Sg integrationtest add aws-kms, and simple cli (#365)

* sg-integrationtest-includebaker add baking operations to allow policy test * sg-integrationtest add block operation * sg-integrationtest add aws kms test and simple signatory-cli test * sg-integrationtest missed workflow changes last commit * sg-integrationtest revert config file * sg-integrationtest improve readme * sg-integrationtest fix aws vault test * sg-integrationtest add to gitignore integration_test stuffs
ecadlabs · May 29, 2023 · 2cd924f · 2cd924f
1 parent 86d02c9
commit 2cd924f
Show file tree

Hide file tree

Showing 20 changed files with 179 additions and 30 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -108,8 +108,8 @@ jobs:
       fail-fast: false
       matrix:
         testenvs:
-          - env.current.amd64
-          - env.next.amd64
+          - current.amd64
+          - next.amd64
     steps:
       - uses: actions/checkout@v2
       - name: Login to DockerHub
@@ -120,9 +120,16 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Run tests
+        env:
+          IMAGE: ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64
+          VAULT_AWS_USER: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }}
+          VAULT_AWS_KEY: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }}
+          VAULT_AWS_SECRET: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }}
+          VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }}
+          VAULT_AWS_PKH_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }}
+          VAULT_AWS_PKH_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }}
         run: >
-         export $(xargs <integration_test/${{ matrix.testenvs }}); 
-         export IMAGE=ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64;        
+         . integration_test/.env.${{ matrix.testenvs }};
          docker compose -f integration_test/docker-compose.yml up -d --wait --pull always;
          docker exec octez sudo chown -R tezos /home/tezos/.tezos-client;
          go test $(go list ./... | grep integration_test);

diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,7 @@ dist
 .docker-creds
 signatory
 signatory-cli
+
+# some integration_tests write secret env var to files
+integration_test/gcp-token.json
+integration_test/.env.vaults.cicd
diff --git a/integration_test/.env.current.amd64 b/integration_test/.env.current.amd64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=amd64_v16.0-rc3
+export PROTOCOL=Mumbai
diff --git a/integration_test/.env.current.arm64 b/integration_test/.env.current.arm64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=arm64_v16.0-rc3
+export PROTOCOL=Mumbai
diff --git a/integration_test/.env.next.amd64 b/integration_test/.env.next.amd64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=amd64_v17.0-beta1
+export PROTOCOL=Nairobi
diff --git a/integration_test/.env.next.arm64 b/integration_test/.env.next.arm64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=arm64_v17.0-beta1
+export PROTOCOL=Nairobi
diff --git a/integration_test/.env.vaults b/integration_test/.env.vaults
@@ -0,0 +1,6 @@
+export VAULT_AWS_USER=${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }}
+export VAULT_AWS_KEY=${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }}
+export VAULT_AWS_SECRET=${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }}
+export VAULT_AWS_REGION=${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }}
+export VAULT_AWS_PKH_TZ2=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }}
+export VAULT_AWS_PKH_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }}
diff --git a/integration_test/README.md b/integration_test/README.md
@@ -32,22 +32,50 @@ echo $PAT |docker login ghcr.io -u <your_github_name> --password-stdin
 cd integration_test
 ```
 
-Exporting the Environment Variables used by the test is required. Choose the set of env var to use from the files `env.current.arm64`, `env.next.arm64`, `env.current.amd64`, `env.next.amd64`.  Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead.  Use `arm64` or `amd64` depending on your host architecture. 
+Exporting the Environment Variables used by the test is required. There are 3 groups of environment variables to consider:
 
-So, to set the env to use mainnet protocol, using a build of Signatory's `main` branch, on a macbook m1 host:
+1. Signatory image
+2. chain protocol and octez version
+3. vault specifics
+
+### Signatory image env var
+
+using a build of Signatory's main branch, on a macbook m1 host:
 
 ```sh
-export $(xargs <env.current.arm64)
 export IMAGE=ghcr.io/ecadlabs/signatory:main-arm64
 ```
 
-Likewise, to set the env to use the next protocol, using a build of Signatory's `main` branch, on an x86_64 host:
+or, on a `x86_64` host:
 
 ```sh
-export $(xargs <env.next.amd64)
 export IMAGE=ghcr.io/ecadlabs/signatory:main-amd64
 ```
 
+### chain protocol and octez version env var
+
+Choose the set of env var to use from the files `.env.current.arm64`, `.env.next.arm64`, `.env.current.amd64`, `.env.next.amd64`.  Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead.  Use `arm64` or `amd64` depending on your host architecture.
+
+So, to set the env to use mainnet protocol on macbook m1 host:
+
+```sh
+. .env.current.arm64
+```
+
+Likewise, to set the env to use the next protocol, using a build of Signatory's `main` branch, on x86_64 host:
+
+```sh
+. .env.next.amd64
+```
+
+### vault env var
+
+Github secrets are used to define vault env var used in github workflows. To run vault tests localhost, one must configure vaults and provide values in the file `.env.vaults` before sourcing it:
+
+```sh
+. .env.vaults
+```
+
 Next, start the stack:
 
 ```sh
@@ -66,6 +94,12 @@ Or, just run a single test:
 go clean -testcache && go test -run ^TestOperationAllowPolicy
 ```
 
+To run all tests but not vault tests:
+
+```sh
+go clean -testcache && go test $(go list |grep -v vault)
+```
+
 Stop the stack when you are done:
 
 ```sh
@@ -74,7 +108,7 @@ docker compose down
 
 ## Re-Running Tests
 
-Most tests can be re-run successfully as detailed above.  Some tests (like the `reveal` operation) can only be run once on a chain.  So, when re-running all, stop the stack and bring it up again in between test runs. 
+Most tests can be re-run successfully as detailed above.  Some tests (like the `reveal` operation) can only be run once on a chain.  So, when re-running all, stop the stack and bring it up again in between test runs.
 
 ## Notes to the operator
 

diff --git a/integration_test/authorizedkeys_test.go b/integration_test/authorizedkeys_test.go
@@ -9,7 +9,7 @@ import (
 
 func TestAuthorizedKeys(t *testing.T) {
 	var c Config
-	c.Read("signatory.yaml")
+	c.Read()
 	c.Server.Keys = []string{"edpkujLb5ZCZ2gprnRzE9aVHKZfx9A8EtWu2xxkwYSjBUJbesJ9rWE"}
 	backup_then_update_config(c)
 	defer restore_config()

diff --git a/integration_test/cli_test.go b/integration_test/cli_test.go
@@ -0,0 +1,17 @@
+package integrationtest
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCliList(t *testing.T) {
+	var c Config
+	c.Read()
+
+	out, err := SignatoryCli("list")
+	assert.Nil(t, err)
+	require.Contains(t, string(out), "tz1VSUr8wwNhLAzempoch5d6hLRiTh8Cjcjb")
+}
diff --git a/integration_test/config.go b/integration_test/config.go
@@ -6,6 +6,10 @@ import (
 	yaml "gopkg.in/yaml.v3"
 )
 
+const (
+	filename = "signatory.yaml"
+)
+
 type Config struct {
 	Server ServerConfig            `yaml:"server"`
 	Vaults map[string]*VaultConfig `yaml:"vaults"`
@@ -34,26 +38,24 @@ type FileVault struct {
 	File string `yaml:"file"`
 }
 
-func (c *Config) Read(file string) error {
-	yamlFile, err := os.ReadFile(file)
+func (c *Config) Read() error {
+	yamlFile, err := os.ReadFile(filename)
 	if err != nil {
 		return err
 	}
 	if err = yaml.Unmarshal(yamlFile, c); err != nil {
 		return err
 	}
-
 	return nil
 }
 
-func (c *Config) Write(file string) error {
+func (c *Config) Write() error {
 	yamlFile, err := yaml.Marshal(c)
 	if err != nil {
 		panic(err)
 	}
-	if err = os.WriteFile(file, yamlFile, 0644); err != nil {
+	if err = os.WriteFile(filename, yamlFile, 0644); err != nil {
 		panic(err)
 	}
-
 	return nil
 }
diff --git a/integration_test/env.current.amd64 b/integration_test/env.current.amd64
diff --git a/integration_test/env.current.arm64 b/integration_test/env.current.arm64
diff --git a/integration_test/env.next.amd64 b/integration_test/env.next.amd64
diff --git a/integration_test/env.next.arm64 b/integration_test/env.next.arm64
diff --git a/integration_test/operationkinds_test.go b/integration_test/operationkinds_test.go
@@ -10,7 +10,6 @@ import (
 )
 
 const (
-	config        = "signatory.yaml"
 	account       = "tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B"
 	alias         = "opstest"
 	account1      = "tz1R8HJMzVdZ9RqLCknxeq9w5rSbiqJ41szi"
@@ -158,7 +157,7 @@ func TestOperationAllowPolicy(t *testing.T) {
 
 			//next, configure every operation allowed except for the one tested, to test it will be denied
 			var c Config
-			c.Read(config)
+			c.Read()
 			c.Tezos[test.account].Allow = test.notAllowPolicy
 			backup_then_update_config(c)
 			defer restore_config()
@@ -172,9 +171,9 @@ func TestOperationAllowPolicy(t *testing.T) {
 			assert.Contains(t, string(out), "`"+test.opName+"' is not allowed")
 
 			//finally, configure the operation being tested as the only one allowed and test it is successful
-			c.Read(config)
+			c.Read()
 			c.Tezos[test.account].Allow = test.allowPolicy
-			c.Write(config)
+			c.Write()
 			restart_signatory()
 			out, err = OctezClient(test.testOp...)
 			if err != nil {

diff --git a/integration_test/service.go b/integration_test/service.go
@@ -20,7 +20,7 @@ func backup_then_update_config(c Config) {
 	if err != nil {
 		panic("failed to backup config")
 	}
-	err = c.Write("signatory.yaml")
+	err = c.Write()
 	if err != nil {
 		panic("failed to write new config")
 	}

diff --git a/integration_test/signatory.yaml b/integration_test/signatory.yaml
@@ -6,6 +6,7 @@ vaults:
     driver: file
     config:
       file: /etc/secret.json
+
 tezos:
   #alice
   tz1VSUr8wwNhLAzempoch5d6hLRiTh8Cjcjb:

diff --git a/integration_test/signatorycli.go b/integration_test/signatorycli.go
@@ -0,0 +1,12 @@
+package integrationtest
+
+import (
+	"os/exec"
+)
+
+func SignatoryCli(arg ...string) ([]byte, error) {
+	var cmd = "docker"
+	var args = []string{"exec", "signatory", "signatory-cli"}
+	args = append(args, arg...)
+	return exec.Command(cmd, args...).CombinedOutput()
+}
diff --git a/integration_test/vault_aws_test.go b/integration_test/vault_aws_test.go
@@ -0,0 +1,67 @@
+package integrationtest
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAWSVault(t *testing.T) {
+
+	tz2 := os.Getenv("VAULT_AWS_PKH_TZ2")
+	tz3 := os.Getenv("VAULT_AWS_PKH_TZ3")
+	user := os.Getenv("VAULT_AWS_USER")
+	key := os.Getenv("VAULT_AWS_KEY")
+	secret := os.Getenv("VAULT_AWS_SECRET")
+	region := os.Getenv("VAULT_AWS_REGION")
+
+	tz2alias := "awstz2"
+	tz3alias := "awstz3"
+
+	//config
+	var c Config
+	c.Read()
+	var v VaultConfig
+	v.Driver = "awskms"
+	v.Conf = map[string]*string{"user_name": &user, "access_key_id": &key, "secret_access_key": &secret, "region": &region}
+	c.Vaults["aws"] = &v
+	var p TezosPolicy
+	p.LogPayloads = true
+	p.Allow = map[string][]string{"generic": {"reveal", "transaction"}}
+	c.Tezos[tz2] = &p
+	c.Tezos[tz3] = &p
+	backup_then_update_config(c)
+	defer restore_config()
+	restart_signatory()
+
+	//setup
+	out, err := OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2)
+	assert.NoError(t, err)
+	assert.Contains(t, string(out), "Tezos address added: "+tz2)
+	defer OctezClient("forget", "address", tz2alias, "--force")
+
+	out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3)
+	assert.NoError(t, err)
+	assert.Contains(t, string(out), "Tezos address added: "+tz3)
+	defer OctezClient("forget", "address", tz3alias, "--force")
+
+	out, err = OctezClient("transfer", "100", "from", "alice", "to", tz2alias, "--burn-cap", "0.06425")
+	assert.NoError(t, err)
+	require.Contains(t, string(out), "Operation successfully injected in the node")
+
+	out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425")
+	assert.NoError(t, err)
+	require.Contains(t, string(out), "Operation successfully injected in the node")
+
+	//test
+	//TODO: resolve issue #364 and enable the tz2 test
+	//out, err = OctezClient("transfer", "1", "from", tz2alias, "to", "alice", "--burn-cap", "0.06425")
+	//assert.NoError(t, err)
+	//require.Contains(t, string(out), "Operation successfully injected in the node")
+
+	out, err = OctezClient("transfer", "1", "from", tz3alias, "to", "alice", "--burn-cap", "0.06425")
+	assert.NoError(t, err)
+	require.Contains(t, string(out), "Operation successfully injected in the node")
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		export OCTEZ_VERSION=amd64_v16.0-rc3
		export PROTOCOL=Mumbai
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		export OCTEZ_VERSION=arm64_v16.0-rc3
		export PROTOCOL=Mumbai
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		export OCTEZ_VERSION=amd64_v17.0-beta1
		export PROTOCOL=Nairobi
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		export OCTEZ_VERSION=arm64_v17.0-beta1
		export PROTOCOL=Nairobi
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,7 @@ vaults: @@
         driver: file
         config:
           file: /etc/secret.json
     tezos:
       #alice
       tz1VSUr8wwNhLAzempoch5d6hLRiTh8Cjcjb:
@@ Expand Down @@