From 60f0479559556cda25d097e38978f515226f1c3b Mon Sep 17 00:00:00 2001 From: Mahesh Shetty Date: Thu, 29 Aug 2024 15:16:32 +0530 Subject: [PATCH] [GSS] Test secrets are not exposed in Noobaa (#10213) Signed-off-by: Mahesh Shetty --- ocs_ci/helpers/helpers.py | 24 ++++++++++ ocs_ci/ocs/constants.py | 3 ++ ocs_ci/ocs/resources/storage_cluster.py | 8 ---- ...t_noobaa_db_cleartext_postgres_password.py | 48 +++++++++++++++++-- .../object/mcg/test_noobaa_secret.py | 37 +++++++++++++- 5 files changed, 108 insertions(+), 12 deletions(-) diff --git a/ocs_ci/helpers/helpers.py b/ocs_ci/helpers/helpers.py index 3d7c2b69766..88008f64733 100644 --- a/ocs_ci/helpers/helpers.py +++ b/ocs_ci/helpers/helpers.py @@ -4492,6 +4492,30 @@ def get_s3_credentials_from_secret(secret_name): return access_key, secret_key +def get_noobaa_db_credentials_from_secret(): + """ + Get credentials details i.e., user and password + from noobaa-db secret + + Returns: + user_name: Username for the db + password: Password for the db + + """ + ocp_secret_obj = OCP( + kind=constants.SECRET, namespace=config.ENV_DATA["cluster_namespace"] + ) + nb_db_secret = ocp_secret_obj.get(resource_name=constants.NOOBAA_DB_SECRET) + + base64_user_name = nb_db_secret["data"]["user"] + base64_password = nb_db_secret["data"]["password"] + + user_name = base64.b64decode(base64_user_name).decode("utf-8") + password = base64.b64decode(base64_password).decode("utf-8") + + return user_name, password + + def verify_pvc_size(pod_obj, expected_size): """ Verify PVC size is as expected or not. diff --git a/ocs_ci/ocs/constants.py b/ocs_ci/ocs/constants.py index 04ef93ed743..e62a965ffaa 100644 --- a/ocs_ci/ocs/constants.py +++ b/ocs_ci/ocs/constants.py @@ -555,6 +555,9 @@ NOOBAA_DB_STATEFULSET = "noobaa-db-pg" NOOBAA_CORE_STATEFULSET = "noobaa-core" +# Noobaa db secret +NOOBAA_DB_SECRET = "noobaa-db" + # Auth Yaml OCSCI_DATA_BUCKET = "ocs-ci-data" AUTHYAML = "auth.yaml" 
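Review bot: The docstring on the new `get_noobaa_db_credentials_from_secret` should state that it hands back the live noobaa-db password as clear text, because the tests added in this same patch go on to interpolate matching log lines into assertion messages; add `Note: the password is returned in clear text - never log it or embed it in assertion messages.` under the Returns section. The return shape is also better stated in one line, `Returns: tuple: (user_name, password), decoded from the 'user' and 'password' data keys of the noobaa-db secret`. A missing data key raises KeyError from the subscript on `nb_db_secret["data"]`, which is acceptable for a test helper but worth one sentence in the docstring so callers know there is no fallback. This assumes `base64` is already imported at the top of helpers.py, which is outside this hunk.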
diff --git a/ocs_ci/ocs/resources/storage_cluster.py b/ocs_ci/ocs/resources/storage_cluster.py index ff6ca3d84bb..70566fbcddd 100644 --- a/ocs_ci/ocs/resources/storage_cluster.py +++ b/ocs_ci/ocs/resources/storage_cluster.py @@ -78,7 +78,6 @@ from ocs_ci.utility.utils import run_cmd, TimeoutSampler, convert_device_size from ocs_ci.utility.decorators import switch_to_orig_index_at_last from ocs_ci.helpers.helpers import storagecluster_independent_check -from ocs_ci.deployment.helpers.mcg_helpers import check_if_mcg_root_secret_public log = logging.getLogger(__name__) @@ -783,13 +782,6 @@ def ocs_install_verification( ): validate_serviceexport() - # check that noobaa root secrets are not public - if not (client_cluster or managed_service): - assert ( - check_if_mcg_root_secret_public() is False - ), "Seems like MCG root secrets are public, please check" - log.info("Noobaa root secrets are not public") - # Verify the owner of CSI deployments and daemonsets csi_owner_kind = constants.CONFIGMAP if hci_cluster else constants.DEPLOYMENT csi_owner_name = ( diff --git a/tests/functional/object/mcg/test_noobaa_db_cleartext_postgres_password.py b/tests/functional/object/mcg/test_noobaa_db_cleartext_postgres_password.py index 0f26415caad..9484e1102a6 100644 --- a/tests/functional/object/mcg/test_noobaa_db_cleartext_postgres_password.py +++ b/tests/functional/object/mcg/test_noobaa_db_cleartext_postgres_password.py @@ -3,12 +3,15 @@ from ocs_ci.framework.testlib import tier2, BaseTest, bugzilla, polarion_id from ocs_ci.framework.pytest_customization.marks import red_squad, mcg from ocs_ci.framework import config +from ocs_ci.helpers.helpers import get_noobaa_db_credentials_from_secret from ocs_ci.ocs.resources import pod - +from ocs_ci.ocs.resources.pod import search_pattern_in_pod_logs log = logging.getLogger(__name__) +@mcg +@red_squad @tier2 class TestNoobaaSecurity(BaseTest): """ 
@@ -16,8 +19,6 @@ class TestNoobaaSecurity(BaseTest): """ - @mcg - @red_squad @bugzilla("2274193") @polarion_id("OCS-5787") def test_noobaa_db_cleartext_postgres_password(self): @@ -43,3 +44,44 @@ def test_noobaa_db_cleartext_postgres_password(self): assert ( "set=password" not in nooobaa_db_pod_logs ), f"noobaa-db pod logs include password logs:{nooobaa_db_pod_logs}" + + @bugzilla("2240778") + @polarion_id("OCS-6183") + def test_nb_db_password_in_core_and_endpoint(self): + """ + Verify that postgres password is not exposed in + noobaa core and endpoint logs + + 1. Get the noobaa core log + 2. Get the noobaa endpoint log + 3. Verify postgres password doesnt exist in the endpoint and core logs + + """ + # get the noobaa db password + _, noobaa_db_password = get_noobaa_db_credentials_from_secret() + + # get noobaa core log and verify that the password is not + # present in the log + filtered_log = search_pattern_in_pod_logs( + pod_name=pod.get_noobaa_core_pod().name, + pattern=noobaa_db_password, + ) + assert ( + len(filtered_log) == 0 + ), f"Noobaa db password seems to be present in the noobaa core logs:\n{filtered_log}" + log.info( + "Verified that noobaa db password is not present in the noobaa core log." + ) + + # get noobaa endpoint log and verify that the password is not + # present in the log + filtered_log = search_pattern_in_pod_logs( + pod_name=pod.get_noobaa_endpoint_pods()[0].name, + pattern=noobaa_db_password, + ) + assert ( + len(filtered_log) == 0 + ), f"Noobaa db password seems to be present in the noobaa endpoint logs:\n{filtered_log}" + log.info( + "Verified that noobaa db password is not present in the noobaa endpoint log." + ) diff --git a/tests/functional/object/mcg/test_noobaa_secret.py b/tests/functional/object/mcg/test_noobaa_secret.py index b4996b010d1..d149e3078fa 100644 --- a/tests/functional/object/mcg/test_noobaa_secret.py +++ b/tests/functional/object/mcg/test_noobaa_secret.py 
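Review bot: Both assertion messages in `test_nb_db_password_in_core_and_endpoint` interpolate `filtered_log`, which by construction holds the log lines containing the database password, so a failing run writes the secret into the pytest report and CI artifacts, the very exposure the test is meant to catch; report only the match count and the pod name. The endpoint check also inspects `pod.get_noobaa_endpoint_pods()[0]` alone, so with several endpoint replicas a leak in any other pod goes unnoticed; loop over the core pod and every endpoint pod instead. If `search_pattern_in_pod_logs` treats `pattern` as a regular expression, as the `re.findall` reuse of the same pattern in test_noobaa_secret.py suggests, a password containing metacharacters such as `.` or `+` would need `re.escape` so the search does not silently miss it; I have not verified the helper's semantics. Only the current container log is searched, so a leak that happened before a pod restart would not be seen.

```python
    # get the noobaa db password
    _, noobaa_db_password = get_noobaa_db_credentials_from_secret()

    # check the core pod and every endpoint pod, not only the first endpoint
    for nb_pod in [pod.get_noobaa_core_pod(), *pod.get_noobaa_endpoint_pods()]:
        filtered_log = search_pattern_in_pod_logs(
            pod_name=nb_pod.name,
            pattern=noobaa_db_password,
        )
        # report only the count: the matching lines contain the secret itself
        assert not filtered_log, (
            f"Noobaa db password seems to be present in {len(filtered_log)} "
            f"line(s) of the {nb_pod.name} logs"
        )
        log.info(
            "Verified that noobaa db password is not present in the %s log.",
            nb_pod.name,
        )
```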
@@ -1,8 +1,14 @@ +import re + import pytest import json import logging import boto3 +from ocs_ci.ocs.resources.pod import ( + get_noobaa_operator_pod, + search_pattern_in_pod_logs, +) from ocs_ci.utility import templating from ocs_ci.ocs import constants from ocs_ci.ocs.resources.backingstore import BackingStore @@ -19,6 +25,7 @@ runs_on_provider, mcg, post_upgrade, + tier1, ) from ocs_ci.ocs.exceptions import CommandFailed from ocs_ci.utility.aws import update_config_from_s3 @@ -343,7 +350,7 @@ def test_noobaa_secret_deletion_method2(self, teardown_factory, mcg_obj, cleanup @bugzilla("2219522") @polarion_id("OCS-5205") @runs_on_provider -@tier2 +@tier1 def test_noobaa_root_secret(): """ This test verifies if the noobaa root secret is publicly @@ -355,3 +362,31 @@ def test_noobaa_root_secret(): check_if_mcg_root_secret_public() is False ), "Seems like MCG root secrets are exposed publicly, please check" logger.info("MCG root secrets are not exposed to public") + + +@mcg +@red_squad +@tier1 +@bugzilla("2277186") +@polarion_id("OCS-6184") +def test_operator_logs_for_secret(): + """ + This test verifies if secrets are exposed + in noobaa operator logs + + """ + + # get the noobaa operator logs filtered + pattern = r"Identity:\S+ Secret:\S+" + filtered_log = search_pattern_in_pod_logs( + pod_name=get_noobaa_operator_pod().name, pattern=pattern + ) + + # check if secrets are exposed in the noobaa operator logs + for log_line in filtered_log: + matches = re.findall(pattern, log_line) + for match in matches: + assert ( + match == "Identity:**** Secret:****" + ), f"Looks like secrets are exposed in the noobaa operator logs. {match}" + logger.info("Secrets are not exposed in the operator logs")
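Review bot: The failure message in `test_operator_logs_for_secret` embeds `match`, which on failure is exactly the unmasked `Identity:... Secret:...` pair, so a failed run copies the credential into the pytest output and CI logs; change it to `), "Looks like secrets are exposed in the noobaa operator logs: an unmasked Identity:/Secret: pair was found"` and log nothing beyond a count. The test also passes vacuously when `filtered_log` is empty, which cannot distinguish a properly masked log from an operator that changed its log format or did not emit that line in this run; at minimum `logger.info("Inspected %d operator log lines matching the Identity/Secret pattern", len(filtered_log))` makes that visible, and a stricter `assert filtered_log` is justified only if the operator is known to always log that line. Because `\S+` is greedy, a masked value followed by punctuation, for example `Secret:****,`, would fail the equality even though nothing leaked; stripping trailing punctuation from the match or tightening the pattern avoids that false positive. Only the current container log of `get_noobaa_operator_pod()` is searched, so a leak before a pod restart would not be caught.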