cbiedl
/
clevis


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200
							#!/bin/bash -ex
# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2020 Red Hat, Inc.
# Author: Sergio Correia <scorreia@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

SOCAT="@SOCAT@"
TANGD_KEYGEN="@TANGD_KEYGEN@"
TANGD_UPDATE="@TANGD_UPDATE@"
TANGD="@TANGD@"

tang_error() {
    echo "${1}" >&2
    exit 1
}

tang_skip() {
    echo "${1}" >&2
    exit 77
}

tang_sanity_check() {
    [ -n "${SOCAT}" ] && [ -n "${TANGD_KEYGEN}" ] && \
        [ -n "${TANGD}" ] && return 0
    tang_skip "tang is not enabled/supported. Check if you have met all the requirements"
}

# Creates a tang adv to be used in the tests.
tang_create_adv() {
    local basedir="${1}"
    local adv="${2:-/dev/stdout}"

    local SIG="${basedir}/sig.jwk"
    jose jwk gen --input='{"alg":"ES512"}' --output="${SIG}"

    local EXC="${basedir}/exc.jwk"
    jose jwk gen --input='{"alg":"ECMR"}' --output="${EXC}"

    local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
    jose jwk pub --set --input="${SIG}" --input="${EXC}" \
        | jose jws sig --detached=- --signature="${TEMPLATE}" \
                       --key="${SIG}" --output="${adv}"
}

# Get a random port to be used with a test tang server.
tang_new_random_port() {
    tang_sanity_check
    shuf -i 1024-65535 -n 1
}

# Removes tang rotated keys from the test server.
tang_remove_rotated_keys() {
    tang_sanity_check
    local basedir="${1}"

    [ -z "${basedir}" ] && \
        tang_error "tang_remove_rotated_keys: please specify 'basedir'"

    local db="${basedir}/db"

    mkdir -p "${db}"
    pushd "${db}"
        find . -name ".*.jwk" -exec rm -f {} \;
    popd

    [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${basedir}/cache"
    return 0
}

# Creates new keys for the test tang server.
tang_new_keys() {
    tang_sanity_check
    local basedir="${1}"
    local rotate="${2:-}"
    local sig_name="${3:-}"
    local exc_name="${4:-}"

    [ -z "${basedir}" ] && tang_error "tang_new_keys: please specify 'basedir'"

    local db="${basedir}/db"
    mkdir -p "${db}"

    if [ -n "${rotate}" ]; then
        pushd "${db}"
            local k
            k=$(find . -name "*.jwk" | wc -l)
            if [ "${k}" -gt 0 ]; then
                for k in *.jwk; do
                    mv -f -- "${k}" ".${k}"
                done
            fi
        popd
    fi

    "${TANGD_KEYGEN}" "${db}" ${sig_name} ${exc_name}
    [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${basedir}/cache"

    return 0
}

# Wait for the tang server to be operational.
tang_wait_until_ready() {
    tang_sanity_check
    local port="${1}"

    [ -z "${port}" ] && \
        tang_error "tang_wait_until_ready: please specify 'port'"

    local max_timeout_in_s=5
    local start elapsed
    start="${SECONDS}"
    while ! curl --output /dev/null --silent --fail \
                "http://localhost:${port}/adv"; do
        elapsed=$((SECONDS - start))
        if [ "${elapsed}" -gt "${max_timeout_in_s}" ]; then
            tang_error "Timeout (${max_timeout_in_s}s) waiting for tang server"
        fi
        sleep 0.1
        echo -n . >&2
    done
}

# Start a test tang server.
tang_run() {
    tang_sanity_check
    local basedir="${1}"
    local port="${2}"
    local sig_name="${3:-}"
    local exc_name="${4:-}"

    [ -z "${basedir}" ] && tang_error "tang_run: please specify 'basedir'"
    [ -z "${port}" ] && tang_error "tang_run: please specify 'port'"

    if ! tang_new_keys "${basedir}" "" "${sig_name}" "${exc_name}"; then
        tang_error "Error creating new keys for tang server"
    fi

    local KEYS="${basedir}/cache"
    [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"

    local pid pidfile
    pidfile="${basedir}/tang.pid"

    "${SOCAT}" -v -v TCP-LISTEN:${port},reuseaddr,fork \
               exec:"${TANGD} ${KEYS}" &

    pid=$!
    echo "${pid}" > "${pidfile}"
    tang_wait_until_ready "${port}"
}

# Stop tang server.
tang_stop() {
    tang_sanity_check
    local basedir="${1}"
    [ -z "${basedir}" ] && tang_error "tang_stop: please specify 'basedir'"

    local pidfile="${basedir}/tang.pid"
    [ -f "${pidfile}" ] || return 0

    local pid
    pid=$(<"${pidfile}")
    kill -9 "${pid}" 2>/dev/null || :
}

# Get tang advertisement.
tang_get_adv() {
    tang_sanity_check
    local port="${1}"
    local adv="${2:-/dev/stdout}"

    [ -z "${port}" ] && tang_error "tang_get_adv: please specify 'port'"
    curl -L -o "${adv}" "http://localhost:${port}/adv"
}

run_test_server() {
    local port="${1}"
    local response="${2}"

    [ -z "${SOCAT}" ] && tang_skip "run_test_server: socat is not available"
    [ -z "${port}" ] && tang_error "run_test_server: please specify 'port'"
    [ -z "${response}" ] && tang_error "run_test_server: please specify 'response'"

    "${SOCAT}" -v -v TCP-LISTEN:${port},reuseaddr SYSTEM:"cat ${response}" &
    sleep 1
}