Add lambda entrypoint to determine AUTOGRAPH_ROOT_HASH

bin/run_integration_tests.sh

@@ -24,13 +24,9 @@ while test "true" != "$(docker inspect -f {{.State.Running}} autograph-app-hsm)"
   sleep 1 # wait before checking again
 done
 
-# fetch the updated root hash from the app-hsm service
-docker cp autograph-app-hsm:/tmp/normandy_dev_root_hash.txt .
-APP_HSM_NORMANDY_ROOT_HASH=$(grep '[0-9A-F]' normandy_dev_root_hash.txt | tr -d '\r\n')
-
 # start the monitor lambda emulators
 docker compose up -d monitor-lambda-emulator
-AUTOGRAPH_ROOT_HASH=$APP_HSM_NORMANDY_ROOT_HASH docker compose up -d monitor-hsm-lambda-emulator
+docker compose up -d monitor-hsm-lambda-emulator
 
 echo "waiting for monitor-lambda-emulator to start"
 while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-lambda-emulator)"; do
@@ -43,7 +39,6 @@ while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-h
   sleep 1 # wait before checking again
 done
 
-echo "checking monitoring using hsm root hash:" "$APP_HSM_NORMANDY_ROOT_HASH"
 # exec in containers to workaround https://circleci.com/docs/2.0/building-docker-images/#accessing-services
 docker compose exec monitor-lambda-emulator "/usr/local/bin/test_monitor.sh"
 docker compose logs monitor-lambda-emulator

docker-compose.yml

@@ -82,7 +82,6 @@ services:
       - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
       # set a non-empty value to use the lambda handler
       - LAMBDA_TASK_ROOT=/usr/local/bin/
-      - AUTOGRAPH_ROOT_HASH
     ports:
       - "9000:8080"
     links:
@@ -103,7 +102,6 @@ services:
       - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
       # set a non-empty value to use the lambda handler
       - LAMBDA_TASK_ROOT=/usr/local/bin/
-      - AUTOGRAPH_ROOT_HASH
     ports:
       - "9001:8080"
     links:

tools/autograph-monitor/Dockerfile.lambda-emulator

@@ -4,9 +4,12 @@ USER root
 
 RUN cp /app/src/autograph/bin/test_monitor.sh /usr/local/bin/test_monitor.sh
 RUN curl -Lo /usr/local/bin/aws-lambda-rie \
-    https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \
-    && \
-    chmod +x /usr/local/bin/aws-lambda-rie /usr/local/bin/test_monitor.sh
+        https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie && \
+    chmod +x /usr/local/bin/aws-lambda-rie
+
+# Use an entrypoint to determine the AUTOGRAPH_ROOT_HASH
+COPY lambda-setup-entrypoint.sh /usr/local/bin/lambda-setup-entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/lambda-setup-entrypoint.sh"]
 
 USER app
-CMD ["/usr/local/bin/aws-lambda-rie", "/go/bin/autograph-monitor"]
+CMD ["/go/bin/autograph-monitor"]

tools/autograph-monitor/lambda-setup-entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+# Fetch the normandy root hash
+export AUTOGRAPH_ROOT_HASH=$(autograph-client -t "$AUTOGRAPH_URL" -listconfig normandy | \
+      jq -r '.cacert' | openssl x509 -outform der | openssl dgst -sha256 -hex | \
+      awk '{print $2}' | tr '[:lower:]' '[:upper:]')
+
+echo "Autograph instance: $AUTOGRAPH_URL"
+echo "Got Root hash: $AUTOGRAPH_ROOT_HASH"
+echo "Starting lambda: $@"
+/usr/local/bin/aws-lambda-rie "$@"

tools/softhsm/Dockerfile

@@ -48,9 +48,6 @@ RUN cd /app/src/autograph/tools/genpki/ && \
       python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \
       -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \
       python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \
-      -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \
-      cp /app/autograph.softhsm.yaml /tmp/ && \
-      /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \
-      cat /tmp/normandy_dev_root_hash.txt
+      -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')"
 
 CMD /go/bin/autograph -c /app/autograph.softhsm.yaml