github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/manager/keymanager/keymanager_test.go (about) 1 package keymanager 2 3 import ( 4 "bytes" 5 "context" 6 "testing" 7 "time" 8 9 "github.com/docker/swarmkit/api" 10 "github.com/docker/swarmkit/manager/state/store" 11 "github.com/stretchr/testify/assert" 12 ) 13 14 func createClusterSpec(name string) *api.ClusterSpec { 15 return &api.ClusterSpec{ 16 Annotations: api.Annotations{ 17 Name: name, 18 }, 19 } 20 } 21 22 func createCluster(t *testing.T, s *store.MemoryStore, id, name string) *api.Cluster { 23 spec := createClusterSpec(name) 24 25 cluster := &api.Cluster{ 26 ID: id, 27 Spec: *spec, 28 } 29 assert.NoError(t, s.Update(func(tx store.Tx) error { 30 return store.CreateCluster(tx, cluster) 31 })) 32 return cluster 33 } 34 35 // Verify the key generation and rotation for default subsystems 36 func TestKeyManagerDefaultSubsystem(t *testing.T) { 37 st := store.NewMemoryStore(nil) 38 defer st.Close() 39 createCluster(t, st, "default", store.DefaultClusterName) 40 41 k := New(st, DefaultConfig()) 42 43 ctx := context.Background() 44 go k.Run(ctx) 45 time.Sleep(250 * time.Millisecond) 46 47 // verify the number of keys allocated matches the keyring size. 48 var ( 49 clusters []*api.Cluster 50 err error 51 ) 52 k.store.View(func(readTx store.ReadTx) { 53 clusters, err = store.FindClusters(readTx, store.ByName(k.config.ClusterName)) 54 }) 55 56 assert.NoError(t, err) 57 assert.Equal(t, len(clusters[0].NetworkBootstrapKeys), len(k.config.Subsystems)*keyringSize) 58 59 key1 := clusters[0].NetworkBootstrapKeys[0].Key 60 61 k.rotateKey(ctx) 62 63 // verify that after a rotation oldest key has been removed from the keyring 64 assert.Equal(t, len(k.keyRing.keys), len(k.config.Subsystems)*keyringSize) 65 for _, key := range k.keyRing.keys { 66 match := bytes.Equal(key.Key, key1) 67 assert.False(t, match) 68 } 69 } 70 71 // Verify the key generation and rotation for IPsec subsystem 72 func TestKeyManagerCustomSubsystem(t *testing.T) { 73 st := store.NewMemoryStore(nil) 74 defer st.Close() 75 createCluster(t, st, "default", store.DefaultClusterName) 76 77 config := &Config{ 78 ClusterName: store.DefaultClusterName, 79 Keylen: DefaultKeyLen, 80 RotationInterval: DefaultKeyRotationInterval, 81 Subsystems: []string{SubsystemIPSec}, 82 } 83 k := New(st, config) 84 85 ctx := context.Background() 86 go k.Run(ctx) 87 time.Sleep(250 * time.Millisecond) 88 89 // verify the number of keys allocated matches the keyring size. 90 var ( 91 clusters []*api.Cluster 92 err error 93 ) 94 k.store.View(func(readTx store.ReadTx) { 95 clusters, err = store.FindClusters(readTx, store.ByName(k.config.ClusterName)) 96 }) 97 98 assert.NoError(t, err) 99 assert.Equal(t, len(clusters[0].NetworkBootstrapKeys), keyringSize) 100 101 key1 := clusters[0].NetworkBootstrapKeys[0].Key 102 103 k.rotateKey(ctx) 104 105 // verify that after a rotation oldest key has been removed from the keyring 106 // also verify that all keys are for the right subsystem 107 assert.Equal(t, len(k.keyRing.keys), keyringSize) 108 for _, key := range k.keyRing.keys { 109 match := bytes.Equal(key.Key, key1) 110 assert.False(t, match) 111 match = key.Subsystem == SubsystemIPSec 112 assert.True(t, match) 113 } 114 } 115 116 // Verify that instantiating keymanager fails if an invalid subsystem is 117 // passed 118 func TestKeyManagerInvalidSubsystem(t *testing.T) { 119 st := store.NewMemoryStore(nil) 120 defer st.Close() 121 createCluster(t, st, "default", store.DefaultClusterName) 122 123 config := &Config{ 124 ClusterName: store.DefaultClusterName, 125 Keylen: DefaultKeyLen, 126 RotationInterval: DefaultKeyRotationInterval, 127 Subsystems: []string{"serf"}, 128 } 129 k := New(st, config) 130 131 assert.Nil(t, k) 132 }