Merge pull request #1 from iden3/integration_tests

Integration tests

.github/workflows/integration_tests.yml

@@ -0,0 +1,59 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    container:
+      image: golang:1.18.3-alpine3.16
+      volumes:
+        - vault_plugins:/vault/plugins
+    env:
+      VAULT_TOKEN: vaultpwd
+      VAULT_ADDR: http://vault:8200
+      VAULT_BJJ_PATH: bjj
+
+    steps:
+      - run: apk add --update-cache openssl curl build-base
+
+      - uses: actions/checkout@v3
+
+      - run: go build -o /vault/plugins/vault-plugin-secrets-bjj
+        working-directory: cmd/vault-plugin-secrets-bjj
+
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            /go/pkg/mod
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - run: >
+          export PLUGIN_SHA256=`openssl dgst -r -sha256 /vault/plugins/vault-plugin-secrets-bjj | awk '{print $1}'` &&
+          curl -X PUT --fail -i -H "X-Vault-Token: ${VAULT_TOKEN}"
+          -d "{\"type\":0,\"command\":\"vault-plugin-secrets-bjj\",\"sha256\":\"${PLUGIN_SHA256}\"}"
+          ${VAULT_ADDR}/v1/sys/plugins/catalog/vault-plugin-secrets-bjj
+      - run: >
+          curl -X POST --fail -s -H "X-Vault-Token: ${VAULT_TOKEN}" 
+          -d '{"type":"vault-plugin-secrets-bjj","description":"","config":{"options":null,"default_lease_ttl":"0s","max_lease_ttl":"0s","force_no_cache":false},"local":false,"seal_wrap":false,"external_entropy_access":false,"options":null}'
+          ${VAULT_ADDR}/v1/sys/mounts/${VAULT_BJJ_PATH}
+
+      - run: go test -v -race -timeout=60s ./...
+
+    services:
+      vault:
+        image: vault:1.10.3
+        ports:
+          - 8200:8200
+        volumes:
+          - vault_plugins:/vault/plugins
+        env:
+          SKIP_SETCAP: true
+          VAULT_DEV_ROOT_TOKEN_ID: vaultpwd
+          VAULT_LOCAL_CONFIG: '{"plugin_directory": "/vault/plugins"}'

go.mod

@@ -8,12 +8,14 @@ require (
 	github.com/hashicorp/vault/api v1.3.0
 	github.com/hashicorp/vault/sdk v0.3.1-0.20220112143259-b48602fdb885
 	github.com/iden3/go-iden3-crypto v0.0.13
+	github.com/stretchr/testify v1.7.0
 )
 
 require (
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dchest/blake512 v1.0.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.5.0 // indirect
 	github.com/fatih/color v1.7.0 // indirect
@@ -46,6 +48,7 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 // indirect
@@ -57,4 +60,5 @@ require (
 	google.golang.org/grpc v1.41.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )

go.sum

@@ -339,6 +339,7 @@ google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+Rur
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

main_test.go

@@ -0,0 +1,194 @@
+package vault_plugin_secrets_bjj
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"math/big"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/iden3/go-iden3-crypto/babyjub"
+	"github.com/iden3/go-iden3-crypto/utils"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	keyDest      = "dest"
+	keyPublicKey = "public_key"
+	keyData      = "data"
+	keySignature = "signature"
+)
+
+func newVaultClient(t testing.TB) (vaultCli *api.Client, mountPath string) {
+	vaultAddr := os.Getenv("VAULT_ADDR")
+	if vaultAddr == "" {
+		t.Skip("vault address is not configured")
+	}
+	vaultToken := os.Getenv("VAULT_TOKEN")
+	if vaultToken == "" {
+		t.Skip("vault token is not configured")
+	}
+
+	mountPath = os.Getenv("VAULT_BJJ_PATH")
+	if mountPath == "" {
+		t.Skip("BJJ plugin mount path is not set")
+	}
+
+	config := api.DefaultConfig()
+	config.Address = vaultAddr
+
+	var err error
+	vaultCli, err = api.NewClient(config)
+	require.NoError(t, err)
+
+	vaultCli.SetToken(vaultToken)
+
+	return
+}
+
+// create random key in vault and return path to it
+func newRandomBJJKey(t testing.TB, vaultCli *api.Client, keyPath string,
+	extraData map[string]interface{}) {
+
+	rndKeyPath := path.Join(keyPath, "random")
+	_, err := vaultCli.Logical().Write(rndKeyPath, extraData)
+	require.NoError(t, err)
+}
+
+func getSecretData(secret *api.Secret) map[string]interface{} {
+	if secret == nil {
+		panic("secret is nil")
+	}
+
+	if secret.Data == nil {
+		panic("secret data is nil")
+	}
+
+	return secret.Data
+}
+
+func getPublicKey(t testing.TB, vaultCli *api.Client, keyPath string) string {
+	requestPath := path.Join(keyPath, "public")
+	secret, err := vaultCli.Logical().Read(requestPath)
+	if err != nil {
+		panic(err)
+	}
+
+	data := getSecretData(secret)
+
+	pubKeyStr, ok := data[keyPublicKey].(string)
+	if !ok {
+		panic("unable to get public key from secret")
+	}
+
+	return pubKeyStr
+}
+
+func randomKeyPath(basePath string) string {
+	var rnd [16]byte
+	_, err := rand.Read(rnd[:])
+	if err != nil {
+		panic(err)
+	}
+
+	return path.Join(basePath, hex.EncodeToString(rnd[:]))
+}
+
+// move bjj key under new path
+func signBJJKey(vaultCli *api.Client, keyPath string,
+	dataToSign []byte) []byte {
+
+	dataStr := hex.EncodeToString(dataToSign)
+	data := map[string][]string{keyData: {dataStr}}
+	requestPath := path.Join(keyPath, "sign")
+	secret, err := vaultCli.Logical().ReadWithData(requestPath, data)
+	if err != nil {
+		panic(err)
+	}
+	data2 := getSecretData(secret)
+	sigStr, ok := data2[keySignature].(string)
+	if !ok {
+		panic("unable to get signature from secret")
+	}
+	sig, err := hex.DecodeString(sigStr)
+	if err != nil {
+		panic(err)
+	}
+	return sig
+}
+
+// move bjj key under new path
+func moveBJJKey(vaultCli *api.Client, oldPath, newPath string) {
+	data := map[string]interface{}{keyDest: newPath}
+	requestPath := path.Join(oldPath, "move")
+	_, err := vaultCli.Logical().Write(requestPath, data)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func dataAtPath(t testing.TB, vaultCli *api.Client,
+	keyPath string) map[string]interface{} {
+
+	secret, err := vaultCli.Logical().Read(keyPath)
+	require.NoError(t, err)
+	if secret == nil {
+		return nil
+	}
+	return getSecretData(secret)
+}
+
+func TestBJJPlugin(t *testing.T) {
+	vaultCli, mountPath := newVaultClient(t)
+
+	// register callback to delete key
+	rmKey := func(keyPath string) {
+		t.Cleanup(func() {
+			_, err := vaultCli.Logical().Delete(keyPath)
+			if err != nil {
+				t.Error(err)
+			}
+		})
+	}
+
+	keyPath := randomKeyPath(mountPath)
+	newRandomBJJKey(t, vaultCli, keyPath,
+		map[string]interface{}{"extra_key": "value"})
+	rmKey(keyPath)
+
+	secData := dataAtPath(t, vaultCli, keyPath)
+	require.Equal(t, "value", secData["extra_key"])
+
+	var privKey babyjub.PrivateKey
+	privKeyStr, err := hex.DecodeString(secData["key_data"].(string))
+	require.NoError(t, err)
+	copy(privKey[:], privKeyStr)
+	pubKey1Comp := privKey.Public().Compress()
+
+	pubKey2Str := getPublicKey(t, vaultCli, keyPath)
+	var pubKey2Comp babyjub.PublicKeyComp
+	pubKey2Bytes, err := hex.DecodeString(pubKey2Str)
+	require.NoError(t, err)
+	copy(pubKey2Comp[:], pubKey2Bytes)
+
+	require.Equal(t, pubKey1Comp, pubKey2Comp)
+
+	// Test sign
+	nonce := big.NewInt(100500)
+	nonceBytes := utils.SwapEndianness(nonce.Bytes())
+	sig1 := privKey.SignPoseidon(nonce).Compress()
+	sig2Bytes := signBJJKey(vaultCli, keyPath, nonceBytes)
+	var sig2 babyjub.SignatureComp
+	copy(sig2[:], sig2Bytes)
+	require.Equal(t, sig1, sig2)
+
+	// Test moving
+	newKeyPath := randomKeyPath(mountPath)
+	moveBJJKey(vaultCli, keyPath, newKeyPath)
+	newSecData := dataAtPath(t, vaultCli, newKeyPath)
+	require.Equal(t, secData, newSecData)
+
+	require.Nil(t, dataAtPath(t, vaultCli, keyPath))
+}