#!/bin/bash
#
# Copyright 2019 The Bazel Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Tests remote caching with TLS.
#
# Pull in the shared integration-test helpers, which live two directories above
# this script. Nothing below can run without them, so abort if loading fails.
CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if ! source "${CURRENT_DIR}/../../integration_test_setup.sh"; then
  echo "integration_test_setup.sh not found!" >&2
  exit 1
fi
# Directory holding the certificates and keys used by this suite. The path
# points into src/test/testdata, i.e. this is test fixture key material.
cert_path="${BAZEL_RUNFILES}/src/test/testdata/test_tls_certificate"

# Passing --mtls as the first argument switches the suite to mutual TLS: the
# worker is started with a CA certificate (see set_up) and bazel is given a
# client certificate and key.
# client_mtls_flags is a single space-separated string that the tests expand
# unquoted, so it only splits correctly while cert_path has no whitespace.
enable_mtls=0
client_mtls_flags=
case "$1" in
  --mtls)
    enable_mtls=1
    client_mtls_flags="--tls_client_certificate=${cert_path}/client.crt --tls_client_key=${cert_path}/client.pem"
    ;;
esac
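#######################################
# Per-test fixture: starts a TLS-enabled remote worker on a free TCP port.
# Makes up to three attempts (a new port each time) and waits up to 15 seconds
# per attempt for the worker to write a non-empty pid file.
# Globals:
#   BAZEL_RUNFILES, TEST_TMPDIR, TEST_log, cert_path, enable_mtls (read)
#   work_path, cas_path, pid_file, worker_port, attempts, mtls_flag (written)
# Returns:
#   Calls fail if no port can be picked or the worker never reports a pid.
#######################################
function set_up() {
  work_path=$(mktemp -d "${TEST_TMPDIR}/remote.XXXXXXXX")
  cas_path=$(mktemp -d "${TEST_TMPDIR}/remote.XXXXXXXX")
  # -u only generates a name and creates nothing, so the name is not reserved;
  # the worker is handed the path via --pid_file.
  # NOTE(review): this is only safe if TEST_TMPDIR is private to the test run -
  # confirm.
  pid_file=$(mktemp -u "${TEST_TMPDIR}/remote.XXXXXXXX")
  attempts=1
  mtls_flag=
  if [[ "${enable_mtls}" == 1 ]]; then
    # The CA certificate is the only worker-side difference between the plain
    # TLS and mTLS runs in this file (presumably it is what the worker uses to
    # verify client certificates).
    mtls_flag="--tls_ca_certificate=${cert_path}/ca.crt"
  fi
  while (( attempts <= 3 )); do
    attempts=$(( attempts + 1 ))
    worker_port=$(pick_random_unused_tcp_port) || fail "no port found"
    # Every path is quoted so a TEST_TMPDIR or TEST_log containing whitespace
    # cannot split an argument or make the redirection ambiguous. mtls_flag
    # expands to exactly one word when set and to nothing when empty.
    "${BAZEL_RUNFILES}/src/tools/remote/worker" \
      --work_path="${work_path}" \
      --listen_port="${worker_port}" \
      --cas_path="${cas_path}" \
      --tls_certificate="${cert_path}/server.crt" \
      --tls_private_key="${cert_path}/server.pem" \
      ${mtls_flag:+"${mtls_flag}"} \
      --pid_file="${pid_file}" > "${TEST_log}" 2>&1 &
    # NOTE(review): a worker that is slow rather than dead is not stopped
    # before the next attempt starts, and all attempts share one pid file.
    local wait_seconds=0
    until [[ -s "${pid_file}" ]] || (( wait_seconds == 15 )); do
      sleep 1
      wait_seconds=$(( wait_seconds + 1 ))
    done
    if [[ -s "${pid_file}" ]]; then
      break
    fi
  done
  if [[ ! -s "${pid_file}" ]]; then
    fail "Timed out waiting for remote worker to start."
  fi
}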
#######################################
# Writes a minimal package a/BUILD (relative to the current directory) with a
# single genrule 'foo' that produces foo.txt.
#######################################
function _prepareBasicRule() {
  mkdir -p a
  # Quoted delimiter: the body is written verbatim, so "$@" needs no escaping.
  cat > a/BUILD <<'BUILD_EOF'
genrule(
name = 'foo',
outs = ["foo.txt"],
cmd = "echo \"foo bar\" > $@",
)
BUILD_EOF
}
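#######################################
# Per-test cleanup: runs 'bazel clean', stops the worker named in the pid file
# and removes the pid file plus the worker's work and CAS directories.
# Globals:
#   TEST_log, pid_file, work_path, cas_path (read)
#######################################
function tear_down() {
  # Quoted so a log path containing whitespace is not an ambiguous redirect.
  bazel clean > "${TEST_log}" 2>&1
  if [[ -s "${pid_file}" ]]; then
    # Declared separately so 'local' does not mask a failed read.
    local pid
    pid=$(< "${pid_file}")
    # Only signal a plain positive integer: kill treats 0 and negative values
    # as process groups, which would reach far beyond the worker.
    if [[ "${pid}" =~ ^[1-9][0-9]*$ ]]; then
      # Best effort: the worker may already have exited.
      kill "${pid}" || true
    else
      echo "tear_down: ignoring unexpected pid file content" >&2
    fi
  fi
  # '--' keeps a path that starts with '-' from being parsed as an option.
  rm -rf -- "${pid_file}"
  rm -rf -- "${work_path}"
  rm -rf -- "${cas_path}"
}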
#######################################
# Checks that a build succeeds against the remote cache when --remote_cache
# names the 'grpcs' scheme explicitly.
# Globals:
#   worker_port, cert_path, client_mtls_flags (read)
#######################################
function test_remote_grpcs_cache() {
  _prepareBasicRule

  # client_mtls_flags is left unquoted on purpose: it holds zero or two
  # space-separated flags that must split into separate arguments.
  local -a build_args=(
    --remote_cache=grpcs://localhost:${worker_port}
    --tls_certificate="${cert_path}/ca.crt"
    ${client_mtls_flags}
    //a:foo
  )
  if ! bazel build "${build_args[@]}"; then
    fail "Failed to build //a:foo with grpcs remote cache"
  fi
}
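#######################################
# Negative test for client authentication: when the suite runs in mTLS mode, a
# build that presents no client certificate must fail, and the failure must be
# a TLS handshake alert rather than some unrelated error.
# Globals:
#   enable_mtls, worker_port, cert_path, TEST_log (read)
#######################################
function test_mtls_fails_if_client_has_no_cert() {
  # Only meaningful when the worker was started in mTLS mode.
  if [[ "${enable_mtls}" != 1 ]]; then
    return 0
  fi

  _prepareBasicRule

  # client_mtls_flags is intentionally NOT passed here. stderr is captured in
  # TEST_log (quoted, so a log path with whitespace is not an ambiguous
  # redirect) for the expect_log check below.
  if bazel build \
      --remote_cache=grpcs://localhost:${worker_port} \
      --tls_certificate="${cert_path}/ca.crt" \
      //a:foo 2> "${TEST_log}"; then
    fail "Expected bazel to fail without a client cert"
  fi

  # Pins the failure reason, so a build that broke for another cause does not
  # count as "client was rejected".
  expect_log "ALERT_HANDSHAKE_FAILURE"
}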
#######################################
# Checks that a build succeeds against the remote cache when --remote_cache
# is given as a bare host:port, i.e. with no scheme, so the default applies.
# Globals:
#   worker_port, cert_path, client_mtls_flags (read)
#######################################
function test_remote_grpc_cache() {
  _prepareBasicRule

  # client_mtls_flags stays unquoted so its flags split into separate words.
  local -a build_args=(
    --remote_cache=localhost:${worker_port}
    --tls_certificate="${cert_path}/ca.crt"
    ${client_mtls_flags}
    //a:foo
  )
  if ! bazel build "${build_args[@]}"; then
    fail "Failed to build //a:foo with grpc remote cache"
  fi
}
#######################################
# Checks that a build succeeds against the remote cache when --remote_cache
# uses the 'https' scheme.
# Globals:
#   worker_port, cert_path, client_mtls_flags (read)
#######################################
function test_remote_https_cache() {
  _prepareBasicRule

  # client_mtls_flags stays unquoted so its flags split into separate words.
  local -a build_args=(
    --remote_cache=https://localhost:${worker_port}
    --tls_certificate="${cert_path}/ca.crt"
    ${client_mtls_flags}
    //a:foo
  )
  if ! bazel build "${build_args[@]}"; then
    fail "Failed to build //a:foo with https remote cache"
  fi
}
#######################################
# Checks that the build does NOT succeed when --remote_cache uses the 'grpc'
# scheme (no trailing 's') against the TLS-only worker.
# NOTE(review): unlike the mTLS negative test, the failure reason is not
# checked, so any bazel failure satisfies this test.
# Globals:
#   worker_port, cert_path, client_mtls_flags (read)
#######################################
function test_remote_cache_with_incompatible_tls_enabled_removed_grpc_scheme() {
  _prepareBasicRule

  # client_mtls_flags stays unquoted so its flags split into separate words.
  local -a build_args=(
    --remote_cache=grpc://localhost:${worker_port}
    --tls_certificate="${cert_path}/ca.crt"
    ${client_mtls_flags}
    //a:foo
  )
  if bazel build "${build_args[@]}"; then
    # A successful build is the error case here.
    fail "Expected test failure" || true
  fi
}
# Hand control to the test runner. run_suite is not defined in this file
# (presumably it comes from the sourced integration_test_setup.sh).
run_suite "Remote cache TLS tests"