feat(test): add integration tests for MIW
paullatzelsperger committed Jul 10, 2023
1 parent 0c68b47 commit c875f46
Showing 18 changed files with 3,307 additions and 13 deletions.
32 changes: 27 additions & 5 deletions .github/workflows/verify.yaml
Expand Up @@ -187,9 +187,8 @@ jobs:
- name: Run Postgresql E2E tests
run: ./gradlew test -DincludeTags="PostgresqlIntegrationTest"

ssi-integration-tests:
miw-integration-tests:
runs-on: ubuntu-latest
continue-on-error: true
needs: [ verify-formatting, verify-license-headers ]

steps:
Expand All @@ -199,7 +198,30 @@ jobs:
- uses: actions/checkout@v2
- name: Starting MIW, Keycloak and Postgres Servers
run: |
docker compose -f edc-tests/e2e-tests/src/test/resources/docker-compose.yml up -d
cd edc-tests/miw-tests/src/test/resources/docker-environment
docker compose up --wait
- name: Run MIW E2E tests
run: ./gradlew test -DincludeTags="MiwIntegrationTest"
- uses: nick-fields/retry@v2
name: Wait for MIW
with:
timeout_minutes: 5
max_attempts: 3
command: |
code=$(curl -IL -sw "%{http_code}" http://localhost:8000/api/actuator/health -o /dev/null)
if [ "$code" -ne "401" ]; then
echo "MIW not ready yet, status = $code"
exit 1;
fi
- name: Seed test data
run: |
docker exec docker-environment-postgres-1 /opt/seed.sh
- name: Run MIW Integration tests
run: |
./gradlew -p edc-tests/miw-tests test -DincludeTags="MiwIntegrationTest" -PverboseTest=true
- name: Run SSI E2E tests
run: |
pwd
./gradlew compileJava compileTestJava
./gradlew -p edc-tests/e2e-tests test -DincludeTags="MiwIntegrationTest" -PverboseTest=true
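--- a/.gitignore
+++ b/.gitignore
@@ -109,3 +109,5 @@ buildNumber.properties
 ### Helm
 **/*.lock
 **/*.tgz
+
+edc-tests/miw-tests/src/test/resources/docker-environment/postgres_data/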
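--- a/edc-tests/e2e-tests/build.gradle.kts
+++ b/edc-tests/e2e-tests/build.gradle.kts
@@ -44,6 +44,7 @@ dependencies {
 testCompileOnly(project(":edc-tests:runtime:runtime-memory"))
 testCompileOnly(project(":edc-tests:runtime:runtime-memory-ssi"))
 testCompileOnly(project(":edc-tests:runtime:runtime-postgresql"))
+testImplementation(libs.edc.auth.oauth2.client)
 }
 
 // do not publish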
Expand Up @@ -37,8 +37,8 @@
public class MiwSsiCatalogTest {

protected static final Participant SOKRATES = new Participant(SOKRATES_NAME, SOKRATES_BPN, sokratesConfiguration());
static final String MIW_SOKRATES_URL = "http://localhost:8080";
static final String OAUTH_TOKEN_URL = "http://localhost:8081/realms/miw_test/protocol/openid-connect/token";
static final String MIW_SOKRATES_URL = "http://localhost:8000";
static final String OAUTH_TOKEN_URL = "http://localhost:8080/realms/miw_test/protocol/openid-connect/token";

@RegisterExtension
protected static final ParticipantRuntime SOKRATES_RUNTIME = new ParticipantRuntime(
Expand All @@ -56,7 +56,7 @@ public static Map<String, String> sokratesSsiMiwConfiguration() {
put("tx.ssi.oauth.client.id", "miw_private_client");
put("tx.ssi.oauth.client.secret.alias", "client_secret_alias");
put("tx.ssi.miw.authority.id", "BPNL000000000000");
put("tx.ssi.miw.authority.issuer", "did:web:localhost%3A8080:BPNL000000000000");
put("tx.ssi.miw.authority.issuer", "did:web:localhost%3A8000:BPNL000000000000");
put("tx.vault.seed.secrets", "client_secret_alias:miw_private_client");
put("tx.ssi.endpoint.audience", SOKRATES_DSP_CALLBACK);
}
Expand Down
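Review bot: The MIW host and port are spelled out as three independent string literals in this class — `static final String MIW_SOKRATES_URL = "http://localhost:8000";`, the Keycloak realm URL on the next line, and the percent-encoded issuer `put("tx.ssi.miw.authority.issuer", "did:web:localhost%3A8000:BPNL000000000000");` in sokratesSsiMiwConfiguration() — which is exactly why one port move needed edits in both hunks. Holding the port once, e.g. `static final int MIW_PORT = 8000;`, and building the URL and the `did:web:localhost%3A" + MIW_PORT + ":BPNL000000000000"` issuer from it would keep the runtime URL and the DID the runtime is told to trust from silently drifting apart. The issuer must stay the percent-encoded form of the same host:port, so a comment on the constant saying so would help the next person who changes it. MiwSsiCatalogTest's body continues outside both hunks.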
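--- /dev/null
+++ b/edc-tests/miw-tests/README.md
@@ -0,0 +1,3 @@
+# E2E-Tests
+
+This module contains JUnit tests that spin up multiple runtimes in one JVM.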
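--- /dev/null
+++ b/edc-tests/miw-tests/build.gradle.kts
@@ -0,0 +1,57 @@
+/*
+* Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* SPDX-License-Identifier: Apache-2.0
+*
+* Contributors:
+* Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+*
+*/
+
+plugins {
+`java-library`
+}
+
+dependencies {
+testImplementation(project(":spi:edr-cache-spi"))
+testImplementation(project(":edc-extensions:control-plane-adapter-api"))
+testImplementation(libs.okhttp.mockwebserver)
+testImplementation(libs.restAssured)
+testImplementation(libs.nimbus.jwt)
+testImplementation(libs.postgres)
+testImplementation(libs.awaitility)
+testImplementation(libs.aws.s3)
+testImplementation(libs.edc.spi.core)
+testImplementation(libs.edc.junit)
+testImplementation(libs.edc.spi.policy)
+testImplementation(libs.edc.spi.contract)
+testImplementation(libs.edc.core.api)
+testImplementation(libs.edc.spi.catalog)
+testImplementation(libs.edc.api.catalog)
+testImplementation(libs.edc.api.contractnegotiation)
+testImplementation(libs.edc.api.transferprocess)
+testImplementation(libs.edc.spi.dataplane.selector)
+testImplementation(libs.edc.ext.jsonld)
+testImplementation(libs.edc.dsp)
+testImplementation(testFixtures(libs.edc.sql.core))
+
+
+testCompileOnly(project(":edc-tests:runtime:extensions"))
+testCompileOnly(project(":edc-tests:runtime:runtime-memory"))
+testCompileOnly(project(":edc-tests:runtime:runtime-memory-ssi"))
+testCompileOnly(project(":edc-tests:runtime:runtime-postgresql"))
+testImplementation(project(":edc-extensions:ssi:ssi-miw-credential-client"))
+testImplementation(libs.edc.auth.oauth2.client)
+
+runtimeOnly(libs.tink)
+
+}
+
+// do not publish
+edcBuild {
+publish.set(false)
+}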
@@ -0,0 +1,31 @@
/*
* Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
*
* This program and the accompanying materials are made available under the
* terms of the Apache License, Version 2.0 which is available at
* https://www.apache.org/licenses/LICENSE-2.0
*
* SPDX-License-Identifier: Apache-2.0
*
* Contributors:
* Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
*
*/

package org.eclipse.tractusx.edc.tag;

import org.eclipse.edc.junit.annotations.IntegrationTest;
import org.junit.jupiter.api.Tag;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@IntegrationTest
@Tag("MiwIntegrationTest")
public @interface MiwIntegrationTest {
}
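Review bot: MiwIntegrationTest is a public annotation type with no Javadoc, so the only place that explains what the tag selects is the CI workflow, where `-DincludeTags="MiwIntegrationTest"` must match the string in `@Tag("MiwIntegrationTest")` exactly. A header such as `/** Marks tests that need the external MIW environment the CI workflow starts; selected via -DincludeTags="MiwIntegrationTest", which must match the {@code @Tag} value below. */` above `@Target` would tie the two together for the next maintainer. A comment on the `@Tag` line noting that renaming the literal silently deselects the suite in CI would be worth adding as well.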

@@ -0,0 +1,72 @@
# Function-testing the Managed-Identity-Wallet

## Test setup

As test subject we used a `docker-compose.yml` file located in `src/main/resources/`. From that directory, simply
execute `docker compose up --wait`, and then, once everything is started,
run `docker exec -i resources-postgres-1 /opt/seed.sh` to seed test data.

## Test suite description

### `t0001` Request and verify a VP

### `t0002` Wrong audience

This test asserts, that a verification request is rejected, if the wrong `audience=` query parameter is supplied.
The `audience` query parameter must match the `aud` claim inside the token.

### `t0003` A self-signed VP token is rejected

This test asserts, that submitting a self-generated JWT (containing the original VP claim) should be rejected. The MIW
should only accept JWTs that were signed by the requestor's private key, which is hosted in MIW. Currently, no JWT
validation is done.

A rejected flow would be:

- request VC from MIW
- request VP from MIW, returned in JWT format
- decode the JWT, unpack the payload
- generate a random keypair
- re-use the original claims (payload) and header
- sign with the random keypair

### `t0004` A bogus JWT is rejected

This test is an amendment to `t0003` in that it not only forges the JWT itself, but the JWT does not contain any of the
required claims. For example, it does not even contain a `vp` claim, so there is no VerifiablePresentation.

### `t0005` A forged VC proof (altered JWS) is rejected

This test asserts, that an altered (and potentially even malformed) `jws` proof is rejected. This test specifically
targets the use of JsonWebSignature2020, because there the `proof` object contains a `jws` field.

Altering that `jws` value, here by replacing all "a" with "X" should cause the MIW to reject the verification request.

### `t0006` A tampered VC proof (changed document) is rejected

Similar to `t0005`, which alters the proof itself, this test alters the document, for which the proof was created.
Technically this should alter the document hash, so the proof becomes invalid, and the MIW should reject the request.

### `t0007` Forged `iss` claim is rejected

In this test we construct an impersonation attack, which assumes there are at least two participants in the MIW.
Participant 1 requests a VP, decodes it, replaces the `iss` claim with the ID of Participant 2 and - using again a
randomly generated keypair - signs this forged VP token. This effectively gives any participant the possibility to mount
impersonation attacks.

> Note that Participant 2 was created in the database using the `src/test/resources/db.sh` script
### `t0008` Invalid `iss` claim is rejected (non-existent user)

This test attempts to have a JWT verified where the `iss` claim cannot be resolved.

### `t0009` Invalid `iss` claim is rejected (not did:web format)

This test asserts that a malformed `iss` claim is rejected by MIW. Specifically, the claim must be in `did:web:....`
format.

### `t0010` An altered `aud` claim is rejected

Similar to `t0007`, and in extension to `t0003`, this test asserts, that a verification request is rejected by MIW, if
the `aud` claim inside the JWT token was replaced.
> Note that this attack is only possible if the integrity and provenance of the JWT is not checked, see `t0003`.
