[GSS] Test secrets are not exposed in Noobaa (#10213)

Signed-off-by: Mahesh Shetty <[email protected]>
red-hat-storage · Aug 29, 2024 · 60f0479 · 60f0479
1 parent 3419ffc
commit 60f0479
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 12 deletions.
diff --git a/ocs_ci/helpers/helpers.py b/ocs_ci/helpers/helpers.py
@@ -4492,6 +4492,30 @@ def get_s3_credentials_from_secret(secret_name):
     return access_key, secret_key
 
 
+def get_noobaa_db_credentials_from_secret():
+    """
+    Get credentials details i.e., user and password
+    from noobaa-db secret
+
+    Returns:
+        user_name: Username for the db
+        password: Password for the db
+
+    """
+    ocp_secret_obj = OCP(
+        kind=constants.SECRET, namespace=config.ENV_DATA["cluster_namespace"]
+    )
+    nb_db_secret = ocp_secret_obj.get(resource_name=constants.NOOBAA_DB_SECRET)
+
+    base64_user_name = nb_db_secret["data"]["user"]
+    base64_password = nb_db_secret["data"]["password"]
+
+    user_name = base64.b64decode(base64_user_name).decode("utf-8")
+    password = base64.b64decode(base64_password).decode("utf-8")
+
+    return user_name, password
+
+
 def verify_pvc_size(pod_obj, expected_size):
     """
     Verify PVC size is as expected or not.

diff --git a/ocs_ci/ocs/constants.py b/ocs_ci/ocs/constants.py
@@ -555,6 +555,9 @@
 NOOBAA_DB_STATEFULSET = "noobaa-db-pg"
 NOOBAA_CORE_STATEFULSET = "noobaa-core"
 
+# Noobaa db secret
+NOOBAA_DB_SECRET = "noobaa-db"
+
 # Auth Yaml
 OCSCI_DATA_BUCKET = "ocs-ci-data"
 AUTHYAML = "auth.yaml"

diff --git a/ocs_ci/ocs/resources/storage_cluster.py b/ocs_ci/ocs/resources/storage_cluster.py
@@ -78,7 +78,6 @@
 from ocs_ci.utility.utils import run_cmd, TimeoutSampler, convert_device_size
 from ocs_ci.utility.decorators import switch_to_orig_index_at_last
 from ocs_ci.helpers.helpers import storagecluster_independent_check
-from ocs_ci.deployment.helpers.mcg_helpers import check_if_mcg_root_secret_public
 
 log = logging.getLogger(__name__)
 
@@ -783,13 +782,6 @@ def ocs_install_verification(
     ):
         validate_serviceexport()
 
-    # check that noobaa root secrets are not public
-    if not (client_cluster or managed_service):
-        assert (
-            check_if_mcg_root_secret_public() is False
-        ), "Seems like MCG root secrets are public, please check"
-        log.info("Noobaa root secrets are not public")
-
     # Verify the owner of CSI deployments and daemonsets
     csi_owner_kind = constants.CONFIGMAP if hci_cluster else constants.DEPLOYMENT
     csi_owner_name = (

diff --git a/tests/functional/object/mcg/test_noobaa_db_cleartext_postgres_password.py b/tests/functional/object/mcg/test_noobaa_db_cleartext_postgres_password.py
@@ -3,21 +3,22 @@
 from ocs_ci.framework.testlib import tier2, BaseTest, bugzilla, polarion_id
 from ocs_ci.framework.pytest_customization.marks import red_squad, mcg
 from ocs_ci.framework import config
+from ocs_ci.helpers.helpers import get_noobaa_db_credentials_from_secret
 from ocs_ci.ocs.resources import pod
-
+from ocs_ci.ocs.resources.pod import search_pattern_in_pod_logs
 
 log = logging.getLogger(__name__)
 
 
+@mcg
+@red_squad
 @tier2
 class TestNoobaaSecurity(BaseTest):
     """
     Test Noobaa Security
 
     """
 
-    @mcg
-    @red_squad
     @bugzilla("2274193")
     @polarion_id("OCS-5787")
     def test_noobaa_db_cleartext_postgres_password(self):
@@ -43,3 +44,44 @@ def test_noobaa_db_cleartext_postgres_password(self):
         assert (
             "set=password" not in nooobaa_db_pod_logs
         ), f"noobaa-db pod logs include password logs:{nooobaa_db_pod_logs}"
+
+    @bugzilla("2240778")
+    @polarion_id("OCS-6183")
+    def test_nb_db_password_in_core_and_endpoint(self):
+        """
+        Verify that postgres password is not exposed in
+        noobaa core and endpoint logs
+
+        1. Get the noobaa core log
+        2. Get the noobaa endpoint log
+        3. Verify postgres password doesnt exist in the endpoint and core logs
+
+        """
+        # get the noobaa db password
+        _, noobaa_db_password = get_noobaa_db_credentials_from_secret()
+
+        # get noobaa core log and verify that the password is not
+        # present in the log
+        filtered_log = search_pattern_in_pod_logs(
+            pod_name=pod.get_noobaa_core_pod().name,
+            pattern=noobaa_db_password,
+        )
+        assert (
+            len(filtered_log) == 0
+        ), f"Noobaa db password seems to be present in the noobaa core logs:\n{filtered_log}"
+        log.info(
+            "Verified that noobaa db password is not present in the noobaa core log."
+        )
+
+        # get noobaa endpoint log and verify that the password is not
+        # present in the log
+        filtered_log = search_pattern_in_pod_logs(
+            pod_name=pod.get_noobaa_endpoint_pods()[0].name,
+            pattern=noobaa_db_password,
+        )
+        assert (
+            len(filtered_log) == 0
+        ), f"Noobaa db password seems to be present in the noobaa endpoint logs:\n{filtered_log}"
+        log.info(
+            "Verified that noobaa db password is not present in the noobaa endpoint log."
+        )
diff --git a/tests/functional/object/mcg/test_noobaa_secret.py b/tests/functional/object/mcg/test_noobaa_secret.py
@@ -1,8 +1,14 @@
+import re
+
 import pytest
 import json
 import logging
 import boto3
 
+from ocs_ci.ocs.resources.pod import (
+    get_noobaa_operator_pod,
+    search_pattern_in_pod_logs,
+)
 from ocs_ci.utility import templating
 from ocs_ci.ocs import constants
 from ocs_ci.ocs.resources.backingstore import BackingStore
@@ -19,6 +25,7 @@
     runs_on_provider,
     mcg,
     post_upgrade,
+    tier1,
 )
 from ocs_ci.ocs.exceptions import CommandFailed
 from ocs_ci.utility.aws import update_config_from_s3
@@ -343,7 +350,7 @@ def test_noobaa_secret_deletion_method2(self, teardown_factory, mcg_obj, cleanup
 @bugzilla("2219522")
 @polarion_id("OCS-5205")
 @runs_on_provider
-@tier2
+@tier1
 def test_noobaa_root_secret():
     """
     This test verifies if the noobaa root secret is publicly
@@ -355,3 +362,31 @@ def test_noobaa_root_secret():
         check_if_mcg_root_secret_public() is False
     ), "Seems like MCG root secrets are exposed publicly, please check"
     logger.info("MCG root secrets are not exposed to public")
+
+
+@mcg
+@red_squad
+@tier1
+@bugzilla("2277186")
+@polarion_id("OCS-6184")
+def test_operator_logs_for_secret():
+    """
+    This test verifies if secrets are exposed
+    in noobaa operator logs
+
+    """
+
+    # get the noobaa operator logs filtered
+    pattern = r"Identity:\S+ Secret:\S+"
+    filtered_log = search_pattern_in_pod_logs(
+        pod_name=get_noobaa_operator_pod().name, pattern=pattern
+    )
+
+    # check if secrets are exposed in the noobaa operator logs
+    for log_line in filtered_log:
+        matches = re.findall(pattern, log_line)
+        for match in matches:
+            assert (
+                match == "Identity:**** Secret:****"
+            ), f"Looks like secrets are exposed in the noobaa operator logs. {match}"
+    logger.info("Secrets are not exposed in the operator logs")