Initial KMIP signer support (#566)

* Support multiple signers of different types behind a `hsm` feature flag, and support in principle selecting which signer to use for which purpose (#539). Note: Currently only usable in combination with a new`hsm-tests` feature flag due to lack of any actual means to select an alternate signer via code or config. * Replaces the dummy signer with a KMIP signer (#566) and supporting dependencies `kmip-protocol` (#557, #558, #559), `backoff` (retry support), `r2d2` (connection pooling support). Adds a `hsm-tests` feature flag for testing exclusively with KMIP, i.e. not using the OpenSSL signer at all. * Adds a GitHub Actions `hsmtest` CI job that tests Krill integration with a co-installed PyKMIP instance (#560, #561, #683).
NLnetLabs · Nov 23, 2021 · 936dbda · 936dbda
1 parent 6bf5ddd
commit 936dbda
Show file tree

Hide file tree

Showing 26 changed files with 1,729 additions and 307 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -67,3 +67,43 @@ jobs:
         name: cypress-ui-test-captures ${{ matrix.os }} ${{ matrix.rust }}
         path: target/ui/
         if-no-files-found: ignore
+
+  hsmtest:
+    name: hsmtest
+    runs-on: ubuntu-18.04
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v1
+
+    - name: Install Rust
+      uses: hecrj/setup-rust-action@v1
+      with:
+        rust-version: stable
+
+    - uses: actions/setup-python@v2
+      with:
+        python-version: '3.x'
+
+    - name: Install PyKMIP
+      uses: BSFishy/pip-action@v1
+      with:
+        packages: pykmip
+
+    - name: Compile the tests
+      run: |
+        cargo build --tests --no-default-features --features hsm,hsm-tests
+
+    - name: Run the tests against the PyKMIP server
+      run: |
+        cd test-resources/pykmip
+        python run-server.py &
+        sleep 5s
+        openssl s_client -connect 127.0.0.1:5696 || true
+        cd -
+        cargo test --no-default-features --features hsm,hsm-tests -- --test-threads=1 2>&1
+
+    - name: Dump PyKMIP log
+      working-directory: test-resources/pykmip
+      run: |
+        ls -la
+        cat server.log
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,6 +21,7 @@ exclude = [
 build = "build.rs"
 
 [dependencies]
+backoff               = { version = "0.3.0", optional = true }
 base64                = "^0.13"
 basic-cookies         = { version = "^0.1", optional = true }
 bcder                 = "0.6.1"
@@ -35,11 +36,13 @@ hex                   = "^0.4"
 hyper                 = { version = "^0.14", features = ["server"] }
 intervaltree          = "0.2.6"
 jmespatch             = { version = "^0.3", features = ["sync"], optional = true }
+kmip                  = { version = "0.3.1", package = "kmip-protocol", features = ["tls-with-openssl"], optional = true }
 libflate              = "^1"
 log                   = "^0.4"
 openidconnect         = { version = "^2.0.0", optional = true, default_features = false }
 openssl               = { version = "^0.10", features = ["v110"] }
 oso                   = { version = "^0.12", optional = true, default_features = false }
+r2d2                  = { version = "0.8.9", optional = true }
 rand                  = "^0.8"
 regex                 = { version = "^1.4", optional = true, default_features = false, features = ["std"] }
 reqwest               = { version = "0.11", features = ["json"] }
@@ -73,7 +76,8 @@ ui-tests = []
 extra-debug = [ "rpki/extra-debug" ]
 static-openssl = [ "openssl/vendored" ]
 all-except-ui-tests = [ "multi-user", "rta", "static-openssl", "aspa" ]
-hsm = []
+hsm = ["backoff", "kmip", "r2d2"]
+hsm-tests = []
 
 # Make sure that Krill crashes on panics, rather than losing threads and
 # limping on in a bad state.