blob: 5db2b7bedee8afc9a9cbcbcfdaa3a0466cd1b2af (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
#!/usr/bin/env bash
# ---------------------------------------------------------------
# Integration test for certificate bootstrap (TOFU workflow).
#
# Demonstrates Trust On First Use:
# 1. Client finds servers via LDS (trusted) → success
# 2. Client get-endpoints on ServerRegister → FAILS (untrusted)
# 3. Client download-cert on ServerRegister via None → success
# 4. Client get-endpoints on ServerRegister → success (now trusted)
# 5. Client read-time on ServerRegister → success
#
# Usage: tests/run_cert_bootstrap_test.sh <config_dir>
#
# Exit: 0 when all checks pass, 1 on any failure.
# ---------------------------------------------------------------
set -uo pipefail
source "$(dirname "$0")/test_helpers.sh"
CONFIG_DIR="${1:?Usage: $0 <config_dir>}"
LDS_PORT=14840
SR_PORT=14841
LDS_PID=""
SR_PID=""
TMPFILE=""
DOWNLOADED_CERT=""
# ── cleanup ────────────────────────────────────────────────────
cleanup() {
[ -n "$LDS_PID" ] && kill "$LDS_PID" 2>/dev/null && wait "$LDS_PID" 2>/dev/null
[ -n "$SR_PID" ] && kill "$SR_PID" 2>/dev/null && wait "$SR_PID" 2>/dev/null
[ -n "$TMPFILE" ] && rm -f "$TMPFILE"
[ -n "$DOWNLOADED_CERT" ] && rm -f "$DOWNLOADED_CERT"
rm -f "$CONFIG_DIR/certs/trust_client/ServerRegister_cert.der"
}
trap cleanup EXIT
# ── idempotency guard ─────────────────────────────────────────
rm -f "$CONFIG_DIR/certs/trust_client/ServerRegister_cert.der"
assert_ports_free "$LDS_PORT" "$SR_PORT"
# ── start LDS ──────────────────────────────────────────────────
build/bobink_opcua_discovery_server "$CONFIG_DIR/server_lds.conf" >/dev/null 2>&1 &
LDS_PID=$!
wait_for_port "$LDS_PORT" "$LDS_PID" "bobink_opcua_discovery_server"
# ── start ServerRegister ───────────────────────────────────────
build/bobink_opcua_server "$CONFIG_DIR/server_register.conf" "$CONFIG_DIR/server_register_client.conf" "opc.tcp://localhost:$LDS_PORT" >/dev/null 2>&1 &
SR_PID=$!
wait_for_port "$SR_PORT" "$SR_PID" "bobink_opcua_server"
TMPFILE=$(mktemp)
# ── Step 1: FindServers on LDS (client trusts LDS) ────────────
build/bobink_opcua_client "$CONFIG_DIR/client.conf" find-servers "opc.tcp://localhost:$LDS_PORT" >"$TMPFILE" 2>&1
FS_RC=$?
FS_OUTPUT=$(<"$TMPFILE")
[ "$FS_RC" -eq 0 ]
check "find-servers exit code is 0 (got $FS_RC)" $?
echo "$FS_OUTPUT" | grep -q "urn:localhost:bobink:ServerRegister"
check "find-servers contains urn:localhost:bobink:ServerRegister" $?
# ── Step 2: GetEndpoints on ServerRegister (should FAIL) ──────
build/bobink_opcua_client "$CONFIG_DIR/client.conf" get-endpoints "opc.tcp://localhost:$SR_PORT" >"$TMPFILE" 2>&1
GE_FAIL_RC=$?
GE_FAIL_OUTPUT=$(<"$TMPFILE")
[ "$GE_FAIL_RC" -ne 0 ]
check "get-endpoints FAILS without ServerRegister cert (exit code $GE_FAIL_RC)" $?
# ── Step 3: download-cert from ServerRegister (via None) ──────
DOWNLOADED_CERT=$(mktemp --suffix=.der)
build/bobink_opcua_client "$CONFIG_DIR/client.conf" download-cert "opc.tcp://localhost:$SR_PORT" "$DOWNLOADED_CERT" >"$TMPFILE" 2>&1
DC_RC=$?
DC_OUTPUT=$(<"$TMPFILE")
[ "$DC_RC" -eq 0 ]
check "download-cert exit code is 0 (got $DC_RC)" $?
echo "$DC_OUTPUT" | grep -q "Certificate saved to"
check "download-cert output contains 'Certificate saved to'" $?
# ── Step 4: Verify downloaded cert matches original ───────────
cmp -s "$DOWNLOADED_CERT" "$CONFIG_DIR/certs/ServerRegister/cert.der"
check "downloaded certificate matches ServerRegister cert.der" $?
# ── Step 5: Install cert into trust_client ────────────────────
cp "$DOWNLOADED_CERT" "$CONFIG_DIR/certs/trust_client/ServerRegister_cert.der"
# ── Step 6: GetEndpoints on ServerRegister (should succeed) ───
build/bobink_opcua_client "$CONFIG_DIR/client.conf" get-endpoints "opc.tcp://localhost:$SR_PORT" >"$TMPFILE" 2>&1
GE_RC=$?
GE_OUTPUT=$(<"$TMPFILE")
[ "$GE_RC" -eq 0 ]
check "get-endpoints succeeds after cert install (exit code $GE_RC)" $?
echo "$GE_OUTPUT" | grep -q "Aes256_Sha256_RsaPss"
check "get-endpoints contains Aes256_Sha256_RsaPss" $?
# ── Step 7: ReadTime on ServerRegister (should succeed) ───────
build/bobink_opcua_client "$CONFIG_DIR/client.conf" read-time "opc.tcp://localhost:$SR_PORT" >"$TMPFILE" 2>&1
RT_RC=$?
RT_OUTPUT=$(<"$TMPFILE")
[ "$RT_RC" -eq 0 ]
check "read-time exit code is 0 (got $RT_RC)" $?
echo "$RT_OUTPUT" | grep -q "date is:"
check "read-time output contains 'date is:'" $?
# ── result ─────────────────────────────────────────────────────
if [ "$FAILURES" -ne 0 ]; then
echo ""
echo "--- find-servers output ---"
echo "$FS_OUTPUT"
echo "--- get-endpoints (expected fail) output ---"
echo "$GE_FAIL_OUTPUT"
echo "--- download-cert output ---"
echo "$DC_OUTPUT"
echo "--- get-endpoints (after install) output ---"
echo "$GE_OUTPUT"
echo "--- read-time output ---"
echo "$RT_OUTPUT"
echo "--- end ---"
exit 1
fi
exit 0
|
