Credhub tests (#234)

* Service broker that returns credhub credential

- Mock out most of the endpoints for open service broker
- For bind call credhub with mtls and set json credential
- bind to app returns 'credhub-ref'
- mock service broker gives mock app read and delete access

[#149254515] Create a dummy service broker that integrates with CredHub

Signed-off-by: Kelly Gerritz <[email protected]>
Signed-off-by: Isobel Redelmeier <[email protected]>

* Add java application to test credhub connection

  -uses Spring credhub connector to interpolate VCAP_SERVICES data and
  extract relevant credential from Credhub provided data
  - cleanup endpoint to remove test credentials
[#149254561] Create an app that uses dummy service broker and retrieves credentials from credhub

Signed-off-by: Edie Beer <[email protected]>

* wip test runner for credhub enabled broker-application integration

* Added support for CredHub in CATS

- Modified asset apps to clean up credhub after themselves

[#148365991] Users of CATS should validate that CredHub is running

Signed-off-by: Kelly Gerritz <[email protected]>

* Removed call to /cleanup endpoint

This functionality was moved to the unbind() of the service broker.

[#148365991] Users of CATS should validate that CredHub is running

Signed-off-by: Phil Goodwin <[email protected]>

.gitignore

@@ -7,4 +7,6 @@ results
 .DS_Store
 logs
 assets/*/.bundle
-assets/catnip/bin
+assets/catnip/bin
+assets/credhub-enabled-app/build
+assets/credhub-enabled-app/.gradle

README.md

@@ -124,6 +124,7 @@ cat > integration_config.json <<EOF
   "include_apps": true,
   "include_backend_compatibility": false,
   "include_container_networking": false,
+  "include_credhub" : false,
   "include_detect": true,
   "include_docker": false,
   "include_internet_dependent": false,
@@ -170,6 +171,7 @@ include_routing
   `include_security_groups` must also be set for tests to run.
   The [network-policy plugin][networking-releases] is required to run these tests.
   See setup section for instructions.
+* `include_credhub`: Flag to include tests for CredHub-delivered Secure Service Credentials. [CredHub configuration][credhub-secure-service-credentials] is required to run these tests.
 * `include_detect`: Flag to include tests in the detect group.
 * `include_docker`: Flag to include tests related to running Docker apps on Diego. Diego must be deployed and the CC API docker_diego feature flag must be enabled for these tests to pass.
 * `include_internet_dependent`: Flag to include tests that require the deployment to have internet access.
@@ -349,6 +351,7 @@ Test Group Name| Compatible Backend | Description
 `v3`| Diego| This test group contains tests for the next-generation v3 Cloud Controller API.  As of this writing, the v3 API is not officially supported.
 `isolation_segments` | Diego | This test group requires that Diego be deployed with a minimum of 2 cells. One of those cells must have been deployed with a `placement_tag`. If the deployment has been deployed with a routing isolation segment, `isolation_segment_domain` must also be set.
 `routing_isolation_segments` | Diego | This group tests that requests to isolated apps are only routed through isolated routers, and vice versa. It requires all of the setup for the isolation segments test suite. Additionally, a minimum of two Gorouter instances must be deployed. One instance must be configured with the property `routing_table_sharding_mode: shared-and-segments`. The other instance must have the properties `routing_table_sharding_mode: segments` and `isolation_segments: [YOUR_PLACEMENT_TAG_HERE]`. The `isolation_segment_name` in the CATs properties must match the `placement_tag` and `isolation_segment`.`isolation_segment_domain` must be set and traffic to that domain should go to the isolated router. CF deployment must also be updated with the property `properties.cc.diego.temporary_local_apps: true`.
+`credhub`|Diego|Tests CredHub-delivered Secure Service credentials in the service binding. [CredHub configuration][credhub-secure-service-credentials] is required to run these tests.
 
 ## Contributing
 
@@ -405,3 +408,4 @@ unless the test specifically needs to use a buildpack name or URL specific to th
 1. If you add a test that is unsupported on a particular backend, add a ginkgo Skip() in an if Config.Backend != "your_backend" {} clause, [see Ginkgo's skip](https://onsi.github.io/ginkgo/#the-spec-runner).
 
 [networking-releases]: https://github.com/cloudfoundry-incubator/cf-networking-release/releases
+[credhub-secure-service-credentials]: https://github.com/pivotal-cf/credhub-release/blob/master/docs/secure-service-credentials.md

assets/credhub-enabled-app/build.gradle

@@ -0,0 +1,49 @@
+
+description = 'CredHub Enabled App'
+
+buildscript {
+    ext {
+        springBootVersion = "1.5.4.RELEASE"
+    }
+
+    dependencies {
+        classpath 'org.springframework.build.gradle:propdeps-plugin:0.0.7'
+        classpath 'io.spring.gradle:spring-io-plugin:0.0.7.RELEASE'
+        classpath "org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}"
+    }
+
+    repositories {
+        mavenCentral()
+        maven { url "https://repo.spring.io/plugins-release" }
+    }
+}
+
+apply plugin: 'java'
+apply plugin: 'maven'
+
+apply plugin: 'propdeps'
+apply plugin: 'propdeps-maven'
+apply plugin: 'propdeps-idea'
+apply plugin: 'org.springframework.boot'
+
+dependencies {
+    compile group: 'org.springframework.credhub', name: 'spring-credhub-core', version: '1.0.0.BUILD-SNAPSHOT'
+
+    compile group: 'org.springframework.boot', name: 'spring-boot-starter-web'
+}
+
+repositories {
+    mavenCentral()
+    maven { url "https://repo.spring.io/libs-snapshot-local" }
+}
+
+springBoot {
+    backupSource = false
+}
+
+jar {
+    baseName = 'credhub-enabled-app'
+    destinationDir = file("$rootDir")
+}
+
+bootRepackage.withJarTask = jar

assets/credhub-enabled-app/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,6 @@
+#Mon Jul 31 09:36:12 EDT 2017
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-3.3-bin.zip

assets/credhub-enabled-app/gradlew

@@ -0,0 +1,172 @@
+#!/usr/bin/env sh
+
+##############################################################################
+##
+##  Gradle start up script for UN*X
+##
+##############################################################################
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+        PRG="$link"
+    else
+        PRG=`dirname "$PRG"`"/$link"
+    fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME="`pwd -P`"
+cd "$SAVED" >/dev/null
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS=""
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn ( ) {
+    echo "$*"
+}
+
+die ( ) {
+    echo
+    echo "$*"
+    echo
+    exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "`uname`" in
+  CYGWIN* )
+    cygwin=true
+    ;;
+  Darwin* )
+    darwin=true
+    ;;
+  MINGW* )
+    msys=true
+    ;;
+  NONSTOP* )
+    nonstop=true
+    ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+        JAVACMD="$JAVA_HOME/bin/java"
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD="java"
+    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+    MAX_FD_LIMIT=`ulimit -H -n`
+    if [ $? -eq 0 ] ; then
+        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+            MAX_FD="$MAX_FD_LIMIT"
+        fi
+        ulimit -n $MAX_FD
+        if [ $? -ne 0 ] ; then
+            warn "Could not set maximum file descriptor limit: $MAX_FD"
+        fi
+    else
+        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+    fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin ; then
+    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+    JAVACMD=`cygpath --unix "$JAVACMD"`
+
+    # We build the pattern for arguments to be converted via cygpath
+    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+    SEP=""
+    for dir in $ROOTDIRSRAW ; do
+        ROOTDIRS="$ROOTDIRS$SEP$dir"
+        SEP="|"
+    done
+    OURCYGPATTERN="(^($ROOTDIRS))"
+    # Add a user-defined pattern to the cygpath arguments
+    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+    fi
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    i=0
+    for arg in "$@" ; do
+        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
+
+        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
+            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+        else
+            eval `echo args$i`="\"$arg\""
+        fi
+        i=$((i+1))
+    done
+    case $i in
+        (0) set -- ;;
+        (1) set -- "$args0" ;;
+        (2) set -- "$args0" "$args1" ;;
+        (3) set -- "$args0" "$args1" "$args2" ;;
+        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+    esac
+fi
+
+# Escape application args
+save ( ) {
+    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+    echo " "
+}
+APP_ARGS=$(save "$@")
+
+# Collect all arguments for the java command, following the shell quoting and substitution rules
+eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+
+# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
+if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
+  cd "$(dirname "$0")"
+fi
+
+exec "$JAVACMD" "$@"

assets/credhub-enabled-app/src/main/java/org/credhub/Application.java

@@ -0,0 +1,14 @@
+package org.credhub;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+  public Application() {
+  }
+
+  public static void main(String[] args) {
+    SpringApplication.run(Application.class, args);
+  }
+}

assets/credhub-enabled-app/src/main/java/org/credhub/CredHubEnabledConfiguration.java

@@ -0,0 +1,12 @@
+package org.credhub;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.credhub.configuration.CredHubConfiguration;
+
+@Configuration
+@Import({CredHubConfiguration.class})
+public class CredHubEnabledConfiguration {
+  public CredHubEnabledConfiguration() {
+  }
+}

assets/credhub-enabled-app/src/main/java/org/credhub/CredHubEnabledController.java

@@ -0,0 +1,37 @@
+package org.credhub;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.credhub.core.CredHubTemplate;
+import org.springframework.credhub.support.ServicesData;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+@RestController
+public class CredHubEnabledController {
+  private CredHubTemplate credHubTemplate;
+  private ServicesData servicesData;
+
+  public CredHubEnabledController(CredHubTemplate credHubTemplate) {
+    this.credHubTemplate = credHubTemplate;
+  }
+
+  @GetMapping({"/test"})
+  public Object runTests() throws Exception {
+    String vcapServices = System.getenv("VCAP_SERVICES");
+    return ((Map)((List)this.interpolateServiceData(vcapServices).get("credhub-read")).get(0)).get("credentials");
+  }
+
+  private ServicesData interpolateServiceData(String vcapServices) throws IOException {
+    servicesData = this.buildServicesData(vcapServices);
+    return this.credHubTemplate.interpolateServiceData(servicesData);
+  }
+
+  private ServicesData buildServicesData(String vcapServices) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    return mapper.readValue(vcapServices, ServicesData.class);
+  }
+}

assets/credhub-service-broker/Gopkg.toml

@@ -0,0 +1,26 @@
+
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+
+[[constraint]]
+  name = "github.com/gorilla/mux"
+  version = "1.4.0"