests/init-deploy/run | 5 ++-
 e2e-tests/monitoring-2-0/run | 4 +++
 6 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/e2e-tests/conf/secrets.yml b/e2e-tests/conf/secrets.yml
index 5cafbbf622..8436fb5e99 100644
--- a/e2e-tests/conf/secrets.yml
+++ b/e2e-tests/conf/secrets.yml
@@ -6,7 +6,7 @@ type: Opaque
 data:
 root: cm9vdF9wYXNzd29yZA==
 xtrabackup: YmFja3VwX3Bhc3N3b3Jk
- monitor: bW9uaXRvcg==
+ monitor: bW9uaXRvcl9wYXNzd29yZAo=
 clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
 proxyadmin: YWRtaW5fcGFzc3dvcmQ=
 pmmserver: YWRtaW4=
diff --git a/e2e-tests/conf/secrets_without_tls.yml b/e2e-tests/conf/secrets_without_tls.yml
index 6e7d8f077a..dd95e9052b 100644
--- a/e2e-tests/conf/secrets_without_tls.yml
+++ b/e2e-tests/conf/secrets_without_tls.yml
@@ -6,7 +6,7 @@ type: Opaque
 data:
 root: cm9vdF9wYXNzd29yZA==
 xtrabackup: YmFja3VwX3Bhc3N3b3Jk
- monitor: bW9uaXRvcg==
+ monitor: bW9uaXRvcl9wYXNzd29yZAo=
 clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
 proxyadmin: YWRtaW5fcGFzc3dvcmQ=
 pmmserver: YWRtaW4=
diff --git a/e2e-tests/functions b/e2e-tests/functions
index d0f1d903ad..2dd2a6972f 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
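Review bot: The new `monitor` value `bW9uaXRvcl9wYXNzd29yZAo=` decodes to `monitor_password` followed by a newline (17 bytes), so unless something downstream trims it the stored password differs from the literal `monitor_password` the run scripts pass with `-p`; the same applies to the secrets_without_tls.yml hunk here and to the `pmmserver` values (`cG1tc2VydmVyX3Bhc3N3b3JkCg==`) in PATCH 02. The trailing `o=`/`Cg==` is what `echo | base64` produces; encode with `printf '%s' monitor_password | base64`, which gives `bW9uaXRvcl9wYXNzd29yZA==`. PATCH 17 and 18 later correct both files, so folding those fixes into this commit would keep the series bisectable and the two secret files in step.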
@@ -1518,3 +1518,45 @@ function check_backup_deletion() {
 ((retry += 1))
 done
 }
+
+check_passwords_leak() {
+ secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12")) | not) | .value')
+ echo secrets=$secrets
+
+ passwords="$(for i in $secrets; do base64 -d <<< $i; echo; done) $secrets"
+ echo passwords=$passwords
+
+ pods=$(kubectl_bin get pods -o name | awk -F "/" '{print $2}')
+ echo pods=$pods
+
+ TEMP_DIR=$(mktemp -d)
+
+ collect_logs() {
+ NS=$1
+ for p in $pods; do
+ containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}')
+ for c in $containers; do
+ # temporary, because of: https://jira.percona.com/browse/PMM-8357
+ if [[ ${c,,} =~ "pmm" ]]; then
+ continue
+ fi
+ kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
+ echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
+ for pass in $passwords; do
+ count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
+ if [[ $count != 0 ]]; then
+ echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
+ false
+ fi
+ done
+ done
+ echo
+ done
+ }
+
+ collect_logs $namespace
+ if [ -n "$OPERATOR_NS" ]; then
+ pods=$(kubectl_bin -n "${OPERATOR_NS}" get pods -o name | awk -F "/" '{print $2}')
+ collect_logs $OPERATOR_NS
+ fi
+}
\ No newline at end of file
diff --git a/e2e-tests/init-deploy/compare/root-80.sql b/e2e-tests/init-deploy/compare/root-80.sql
index 98f86faa76..927ac5d5e6 100644
--- a/e2e-tests/init-deploy/compare/root-80.sql
+++ b/e2e-tests/init-deploy/compare/root-80.sql
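Review bot: `echo secrets=$secrets` and `echo passwords=$passwords` print every secret in the namespace, base64 and decoded, to the test's own stdout, so the CI log of the leak check becomes the place the credentials leak; print a count instead, e.g. `echo "checking $(wc -w <<< "$passwords") password candidates"`, never the values. `false` on a match only aborts the run if `set -e` is in force for the caller (not visible here); otherwise the loop in the nested `collect_logs` continues and `check_passwords_leak` returns the status of its last command, so a leak can go unreported — record `leaked=1` at that point and finish the function with `[[ -z ${leaked:-} ]] || return 1`. `kubectl logs` without `--previous` covers only the current container instance, so a password printed before a restart is missed and deserves a comment or a second pass with `-p`. The log copies under `$TEMP_DIR` are never removed, leaving every pod log on the runner; `rm -rf -- "${TEMP_DIR:?}"` at the end (or a `RETURN` trap) would close that.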
@@ -1,2 +1,2 @@
 GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`%` WITH GRANT OPTION
-GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ABORT_EXEMPT,AUDIT_ADMIN,AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FIREWALL_EXEMPT,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,GROUP_REPLICATION_STREAM,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SENSITIVE_VARIABLES_OBSERVER,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`%` WITH GRANT OPTION
+GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ABORT_EXEMPT,AUDIT_ADMIN,AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FIREWALL_EXEMPT,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,GROUP_REPLICATION_STREAM,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SENSITIVE_VARIABLES_OBSERVER,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,TELEMETRY_LOG_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`%` WITH GRANT OPTION
diff --git a/e2e-tests/init-deploy/run b/e2e-tests/init-deploy/run
index 8e23dd1945..fac9e54caf 100755
--- a/e2e-tests/init-deploy/run +++ b/e2e-tests/init-deploy/run @@ -98,7 +98,10 @@ compare_mysql_cmd "select-1" "SELECT * from myApp.myApp;" "-h $cluster3-pxc-0.$c compare_mysql_cmd "select-1" "SELECT * from myApp.myApp;" "-h $cluster3-pxc-1.$cluster3-pxc -uroot -proot_password" compare_mysql_cmd "select-1" "SELECT * from myApp.myApp;" "-h $cluster3-pxc-2.$cluster3-pxc -uroot -proot_password" compare_mysql_cmd "max_allowed_packet-2" "SELECT @@max_allowed_packet;" "-h $cluster3-pxc-0.$cluster3-pxc -uroot -proot_password" -kubectl_bin delete -f $test_dir/conf/$cluster3.yml +desc 'check for passwords leak' +check_passwords_leak + +kubectl_bin delete -f $test_dir/conf/$cluster3.yml destroy $namespace desc "test passed" diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run index e5211176c6..bb2825e448 100755 --- a/e2e-tests/monitoring-2-0/run +++ b/e2e-tests/monitoring-2-0/run @@ -160,6 +160,10 @@ if [[ -n ${OPENSHIFT} ]]; then oc delete rolebinding pmm-pxc-operator-namespace-only fi fi + +desc 'check for passwords leak' +check_passwords_leak + helm uninstall monitoring destroy $namespace desc "test passed" From 0275289b9c9eb87a4f1ad7bcd56bbf0a5d33e360 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Thu, 3 Aug 2023 20:34:16 +0300 Subject: [PATCH 02/22] fixinf the passwords of monitor user and pmmserver user --- e2e-tests/conf/secrets.yml | 2 +- e2e-tests/conf/secrets_without_tls.yml | 2 +- e2e-tests/init-deploy/compare/xtrabackup-80.sql | 2 +- e2e-tests/init-deploy/run | 8 ++++---- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/e2e-tests/conf/secrets.yml b/e2e-tests/conf/secrets.yml index 8436fb5e99..d98e34068f 100644 --- a/e2e-tests/conf/secrets.yml +++ b/e2e-tests/conf/secrets.yml 
@@ -9,7 +9,7 @@ data:
 monitor: bW9uaXRvcl9wYXNzd29yZAo=
 clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
 proxyadmin: YWRtaW5fcGFzc3dvcmQ=
- pmmserver: YWRtaW4=
+ pmmserver: cG1tc2VydmVyX3Bhc3N3b3JkCg==
 operator: b3BlcmF0b3JhZG1pbg==
 replication: cmVwbF9wYXNzd29yZA==
 ---
diff --git a/e2e-tests/conf/secrets_without_tls.yml b/e2e-tests/conf/secrets_without_tls.yml
index dd95e9052b..c5fa5bb54c 100644
--- a/e2e-tests/conf/secrets_without_tls.yml
+++ b/e2e-tests/conf/secrets_without_tls.yml
@@ -9,6 +9,6 @@ data:
 monitor: bW9uaXRvcl9wYXNzd29yZAo=
 clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
 proxyadmin: YWRtaW5fcGFzc3dvcmQ=
- pmmserver: YWRtaW4=
+ pmmserver: cG1tc2VydmVyX3Bhc3N3b3JkCg==
 operator: b3BlcmF0b3JhZG1pbg==
 replication: cmVwbF9wYXNzd29yZA==
\ No newline at end of file
diff --git a/e2e-tests/init-deploy/compare/xtrabackup-80.sql b/e2e-tests/init-deploy/compare/xtrabackup-80.sql
index c5800eeb1d..e527f789a0 100644
--- a/e2e-tests/init-deploy/compare/xtrabackup-80.sql
+++ b/e2e-tests/init-deploy/compare/xtrabackup-80.sql
@@ -1,2 +1,2 @@
 GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `xtrabackup`@`%`
-GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ABORT_EXEMPT,AUDIT_ADMIN,AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FIREWALL_EXEMPT,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,GROUP_REPLICATION_STREAM,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SENSITIVE_VARIABLES_OBSERVER,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `xtrabackup`@`%`
+GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ABORT_EXEMPT,AUDIT_ADMIN,AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FIREWALL_EXEMPT,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,GROUP_REPLICATION_STREAM,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SENSITIVE_VARIABLES_OBSERVER,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,TELEMETRY_LOG_ADMIN,XA_RECOVER_ADMIN ON *.* TO `xtrabackup`@`%`
diff --git a/e2e-tests/init-deploy/run b/e2e-tests/init-deploy/run
index fac9e54caf..f349028c5d 100755
--- a/e2e-tests/init-deploy/run
+++ b/e2e-tests/init-deploy/run @@ -33,19 +33,19 @@ compare_kubectl pdb/$cluster-proxysql desc 'check if MySQL users created' compare_mysql_user "-h $cluster-pxc -uroot -proot_password" -compare_mysql_user "-h $cluster-pxc -umonitor -pmonitor" +compare_mysql_user "-h $cluster-pxc -umonitor -pmonitor_password" compare_mysql_user "-h $cluster-pxc -uproxyuser -ps3cret" compare_mysql_user_local "-uxtrabackup -pbackup_password" "$cluster-pxc-0" "" "pxc" compare_mysql_user_local "-uclustercheck -pclustercheckpassword" "$cluster-pxc-0" "" "pxc" desc "check that pmm server user don't have access" -compare_mysql_user "-h $cluster-pxc -upmmserver -pmonitor" +compare_mysql_user "-h $cluster-pxc -upmmserver -ppmmserver_password" desc 'check if ProxySQL users created' compare_mysql_user "-h $cluster-proxysql -uroot -proot_password" -compare_mysql_user "-h $cluster-proxysql -umonitor -pmonitor" +compare_mysql_user "-h $cluster-proxysql -umonitor -pmonitor_password" desc "check that pmm server user don't have access" compare_mysql_user "-h $cluster-proxysql -uproxyuser -ps3cret" "-proxysql" -compare_mysql_user "-h $cluster-proxysql -upmmserver -pmonitor" "-proxysql" +compare_mysql_user "-h $cluster-proxysql -upmmserver -ppmmserver_password" "-proxysql" desc 'write data directly, read from all' run_mysql \ From e39bcf10dde05dccc4cf76ce34291433f1df5a03 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Thu, 3 Aug 2023 23:58:39 +0300 Subject: [PATCH 03/22] Adding password checks in haproxy and pitr tests --- e2e-tests/functions | 2 +- e2e-tests/haproxy/run | 3 +++ e2e-tests/pitr/run | 7 +++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 2dd2a6972f..9be5a27537 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
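Review bot: `-pmonitor_password` and `-ppmmserver_password` have to equal the decoded `monitor`/`pmmserver` values in secrets.yml, but the values PATCH 02 sets there (`...Ao=` / `...Cg==`) decode with a trailing newline, so whether these logins succeed depends on the operator stripping it — presumably the reason PATCH 17/18 re-encode them. Keeping a single source for the literal, e.g. reading it back with `kubectl_bin get secret ... -o jsonpath='{.data.monitor}' | base64 -d` into a variable and passing `-p"$monitor_pw"`, would stop the two files drifting. The hunk appears to be top-level script code and continues outside it.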
@@ -1520,7 +1520,7 @@ function check_backup_deletion() { } check_passwords_leak() { - secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12")) | not) | .value') + secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12") or contains("release")) | not) | .value') echo secrets=$secrets passwords="$(for i in $secrets; do base64 -d <<< $i; echo; done) $secrets" diff --git a/e2e-tests/haproxy/run b/e2e-tests/haproxy/run index ff72c8f8da..bd0a49d5fd 100755 --- a/e2e-tests/haproxy/run +++ b/e2e-tests/haproxy/run @@ -66,6 +66,9 @@ main() { wait_for_running "$cluster-pxc" 3 check_haproxy_writer + desc 'check for passwords leak' + check_passwords_leak + desc 'delete active writer and checking all haproxy pods still point to the same writer' desc 'fail pxc-pod-0 pod for 60s' fail_pod $cluster-pxc-0 diff --git a/e2e-tests/pitr/run b/e2e-tests/pitr/run index 9bdc4acea2..03615ede56 100755 --- a/e2e-tests/pitr/run +++ b/e2e-tests/pitr/run @@ -95,6 +95,9 @@ main() { run_backup "$cluster" "on-pitr-minio" + desc 'check for passwords leak' + check_passwords_leak + write_test_data "$cluster" desc 'show binlog events' @@ -134,6 +137,10 @@ main() { run_recovery_check_pitr "$cluster" "restore-on-pitr-minio-gtid" "on-pitr-minio" "select-2" "" "" "$gtid" desc "done gtid type" + + desc 'check for passwords leak' + check_passwords_leak + sleep 60 if [[ $(kubectl get pxc-backup on-pitr-minio -o jsonpath='{.status.conditions}' | grep -c 'Binlog with GTID set') -eq 1 ]]; then echo "Binlog gap detected" From 7c5096f9f092e091851428916e1f9d12aae9618d Mon Sep 17 00:00:00 2001 
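Review bot: `contains("release")` skips every key with `release` anywhere in its name, not only the `release` key of Helm's `sh.helm.release.v1.*` secrets it is presumably aimed at, and the jq program is now one 250-character line that grows with each exclusion. Compare exact names, `select(.key == "release" or (.key | endswith(".crt") or ...) | not)`, and keep the filter in a shell variable with one clause per line so later additions stay reviewable. The haproxy and pitr hunks only call the helper and raise nothing new; note the pitr check runs twice in the same `main`, which is fine but worth a comment on why the second pass after the restore is needed.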
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Fri, 4 Aug 2023 15:30:30 +0300
Subject: [PATCH 04/22] fixing diff file with 2 new entries
---
 e2e-tests/users/compare/select-2.sql | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/e2e-tests/users/compare/select-2.sql b/e2e-tests/users/compare/select-2.sql
index 3a2c9f35e2..d41773703b 100644
--- a/e2e-tests/users/compare/select-2.sql
+++ b/e2e-tests/users/compare/select-2.sql
@@ -1,3 +1,4 @@
+coredump_filters
 global_variables
 mysql_aws_aurora_hostgroups
 mysql_collations
@@ -15,6 +16,7 @@ mysql_users
 proxysql_servers
 restapi_routes
 runtime_checksums_values
+runtime_coredump_filters
 runtime_global_variables
 runtime_mysql_aws_aurora_hostgroups
 runtime_mysql_firewall_whitelist_rules
From 681dc6a918809fceb5cd440b86782494bf8f0f0b Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Fri, 4 Aug 2023 16:49:27 +0300
Subject: [PATCH 05/22] trying to be more verbose when a password leak is found
---
 e2e-tests/functions | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/e2e-tests/functions b/e2e-tests/functions
index 9be5a27537..2a14f57003 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -1543,8 +1543,9 @@ check_passwords_leak() {
 kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
 echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
 for pass in $passwords; do
- count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
- if [[ $count != 0 ]]; then
+ echo trying password: $pass
+ grep --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :
+ if [[ $? == 0 ]]; then
 echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
 false
 fi
From d88fea0f61556d5fac5dc7b00cfc8d8b087cf181 Mon Sep 17 00:00:00 2001
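Review bot: `grep ... || :` followed by `if [[ $? == 0 ]]` tests the exit status of `:`, which is always 0, so every password is reported as leaked whether or not grep matched (PATCH 06 goes back to `grep -c`). Independently, `echo trying password: $pass` writes each cleartext credential to stdout once per container and the CI log keeps it; drop the line or print a position, e.g. `echo "trying password candidate $n"`. The bare `grep` without `-q` also prints every matching log line, credential included, to stdout. The `for pass` loop and `collect_logs` continue outside the hunk.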
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Fri, 4 Aug 2023 16:58:01 +0300
Subject: [PATCH 06/22] previsous fix wasn't correct
---
 e2e-tests/functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e-tests/functions b/e2e-tests/functions
index 2a14f57003..f58b949b70 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -1544,8 +1544,8 @@ check_passwords_leak() {
 echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
 for pass in $passwords; do
 echo trying password: $pass
- grep --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :
- if [[ $? == 0 ]]; then
+ count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
+ if [[ $count != 0 ]]; then
 echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
 false
 fi
From 9ad2b34b0c116e333ea222596de07469ea1932d8 Mon Sep 17 00:00:00 2001
From: Tomislav Plavcic
Date: Sat, 5 Aug 2023 17:09:37 +0200
Subject: [PATCH 07/22] Remove bash to lowercase function so it works in older bash
---
 e2e-tests/functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e-tests/functions b/e2e-tests/functions
index f58b949b70..41ecc843b1 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -1537,7 +1537,7 @@ check_passwords_leak() {
 containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}')
 for c in $containers; do
 # temporary, because of: https://jira.percona.com/browse/PMM-8357
- if [[ ${c,,} =~ "pmm" ]]; then
+ if [[ ${c} =~ "pmm" ]]; then
 continue
 fi
 kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
@@ -1560,4 +1560,4 @@ check_passwords_leak() {
 pods=$(kubectl_bin -n "${OPERATOR_NS}" get pods -o name | awk -F "/" '{print $2}')
 collect_logs $OPERATOR_NS
 fi
-}
\ No newline at end of file
+}
From 593b6bcbae0f9b81ea68651ae1ef49f9bb8d7813 Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Mon, 7 Aug 2023 18:37:43 +0300
Subject: [PATCH 08/22] for debugging purposes
---
 e2e-tests/functions | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/e2e-tests/functions b/e2e-tests/functions
index 41ecc843b1..696665bba7 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -1544,6 +1544,9 @@ check_passwords_leak() {
 echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
 for pass in $passwords; do
 echo trying password: $pass
+ echo the content of file ${TEMP_DIR}/logs_output-$p-$c.txt is:
+ echo =========================================================
+ cat ${TEMP_DIR}/logs_output-$p-$c.txt
 count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
 if [[ $count != 0 ]]; then
 echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
From a4c54b29f3c4b9f768a5b23ab4da61a82bff9e3e Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Tue, 8 Aug 2023 09:42:39 +0300
Subject: [PATCH 09/22] for debugging purposes - 2
---
 e2e-tests/functions | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/e2e-tests/functions b/e2e-tests/functions
index 696665bba7..0e5873a1b0 100755
--- a/e2e-tests/functions
+++ b/e2e-tests/functions
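Review bot: `cat ${TEMP_DIR}/logs_output-$p-$c.txt` runs inside the `for pass` loop, so each container log is dumped to stdout once per password before any match is known; PATCH 09 moves it under the leak branch, but there it still copies the whole log, leaked credential included, into the CI output, and PATCH 16's `echo leaked password $pass is found` adds the value once more. Report the location rather than the content: `grep -n --fixed-strings -- "$pass" "$f" | cut -d: -f1` gives the matching line numbers, and the saved file path already tells a developer where to look. Both debugging hunks and their reversal would read better squashed out of the series. The `for pass` loop and `collect_logs` continue outside the hunk.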
@@ -1544,12 +1544,12 @@ check_passwords_leak() { echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt for pass in $passwords; do echo trying password: $pass - echo the content of file ${TEMP_DIR}/logs_output-$p-$c.txt is: - echo ========================================================= - cat ${TEMP_DIR}/logs_output-$p-$c.txt count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :) if [[ $count != 0 ]]; then echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt + echo the content of file ${TEMP_DIR}/logs_output-$p-$c.txt is: + echo ========================================================= + cat ${TEMP_DIR}/logs_output-$p-$c.txt false fi done From e43d04e704f15d30d81574db4390bc099f887b40 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Tue, 8 Aug 2023 14:38:14 +0300 Subject: [PATCH 10/22] for debugging purposes - 3 --- e2e-tests/init-deploy/run | 1 + 1 file changed, 1 insertion(+) diff --git a/e2e-tests/init-deploy/run b/e2e-tests/init-deploy/run index f349028c5d..c9cf9789af 100755 --- a/e2e-tests/init-deploy/run +++ b/e2e-tests/init-deploy/run @@ -101,6 +101,7 @@ compare_mysql_cmd "max_allowed_packet-2" "SELECT @@max_allowed_packet;" "-h $clu desc 'check for passwords leak' check_passwords_leak +sleep 99999 kubectl_bin delete -f $test_dir/conf/$cluster3.yml destroy $namespace From 0af8d714eedfe2f7379a0a5dcaf8bca24b16cb33 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Tue, 8 Aug 2023 17:01:54 +0300 Subject: [PATCH 11/22] @ptankov for debugging purposes - 4 --- e2e-tests/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 0e5873a1b0..d75cc7c4b5 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
@@ -1520,7 +1520,7 @@ function check_backup_deletion() { } check_passwords_leak() { - secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12") or contains("release")) | not) | .value') + secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12") or contains("release") or contains("namespace") or contains("AWS_ACCESS_KEY_ID") or contains("AZURE_STORAGE_ACCOUNT_NAME")) | not) | .value') echo secrets=$secrets passwords="$(for i in $secrets; do base64 -d <<< $i; echo; done) $secrets" From aeb2c169ad60d4faf37b95b5ab4084447601d89a Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Tue, 8 Aug 2023 19:23:05 +0300 Subject: [PATCH 12/22] for debugging purposes - 5 --- e2e-tests/init-deploy/run | 1 - 1 file changed, 1 deletion(-) diff --git a/e2e-tests/init-deploy/run b/e2e-tests/init-deploy/run index c9cf9789af..f349028c5d 100755 --- a/e2e-tests/init-deploy/run +++ b/e2e-tests/init-deploy/run @@ -101,7 +101,6 @@ compare_mysql_cmd "max_allowed_packet-2" "SELECT @@max_allowed_packet;" "-h $clu desc 'check for passwords leak' check_passwords_leak -sleep 99999 kubectl_bin delete -f $test_dir/conf/$cluster3.yml destroy $namespace From 95d07a980cc721e686d434e5922734c7ab881f28 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Fri, 29 Sep 2023 12:03:27 +0300 Subject: [PATCH 13/22] converting variables in a function to local --- e2e-tests/functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 27369d18b2..624f0b3c50 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
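Review bot: The new exclusions are substring tests, so `contains("namespace")` also drops any key merely containing that word, and exact names such as `AWS_ACCESS_KEY_ID` read more honestly as equality, `.key == "AWS_ACCESS_KEY_ID"`. Skipping non-secret identifiers is reasonable, but a comment above `secrets=` saying which keys are skipped and why (helm release payloads, namespace names, storage account identifiers) would spare the next reader re-deriving it from a 400-character jq expression. The `sleep 99999` removal in PATCH 12 just undoes the PATCH 10 debugging artifact; both commits would be better dropped from the series. The `secrets=` line sits inside `check_passwords_leak`, which continues outside the hunk.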
@@ -1520,6 +1520,10 @@ function check_backup_deletion() { } check_passwords_leak() { + local secrets + local passwords + local pods + secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12") or contains("release") or contains("namespace") or contains("AWS_ACCESS_KEY_ID") or contains("AZURE_STORAGE_ACCOUNT_NAME")) | not) | .value') echo secrets=$secrets @@ -1529,8 +1533,6 @@ check_passwords_leak() { pods=$(kubectl_bin get pods -o name | awk -F "/" '{print $2}') echo pods=$pods - TEMP_DIR=$(mktemp -d) - collect_logs() { NS=$1 for p in $pods; do From 39eacd3d3e75b00dd3418a4a4b42ff5ce291c978 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Mon, 2 Oct 2023 16:06:08 +0300 Subject: [PATCH 14/22] changing TEMP_DIR to tmp_dir --- e2e-tests/functions | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 624f0b3c50..604ee09d6f 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
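Review bot: Removing `TEMP_DIR=$(mktemp -d)` leaves `${TEMP_DIR}` still used by `collect_logs` below this hunk, so from this commit until PATCH 14 renames it to `tmp_dir` the logs are written to `/logs_output-*.txt` (or the redirect fails) whenever `TEMP_DIR` is unset in the caller's environment; the rename belongs in the same commit. The `local` declarations help, but `collect_logs` is still defined as a global function from inside `check_passwords_leak`, and `NS`, `p`, `c` and `pass` remain globals; `local NS=$1` plus `local p c pass` would finish the job. `pods` being `local` here is relied on by the nested function through bash's dynamic scoping, which deserves a one-line comment. The rest of the function is outside the hunk.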
@@ -1542,16 +1542,16 @@ check_passwords_leak() { if [[ ${c} =~ "pmm" ]]; then continue fi - kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt - echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt + kubectl_bin -n "$NS" logs $p -c $c > ${tmp_dir}/logs_output-$p-$c.txt + echo logs saved in: ${tmp_dir}/logs_output-$p-$c.txt for pass in $passwords; do echo trying password: $pass - count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :) + count=$(grep -c --fixed-strings -- "$pass" ${tmp_dir}/logs_output-$p-$c.txt || :) if [[ $count != 0 ]]; then - echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt - echo the content of file ${TEMP_DIR}/logs_output-$p-$c.txt is: + echo leaked passwords are found in log ${tmp_dir}/logs_output-$p-$c.txt + echo the content of file ${tmp_dir}/logs_output-$p-$c.txt is: echo ========================================================= - cat ${TEMP_DIR}/logs_output-$p-$c.txt + cat ${tmp_dir}/logs_output-$p-$c.txt false fi done From 22da5ab6f6a633c705f38bb47da5d17d362b41a2 Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Mon, 2 Oct 2023 16:37:41 +0300 Subject: [PATCH 15/22] some more local variables declaration --- e2e-tests/functions | 3 +++ 1 file changed, 3 insertions(+) diff --git a/e2e-tests/functions b/e2e-tests/functions index 604ee09d6f..989d6b4139 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -1534,6 +1534,9 @@ check_passwords_leak() { echo pods=$pods collect_logs() { + local containers + local count + NS=$1 for p in $pods; do containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}') From 56d05fe2a4f4c729ff60fa252aad9fae927793a3 Mon Sep 17 00:00:00 2001 
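Review bot: `${tmp_dir}` is not set anywhere in `check_passwords_leak`, so after this rename the function depends on the caller's environment; if it is empty the redirect on the `kubectl_bin ... logs` line writes to `/logs_output-...txt`. Guard it at the top of `collect_logs` with `: "${tmp_dir:?tmp_dir must be set}"` and quote the path, `"${tmp_dir}/logs_output-$p-$c.txt"`, which also protects against `$p`/`$c` values containing globbing characters. The PATCH 15 hunk adds `local containers` and `local count` but still leaves `NS=$1` global; `local NS=$1` is the one-line fix. Both hunks sit inside `collect_logs`, whose boundaries are outside them.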
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Thu, 5 Oct 2023 20:33:03 +0300 Subject: [PATCH 16/22] - updating the compare yaml file to match new reality - skipping monitoring-0 pod from password leack check --- e2e-tests/functions | 7 +++++-- e2e-tests/monitoring-2-0/compare/agents-list.json | 1 - 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 989d6b4139..67db18fe06 100755 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -1539,10 +1539,13 @@ check_passwords_leak() { NS=$1 for p in $pods; do + if [[ $p == "monitoring-0" ]]; then + continue + fi containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}') for c in $containers; do # temporary, because of: https://jira.percona.com/browse/PMM-8357 - if [[ ${c} =~ "pmm" ]]; then + if [[ $c =~ "pmm" ]]; then continue fi kubectl_bin -n "$NS" logs $p -c $c > ${tmp_dir}/logs_output-$p-$c.txt @@ -1551,7 +1554,7 @@ check_passwords_leak() { echo trying password: $pass count=$(grep -c --fixed-strings -- "$pass" ${tmp_dir}/logs_output-$p-$c.txt || :) if [[ $count != 0 ]]; then - echo leaked passwords are found in log ${tmp_dir}/logs_output-$p-$c.txt + echo leaked password $pass is found in log ${tmp_dir}/logs_output-$p-$c.txt echo the content of file ${tmp_dir}/logs_output-$p-$c.txt is: echo ========================================================= cat ${tmp_dir}/logs_output-$p-$c.txt diff --git a/e2e-tests/monitoring-2-0/compare/agents-list.json b/e2e-tests/monitoring-2-0/compare/agents-list.json index d35dbc282a..118aff3171 100644 --- a/e2e-tests/monitoring-2-0/compare/agents-list.json +++ b/e2e-tests/monitoring-2-0/compare/agents-list.json @@ -121,7 +121,6 @@ "service_type": "postgresql", "database_name": "postgres", "node_name": "pmm-server", - "cluster": "pmm-server-postgresql", "address": "127.0.0.1", "port": 5432, "agents": [ From 2513cc23f759727dabc7f402f15c7e8429c4e422 Mon Sep 17 00:00:00 2001 
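Review bot: `if [[ $p == "monitoring-0" ]]; then continue` removes the PMM server pod from the leak check without saying why, unlike the `pmm` container skip just below that cites PMM-8357; state the reason and the condition for removing the skip, e.g. `# skip the PMM server pod; its logs are excluded until <tracking issue> is resolved`. `echo leaked password $pass is found in log ...` prints the credential itself into the CI output; the file path plus the `grep -c` count is enough to locate it. The agents-list.json hunk is a fixture update and raises nothing. `collect_logs` starts and ends outside the hunk.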
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Wed, 11 Oct 2023 18:32:08 +0300
Subject: [PATCH 17/22] monitor and pmmserver users included a new line in their passwords - removing that
---
 e2e-tests/conf/secrets.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e-tests/conf/secrets.yml b/e2e-tests/conf/secrets.yml
index d98e34068f..9ff21ee71e 100644
--- a/e2e-tests/conf/secrets.yml
+++ b/e2e-tests/conf/secrets.yml
@@ -6,10 +6,10 @@ type: Opaque
 data:
 root: cm9vdF9wYXNzd29yZA==
 xtrabackup: YmFja3VwX3Bhc3N3b3Jk
- monitor: bW9uaXRvcl9wYXNzd29yZAo=
+ monitor: bW9uaXRvcl9wYXNzd29yZA==
 clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
 proxyadmin: YWRtaW5fcGFzc3dvcmQ=
- pmmserver: cG1tc2VydmVyX3Bhc3N3b3JkCg==
+ pmmserver: cG1tc2VydmVyX3Bhc3N3b3Jk
 operator: b3BlcmF0b3JhZG1pbg==
 replication: cmVwbF9wYXNzd29yZA==
 ---
From c160e112d798fc1aea5f497822e4ac5ccce5bfb7 Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Mon, 16 Oct 2023 12:08:14 +0300
Subject: [PATCH 18/22] fixing a broken password
---
 e2e-tests/conf/secrets_without_tls.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e-tests/conf/secrets_without_tls.yml b/e2e-tests/conf/secrets_without_tls.yml
index c5fa5bb54c..9a7c1b18a4 100644
--- a/e2e-tests/conf/secrets_without_tls.yml
+++ b/e2e-tests/conf/secrets_without_tls.yml
@@ -6,9 +6,9 @@ type: Opaque
 data:
 root: cm9vdF9wYXNzd29yZA==
 xtrabackup: YmFja3VwX3Bhc3N3b3Jk
- monitor: bW9uaXRvcl9wYXNzd29yZAo=
+ monitor: bW9uaXRvcl9wYXNzd29yZA==
 clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
 proxyadmin: YWRtaW5fcGFzc3dvcmQ=
- pmmserver: cG1tc2VydmVyX3Bhc3N3b3JkCg==
+ pmmserver: cG1tc2VydmVyX3Bhc3N3b3Jk
 operator: b3BlcmF0b3JhZG1pbg==
 replication: cmVwbF9wYXNzd29yZA==
\ No newline at end of file
From 96f8d59cd9964844b6c99fd7b020ebac8b4fde38 Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Mon, 16 Oct 2023 12:08:42 +0300
Subject: [PATCH 19/22] pgrep command doesn't exist in the latest pmm docker image - workaround
---
 e2e-tests/monitoring-2-0/run | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run
index bb2825e448..40cc00843b 100755
--- a/e2e-tests/monitoring-2-0/run
+++ b/e2e-tests/monitoring-2-0/run
@@ -71,8 +71,7 @@ else
 helm install monitoring --set imageTag=$IMAGE_PMM_SERVER_TAG --set imageRepo=$IMAGE_PMM_SERVER_REPO --set platform=$platform https://percona-charts.storage.googleapis.com/pmm-server-${PMM_SERVER_VER}.tgz
 fi
 kubectl_bin wait --for=condition=Ready pod/${cluster}-0 --timeout=120s
-SERVICE="postgres"
-until kubectl_bin exec monitoring-0 -- bash -c "pgrep -x $SERVICE >/dev/null"; do
+until kubectl_bin exec monitoring-0 -- bash -c "ls -l /proc/*/exe 2>/dev/null| grep postgres >/dev/null"; do
 echo "Retry $retry"
 sleep 5
 let retry+=1
From 8e40e7fe123fc4e12094f5e750074ea86ec0882d Mon Sep 17 00:00:00 2001
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com>
Date: Tue, 17 Oct 2023 23:01:55 +0300
Subject: [PATCH 20/22] debugging purposes: 01
---
 e2e-tests/monitoring-2-0/run | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run
index 40cc00843b..90de5ef596 100755
--- a/e2e-tests/monitoring-2-0/run
+++ b/e2e-tests/monitoring-2-0/run
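Review bot: `ls -l /proc/*/exe 2>/dev/null| grep postgres` matches any process whose executable path contains `postgres`, which in a PMM server image presumably includes helpers such as `postgres_exporter`, so the wait can end before the database server itself is running; anchoring on the link target, `grep -qE '/postgres$'`, restores the exact-name semantics `pgrep -x` had and drops the `>/dev/null`. The retry counter is incremented with `let retry+=1` but no upper bound is visible in the hunk, so confirm the loop has a cap outside it. The `until` loop continues past the hunk.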
@@ -15,7 +15,7 @@ get_mgmnt_service_list() { {} EOF - curl -s -k -H "Authorization: Bearer ${api_key}" -X POST -d @payload.json "https://$endpoint/v1/management/Service/List" \ + curl -s -k -H "Authorization: Bearer ${api_key}" -X POST "https://$endpoint/v1/management/Service/List" \ | jq 'walk(if type=="object" then with_entries(select(.key | test("service_id|node_id|agent_id|created_at|updated_at|service_name") | not)) else . end)' \ | jq 'walk(if type == "array" then sort_by(.agent_type) else . end)' \ >${tmp_dir}/active_pmm_agents.json @@ -160,9 +160,9 @@ if [[ -n ${OPENSHIFT} ]]; then fi fi -desc 'check for passwords leak' -check_passwords_leak +# desc 'check for passwords leak' +# check_passwords_leak -helm uninstall monitoring -destroy $namespace -desc "test passed" +# helm uninstall monitoring +# destroy $namespace +# desc "test passed" From cb0da76702d29dd3fbf66f6d24a8cc79ea69fa9f Mon Sep 17 00:00:00 2001 From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Wed, 18 Oct 2023 10:17:53 +0300 Subject: [PATCH 21/22] debugging purposes: 02 --- e2e-tests/monitoring-2-0/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run index 90de5ef596..46b879c2e1 100755 --- a/e2e-tests/monitoring-2-0/run +++ b/e2e-tests/monitoring-2-0/run @@ -15,7 +15,7 @@ get_mgmnt_service_list() { {} EOF - curl -s -k -H "Authorization: Bearer ${api_key}" -X POST "https://$endpoint/v1/management/Service/List" \ + curl -s -k -H "Authorization: Bearer ${api_key}" -X POST -d @${tmp_dir}/payload.json "https://$endpoint/v1/management/Service/List" \ | jq 'walk(if type=="object" then with_entries(select(.key | test("service_id|node_id|agent_id|created_at|updated_at|service_name") | not)) else . end)' \ | jq 'walk(if type == "array" then sort_by(.agent_type) else . end)' \ >${tmp_dir}/active_pmm_agents.json From 313fd23b4eab8bf2ae2c4079a55fa7e192e8a8cb Mon Sep 17 00:00:00 2001 
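Review bot: Commenting out `helm uninstall monitoring`, `destroy $namespace` and `desc "test passed"` leaves the PMM server, the namespace and the test credentials live after the job, and removing `-d @payload.json` changes the request body `get_mgmnt_service_list` sends; both are debugging edits that PATCH 21/22 partially revert, so this commit and the next belong squashed out rather than merged as history. If keeping the cluster up is useful during triage, gate it on an environment variable, e.g. `[[ -n ${DEBUG_KEEP_CLUSTER:-} ]] || destroy $namespace` (constructed name), instead of commenting lines out. `get_mgmnt_service_list` starts before the first hunk.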
From: Pavel Tankov <4014969+ptankov@users.noreply.github.com> Date: Wed, 18 Oct 2023 13:31:00 +0300 Subject: [PATCH 22/22] removing the usage of the empty payload.json file --- e2e-tests/monitoring-2-0/run | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run index 46b879c2e1..40efebd3d2 100755 --- a/e2e-tests/monitoring-2-0/run +++ b/e2e-tests/monitoring-2-0/run @@ -11,11 +11,8 @@ get_mgmnt_service_list() { local api_key=$1 local endpoint=$2 local namespace=$3 - cat >${tmp_dir}/payload.json <${tmp_dir}/active_pmm_agents.json @@ -160,9 +157,9 @@ if [[ -n ${OPENSHIFT} ]]; then fi fi -# desc 'check for passwords leak' -# check_passwords_leak +desc 'check for passwords leak' +check_passwords_leak -# helm uninstall monitoring -# destroy $namespace -# desc "test passed" +helm uninstall monitoring +destroy $namespace +desc "test passed"