#67 Add systems tests for HIRS Provisioner TPM 2.0 (#73)

* Added System Tests. * Cleaned up scripts * Cleaned up system tests. * Cleaned up system tests. * Cleaned up system tests. * Updated system tests. * Code review updates.
nsacyber · Jan 15, 2019 · 17d7dbd · 17d7dbd
1 parent 05a78a3
commit 17d7dbd
Show file tree

Hide file tree

Showing 11 changed files with 1,534 additions and 133 deletions.
diff --git a/.ci/docker/.env b/.ci/docker/.env
@@ -0,0 +1,10 @@
+HIRS_ACA_PROVISIONER_IP=172.19.0.3
+TPM_ENABLED=true
+IMA_ENABLED=false
+
+HIRS_ACA_PORTAL_IP=172.19.0.2
+HIRS_ACA_PORTAL_PORT=8443
+HIRS_BROKER_PORT=61616
+HIRS_ACA_PORTAL_CONTAINER_PORT=80
+
+HIRS_SUBNET=172.19.0.0/16
diff --git a/.ci/docker/docker-compose.yml b/.ci/docker/docker-compose.yml
@@ -1,17 +1,46 @@
 version: "3.1"
+
 services:
-  aca:
-    image: hirs/hirs-ci:aca
-    ports:
-      - "8443:8443"
-    volumes:
-      - ../../:/HIRS
-    command: /HIRS/.ci/integration-tests/setup-aca.sh
-  tpm2provisioner:
-    image: hirs/hirs-ci:tpm2provisioner
-    depends_on:
-      - "aca"
-    volumes:
-      - ../../:/HIRS
-    network_mode: "host"
-    command: /HIRS/.ci/integration-tests/setup-tpm2provisioner.sh
+   aca:
+      image: hirs/hirs-ci:aca
+      container_name: hirs-aca
+      volumes:
+         - ../../:/HIRS
+      ports:
+         - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
+      entrypoint: /bin/bash -c 
+      command: [HIRS/.ci/integration-tests/setup-aca.sh]
+      networks:
+         hirs_aca_system_tests:
+            ipv4_address: ${HIRS_ACA_PORTAL_IP}
+
+   tpm2provisioner:
+      image: hirs/hirs-ci:tpm2provisioner
+      container_name: hirs-aca-provisioner-tpm2
+      depends_on:
+         - aca 
+      volumes:
+         - ../../:/HIRS
+      entrypoint: /bin/bash -c 
+      command: [HIRS/.ci/integration-tests/setup-tpm2provisioner.sh;
+                HIRS/.ci/system-tests/systems-test-centos7-tpm2.sh]
+      networks:
+         hirs_aca_system_tests:
+            ipv4_address: ${HIRS_ACA_PROVISIONER_IP} 
+      environment:
+         - HIRS_ACA_PROVISIONER_IP=${HIRS_ACA_PROVISIONER_IP}
+         - TPM_ENABLED=${TPM_ENABLED}
+         - IMA_ENABLED=${IMA_ENABLED}
+         - HIRS_ACA_PORTAL_IP=${HIRS_ACA_PORTAL_IP}
+         - HIRS_ACA_PORTAL_PORT=${HIRS_ACA_PORTAL_PORT}
+         - HIRS_BROKER_PORT=${HIRS_BROKER_PORT}
+         - HIRS_ACA_PORTAL_CONTAINER_PORT=${HIRS_ACA_PORTAL_CONTAINER_PORT}
+         - HIRS_SUBNET=${HIRS_SUBNET}
+
+networks:
+   hirs_aca_system_tests:
+      driver: bridge 
+      ipam:
+         driver: default
+         config:
+           - subnet: ${HIRS_SUBNET} 
diff --git a/.ci/integration-tests/run-integration-tests.sh b/.ci/integration-tests/run-integration-tests.sh
diff --git a/.ci/integration-tests/setup-tpm2provisioner.sh b/.ci/integration-tests/setup-tpm2provisioner.sh
@@ -1,89 +1,143 @@
 #!/bin/bash
 
 # Script to setup the TPM2 Provisioner Docker Image for Integration Tests
-
 set -e
 
 # Wait for ACA to boot
-until [ "`curl --silent --connect-timeout 1 -I -k https://localhost:8443/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
-    :
+echo "Waiting for ACA to spin up..."
+until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
+  :
 done
-
-pushd /HIRS
-if [ ! -d package/rpm/RPMS ]; then
-    ./package/package.centos.sh
-fi
-yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
-popd
-
-mkdir -p /var/run/dbus
-if [ -e /var/run/dbus/pid ]; then
-  rm /var/run/dbus/pid
-fi
-
-if [ -e /var/run/dbus/system_bus_socket ]; then
-  rm /var/run/dbus/system_bus_socket
-fi
-
-# Start the DBus
-dbus-daemon --fork --system
-echo "DBus started"
-
-# Give DBus time to start up
-sleep 5
-
-/ibmtpm/src/./tpm_server &
-echo "TPM Emulator started"
-
-tpm2-abrmd -t socket &
-echo "TPM2-Abrmd started"
-
-# Give ABRMD time to start and register on the DBus
-sleep 5
-
-# EK and PC Certificate
-ek_cert_der="/HIRS/.ci/integration-tests/certs/ek_cert.der"
-platform_cert="platformAttributeCertificate.pem"
-
-echo "Creating Platform Cert for Container"
-PC_DIR=/var/hirs/pc_generation
-mkdir -p $PC_DIR
-/opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile
-/opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile
-/opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile
-/opt/paccor/bin/observer -c $PC_DIR/componentsFile -p $PC_DIR/optionsFile -e $ek_cert_der -f $PC_DIR/observerFile
-/opt/paccor/bin/signer -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k /HIRS/.ci/integration-tests/certs/ca.key -P /HIRS/.ci/integration-tests/certs/ca.crt --pem -f $PC_DIR/$platform_cert
-
-# Release EK Cert if one exists
-if tpm2_nvlist | grep -q 0x1c00002; then
-  tpm2_nvrelease -x 0x1c00002 -a 0x40000001
-fi
-
-# Define nvram space to enable loading of EK cert (-x NV Index, -a handle to
-# authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t
-# specifies attribute value in publicInfo struct
-# [0x2000A = ownerread|ownerwrite|policywrite])
-size=$(cat $ek_cert_der | wc -c)
-echo "Define nvram location for ek cert of size $size"
-tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size
-
-# Load EK Cert into TPM nvram
-echo "Load ek cert into nvram"
-tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert_der
-
-# Release Platform Cert if one exists
-if tpm2_nvlist | grep -q 0x1c90000; then
-  tpm2_nvrelease -x 0x1c90000 -a 0x40000001
-fi
-
-# Store the platform certificate in the TPM's NVRAM
-echo "Load platform cert into nvram"
-tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $(cat $PC_DIR/$platform_cert | wc -c)
-tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert
-
-# Set Logging to INFO Level
-sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
-
-echo "TPM2 Provisioner Loaded!"
-
-tail -f /dev/null
+echo "ACA is up!"
+
+# Function to install provisioner packages.
+function InstallProvisioner { 
+	echo "===========Installing Provisioner Packages...==========="
+
+	pushd /HIRS
+	if [ ! -d package/rpm/RPMS ]; then
+    	./package/package.centos.sh
+	fi
+	yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
+	popd
+}
+
+# Function to initialize the TPM2 Emulator
+function InitTpmEmulator { 
+	echo "===========Initializing TPM2 Emulator...==========="
+
+	mkdir -p /var/run/dbus
+	if [ -e /var/run/dbus/pid ]; then
+	  rm /var/run/dbus/pid
+	fi
+
+	if [ -e /var/run/dbus/system_bus_socket ]; then
+	  rm /var/run/dbus/system_bus_socket
+	fi
+
+	# Start the DBus
+	dbus-daemon --fork --system
+	echo "DBus started"
+
+	# Give DBus time to start up
+	sleep 5
+
+	/ibmtpm/src/./tpm_server &
+	echo "TPM Emulator started"
+
+	tpm2-abrmd -t socket &
+	echo "TPM2-Abrmd started"
+
+	# Give ABRMD time to start and register on the DBus
+	sleep 5
+
+	# EK and PC Certificate
+	ek_cert_der="/HIRS/.ci/integration-tests/certs/ek_cert.der"
+	platform_cert="platformAttributeCertificate.pem"
+
+	echo "Creating Platform Cert for Container."
+	PC_DIR=/var/hirs/pc_generation
+	mkdir -p $PC_DIR
+	/opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile
+	/opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile
+	/opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile
+	/opt/paccor/bin/observer -c $PC_DIR/componentsFile -p $PC_DIR/optionsFile -e $ek_cert_der -f $PC_DIR/observerFile
+	/opt/paccor/bin/signer -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k /HIRS/.ci/integration-tests/certs/ca.key -P /HIRS/.ci/integration-tests/certs/ca.crt --pem -f $PC_DIR/$platform_cert
+
+	if tpm2_nvlist | grep -q 0x1c00002; then
+	  echo "Released NVRAM for EK."
+	  tpm2_nvrelease -x 0x1c00002 -a 0x40000001 
+	fi
+
+	# Define nvram space to enable loading of EK cert (-x NV Index, -a handle to
+	# authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t
+	# specifies attribute value in publicInfo struct
+	# [0x2000A = ownerread|ownerwrite|policywrite])
+	size=$(cat $ek_cert_der | wc -c)
+	echo "Define NVRAM location for EK cert of size $size."
+	tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size
+
+	# Load key into TPM nvram
+	echo "Loading EK cert into NVRAM."
+	tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert_der
+
+	if tpm2_nvlist | grep -q 0x1c90000; then
+	  echo "Released NVRAM for PC."
+	  tpm2_nvrelease -x 0x1c90000 -a 0x40000001 
+	fi
+
+	# Store the platform certificate in the TPM's NVRAM
+	size=$(cat $PC_DIR/$platform_cert | wc -c)
+	echo "Define NVRAM location for PC cert of size $size."
+	tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size
+
+	echo "Loading PC cert into NVRAM."
+	tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert
+
+	echo "===========TPM2 Emulator Initialization Complete!==========="
+
+	# Set Logging to INFO Level
+	sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
+}
+
+# Function to update the hirs-site.config file
+function UpdateHirsSiteConfigFile {
+	HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
+
+	echo ""
+	echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...==========="
+	cat /HIRS/.ci/docker/.env
+
+	cat <<DEFAULT_SITE_CONFIG_FILE > $HIRS_SITE_CONFIG
+#*******************************************
+#* HIRS site configuration properties file
+#*******************************************
+CLIENT_HOSTNAME=${HIRS_ACA_PROVISIONER_IP}
+TPM_ENABLED=${TPM_ENABLED}
+IMA_ENABLED=${IMA_ENABLED}
+	
+# Site-specific configuration
+ATTESTATION_CA_FQDN=${HIRS_ACA_PORTAL_IP}
+ATTESTATION_CA_PORT=${HIRS_ACA_PORTAL_PORT}
+BROKER_FQDN=${HIRS_ACA_PORTAL_IP}
+BROKER_PORT=${HIRS_BROKER_PORT}
+PORTAL_FQDN=${HIRS_ACA_PORTAL_IP}
+PORTAL_PORT=${HIRS_ACA_PORTAL_PORT}
+	
+DEFAULT_SITE_CONFIG_FILE
+
+ echo "===========New HIRS Config File==========="
+ cat /etc/hirs/hirs-site.config
+}
+
+# Install packages
+InstallProvisioner
+
+# Install TPM Emulator
+InitTpmEmulator
+
+# Update the hir-site.config file
+UpdateHirsSiteConfigFile
+
+echo ""
+echo "===========HIRS ACA Provisioner Setup Complete!==========="
diff --git a/.ci/system-tests/run-system-tests.sh b/.ci/system-tests/run-system-tests.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Script to run the System Tests for HIRS
+
+set -e
+
+echo ""
+echo "System Tests Starting..."
+echo ""
+
+# Start System Testing Docker Environment
+cd .ci/docker
+
+docker-compose up -d
+
+tpm2_container_id="$(docker ps -aqf "name=hirs-aca-provisioner-tpm2")"
+echo "TPM2 Container ID: $tpm2_container_id"
+
+tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')"
+echo "TPM2 Container Status: $tpm2_container_status"
+
+while [ $tpm2_container_status == "running" ] 
+do
+  sleep 10 
+
+  # Add status message, so Travis will not time out. 
+  # It may timeout if it has'nt received output for more than 10 minutes.
+  echo "Still running tests, please wait..."
+
+  tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')"
+
+done
+
+echo ""
+echo "===========hirs-aca-provisioner-tpm2 System Tests Log:==========="
+docker logs $tpm2_container_id
+
+echo ""
+echo "End of System Tests, cleaning up..."
+echo ""
+docker-compose down