From 9730fec922cd2355d5cb46aaedfa4201c535838d Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Mon, 6 Mar 2017 15:13:22 -0500
Subject: [PATCH] qa: s3test task scans radosgw logs for leaked encryption keys

Signed-off-by: Casey Bodley
---
 qa/tasks/s3tests.py | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/qa/tasks/s3tests.py b/qa/tasks/s3tests.py
index 20f328b1799..c71ef49e801 100644
--- a/qa/tasks/s3tests.py
+++ b/qa/tasks/s3tests.py
@@ -352,6 +352,46 @@ def run_tests(ctx, config):
 )
 yield

+@contextlib.contextmanager
+def scan_for_leaked_encryption_keys(ctx, config):
+ """
+ Scan radosgw logs for the encryption keys used by s3tests to
+ verify that we're not leaking secrets.
+
+ :param ctx: Context passed to task
+ :param config: specific configuration information
+ """
+ assert isinstance(config, dict)
+
+ try:
+ yield
+ finally:
+ # x-amz-server-side-encryption-customer-key
+ s3test_customer_key = 'pO3upElrwuEXSoFwCfnZPdSsmt/xWeFa0N9KgDijwVs='
+
+ log.debug('Scanning radosgw logs for leaked encryption keys...')
+ procs = list()
+ for client, client_config in config.iteritems():
+ (remote,) = ctx.cluster.only(client).remotes.keys()
+ proc = remote.run(
+ args=[
+ 'grep',
+ '--binary-files=text',
+ s3test_customer_key,
+ '/var/log/ceph/rgw.{client}.log'.format(client=client),
+ ],
+ wait=False,
+ check_status=False,
+ )
+ procs.append(proc)
+
+ for proc in procs:
+ proc.wait()
+ if proc.returncode == 1: # 1 means no matches
+ continue
+ log.error('radosgw log is leaking encryption keys!')
+ raise Exception('radosgw log is leaking encryption keys')
+
 @contextlib.contextmanager
 def task(ctx, config):
 """
@@ -444,6 +484,7 @@ def task(ctx, config):
 s3tests_conf=s3tests_conf,
 )),
 lambda: run_tests(ctx=ctx, config=config),
+ lambda: scan_for_leaked_encryption_keys(ctx=ctx, config=config),
 ):
 pass
 yield
-- 
2.39.5
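Review bot: The exit-status check in the `for proc in procs:` loop treats every status other than 1 as a leak, so a grep failure (status 2, for example when `/var/log/ceph/rgw.{client}.log` is missing on that remote) is reported as 'radosgw log is leaking encryption keys', and the `raise` on the first hit leaves the remaining grep processes un-waited. Failing closed is reasonable, but a real leak and a broken scan should be distinguishable: wait on every process, raise the leak error only for status 0, and raise a separate scan-failure error for anything above 1. The scan also matches only the base64 text of one hard-coded key, so a log line carrying the decoded bytes or a hex dump would pass unnoticed; a comment next to `s3test_customer_key` should say so, and passing `--fixed-strings` to grep would keep the match literal if the key is ever changed.

```python
        # ... unchanged: s3test_customer_key, grep launch loop filling procs ...
        leaked = False
        scan_failed = False
        for proc in procs:
            proc.wait()
            if proc.returncode == 0:    # 0 means the key was found
                leaked = True
            elif proc.returncode != 1:  # 1 means no matches; >1 is a grep error
                scan_failed = True
        if leaked:
            log.error('radosgw log is leaking encryption keys!')
            raise Exception('radosgw log is leaking encryption keys')
        if scan_failed:
            raise Exception('could not scan radosgw logs for encryption keys')
```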
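Review bot: Listing the scan after `run_tests` in the `contextutil.nested` call means it runs only when `run_tests` reaches its `yield`. If the managers are entered in list order (as with `contextlib.nested`) and the s3tests run raises, `scan_for_leaked_encryption_keys` is never entered and the logs from the failed run go unscanned. If that is intended, a comment on the new line such as `# scan runs only after a successful s3tests run` would record it; otherwise listing the scan before `run_tests` lets its `finally` block run on failure too. The enclosing `task` function starts and ends outside the hunk.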