diff options
Diffstat (limited to 'integration')
| -rwxr-xr-x | integration/smoke-test | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/integration/smoke-test b/integration/smoke-test new file mode 100755 index 0000000..4d92478 --- /dev/null +++ b/integration/smoke-test @@ -0,0 +1,97 @@ +#!/bin/bash + +set -eu + +function die() { + echo "ERROR: $*" >&2 + exit 1 +} + +function pass() { + echo "PASS: $*" >&2 +} + +function config() { + domain=$1; shift + remove_keys=$1; shift + + cat << EOF +{ + "monitor": [ + { + "bootstrap_at": "2025-01-01T00:00:00Z", + "suffix": "$domain" + } + ], + "remove_logs": [ +EOF + + mapfile -t keys <<< "$remove_keys" + for ((i = 0; i < ${#keys[@]}; i++)); do + key=${keys[i]} + if ((i == ${#keys[@]} - 1)); then + echo " \"$key\"" + else + echo " \"$key\"," + fi + done + + cat << EOF + ] +} +EOF +} + +#------------------------------------------------------------------------------- +# Options +#------------------------------------------------------------------------------- +TARGET_LOG=${TARGET_LOG:-"Google 'Argon2025h1' log"} # which log to test with +WAIT=${WAIT:-3} # seconds to wait for entries + +#------------------------------------------------------------------------------- +# Working directories +#------------------------------------------------------------------------------- +cd "$(dirname "$0")" + +dir=./testonly +rm -rf "$dir" +mkdir "$dir" + +#------------------------------------------------------------------------------- +# Metadata to configure monitoring of a single log +#------------------------------------------------------------------------------- +go run gitlab.torproject.org/rgdd/ct/cmd/ct-metadata@latest get source -n google > "$dir/metadata.json" +log_id=$(jq -r --arg desc "$TARGET_LOG" '.operators[].logs[] | select(.description == $desc) | .log_id' "$dir/metadata.json" | base64 -d | base16) +remove_keys=$(jq -r --arg desc "$TARGET_LOG" '.operators[].logs[] | select(.description != $desc) | .key' "$dir/metadata.json") + +config "www.example.org" "$remove_keys" > $dir/config.json +go run ../cmd/silentct-mon --bootstrap -c "$dir/config.json" -d "$dir/state" -C "dev:silentct" -v DEBUG + +pass "bootstrap the monitor with a single log" +sleep "$WAIT" + +#------------------------------------------------------------------------------- +# Figure out which domain name will be in the next log entry +#------------------------------------------------------------------------------- +next_index=$(jq '.next_index' "$dir/state/monitor_state/$log_id.json") +next_domain=$(go run github.com/google/certificate-transparency-go/client/ctclient@latest \ + get-entries --first "$next_index" --last "$next_index" --text --log_name "$TARGET_LOG" | \ + grep DNS | cut -d',' -f1 | cut -d':' -f2) + +[[ -n $next_domain ]] || die "failed to extract next domain name" + +#------------------------------------------------------------------------------- +# Run and find a match which turns into a certificate mis-issuance notice +#------------------------------------------------------------------------------- +config "$next_domain" "$remove_keys" >"$dir/config.json" +timeout 10s go run ../cmd/silentct-mon -c "$dir/config.json" -d "$dir/state" -C "dev:silentct" -p 1s -v DEBUG 2>&1 | tee "$dir/output.txt" +grep -q -E '([1-9][0-9]*|[1-9] matches)' "$dir/output.txt" || die "expected at least one match" +grep -q -F '[NOTICE] certificate mis-issuance?' "$dir/output.txt" || die "expected notice about mis-issued certificate" + +pass "run the monitor and be warned of an unreported certificate" + +#------------------------------------------------------------------------------- +# Success +#------------------------------------------------------------------------------- +echo "---" >&2 +echo "All smoke tests passed" >&2 |