diff --git a/bin/run_integration_tests.sh b/bin/run_integration_tests.sh index b25763b95..7408e8463 100755 --- a/bin/run_integration_tests.sh +++ b/bin/run_integration_tests.sh @@ -24,13 +24,9 @@ while test "true" != "$(docker inspect -f {{.State.Running}} autograph-app-hsm)" sleep 1 # wait before checking again done -# fetch the updated root hash from the app-hsm service -docker cp autograph-app-hsm:/tmp/normandy_dev_root_hash.txt . -APP_HSM_NORMANDY_ROOT_HASH=$(grep '[0-9A-F]' normandy_dev_root_hash.txt | tr -d '\r\n') - # start the monitor lambda emulators docker compose up -d monitor-lambda-emulator -AUTOGRAPH_ROOT_HASH=$APP_HSM_NORMANDY_ROOT_HASH docker compose up -d monitor-hsm-lambda-emulator +docker compose up -d monitor-hsm-lambda-emulator echo "waiting for monitor-lambda-emulator to start" while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-lambda-emulator)"; do @@ -43,7 +39,6 @@ while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-h sleep 1 # wait before checking again done -echo "checking monitoring using hsm root hash:" "$APP_HSM_NORMANDY_ROOT_HASH" # exec in containers to workaround https://circleci.com/docs/2.0/building-docker-images/#accessing-services docker compose exec monitor-lambda-emulator "/usr/local/bin/test_monitor.sh" docker compose logs monitor-lambda-emulator diff --git a/bin/test_monitor.sh b/bin/test_monitor.sh old mode 100644 new mode 100755 diff --git a/docker-compose.yml b/docker-compose.yml index 4d91884f1..af856a88e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -82,7 +82,6 @@ services: - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs # set a non-empty value to use the lambda handler - LAMBDA_TASK_ROOT=/usr/local/bin/ - - AUTOGRAPH_ROOT_HASH ports: - "9000:8080" links: @@ -103,7 +102,6 @@ services: - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs # set a non-empty value to use the lambda handler - LAMBDA_TASK_ROOT=/usr/local/bin/ - - AUTOGRAPH_ROOT_HASH ports: - "9001:8080" links: diff --git a/tools/autograph-monitor/Dockerfile.lambda-emulator b/tools/autograph-monitor/Dockerfile.lambda-emulator index 29a96f399..840ce22be 100644 --- a/tools/autograph-monitor/Dockerfile.lambda-emulator +++ b/tools/autograph-monitor/Dockerfile.lambda-emulator @@ -4,9 +4,12 @@ USER root RUN cp /app/src/autograph/bin/test_monitor.sh /usr/local/bin/test_monitor.sh RUN curl -Lo /usr/local/bin/aws-lambda-rie \ - https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \ - && \ - chmod +x /usr/local/bin/aws-lambda-rie /usr/local/bin/test_monitor.sh + https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie && \ + chmod +x /usr/local/bin/aws-lambda-rie + +# Use an entrypoint to determine the AUTOGRAPH_ROOT_HASH +COPY lambda-setup-entrypoint.sh /usr/local/bin/lambda-setup-entrypoint.sh +ENTRYPOINT ["/usr/local/bin/lambda-setup-entrypoint.sh"] USER app -CMD ["/usr/local/bin/aws-lambda-rie", "/go/bin/autograph-monitor"] +CMD ["/go/bin/autograph-monitor"] diff --git a/tools/autograph-monitor/lambda-setup-entrypoint.sh b/tools/autograph-monitor/lambda-setup-entrypoint.sh new file mode 100755 index 000000000..1c038dbb3 --- /dev/null +++ b/tools/autograph-monitor/lambda-setup-entrypoint.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +set -e +set -o pipefail + +# Fetch the normandy root hash +export AUTOGRAPH_ROOT_HASH=$(autograph-client -t "$AUTOGRAPH_URL" -listconfig normandy | \ + jq -r '.cacert' | openssl x509 -outform der | openssl dgst -sha256 -hex | \ + awk '{print $2}' | tr '[:lower:]' '[:upper:]') + +echo "Autograph instance: $AUTOGRAPH_URL" +echo "Got Root hash: $AUTOGRAPH_ROOT_HASH" +echo "Starting lambda: $@" +/usr/local/bin/aws-lambda-rie "$@" diff --git a/tools/softhsm/Dockerfile b/tools/softhsm/Dockerfile index 9175ce596..adc63f78b 100644 --- a/tools/softhsm/Dockerfile +++ b/tools/softhsm/Dockerfile @@ -48,9 +48,6 @@ RUN cd /app/src/autograph/tools/genpki/ && \ python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ - cp /app/autograph.softhsm.yaml /tmp/ && \ - /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \ - cat /tmp/normandy_dev_root_hash.txt + -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" CMD /go/bin/autograph -c /app/autograph.softhsm.yaml