author | Casey Bodley <cbodley@users.noreply.github.com> | 2017-04-18 18:28:37 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-18 18:28:37 +0200 |
commit | da7acc4211629ea2375754c696ad8dd664b6cb7c (patch) | |
tree | 637e74cdf8e656534809104490f4ddf5255d283a /qa/tasks/s3tests.py | |
parent | Merge pull request #13483 from ceph/wip-rgw-encryption-doc (diff) | |
parent | qa: s3test task scans radosgw logs for leaked encryption keys (diff) | |
Merge pull request #13597 from cbodley/wip-s3tests-crypto
qa/rgw: add configuration for server-side encryption tests
Reviewed-by: Orit Wasserman <owasserm@redhat.com>
Diffstat (limited to 'qa/tasks/s3tests.py')
-rw-r--r-- | qa/tasks/s3tests.py | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/qa/tasks/s3tests.py b/qa/tasks/s3tests.py
index 305025ff545..7d3df2bb9c6 100644
--- a/qa/tasks/s3tests.py
+++ b/qa/tasks/s3tests.py
@@ -360,6 +360,46 @@ def run_tests(ctx, config):
 yield
 @contextlib.contextmanager
+def scan_for_leaked_encryption_keys(ctx, config):
+ """
+ Scan radosgw logs for the encryption keys used by s3tests to
+ verify that we're not leaking secrets.
+
+ :param ctx: Context passed to task
+ :param config: specific configuration information
+ """
+ assert isinstance(config, dict)
+
+ try:
+ yield
+ finally:
+ # x-amz-server-side-encryption-customer-key
+ s3test_customer_key = 'pO3upElrwuEXSoFwCfnZPdSsmt/xWeFa0N9KgDijwVs='
+
+ log.debug('Scanning radosgw logs for leaked encryption keys...')
+ procs = list()
+ for client, client_config in config.iteritems():
+ (remote,) = ctx.cluster.only(client).remotes.keys()
+ proc = remote.run(
+ args=[
+ 'grep',
+ '--binary-files=text',
+ s3test_customer_key,
+ '/var/log/ceph/rgw.{client}.log'.format(client=client),
+ ],
+ wait=False,
+ check_status=False,
+ )
+ procs.append(proc)
+
+ for proc in procs:
+ proc.wait()
+ if proc.returncode == 1: # 1 means no matches
+ continue
+ log.error('radosgw log is leaking encryption keys!')
+ raise Exception('radosgw log is leaking encryption keys')
+
+@contextlib.contextmanager
 def task(ctx, config):
 """
 Run the s3-tests suite against rgw.
@@ -451,6 +491,7 @@ def task(ctx, config):
 s3tests_conf=s3tests_conf,
 )),
 lambda: run_tests(ctx=ctx, config=config),
+ lambda: scan_for_leaked_encryption_keys(ctx=ctx, config=config),
 ):
 pass
 yield |
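Review bot: The last loop of `scan_for_leaked_encryption_keys` reports every grep exit status other than 1 as a leak, so a log that is missing or unreadable (grep exits with 2) fails the run with 'radosgw log is leaking encryption keys' although nothing was scanned. Failing is the right outcome, since a scan that did not run proves nothing, but it should be told apart from a real match: `if proc.returncode != 0: raise Exception('could not scan radosgw log for leaked encryption keys')` placed after the `continue` and before the leak message. The key is also handed to grep as a regular expression; adding `'--fixed-strings'` to `args` keeps the match literal if the test key is ever replaced by one containing regex metacharacters. Only the base64 form of this one hard-coded customer key is searched for, so a comment next to `s3test_customer_key` saying it must match the key s3-tests sends would keep the check from silently going stale.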
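Review bot: Because the new entry is listed after `run_tests`, the leak scan presumably never runs when an s3 test fails: `run_tests` appears to execute the suite before its `yield`, and if the surrounding call enters these managers in order, a failure there means the scan's manager is never entered. Error paths are a likely place for key material to end up in a log, so that is the case the check should not skip. Either list `lambda: scan_for_leaked_encryption_keys(ctx=ctx, config=config),` above the `run_tests` entry so its `finally` still executes (accepting that a leak exception raised there would replace the test failure), or record the limitation with a comment such as `# leak scan only runs when the s3 tests pass`. `task` starts and ends outside this hunk, so the entry order of the enclosing call should be confirmed there.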