Cloud-789: add test to check password leaks in the logs (#418)

Co-authored-by: Tomislav Plavcic <[email protected]>

Author: ptankov

e2e-tests/functions

@@ -460,3 +460,40 @@ verify_certificate_sans() {
 
 	diff "${have}" "${want}"
 }
+
+check_passwords_leak() {
+
+	secrets=$(kubectl get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (endswith(".crt") or endswith(".key") or endswith(".pub") or endswith(".pem") or endswith(".p12")) | not) | .value')
+
+	passwords="$(for i in $secrets; do base64 -d <<< $i; echo; done) $secrets"
+	pods=$(kubectl -n "${NAMESPACE}" get pods -o name | awk -F "/" '{print $2}')
+
+	collect_logs() {
+		NS=$1
+		for p in $pods; do
+			containers=$(kubectl -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}')
+			for c in $containers; do
+				# temporary, because of: https://jira.percona.com/browse/PMM-8357
+				if [[ ${c,,} =~ "pmm" ]]; then
+					continue
+				fi
+				kubectl -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
+				echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
+				for pass in $passwords; do
+					count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
+					if [[ $count != 0 ]]; then
+						echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
+						false
+					fi
+				done
+			done
+			echo
+		done
+	}
+
+	collect_logs $NAMESPACE
+	if [ -n "$OPERATOR_NS" ]; then
+		pods=$(kubectl -n "${OPERATOR_NS}" get pods -o name | awk -F "/" '{print $2}')
+		collect_logs $OPERATOR_NS
+	fi
+}

e2e-tests/tests/demand-backup/06-check-password-leak.yaml

@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      check_passwords_leak

e2e-tests/tests/demand-backup/07-assert.yaml

@@ -1,31 +1,24 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 400
+timeout: 30
 ---
-apiVersion: ps.percona.com/v1alpha1
-kind: PerconaServerMySQL
+kind: ConfigMap
+apiVersion: v1
 metadata:
-  name: demand-backup
-  finalizers:
-    - delete-mysql-pods-in-order
-status:
-  haproxy:
-    ready: 3
-    size: 3
-    state: ready
-  mysql:
-    ready: 3
-    size: 3
-    state: ready
-  orchestrator:
-    ready: 3
-    size: 3
-    state: ready
-  state: ready
+  name: 04-delete-data-minio-0
+data:
+  data: ""
 ---
-kind: PerconaServerMySQLRestore
-apiVersion: ps.percona.com/v1alpha1
+kind: ConfigMap
+apiVersion: v1
 metadata:
-  name: demand-backup-restore-minio
-status:
-  state: Succeeded
+  name: 04-delete-data-minio-1
+data:
+  data: ""
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 04-delete-data-minio-2
+data:
+  data: ""

e2e-tests/tests/demand-backup/06-delete-data.yaml renamed to e2e-tests/tests/demand-backup/07-delete-data.yaml

@@ -1,24 +1,31 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 30
+timeout: 400
 ---
-kind: ConfigMap
-apiVersion: v1
+apiVersion: ps.percona.com/v1alpha1
+kind: PerconaServerMySQL
 metadata:
-  name: 06-read-data-minio-0
-data:
-  data: "100500"
+  name: demand-backup
+  finalizers:
+    - delete-mysql-pods-in-order
+status:
+  haproxy:
+    ready: 3
+    size: 3
+    state: ready
+  mysql:
+    ready: 3
+    size: 3
+    state: ready
+  orchestrator:
+    ready: 3
+    size: 3
+    state: ready
+  state: ready
 ---
-kind: ConfigMap
-apiVersion: v1
+kind: PerconaServerMySQLRestore
+apiVersion: ps.percona.com/v1alpha1
 metadata:
-  name: 06-read-data-minio-1
-data:
-  data: "100500"
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: 06-read-data-minio-2
-data:
-  data: "100500"
+  name: demand-backup-restore-minio
+status:
+  state: Succeeded

e2e-tests/tests/demand-backup/08-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      check_passwords_leak

e2e-tests/tests/demand-backup/07-restore-from-minio.yaml renamed to e2e-tests/tests/demand-backup/08-restore-from-minio.yaml

@@ -1,31 +1,24 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 400
+timeout: 30
 ---
-apiVersion: ps.percona.com/v1alpha1
-kind: PerconaServerMySQL
+kind: ConfigMap
+apiVersion: v1
 metadata:
-  name: demand-backup
-  finalizers:
-    - delete-mysql-pods-in-order
-status:
-  haproxy:
-    ready: 3
-    size: 3
-    state: ready
-  mysql:
-    ready: 3
-    size: 3
-    state: ready
-  orchestrator:
-    ready: 3
-    size: 3
-    state: ready
-  state: ready
+  name: 06-read-data-minio-0
+data:
+  data: "100500"
 ---
-kind: PerconaServerMySQLRestore
-apiVersion: ps.percona.com/v1alpha1
+kind: ConfigMap
+apiVersion: v1
 metadata:
-  name: demand-backup-restore-minio-backup-source
-status:
-  state: Succeeded
+  name: 06-read-data-minio-1
+data:
+  data: "100500"
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 06-read-data-minio-2
+data:
+  data: "100500"