path: root/tests/run_cert_bootstrap_test.sh
#!/usr/bin/env bash
# ---------------------------------------------------------------
# Integration test for certificate bootstrap (TOFU workflow).
#
# Demonstrates Trust On First Use:
# 1. Client get-endpoints on ServerRegister          → FAILS (untrusted)
# 2. Client download-cert on ServerRegister via the None policy → success
# 3. Client get-endpoints on ServerRegister          → success (now trusted)
# 4. Client read-time on ServerRegister              → success
#
# Usage:  tests/run_cert_bootstrap_test.sh <config_dir>
#
# Exit: 0 when all checks pass, 1 on any failure.
# ---------------------------------------------------------------
# Deliberately no `set -e`: Step 1 below runs a client call that is EXPECTED to
# fail and inspects its $? afterwards, so the script has to survive non-zero
# exit codes. Unset variables and failing pipeline stages still abort.
set -uo pipefail

# Shared helpers: assert_ports_free, wait_for_port, check and the FAILURES
# counter are provided here (not visible in this file).
source "$(dirname "$0")/test_helpers.sh"

# Directory with the server/client .conf files and the certs/ tree; required.
CONFIG_DIR="${1:?Usage: $0 <config_dir>}"

# Fixed listening ports of the discovery server (LDS) and ServerRegister.
LDS_PORT=14840
SR_PORT=14841

# PIDs and scratch paths are filled in as the run progresses. cleanup() tests
# each one for emptiness, so it is safe for the EXIT trap to fire at any point.
LDS_PID='' SR_PID=''
TMPFILE='' DOWNLOADED_CERT=''

# ── cleanup ────────────────────────────────────────────────────
# Runs from the EXIT trap: stop the two server processes started by this
# script, drop the scratch files and remove the cert that Step 4 copies into
# trust_client, so the next run starts from an untrusted state again.
# Reads: LDS_PID SR_PID TMPFILE DOWNLOADED_CERT CONFIG_DIR (all may be empty
# except CONFIG_DIR, which is asserted non-empty at startup).
cleanup() {
  local pid scratch
  for pid in "$LDS_PID" "$SR_PID"; do
    if [ -n "$pid" ]; then
      # reap only when the signal was delivered; a vanished process is fine
      kill "$pid" 2>/dev/null && wait "$pid" 2>/dev/null
    fi
  done
  for scratch in "$TMPFILE" "$DOWNLOADED_CERT"; do
    [ -n "$scratch" ] && rm -f "$scratch"
  done
  rm -f "$CONFIG_DIR/certs/trust_client/ServerRegister_cert.der"
}
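trap cleanup EXIT

# ── idempotency guard ─────────────────────────────────────────
# A cert left behind by an aborted run would already be trusted and make
# Step 1 succeed, silently voiding the TOFU demonstration.
rm -f "$CONFIG_DIR/certs/trust_client/ServerRegister_cert.der"

assert_ports_free "$LDS_PORT" "$SR_PORT"

# ── start LDS ──────────────────────────────────────────────────
build/bobink_opcua_discovery_server "$CONFIG_DIR/server_lds.conf" >/dev/null 2>&1 &
LDS_PID=$!
wait_for_port "$LDS_PORT" "$LDS_PID" "bobink_opcua_discovery_server"

# ── start ServerRegister ───────────────────────────────────────
build/bobink_opcua_server "$CONFIG_DIR/server_register.conf" "$CONFIG_DIR/server_register_client.conf" "opc.tcp://localhost:$LDS_PORT" >/dev/null 2>&1 &
SR_PID=$!
wait_for_port "$SR_PORT" "$SR_PID" "bobink_opcua_server"

# Scratch file capturing each client call's combined stdout/stderr. Abort
# explicitly if mktemp fails; otherwise TMPFILE stays empty and every
# redirect below fails with an unrelated error.
TMPFILE=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }

# ── Step 1: GetEndpoints on ServerRegister (should FAIL) ──────
# The client has no ServerRegister cert in trust_client yet, so the secure
# endpoint request must be rejected.
build/bobink_opcua_client "$CONFIG_DIR/client.conf" get-endpoints "opc.tcp://localhost:$SR_PORT" >"$TMPFILE" 2>&1
GE_FAIL_RC=$?
GE_FAIL_OUTPUT=$(<"$TMPFILE")

[ "$GE_FAIL_RC" -ne 0 ]
check "get-endpoints FAILS without ServerRegister cert (exit code $GE_FAIL_RC)" $?

# A negative test must fail for the right reason. bash reports 126/127 when
# the binary is not executable / not found and 128+N when it dies from
# signal N; none of those is a certificate rejection, so they must not
# count as a pass.
[ "$GE_FAIL_RC" -gt 0 ] && [ "$GE_FAIL_RC" -lt 126 ]
check "get-endpoints failure came from the client itself, not a missing binary or crash (exit code $GE_FAIL_RC)" $?

# ── Step 2: download-cert from ServerRegister (via None) ──────
# First-use step: the client does not trust the server yet and fetches the
# cert over the None policy (see header).
DOWNLOADED_CERT=$(mktemp --suffix=.der) || { printf 'mktemp failed\n' >&2; exit 1; }

build/bobink_opcua_client "$CONFIG_DIR/client.conf" download-cert "opc.tcp://localhost:$SR_PORT" "$DOWNLOADED_CERT" >"$TMPFILE" 2>&1
DC_RC=$?
DC_OUTPUT=$(<"$TMPFILE")

[ "$DC_RC" -eq 0 ]
check "download-cert exit code is 0 (got $DC_RC)" $?

# Here-strings instead of `echo | grep`: no pipeline, so pipefail cannot
# turn an early grep -q exit into a spurious failure, and no echo quirks
# with output starting in '-'.
grep -q -F -- "Certificate saved to" <<<"$DC_OUTPUT"
check "download-cert output contains 'Certificate saved to'" $?

# ── Step 3: Verify downloaded cert matches original ───────────
# Pin the TOFU result against the known-good cert so a substituted
# certificate is caught here instead of being installed by Step 4.
cmp -s "$DOWNLOADED_CERT" "$CONFIG_DIR/certs/ServerRegister/cert.der"
check "downloaded certificate matches ServerRegister cert.der" $?

# ── Step 4: Install cert into trust_client ────────────────────
# Checked explicitly: a failed copy (e.g. missing trust_client dir) would
# otherwise surface only as a confusing Step 5 failure.
cp "$DOWNLOADED_CERT" "$CONFIG_DIR/certs/trust_client/ServerRegister_cert.der"
check "downloaded certificate installed into trust_client" $?

# ── Step 5: GetEndpoints on ServerRegister (should succeed) ───
build/bobink_opcua_client "$CONFIG_DIR/client.conf" get-endpoints "opc.tcp://localhost:$SR_PORT" >"$TMPFILE" 2>&1
GE_RC=$?
GE_OUTPUT=$(<"$TMPFILE")

[ "$GE_RC" -eq 0 ]
check "get-endpoints succeeds after cert install (exit code $GE_RC)" $?

grep -q -F -- "Aes256_Sha256_RsaPss" <<<"$GE_OUTPUT"
check "get-endpoints contains Aes256_Sha256_RsaPss" $?

# ── Step 6: ReadTime on ServerRegister (should succeed) ───────
build/bobink_opcua_client "$CONFIG_DIR/client.conf" read-time "opc.tcp://localhost:$SR_PORT" >"$TMPFILE" 2>&1
RT_RC=$?
RT_OUTPUT=$(<"$TMPFILE")

[ "$RT_RC" -eq 0 ]
check "read-time exit code is 0 (got $RT_RC)" $?

grep -q -F -- "date is:" <<<"$RT_OUTPUT"
check "read-time output contains 'date is:'" $?

# ── result ─────────────────────────────────────────────────────
# FAILURES is maintained by check() in test_helpers.sh (presumably the
# count of non-zero statuses passed to it). Dump every captured client
# output only when something failed, to keep the passing run quiet.
if [ "$FAILURES" -ne 0 ]; then
  printf '\n'
  printf '%s\n' "--- get-endpoints (expected fail) output ---"
  printf '%s\n' "$GE_FAIL_OUTPUT"
  printf '%s\n' "--- download-cert output ---"
  printf '%s\n' "$DC_OUTPUT"
  printf '%s\n' "--- get-endpoints (after install) output ---"
  printf '%s\n' "$GE_OUTPUT"
  printf '%s\n' "--- read-time output ---"
  printf '%s\n' "$RT_OUTPUT"
  printf '%s\n' "--- end ---"
  exit 1
fi
exit 0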