Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -308,7 +308,7 @@ delete-targetsources-dev-lab: ## Delete the target sources for the development l
##@ Testing Lab

.PHONY: run-integration-tests
run-integration-tests: docker-build undeploy-test-cluster deploy-test-cluster install-test-cluster-dependencies load-test-image deploy deploy-test-http-server install-kubectl install-gnmic install-containerlab deploy-test-topology apply-test-resources
run-integration-tests: docker-build undeploy-test-cluster deploy-test-cluster install-test-cluster-dependencies load-test-image deploy deploy-test-http-server create-secrets-for-apiserver install-kubectl install-gnmic install-containerlab deploy-test-topology apply-test-resources send-target-to-apiserver
kubectl wait --for=condition=Ready cluster --all --timeout=180s
kubectl wait --for=condition=Ready pipeline --all --timeout=180s
kubectl wait --for=jsonpath='{.status.targetsCount}'=3 targetsource --all --timeout=180s
Expand Down
9 changes: 7 additions & 2 deletions internal/apiserver/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,10 +39,15 @@ func (a *APIServer) verifyAuthentication(ctx *gin.Context, registry core.Discove
return true, nil
}

// verifySignature verifies x-hook-signature from POST header with hmac from body and a kubernetes secret.
// verifySignature verifies the configured signature header from a POST request
// against an hmac computed from the body and a kubernetes secret.
func (a *APIServer) verifySignature(ctx *gin.Context, registry core.DiscoveryRegistryValue, logger logr.Logger) (bool, error) {
signatureHeader := ctx.GetHeader("x-hook-signature")
clc := registry.CommonLoaderConfig
headerName := clc.PushConfig.Auth.Signature.Header
if headerName == "" {
headerName = "x-hook-signature"
}
signatureHeader := ctx.GetHeader(headerName)
secret, err := getSecret(clc, clc.PushConfig.Auth.Signature.SecretRef.Key, clc.PushConfig.Auth.Signature.SecretRef.Name)

if err != nil {
Expand Down
16 changes: 16 additions & 0 deletions test.mk
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,22 @@ deploy-test-http-server: ## Deploy a test http pod with a static file inventory
undeploy-test-http-server: ## Undeploy the http pod for testing
kubectl delete -f test/integration/http/resources/

.PHONY: create-secrets-for-apiserver
create-secrets-for-apiserver: ## Create the secret used to authenticate push-API requests (HMAC signature)
kubectl create secret generic gnmic-signature --from-literal=signature=1879

.PHONY: send-target-to-apiserver
send-target-to-apiserver: ## POST a target to the push API, authenticated with an HMAC-SHA512 signature over the body
@SIG_SECRET=$$(kubectl get secret gnmic-signature -o jsonpath='{.data.signature}' | base64 --decode); \
BODY='[{"address":"clab-t1-leaf2","port":57400,"name":"leaf2","operation":"created","targetProfile":"default","labels":[{"vendor":"nokia_srlinux"},{"role":"leaf"}]}]'; \
SIGNATURE=$$(printf '%s' "$$BODY" | openssl dgst -sha512 -hmac "$$SIG_SECRET" | awk '{print $$NF}'); \
kubectl port-forward -n gnmic-system svc/gnmic-controller-manager-api 8082:8082 --address=0.0.0.0 >/dev/null 2>&1 & \
sleep 3; \
curl --retry 3 --retry-delay 1 --retry-connrefused -X POST "http://localhost:8082/api/v1/default/target-source/http-ts/applyTargets" \
-H "Content-Type: application/json" \
-H "x-hook-signature: $$SIGNATURE" \
-d "$$BODY"

.PHONY: deploy-test-netbox-instance
deploy-test-netbox-instance: NETBOX_CLUSTER_NAME=$(TEST_CLUSTER_NAME) ## Deploy the test netbox instance for testing
deploy-test-netbox-instance: NETBOX_PASSWORD=Netbox123
Expand Down
9 changes: 0 additions & 9 deletions test/integration/http/resources/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,14 +22,5 @@ data:
"vendor": "nokia_srlinux",
"role": "leaf"
}
},
{
"address": "clab-t1-leaf2",
"port": 57400,
"name": "leaf2",
"labels": {
"vendor": "nokia_srlinux",
"role": "leaf"
}
}
]
9 changes: 9 additions & 0 deletions test/integration/resources/targetsources/http.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,15 @@ spec:
provider:
http:
url: http://http-svc.default.svc/targets.json
push:
enabled: true
auth:
signature:
secretRef:
name: gnmic-signature
key: signature
header: x-hook-signature
algorithm: sha512
targetLabels:
integrationtest: http
targetProfile: default
Loading