Add jenkins conjur plugin test

h-artzi commented 4 years ago

Is your feature request related to a problem? Please describe.

I would like to see automated tests for the Jenkins conjur plugin because it will ensure that as the appliance is upgraded, the plugin continues to work.

Describe the solution you would like

Container running DAP
A container running Jenkins. Jenkins should run a job which gets a secret

Describe alternatives you have considered

N/A

Steps taken to test manually

1. Reference jenkins_plugin branch

run ./start in jenkins_plugin_test
This will start a dap instance

In a new tab run docker-compose up Jenkins Note: I recommend having the UI open in a browser. DAP: https://localhost, username: admin, password: MySecretP@ss1 Jenkins: http://localhost:8080, admin_password will be found in the logs

jenkins_1  | Jenkins initial setup is required. An admin user has been created and a password generated.
jenkins_1  | Please use the following password to proceed to installation:
jenkins_1  |
jenkins_1  | <password>
jenkins_1  |
jenkins_1  | This may also be found at: /var/jenkins_home/secrets/initialAdminPassword

Follow the prompts in the UI to create a new user or continue as admin.

2. Upload policies to DAP

$ ./cli conjur policy load --replace root policy/users.yml
$ ./cli conjur policy load root policy/policy.yml
$ ./cli conjur policy load staging policy/apps/myapp.yml
$ ./cli conjur policy load production policy/apps/myapp.yml
$ ./cli conjur policy load root policy/application_grants.yml
$ ./cli conjur policy load root policy/hosts.yml

Save the api_key from

➜  jenkins_plugin_test git:(jenkins_plugin) ✗ ./cli conjur policy load root policy/hosts.yml
Logged in
Loaded policy 'root'
{
  "created_roles": {
    "demo:host:test-host-1": {
      "id": "demo:host:test-host-1",
      "api_key": <api_key>
    }
  },
  "version": 4
}

Setting a Variable

./cli conjur variable values add production/myapp/database/username my-username

3. Download the plugin from jenkin-conjur-plugin

OR

git clone {repo}
cd conjur-credentials-plugin
mvn install -DskipTests

This must be uploaded into the Jenkins container:

Option 1:

via the UI (run on the host)(Jenkins -> Manage Jenkins -> Manage Plugins -> Advanced and then go to upload)

Option 2:

docker cp ./conjur-credentials.hpi jenkins_plugin_test_conjur_1:/var/jenkins_home/plugins (not tested)

Restart Jenkins by going to http://localhost:8080/restart and press yes

4. Enter the Jenkins container and download the SSL certificates from DAP

Note: The next steps must be executed by root in the Jenkins container. One way to log in to the Jenkins container as root is by executing docker exec --user 0 -it <docker_id> /bin/bash from your host

execute openssl s_client -showcerts -connect jenkins_plugin_test_conjur_1:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
cat conjur.pem to ensure certificate was retrieved
keytool -import -alias conjur -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -file ./conjur.pem. There will be a prompt: do you trust this certificate? enter y and then it will prompt for a password. The password for the keystore is changeit

5. Setup Jenkins

Set authn credentials for test-host-1. ( Credential Kind: "username with password") The password is the api_key that was saved in step 3.

Screen Shot 2020-04-29 at 5 58 53 PM

Set Conjur Appliance Go to http://localhost:8080/configure and then scroll down till you reach the section titled Conjur Appliance
Set Conjur Secret by adding credential (Credential Kind: "Conjur Secret Credential")

6. Create a Freestyle job

go to http://localhost:8080/view/all/newJob Choose your Conjur Authn Credential Check the Use secret text(s) or file(s) box in Build Environment and add a Conjur Secret Credential Binding Add build step (shell) Then Save the job

7. Run the job and go to Console Output

Screen Shot 2020-04-29 at 6 21 08 PM

izgeri commented 4 years ago

do we already have integration tests like this in this project? I would not have known to look here when trying to understand integration test coverage, and I'm not sure @andytinkham would either.

is there a better place for these kinds of e2e tests to live? we're running into similar questions for k8s e2e tests too - in that case, we've decided a demo repo is definitely not the place for these tests, but we haven't decided on next steps yet.

h-artzi commented 4 years ago

We currently do not have integration tests like this in dap-intro. When I talked to Jason we decided it would be best to assign these tickets to dap-intro (in the meantime). However, we did not discuss where the tests would end up.

izgeri commented 4 years ago

It's worth noting also that the Jenkins plugin is in the process of migrating to be an official Jenkins plugin here: https://github.com/jenkinsci/conjur-credentials-plugin

In addition:

@andrewcopeland has some existing tests in his own github for the Jenkins integration, and is looking into adding additional automation flows for Jenkins right now too.
@JfcAtCyberArk recently built some automations scripts for Jenkins that we may be able to leverage, that:
- creates Jenkins "username/password" credentials to store DAP identity for any hosts flagged as Jenkins (using annotations)
- creates Jenkins "Conjur secrets" credentials that reference DAP variables an identity (server based or folder based) has access to
- creates a Jenkins validation job to validate the integration between DAP and Jenkins is successful

conjurdemos / conjur-intro