Adds it for plugins.

Signed-off-by: JU4N98 <[email protected]>
spiffe · Jan 3, 2024 · d537634 · d537634
1 parent 7c29265
commit d537634
Show file tree

Hide file tree

Showing 8 changed files with 117 additions and 5 deletions.
diff --git a/.github/tests/it/client/Dockerfile b/.github/tests/it/client/Dockerfile
@@ -11,21 +11,33 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt install postgresql mysql-client -y
 
 RUN mkdir -p /run/client/certs
+RUN mkdir -p /run/client/plugin_certs
 COPY ./postgres-connect.sh /run/client/postgres-connect.sh
 COPY ./mysql-connect.sh /run/client/mysql-connect.sh
 COPY ./assert.sh /run/client/assert.sh
 
-RUN touch /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt
+RUN touch /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt \
+/run/client/certs/jwt.json /run/client/certs/jwk.json /run/client/plugin_certs/svid.crt \
+/run/client/plugin_certs/jwt.json /run/client/plugin_certs/jwk.json
 RUN chmod +x /run/client/postgres-connect.sh /run/client/mysql-connect.sh /run/client/assert.sh
-RUN chmod 600 /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt
+RUN chmod 600 /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt \ 
+/run/client/certs/jwt.json /run/client/certs/jwk.json /run/client/plugin_certs/svid.crt \
+/run/client/plugin_certs/jwt.json /run/client/plugin_certs/jwk.json
 RUN chown client:client \
     /run/client/postgres-connect.sh \
     /run/client/mysql-connect.sh \
     /run/client/assert.sh \
     /run/client/certs/svid.crt \
     /run/client/certs/svid.key \
-    /run/client/certs/root.crt
+    /run/client/certs/root.crt \
+    /run/client/certs/jwt.json \
+    /run/client/certs/jwk.json \
+    /run/client/plugin_certs/svid.crt \
+    /run/client/plugin_certs/jwt.json \
+    /run/client/plugin_certs/jwk.json
+
 
 USER root
 COPY --from=it-spiffe-helper /service/spiffe-helper /opt/helper/spiffe-helper
+COPY --from=it-spiffe-helper /service/simple-plugin /opt/helper/simple-plugin
 COPY --from=builder /service/client /opt/go-client/client
diff --git a/.github/tests/it/client/helper.conf b/.github/tests/it/client/helper.conf
@@ -6,3 +6,17 @@ renewSignal = "SIGUSR1"
 svidFileName = "svid.crt"
 svidKeyFileName = "svid.key"
 svidBundleFileName = "root.crt"
+jwt_audience = "example.org"
+jwt_svid_file_name = "jwt.json"
+jwt_bundle_file_name = "jwk.json"
+
+plugins {
+    "simple-plugin" {
+        path="/opt/helper/simple-plugin"
+        checksum="039bffe8a30ce9a6f3a1596e2d82ac6269cf2a083584ffae19c0ef178e23aba4"
+        plugin_cert_dir="/run/client/plugin_certs/"
+        x509_svid_file_name="svid.crt"
+        jwt_svid_file_name="jwt.json"
+        jwt_bundle_file_name="jwk.json"
+    }
+}
diff --git a/.github/tests/it/integration_test.sh b/.github/tests/it/integration_test.sh
@@ -33,6 +33,10 @@ TEST_FAILED=$((TEST_FAILED + $?))
 bash change-entry-client-test.sh
 TEST_FAILED=$((TEST_FAILED + $?))
 
+# Testing to upload a plugin and notify changes on SVIDs and bundles
+bash run-plugin-test.sh
+TEST_FAILED=$((TEST_FAILED + $?))
+
 echo
 if  ((TEST_FAILED == 1)); then
     echo -e "${RED}❌ ${TEST_FAILED} test failed.${RESET}"

diff --git a/.github/tests/it/run-plugin-test.sh b/.github/tests/it/run-plugin-test.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+RESET='\033[0m'
+bad=0
+
+ok(){
+    echo -e "${GREEN}✔️ $1 succeeded ${RESET}"
+}
+
+fail(){
+    echo -e "${RED}❌ $1 failed ${RESET}"
+}
+
+docker compose exec client su client -c "test -s /run/client/plugin_certs/svid.crt"
+if [ $? -eq 0 ]; then 
+  ok "Test plugin X.509 svid update"
+else
+  fail "Test plugin X.509 svid update"
+  exit 1
+fi
+
+docker compose exec client su client -c "test -s /run/client/plugin_certs/jwt.json"
+if [ $? -eq 0 ]; then 
+  ok "Test plugin JWT svid update"
+else
+  fail "Test plugin JWT svid update"
+  exit 1
+fi
+
+docker compose exec client su client -c "test -s /run/client/plugin_certs/jwk.json"
+if [ $? -eq 0 ]; then 
+  ok "Test plugin JWT bundle update"
+else
+  fail "Test plugin JWT bundle update"
+  exit 1
+fi
+
+exit 0
diff --git a/.github/tests/it/spiffe-helper/Dockerfile b/.github/tests/it/spiffe-helper/Dockerfile
@@ -2,3 +2,4 @@ FROM golang:1.21-alpine AS spiffe-helper
 COPY ./ /service/
 WORKDIR /service
 RUN go build -tags netgo -a -v -o /service/spiffe-helper ./cmd/spiffe-helper
+RUN go build -tags netgo -a -v -o /service/simple-plugin ./examples/plugin/plugin.go
diff --git a/.github/tests/run-plugin-test.sh b/.github/tests/run-plugin-test.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Define the target directory path
+target_dir="./it"
+
+# Check if the target directory exists
+if [ ! -d "$target_dir" ]; then
+  echo "Error: The target directory '$target_dir' does not exist."
+  exit 1
+fi
+
+# Change to the target directory
+cd "$target_dir" || exit
+
+bash run-plugin-test.sh 1
diff --git a/...notifier/simple-example/simple-example.go → examples/plugin/plugin.go b/...notifier/simple-example/simple-example.go → examples/plugin/plugin.go
@@ -3,32 +3,53 @@ package main
 import (
 	"context"
 	"log"
+	"os"
+	"path"
 
 	"github.com/hashicorp/go-plugin"
 	pb "github.com/spiffe/spiffe-helper/pkg/notifier"
 )
 
 type SimplePlugin struct {
 	pb.NotifierServer
+	configs map[string]string
+}
+
+func writeSomething(path string) {
+	file, err := os.Create(path)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer file.Close()
+
+	if _, err := file.WriteString("something"); err != nil {
+		log.Fatal(err)
+	}
 }
 
 func (s *SimplePlugin) LoadConfigs(ctx context.Context, request *pb.LoadConfigsRequest) (*pb.LoadConfigsResponse, error) {
-	configs := request.Configs
-	log.Printf("Message sent by %s to %s: %s", configs["from"], configs["to"], configs["message"])
+	s.configs = request.Configs
+	log.Printf("Plugin loaded")
 	return &pb.LoadConfigsResponse{}, nil
 }
 
 func (s *SimplePlugin) UpdateX509SVID(ctx context.Context, request *pb.UpdateX509SVIDRequest) (*pb.UpdateX509SVIDResponse, error) {
+	path := path.Join(s.configs["plugin_cert_dir"], s.configs["x509_svid_file_name"])
+	writeSomething(path)
 	log.Printf("X.509 SVID updated")
 	return &pb.UpdateX509SVIDResponse{}, nil
 }
 
 func (s *SimplePlugin) UpdateJWTSVID(ctx context.Context, request *pb.UpdateJWTSVIDRequest) (*pb.UpdateJWTSVIDResponse, error) {
+	path := path.Join(s.configs["plugin_cert_dir"], s.configs["jwt_svid_file_name"])
+	writeSomething(path)
 	log.Printf("JWT SVID updated")
 	return &pb.UpdateJWTSVIDResponse{}, nil
 }
 
 func (s *SimplePlugin) UpdateJWTBundle(ctx context.Context, request *pb.UpdateJWTBundleRequest) (*pb.UpdateJWTBundleResponse, error) {
+	path := path.Join(s.configs["plugin_cert_dir"], s.configs["jwt_bundle_file_name"])
+	writeSomething(path)
 	log.Printf("JWT bundle updated")
 	return &pb.UpdateJWTBundleResponse{}, nil
 }

diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
@@ -215,6 +215,11 @@ func (s *Sidecar) loadPlugins() {
 			continue
 		}
 
+		if _, typeIsPresent := pluginConfig["type"]; typeIsPresent {
+			s.config.Log.Warnf("Please update the configuration for plugin %s, type is a reserved configuration name", pluginName)
+			continue
+		}
+
 		secureConfig, err := pb.GetSecureConfig(checksum)
 		if err != nil {
 			s.config.Log.Warnf("Error while trying to create secure config for plugin %s", pluginName)