Add download-cert client operation with integration test

Retrieves the server's DER certificate via GetEndpoints and
writes it to a local file.  The test starts a secure ServerLDS,
downloads its certificate, and verifies it matches the original.

1 files changed, 114 insertions, 0 deletions

diff --git a/tests/run_download_cert_test.sh b/tests/run_download_cert_test.sh
new file mode 100755
index 0000000..9bcc750
--- /dev/null
+++ b/tests/run_download_cert_test.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+# ---------------------------------------------------------------
+# Integration test for the download-cert client operation.
+#
+# Starts a secure ServerLDS, downloads its certificate via the
+# client's download-cert operation, and compares the downloaded
+# file with the original certificate on disk.
+#
+# Usage:  tests/run_download_cert_test.sh <config_dir>
+#
+# Exit: 0 when all checks pass, 1 on any failure.
+# ---------------------------------------------------------------
+set -uo pipefail
+
+CONFIG_DIR="${1:?Usage: $0 <config_dir>}"
+
+LDS_PORT=14840
+LDS_PID=""
+TMPFILE=""
+DOWNLOADED_CERT=""
+FAILURES=0
+
+# ── ensure certificates exist ─────────────────────────────────
+CERT_DIR=certs
+GEN_CERT=tools/generate_certificate.sh
+
+for identity in ServerLDS Client; do
+  if [ ! -f "$CERT_DIR/${identity}_cert.der" ]; then
+    "$GEN_CERT" "$CERT_DIR" "$identity"
+  fi
+done
+
+for store in server_lds client; do
+  mkdir -p "$CERT_DIR/trust/$store"
+  for identity in ServerLDS Client; do
+    cert="$CERT_DIR/${identity}_cert.der"
+    [ -f "$cert" ] && cp -n "$cert" "$CERT_DIR/trust/$store/"
+  done
+done
+
+# ── cleanup ────────────────────────────────────────────────────
+cleanup() {
+  [ -n "$LDS_PID" ] && kill "$LDS_PID" 2>/dev/null && wait "$LDS_PID" 2>/dev/null
+  [ -n "$TMPFILE" ] && rm -f "$TMPFILE"
+  [ -n "$DOWNLOADED_CERT" ] && rm -f "$DOWNLOADED_CERT"
+}
+trap cleanup EXIT
+
+# ── helpers ────────────────────────────────────────────────────
+wait_for_port() {
+  local port="$1" pid="$2" label="$3" i=0
+  while [ $i -lt 50 ]; do
+    if ! kill -0 "$pid" 2>/dev/null; then
+      echo "FAIL: $label exited prematurely"
+      exit 1
+    fi
+    if ss -tlnp 2>/dev/null | grep -q ":${port} "; then
+      return 0
+    fi
+    sleep 0.1
+    i=$((i + 1))
+  done
+  echo "FAIL: $label did not listen on port $port within 5 s"
+  exit 1
+}
+
+check() {
+  local label="$1" result="$2"
+  if [ "$result" -eq 0 ]; then
+    echo "PASS: $label"
+  else
+    echo "FAIL: $label"
+    FAILURES=$((FAILURES + 1))
+  fi
+}
+
+# ── port check ─────────────────────────────────────────────────
+if ss -tlnp 2>/dev/null | grep -q ":${LDS_PORT} "; then
+  echo "FAIL: port $LDS_PORT is already in use"
+  exit 1
+fi
+
+# ── start LDS ──────────────────────────────────────────────────
+build/ServerLDS "$CONFIG_DIR/server_lds.conf" >/dev/null 2>&1 &
+LDS_PID=$!
+wait_for_port "$LDS_PORT" "$LDS_PID" "ServerLDS"
+
+# ── download certificate ───────────────────────────────────────
+TMPFILE=$(mktemp)
+DOWNLOADED_CERT=$(mktemp --suffix=.der)
+
+build/Client "$CONFIG_DIR/client.conf" download-cert "opc.tcp://localhost:$LDS_PORT" "$DOWNLOADED_CERT" >"$TMPFILE" 2>&1
+DC_RC=$?
+DC_OUTPUT=$(<"$TMPFILE")
+
+[ "$DC_RC" -eq 0 ]
+check "download-cert exit code is 0 (got $DC_RC)" $?
+
+echo "$DC_OUTPUT" | grep -q "Certificate saved to"
+check "download-cert output contains 'Certificate saved to'" $?
+
+# ── compare with original ─────────────────────────────────────
+cmp -s "$DOWNLOADED_CERT" "certs/ServerLDS_cert.der"
+check "downloaded certificate matches certs/ServerLDS_cert.der" $?
+
+# ── result ─────────────────────────────────────────────────────
+if [ "$FAILURES" -ne 0 ]; then
+  echo ""
+  echo "--- download-cert output ---"
+  echo "$DC_OUTPUT"
+  echo "--- end ---"
+  exit 1
+fi
+exit 0