(wip) tests

Author: BourgoisMickael

.github/docker/admin.json

@@ -0,0 +1,4 @@
+{
+    "accessKey": "D4IT2AWSB588GO5J9T00",
+    "secretKeyValue": "UEEu8tYlsOGGrgf4DAiSZD6apVNPUWqRiPG0nTB6"
+}

.github/docker/docker-compose.yaml

@@ -22,7 +22,9 @@ services:
       - DATA_HOST=0.0.0.0
       - METADATA_HOST=0.0.0.0
       - S3BACKEND
+      - S3VAULT=scality
       - S3DATA
+      - S3METADATA
       - MPU_TESTING
       - S3VAULT
       - S3_LOCATION_FILE
@@ -55,6 +57,26 @@ services:
       - ../../localMetadata:/usr/src/app/localMetadata
     environment:
       - S3_CONFIG_FILE=/conf/config.json
+      - S3KMS=aws
+      - S3VAULT=scality
+  vault:
+    # image: ${VAULT_IMAGE_BEFORE_SSE_MIGRATION}
+    image: ${VAULT_IMAGE}
+    command: sh -c "chmod 400 tests/utils/keyfile && yarn start > /artifacts/vault.log"
+    network_mode: "host"
+    volumes:
+      - /tmp/artifacts/${JOB_NAME}:/artifacts
+      - ./vault-config.json:/conf/config.json:ro
+      - ./vault-db:/data
+    environment:
+      - VAULT_DB_BACKEND=LEVELDB
+      - CI=true
+      - ENABLE_LOCAL_CACHE=true
+      - REDIS_HOST=0.0.0.0
+      - REDIS_PORT=6379
+      - KMS_BACKEND=aws
+    depends_on:
+      - redis
   redis:
     image: redis:alpine
     network_mode: "host"

.github/docker/local.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+set -e -o pipefail
+#in .github/docker
+
+export S3BACKEND=file
+export S3METADATA=scality
+export S3VAULT=scality
+export CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION=ghcr.io/scality/cloudserver:7.70.21-11
+export CLOUDSERVER_IMAGE_ORIGINAL=ghcr.io/scality/cloudserver:50db1ada69a394cf877bd3486d4d0e318158e338
+export MPU_TESTING="yes"
+export JOB_NAME=sse-kms-migration-tests-show-arn
+export kmsHideScalityArn=showArn
+
+export VAULT_IMAGE_BEFORE_SSE_MIGRATION=ghcr.io/scality/vault:7.70.15-5
+export VAULT_IMAGE_ORIGINAL=ghcr.io/scality/vault:e8c0fa2890c131581efd13ad3fd1ade7dcbd0968
+export KMS_IMAGE=nsmithuk/local-kms:3.11.7
+
+# IMAGE IS HARDCODED FOR OKMS TO HIDE
+export JOB_NAME=sse-kms-migration-tests-hide-arn
+export kmsHideScalityArn=hideArn
+# export JOB_NAME=sse-kms-migration-tests-show-arn
+# export kmsHideScalityArn=showArn
+
+mkdir -p /tmp/artifacts/$JOB_NAME
+
+export CLOUDSERVER_IMAGE=$CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION
+export VAULT_IMAGE=$VAULT_IMAGE_BEFORE_SSE_MIGRATION
+export SSE_CONF=before
+
+export KMS_AWS_SECRET_ACCESS_KEY=123
+export KMS_AWS_ACCESS_KEY_ID=456
+
+# START KMS
+docker run -d -p 8080:8080 $KMS_IMAGE || true
+
+    echo "waiting for local AWS KMS service on port 8080 to be available."
+
+    timeout 300 bash -c 'until curl -sS 0:8080 > /dev/null; do 
+        echo "service not ready on port 8080. Retrying in 2 seconds."
+        sleep 2
+    done'
+    echo "local AWS KMS service is up and running on port 8080."
+
+    AWS_ENDPOINT_URL=http://0:8080 AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=456 AWS_SECRET_ACCESS_KEY=123 aws kms list-keys --max-items 1
+# END KMS
+
+# Start all before migration
+docker compose up -d
+        bash ../../wait_for_local_port.bash 8500 40
+        bash ../../wait_for_local_port.bash 8000 40
+# HAVE vaultclient bin in your PATH or an alias
+alias vaultclient="~/scality/vaultclient/bin/vaultclient"
+export PATH="$PATH:~/scality/vaultclient/bin/"
+vaultclient --config admin.json delete-account --name mick || true
+vaultclient --config admin.json create-account --name mick --email [email protected]
+vaultclient --config admin.json generate-account-access-key --name mick --accesskey SCUBAINTERNAL0000000 --secretkey SCUBAINTERNAL000000000000000000000000000
+vaultclient --config admin.json get-account --account-name mick
+
+cd ../..
+
+echo ===== RUN BEFORE MIGRATION =====
+export S3_CONFIG_FILE=config.before.json
+
+        set -o pipefail;
+
+
+        echo Ensures the expected version of cloudserver is old one:
+        VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+            exec cloudserver cat package.json | jq -r .version)
+        if [[ "$VERSION" != "7.70.21-11" ]]; then
+          echo "bad version of container. Should be 7.70.21-11. Was $VERSION" >&2
+          exit 1
+        else
+          echo OK $VERSION
+        fi
+
+        yarn run ft_sse_before_migration | tee /tmp/artifacts/$JOB_NAME/beforeMigration.log
+
+# RUN latest images
+cd .github/docker
+export SSE_CONF=sseMigration.$kmsHideScalityArn
+export CLOUDSERVER_IMAGE=$CLOUDSERVER_IMAGE_ORIGINAL
+export VAULT_IMAGE=$VAULT_IMAGE_ORIGINAL
+
+docker compose down cloudserver vault && docker compose up -d vault # cloudserver-sse-migration
+
+echo ==== RUN MIGRATION ====
+cd ../..
+yarn start_migration > s3.log &
+export S3_CONFIG_FILE=config.sseMigration.$kmsHideScalityArn.json
+export S3KMS=aws
+
+        set -o pipefail;
+        bash wait_for_local_port.bash 8500 40
+        bash wait_for_local_port.bash 8000 40
+
+        # echo Ensures the expected version of cloudserver is NOT old one
+        # VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+        #     exec cloudserver-sse-migration cat package.json | jq -r .version)
+        # if [[ "$VERSION" == "7.70.21-11" ]]; then
+        #   echo "bad version of container. Should NOT be 7.70.21-11. Was $VERSION" >&2
+        #   exit 1
+        # else
+        #   echo OK $VERSION
+        # fi
+
+        yarn run ft_sse_migration # | tee /tmp/artifacts/$JOB_NAME/migration.log
+        sleep 10
+        yarn run ft_sse_arn # | tee /tmp/artifacts/$JOB_NAME/migration.log
+

.github/docker/vault-config.json

@@ -0,0 +1,76 @@
+{
+    "clusters": 1,
+    "healthChecks": {
+        "allowFrom": ["127.0.0.1/8", "::1"]
+    },
+    "interfaces": {
+        "S3": {
+            "address": "0.0.0.0",
+            "port": 8500,
+            "allowFrom": ["0.0.0.0/8", "::1"]
+        },
+        "administration": {
+            "address": "0.0.0.0",
+            "port": 8600
+        },
+        "sts": {
+            "address": "127.0.0.1",
+            "port": 8800
+        }
+    },
+    "map": ["127.0.0.1:4300", "127.0.0.2:4301", "127.0.0.3:4302", "127.0.0.4:4303", "127.0.0.5:4304"],
+    "keyFilePath": "./tests/utils/keyfile",
+    "adminCredentialsFilePath": "./tests/utils/admincredentials.json.encrypted",
+    "log": {
+        "level": "info",
+        "dump": "error"
+    },
+    "accountSeeds": [
+        {
+            "role": {
+                "roleName": "scality-role1",
+                "trustPolicy": {
+                    "Version": "2012-10-17",
+                    "Statement": [
+                        {
+                            "Effect": "Allow",
+                            "Principal": { "AWS": "arn:aws:iam::000000000000:user/root" },
+                            "Action": "sts:AssumeRole",
+                            "Condition": {}
+                        }
+                    ]
+                }
+            },
+            "permissionPolicy": {
+                "policyName": "scality-policy1",
+                "policyDocument": {
+                    "Version": "2012-10-17",
+                    "Statement": [
+                        {
+                            "Sid": "FullAccess",
+                            "Effect": "Allow",
+                            "Action": ["s3:*"],
+                            "Resource": ["*"]
+                        }
+                    ]
+                }
+            }
+        }
+    ],
+    "utapi": {
+        "host": "127.0.0.1",
+        "port": 8100
+    },
+    "scuba": {
+        "host": "127.0.0.1",
+        "port": 8100
+    },
+    "kmsAWS": {
+        "noAwsArn": true,
+        "providerName": "local",
+        "region": "us-east-1", 
+        "endpoint": "http://0:8080",
+        "ak": "456",
+        "sk": "123"
+    }
+}

.github/docker/vault-db/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

.github/workflows/tests.yaml

@@ -363,9 +363,12 @@ jobs:
     needs: build
     env:
       S3BACKEND: file
-      S3VAULT: mem
+      S3VAULT: scality
       CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION: ghcr.io/${{ github.repository }}:7.70.21-11
+      VAULT_IMAGE_BEFORE_SSE_MIGRATION: ghcr.io/scality/vault:7.70.15-5
       CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      VAULT_IMAGE: ghcr.io/scality/vault:e8c0fa2890c131581efd13ad3fd1ade7dcbd0968
+      KMS_IMAGE: nsmithuk/local-kms:3.11.7
       MPU_TESTING: "yes"
       JOB_NAME: ${{ matrix.job-name }}
     steps:

tests/functional/aws-node-sdk/lib/json/mem_credentials.json

@@ -6,5 +6,9 @@
   "lisa": {
     "accessKey": "accessKey2",
     "secretKey": "verySecretKey2"
+  },
+  "vault": {
+    "accessKey": "SCUBAINTERNAL0000000",
+    "secretKey": "SCUBAINTERNAL000000000000000000000000000"
   }
 }

tests/functional/sse-kms-migration/arnPrefix.js

@@ -58,9 +58,9 @@ const testCases = [
 ];
 const testCasesObj = testCases.filter(tc => !tc.deleteSSE);
 
-const s3config = getConfig('default', { signatureVersion: 'v4' });
+const s3config = getConfig('vault', { signatureVersion: 'v4' });
 const s3 = new S3(s3config);
-const bucketUtil = new BucketUtility();
+const bucketUtil = new BucketUtility('vault');
 
 kms.client._supportsDefaultKeyPerAccount = false; // To generate keys without vault account side effect
 
@@ -139,7 +139,7 @@ async function cleanup(Bucket) {
 const bucketInfo = new BucketInfo('enc-bucket-test', 'OwnerId',
     'OwnerDisplayName', new Date().toJSON());
 
-describe('SSE KMS arnPrefix', () => {
+describe.only('SSE KMS arnPrefix', () => {
     /** Bucket to test CopyObject from and to */
     const copyBkt = 'enc-bkt-copy';
     const copyObj = 'copy-obj';
@@ -195,7 +195,12 @@ describe('SSE KMS arnPrefix', () => {
                     ? obj.kmsKeyInfo.masterKeyArn
                     : obj.kmsKeyInfo.masterKeyId;
             }
-            return await putEncryptedObject(bkt.name, obj.name, objConf, obj.kmsKey, obj.body);
+            try {
+                return await putEncryptedObject(bkt.name, obj.name, objConf, obj.kmsKey, obj.body);
+            } catch (err) {
+                console.log('ERR', err, err && err.toString(), bktConf.name, obj.name, objConf.algo, obj.kmsKeyInfo)
+                throw err;
+            }
         }));
     };
 

tests/functional/sse-kms-migration/beforeMigration.js

@@ -50,9 +50,9 @@ const testCases = [
 ];
 const testCasesObj = testCases.filter(tc => !tc.deleteSSE);
 
-const config = getConfig('default', { signatureVersion: 'v4' });
+const config = getConfig('vault', { signatureVersion: 'v4' });
 const s3 = new S3(config);
-const bucketUtil = new BucketUtility();
+const bucketUtil = new BucketUtility('vault');
 
 // Fix for before migration run
 Object.defineProperty(kms, 'arnPrefix', { get() { return ''; } });

tests/functional/sse-kms-migration/cleanup.js

@@ -44,9 +44,9 @@ const testCases = [
     },
 ];
 
-const config = getConfig('default', { signatureVersion: 'v4' });
+const config = getConfig('vault', { signatureVersion: 'v4' });
 const s3 = new S3(config);
-const bucketUtil = new BucketUtility();
+const bucketUtil = new BucketUtility('vault');
 
 async function cleanup(Bucket) {
     try {
@@ -63,6 +63,7 @@ describe('SSE KMS Cleanup', () => {
     const mpuCopyBkt = 'enc-bkt-mpu-copy';
 
     it('Empty and delete buckets for SSE KMS Migration', async () => {
+        console.log('cleanup');
         void await promisify(metadata.setup.bind(metadata))();
 
         try {