Merge pull request #156 from bhallasaksham/stress-test-scripts
Add stress test scripts
bhallasaksham authored Jan 13, 2025
2 parents 356e9f7 + e8cd219 commit 1ed2c9f
Showing 6 changed files with 299 additions and 0 deletions.
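--- a/cdk/cdk-domainless-mode/test-scripts/README.md
+++ b/cdk/cdk-domainless-mode/test-scripts/README.md
@@ -0,0 +1,31 @@
+### Test Scripts
+
+#### Pre Requisites
+- Ensure cdk stack is deployed to your personal account
+- Create a new AL2023/Ubuntu instance in the ADStack VPC
+- Install credentials-fetcher dependencies using dnf
+```aiignore
+dnf install -y realmd
+dnf install -y oddjob
+dnf install -y oddjob-mkhomedir
+dnf install -y sssd
+dnf install -y adcli
+dnf install -y krb5-workstation
+dnf install -y samba-common-tools
+```
+- Install the latest credentials-fetcher rpm in this instance
+- Run credentials-fetcher rpm as a systemd process
+```aiignore
+systemctl start credentials-fetcher
+systemctl status credentials-fetcher
+```
+- Clone credentials-fetcher repo and create a python proto file
+```aiignore
+git clone -b dev https://github.com/aws/credentials-fetcher.git
+cd credentials-fetcher/protos
+python3 -m venv .venv
+source .venv/bin/activate
+pip install grpcio-tools
+python3 -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. credentialsfetcher.proto
+cp *.py /home/ec2-user/credentials-fetcher/cdk/cdk-domainless-mode/test-scripts
+```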
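--- a/cdk/cdk-domainless-mode/test-scripts/add_delete_kerberos_leases.py
+++ b/cdk/cdk-domainless-mode/test-scripts/add_delete_kerberos_leases.py
@@ -0,0 +1,91 @@
+import grpc
+import credentialsfetcher_pb2
+import credentialsfetcher_pb2_grpc
+import os
+import json
+import time
+
+'''
+Use this script to create and delete N kerberos leases in a recurring loop
+(currently set to 100 times). This script is run to test that create/delete
+functionality has no leaks or unexpected failures when run over a long
+period of time. This script is run on a linux instance in stand-alone mode.
+'''
+
+with open('../data.json', 'r') as file:
+# Load the JSON data
+data = json.load(file)
+
+def run():
+with grpc.insecure_channel('unix:///var/credentials-fetcher/socket/credentials_fetcher.sock') as channel:
+stub = credentialsfetcher_pb2_grpc.CredentialsFetcherServiceStub(channel)
+number_of_gmsa_accounts = data["number_of_gmsa_accounts"]
+directory_name = data["directory_name"]
+netbios_name = data["netbios_name"]
+username = data["username"]
+password = data["password"]
+
+for iter in range(100): # Repeat the process 100 times
+lease_ids = []
+
+# Create cred-specs for users ending with multiples of 5
+for i in range(2, number_of_gmsa_accounts, 2):
+credspec_contents = f"""{{
+"CmsPlugins": ["ActiveDirectory"],
+"DomainJoinConfig": {{
+"Sid": "S-1-5-21-2725122404-4129967127-2630707939",
+"MachineAccountName": "WebApp0{i}",
+"Guid": "e96e0e09-9305-462f-9e44-8a8179722897",
+"DnsTreeName": "{directory_name}",
+"DnsName": "{directory_name}",
+"NetBiosName": "{netbios_name}"
+}},
+"ActiveDirectoryConfig": {{
+"GroupManagedServiceAccounts": [
+{{"Name": "WebApp0{i}", "Scope": "{directory_name}"}},
+{{"Name": "WebApp0{i}", "Scope": "{netbios_name}"}}
+],
+"HostAccountConfig": {{
+"PortableCcgVersion": "1",
+"PluginGUID": "{{GDMA0342-266A-4D1P-831J-20990E82944F}}",
+"PluginInput": {{
+"CredentialArn": "aws/directoryservice/contoso/gmsa"
+}}
+}}
+}}
+}}"""
+
+contents = [credspec_contents]
+response = stub.AddNonDomainJoinedKerberosLease(
+credentialsfetcher_pb2.CreateNonDomainJoinedKerberosLeaseRequest(
+credspec_contents=contents,
+username=username,
+password=password,
+domain=directory_name
+)
+)
+print(f"Created lease for WebApp0{i}: {response.lease_id}")
+lease_path = (f"/var/credentials-fetcher/krbdir/"
+f"{response.lease_id}/WebApp0{i}/krb5cc")
+assert os.path.exists(lease_path)
+lease_ids.append(response.lease_id)
+
+# Small delay to allow for processing
+time.sleep(1)
+
+# Delete the created cred-specs
+for lease_id in lease_ids:
+delete_response = stub.DeleteKerberosLease(
+credentialsfetcher_pb2.DeleteKerberosLeaseRequest(
+lease_id=lease_id
+)
+)
+print(f"Deleted lease: {delete_response.lease_id}")
+lease_path = f"/var/credentials-fetcher/krbdir/{lease_id}"
+print(lease_path)
+assert not os.path.exists(lease_path)
+
+print(f"Completed {iter} cycle of creation and deletion")
+
+if __name__ == '__main__':
+run()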
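Review bot: Leases created earlier in an iteration are never cleaned up when a later `AddNonDomainJoinedKerberosLease` call or the `assert os.path.exists(lease_path)` check fails, because the delete loop at `for lease_id in lease_ids:` only runs on the success path; wrapping the creation loop in a `try:` and moving the delete loop into its `finally:` keeps the daemon's lease directory clean after a failed run, which matters for a script whose purpose is to detect leaks. The comment `# Create cred-specs for users ending with multiples of 5` does not match `range(2, number_of_gmsa_accounts, 2)`, which walks the even-numbered accounts; `# Create cred-specs for every second account (WebApp02, WebApp04, ...)` describes the loop. `iter` shadows the builtin and is zero-based, so the final message reports cycle 0 for the first pass; `for cycle in range(1, 101):` with `print(f"Completed cycle {cycle} of 100")` fixes both.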
@@ -0,0 +1,33 @@
# Use this script to create new Domain Joined gMSA accounts and add them to
# the AD. This script is run on the Windows Instance with access to Managed AD.

$username = "admin@CONTOSO.COM"
$password = "Qn:51eJsORJNL@~{HY@?" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username, $password)

$groupAllowedToRetrievePassword = "WebAppAccounts_OU"
$path = "OU=MYOU,OU=Users,OU=contoso,DC=contoso,DC=com"

for (($i = 1); $i -le 10;$i++)
{
# Create the gMSA account
$gmsa_account_name = "DJ_WebApp0" + $i
$gmsa_account_with_domain = $gmsa_account_name + "." + $env:USERDNSDOMAIN
$gmsa_account_with_host = "host/" + $gmsa_account_name
$gmsa_account_with_host_and_domain = $gmsa_account_with_host + "." + $env:USERDNSDOMAIN

try {
New-ADServiceAccount -Name $gmsa_account_name `
-DnsHostName $gmsa_account_with_domain `
-ServicePrincipalNames $gmsa_account_with_host, $gmsa_account_with_host_and_domain `
-PrincipalsAllowedToRetrieveManagedPassword $groupAllowedToRetrievePassword `
-Path $path `
-Credential $credential `
-Server $env:USERDNSDOMAIN `
-KerberosEncryptionType AES256
Write-Output "Created gMSA account: $gmsa_account_name"
} catch {
$string_err = $_ | Out-String
Write-Output "Error while gMSA account creation: " + $string_err
}
}
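Review bot: A domain admin password is committed in plaintext at `$password = "Qn:51eJsORJNL@~{HY@?" | ConvertTo-SecureString -AsPlainText -Force`, and the identical line appears in the non-domain-joined account script later in this commit; once it is in git history it should be treated as disclosed and rotated, and the script should obtain the credential at run time instead, e.g. `$credential = Get-Credential -UserName $username -Message "Domain admin"` (or an environment variable / secrets store when run unattended). The error line `Write-Output "Error while gMSA account creation: " + $string_err` emits three separate objects (the message, a literal `+`, and the error text) because `+` is not an operator in argument mode; `Write-Output "Error while gMSA account creation: $string_err"` prints one line. The catch block of the later PowerShell script has the same pattern.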
@@ -0,0 +1,51 @@
import grpc
import credentialsfetcher_pb2
import credentialsfetcher_pb2_grpc
import json
import os
'''
Use this script to create and test N leases for N domain-joined gMSA
accounts. This script is run on a linux instance in stand-alone mode.
'''
with open('../data.json', 'r') as file:
# Load the JSON data
data = json.load(file)

def run():
with grpc.insecure_channel('unix:///var/credentials-fetcher/socket/credentials_fetcher.sock') as channel:
stub = credentialsfetcher_pb2_grpc.CredentialsFetcherServiceStub(channel)
number_of_gmsa_accounts = data["number_of_gmsa_accounts"]
directory_name = data["directory_name"]
netbios_name = data["netbios_name"]
for i in range(1, number_of_gmsa_accounts):
credspec_contents = f"""{{
"CmsPlugins": ["ActiveDirectory"],
"DomainJoinConfig": {{
"Sid": "S-1-5-21-2725122404-4129967127-2630707939",
"MachineAccountName": "DJ_WebApp0{i}",
"Guid": "e96e0e09-9305-462f-9e44-8a8179722897",
"DnsTreeName": "{directory_name}",
"DnsName": "{directory_name}",
"NetBiosName": "{netbios_name}"
}},
"ActiveDirectoryConfig": {{
"GroupManagedServiceAccounts": [
{{"Name": "DJ_WebApp0{i}", "Scope": "{directory_name}"}},
{{"Name": "DJ_WebApp0{i}", "Scope": "{netbios_name}"}}
]
}}
}}"""

contents = [credspec_contents]
response = stub.AddKerberosLease(
credentialsfetcher_pb2.CreateKerberosLeaseRequest(
credspec_contents=contents
)
)
lease_path = (f"/var/credentials-fetcher/krbdir/"
f"{response.lease_id}/DJ_WebApp0{i}/krb5cc")
assert os.path.exists(lease_path)
print(f"Server response: {response}")

if __name__ == '__main__':
run()
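Review bot: `for i in range(1, number_of_gmsa_accounts):` exercises DJ_WebApp01 through DJ_WebApp0(N-1), one fewer than the N the module docstring promises, unless `number_of_gmsa_accounts` in data.json is already stored as count plus one; if it is the plain count, `range(1, number_of_gmsa_accounts + 1)` covers the last account. The same range is used in the non-domain-joined lease script later in this commit. `assert os.path.exists(lease_path)` is stripped when Python runs with `-O`, so for a test whose pass/fail depends on it, `if not os.path.exists(lease_path): raise FileNotFoundError(lease_path)` is the reliable form.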
@@ -0,0 +1,29 @@
# Use this script to create new Non Domain Joined gMSA accounts and add them to
# the AD. This script is run on the Windows Instance with access to Managed AD.
# NOTE: The cdk stack already creates N gmsa accounts where N corresponds to the number_of_gmsa_accounts in data
# .json. Use this script if you would like to create new accounts without deploying/re-deploying the cdk stack

$username = "admin@CONTOSO.COM"
$password = "Qn:51eJsORJNL@~{HY@?" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username, $password)

$groupAllowedToRetrievePassword = "WebAppAccounts_OU"
$path = "OU=MYOU,OU=Users,OU=contoso,DC=contoso,DC=com"

for (($i = 11); $i -le 200; $i++)
{
# Create the gMSA account
$gmsa_account_name = "WebApp0" + $i
$gmsa_account_with_domain = $gmsa_account_name + ".contoso.com"
$gmsa_account_with_host = "host/" + $gmsa_account_name
$gmsa_account_with_host_and_domain = $gmsa_account_with_host + ".contoso.com"

try {
#New-ADServiceAccount -Name serviceuser1 -Path "OU=MYOU1,OU=Users,OU=ActiveDirectory,DC=contoso,DC=com" -Credential $credential -DNSHostname "contoso.com"
New-ADServiceAccount -Name $gmsa_account_name -DnsHostName $gmsa_account_with_domain -ServicePrincipalNames $gmsa_account_with_host, $gmsa_account_with_host_and_domain -PrincipalsAllowedToRetrieveManagedPassword $groupAllowedToRetrievePassword -Path $path -Credential $credential -Server contoso.com
Write-Output "New-ADServiceAccount -Name $gmsa_account_name -DnsHostName $gmsa_account_with_domain -ServicePrincipalNames $gmsa_account_with_host, $gmsa_account_with_host_and_domain -PrincipalsAllowedToRetrieveManagedPassword $groupAllowedToRetrievePassword -Path $path -Credential $credential -Server contoso.com"
} catch {
$string_err = $_ | Out-String
Write-Output "Error while gMSA account creation and copy credspec to S3 bucket: " + $string_err
}
}
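Review bot: `$gmsa_account_with_domain = $gmsa_account_name + ".contoso.com"` and `-Server contoso.com` hard-code the domain where the sibling domain-joined script derives it from `$env:USERDNSDOMAIN`; using `$gmsa_account_name + "." + $env:USERDNSDOMAIN` and `-Server $env:USERDNSDOMAIN` here keeps the two scripts pointed at the same directory without editing. The commented-out `#New-ADServiceAccount -Name serviceuser1 ...` line above the real call is dead code and should be dropped. The catch message mentions "copy credspec to S3 bucket" although this script performs no S3 copy; `Write-Output "Error while gMSA account creation: $string_err"` matches what the script does.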
@@ -0,0 +1,64 @@
import grpc
import credentialsfetcher_pb2
import credentialsfetcher_pb2_grpc
import json
import os

'''
Use this script to create and test N leases for N non domain-joined gMSA
accounts. This script is run on a linux instance in stand-alone mode.
'''

with open('../data.json', 'r') as file:
# Load the JSON data
data = json.load(file)

def run():
with grpc.insecure_channel('unix:///var/credentials-fetcher/socket/credentials_fetcher.sock') as channel:
number_of_gmsa_accounts = data["number_of_gmsa_accounts"]
directory_name = data["directory_name"]
netbios_name = data["netbios_name"]
username = data["username"]
password = data["password"]
stub = credentialsfetcher_pb2_grpc.CredentialsFetcherServiceStub(channel)
for i in range(1, number_of_gmsa_accounts):
credspec_contents = f"""{{
"CmsPlugins": ["ActiveDirectory"],
"DomainJoinConfig": {{
"Sid": "S-1-5-21-2725122404-4129967127-2630707939",
"MachineAccountName": "WebApp0{i}",
"Guid": "e96e0e09-9305-462f-9e44-8a8179722897",
"DnsTreeName": "{directory_name}",
"DnsName": "{directory_name}",
"NetBiosName": "{netbios_name}"
}},
"ActiveDirectoryConfig": {{
"GroupManagedServiceAccounts": [
{{"Name": "WebApp0{i}", "Scope": "{directory_name}"}},
{{"Name": "WebApp0{i}", "Scope": "{netbios_name}"}}
],
"HostAccountConfig": {{
"PortableCcgVersion": "1",
"PluginGUID": "{{GDMA0342-266A-4D1P-831J-20990E82944F}}",
"PluginInput": {{
"CredentialArn": "aws/directoryservice/contoso/gmsa"
}}
}}
}}
}}"""
contents = [credspec_contents]
response = stub.AddNonDomainJoinedKerberosLease(
credentialsfetcher_pb2.CreateNonDomainJoinedKerberosLeaseRequest(
credspec_contents=contents,
username={username},
password={password},
domain={directory_name}
)
)
lease_path = (f"/var/credentials-fetcher/krbdir/"
f"{response.lease_id}/WebApp0{i}/krb5cc")
assert os.path.exists(lease_path)
print(f"Server response: {response}")

if __name__ == '__main__':
run()
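Review bot: `username={username},` `password={password},` and `domain={directory_name}` wrap each value in a one-element set, so the request constructor receives a `set` where protobuf expects a `str` and the request construction should fail with a TypeError before anything reaches the daemon; the fields should read `username=username, password=password, domain=directory_name` as in the add/delete script earlier in this commit. Since `data["password"]` shows that `../data.json` carries the AD password in clear, that file should be git-ignored and kept with restrictive permissions on the test instance.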
