From fd021d160d27272e6f52e6e962a42dafdd270a37 Mon Sep 17 00:00:00 2001
From: Naomi Kirby
Date: Wed, 12 Jun 2024 08:10:35 -0700
Subject: [PATCH] Add lambda entrypoint to determine AUTOGRAPH_ROOT_HASH

---
 bin/run_integration_tests.sh | 7 +------
 bin/test_monitor.sh | 0
 docker-compose.yml | 2 --
 tools/autograph-monitor/Dockerfile.lambda-emulator | 11 +++++++----
 tools/autograph-monitor/lambda-setup-entrypoint.sh | 14 ++++++++++++++
 tools/softhsm/Dockerfile | 5 +----
 6 files changed, 23 insertions(+), 16 deletions(-)
 mode change 100644 => 100755 bin/test_monitor.sh
 create mode 100755 tools/autograph-monitor/lambda-setup-entrypoint.sh

diff --git a/bin/run_integration_tests.sh b/bin/run_integration_tests.sh
index b25763b95..7408e8463 100755
--- a/bin/run_integration_tests.sh
+++ b/bin/run_integration_tests.sh
@@ -24,13 +24,9 @@ while test "true" != "$(docker inspect -f {{.State.Running}} autograph-app-hsm)"
 sleep 1 # wait before checking again
 done
 
-# fetch the updated root hash from the app-hsm service
-docker cp autograph-app-hsm:/tmp/normandy_dev_root_hash.txt .
-APP_HSM_NORMANDY_ROOT_HASH=$(grep '[0-9A-F]' normandy_dev_root_hash.txt | tr -d '\r\n')
-
 # start the monitor lambda emulators
 docker compose up -d monitor-lambda-emulator
-AUTOGRAPH_ROOT_HASH=$APP_HSM_NORMANDY_ROOT_HASH docker compose up -d monitor-hsm-lambda-emulator
+docker compose up -d monitor-hsm-lambda-emulator
 
 echo "waiting for monitor-lambda-emulator to start"
 while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-lambda-emulator)"; do
@@ -43,7 +39,6 @@ while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-h
 sleep 1 # wait before checking again
 done
 
-echo "checking monitoring using hsm root hash:" "$APP_HSM_NORMANDY_ROOT_HASH"
 # exec in containers to workaround https://circleci.com/docs/2.0/building-docker-images/#accessing-services
 docker compose exec monitor-lambda-emulator "/usr/local/bin/test_monitor.sh"
 docker compose logs monitor-lambda-emulator
diff --git a/bin/test_monitor.sh b/bin/test_monitor.sh
old mode 100644
new mode 100755
diff --git a/docker-compose.yml b/docker-compose.yml
index 4d91884f1..af856a88e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -82,7 +82,6 @@ services:
 - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
 # set a non-empty value to use the lambda handler
 - LAMBDA_TASK_ROOT=/usr/local/bin/
- - AUTOGRAPH_ROOT_HASH
 ports:
 - "9000:8080"
 links:
@@ -103,7 +102,6 @@ services:
 - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
 # set a non-empty value to use the lambda handler
 - LAMBDA_TASK_ROOT=/usr/local/bin/
- - AUTOGRAPH_ROOT_HASH
 ports:
 - "9001:8080"
 links:
diff --git a/tools/autograph-monitor/Dockerfile.lambda-emulator b/tools/autograph-monitor/Dockerfile.lambda-emulator
index 29a96f399..840ce22be 100644
--- a/tools/autograph-monitor/Dockerfile.lambda-emulator
+++ b/tools/autograph-monitor/Dockerfile.lambda-emulator
@@ -4,9 +4,12 @@ USER root
 
 RUN cp /app/src/autograph/bin/test_monitor.sh /usr/local/bin/test_monitor.sh
 RUN curl -Lo /usr/local/bin/aws-lambda-rie \
- https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \
- && \
- chmod +x /usr/local/bin/aws-lambda-rie /usr/local/bin/test_monitor.sh
+ https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie && \
+ chmod +x /usr/local/bin/aws-lambda-rie
+
+# Use an entrypoint to determine the AUTOGRAPH_ROOT_HASH
+COPY lambda-setup-entrypoint.sh /usr/local/bin/lambda-setup-entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/lambda-setup-entrypoint.sh"]
 
 USER app
-CMD ["/usr/local/bin/aws-lambda-rie", "/go/bin/autograph-monitor"]
+CMD ["/go/bin/autograph-monitor"]
diff --git a/tools/autograph-monitor/lambda-setup-entrypoint.sh b/tools/autograph-monitor/lambda-setup-entrypoint.sh
new file mode 100755
index 000000000..1c038dbb3
--- /dev/null
+++ b/tools/autograph-monitor/lambda-setup-entrypoint.sh
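Review bot: The rewritten `RUN curl` line still fetches aws-lambda-rie from `releases/latest/download` with no version pin and no integrity check, so every build of this image pulls whatever upstream currently publishes and installs it as the binary that launches the monitor. Pin the release in the URL, e.g. `ARG RIE_VERSION=<pinned release tag>` and `.../releases/download/${RIE_VERSION}/aws-lambda-rie`, and verify the download before the `chmod`, e.g. `echo "<checked-in sha256>  /usr/local/bin/aws-lambda-rie" | sha256sum -c -`. This is a test/emulator image, so the exposure is CI reproducibility and build-time supply chain rather than a production path, but a pinned, verified artifact also makes emulator breakage attributable to a specific upstream release. The unchanged `RUN cp ... test_monitor.sh` line now depends on the 100644 => 100755 mode change elsewhere in this commit instead of the dropped `chmod +x`; a short comment there would save the next reader from re-adding it.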
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+# Fetch the normandy root hash
+export AUTOGRAPH_ROOT_HASH=$(autograph-client -t "$AUTOGRAPH_URL" -listconfig normandy | \
+ jq -r '.cacert' | openssl x509 -outform der | openssl dgst -sha256 -hex | \
+ awk '{print $2}' | tr '[:lower:]' '[:upper:]')
+
+echo "Autograph instance: $AUTOGRAPH_URL"
+echo "Got Root hash: $AUTOGRAPH_ROOT_HASH"
+echo "Starting lambda: $@"
+/usr/local/bin/aws-lambda-rie "$@"
diff --git a/tools/softhsm/Dockerfile b/tools/softhsm/Dockerfile
index 9175ce596..adc63f78b 100644
--- a/tools/softhsm/Dockerfile
+++ b/tools/softhsm/Dockerfile
@@ -48,9 +48,6 @@ RUN cd /app/src/autograph/tools/genpki/ && \
 python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \
 -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \
 python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \
- -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \
- cp /app/autograph.softhsm.yaml /tmp/ && \
- /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \
- cat /tmp/normandy_dev_root_hash.txt
+ -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')"
 
 CMD /go/bin/autograph -c /app/autograph.softhsm.yaml
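Review bot: `export AUTOGRAPH_ROOT_HASH=$(...)` in the new entrypoint masks the pipeline's exit status, because the status of the `export` builtin is what `set -e` and `set -o pipefail` see, so a failing `autograph-client`, `jq` or `openssl` stage leaves the variable empty and the script proceeds to start the emulator anyway. Assign and export separately and fail fast on an empty result: `AUTOGRAPH_ROOT_HASH=$(autograph-client -t "$AUTOGRAPH_URL" -listconfig normandy | ... | tr '[:lower:]' '[:upper:]')`, then `: "${AUTOGRAPH_ROOT_HASH:?failed to determine normandy root hash}"` and `export AUTOGRAPH_ROOT_HASH`. The hash appears to be the value the monitor checks the Normandy root certificate against (the commit removes the old file-based source of it), so an empty or truncated value should abort startup rather than be echoed and handed on. On the last line, `exec /usr/local/bin/aws-lambda-rie "$@"` would let the emulator receive signals directly instead of through the lingering bash parent.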