admin/elmprodvpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6a56d734c2c1ed78ca5412e6780604d16bc8837f
elmprodvpn/tests/transport_packaging_policy_rollout.sh

221 lines
7.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
UPDATER="${ROOT_DIR}/scripts/transport-packaging/update.sh"
require_cmd() {
local cmd="$1"
if ! command -v "$cmd" >/dev/null 2>&1; then
echo "[transport_packaging_policy_rollout] missing command: ${cmd}" >&2
exit 1
fi
}
require_cmd bash
require_cmd openssl
require_cmd sha256sum
require_cmd jq
tmp_dir="$(mktemp -d)"
trap 'rm -rf "$tmp_dir"' EXIT
assets_dir="${tmp_dir}/assets"
bin_root="${tmp_dir}/bin-root"
keys_dir="${tmp_dir}/keys"
mkdir -p "$assets_dir" "$bin_root" "$keys_dir"
asset_v1="${assets_dir}/sing-box-v1"
asset_v2="${assets_dir}/sing-box-v2"
sig_v1="${assets_dir}/sing-box-v1.sig"
sig_v2="${assets_dir}/sing-box-v2.sig"
sig_bad="${assets_dir}/sing-box-v2.bad.sig"
cat >"$asset_v1" <<'EOF'
#!/usr/bin/env bash
echo "signed sing-box v1"
EOF
chmod +x "$asset_v1"
cat >"$asset_v2" <<'EOF'
#!/usr/bin/env bash
echo "signed sing-box v2"
EOF
chmod +x "$asset_v2"
sha_v1="$(sha256sum "$asset_v1" | awk '{print $1}')"
sha_v2="$(sha256sum "$asset_v2" | awk '{print $1}')"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${keys_dir}/release-private.pem" >/dev/null 2>&1
openssl rsa -pubout -in "${keys_dir}/release-private.pem" -out "${keys_dir}/release-public.pem" >/dev/null 2>&1
openssl dgst -sha256 -sign "${keys_dir}/release-private.pem" -out "$sig_v1" "$asset_v1"
openssl dgst -sha256 -sign "${keys_dir}/release-private.pem" -out "$sig_v2" "$asset_v2"
cp "$sig_v1" "$sig_bad"
sig_sha_v1="$(sha256sum "$sig_v1" | awk '{print $1}')"
sig_sha_v2="$(sha256sum "$sig_v2" | awk '{print $1}')"
sig_sha_bad="$(sha256sum "$sig_bad" | awk '{print $1}')"
policy="${tmp_dir}/source-policy.json"
cat >"$policy" <<'EOF'
{
"schema_version": 1,
"require_https": false,
"allow_file_scheme": true,
"signature": {
"default_mode": "required",
"allowed_types": ["openssl-sha256"]
},
"components": {
"singbox": {
"allowed_url_prefixes": ["file://"],
"signature_mode": "required"
}
}
}
EOF
manifest="${tmp_dir}/manifest-canary.json"
cat >"$manifest" <<EOF
{
"schema_version": 1,
"components": {
"singbox": {
"enabled": true,
"binary_name": "sing-box",
"targets": {
"linux-amd64": {
"version": "1.0.0",
"url": "file://${asset_v1}",
"sha256": "${sha_v1}",
"asset_type": "raw",
"rollout": {
"stage": "canary",
"percent": 20
},
"signature": {
"type": "openssl-sha256",
"url": "file://${sig_v1}",
"sha256": "${sig_sha_v1}",
"public_key_path": "${keys_dir}/release-public.pem"
}
}
}
}
}
}
EOF
echo "[transport_packaging_policy_rollout] stage mismatch -> skip"
"$UPDATER" --manifest "$manifest" --source-policy "$policy" --bin-root "$bin_root" --component singbox --target linux-amd64 --rollout-stage stable --cohort-id 5
if [[ -e "${bin_root}/sing-box" ]]; then
echo "[transport_packaging_policy_rollout] expected no install on stage mismatch" >&2
exit 1
fi
echo "[transport_packaging_policy_rollout] canary gated by cohort -> skip"
"$UPDATER" --manifest "$manifest" --source-policy "$policy" --bin-root "$bin_root" --component singbox --target linux-amd64 --rollout-stage canary --cohort-id 55
if [[ -e "${bin_root}/sing-box" ]]; then
echo "[transport_packaging_policy_rollout] expected no install when cohort is out of rollout percent" >&2
exit 1
fi
echo "[transport_packaging_policy_rollout] canary in cohort -> install"
"$UPDATER" --manifest "$manifest" --source-policy "$policy" --bin-root "$bin_root" --component singbox --target linux-amd64 --rollout-stage canary --cohort-id 5
out_v1="$("${bin_root}/sing-box")"
if [[ "$out_v1" != "signed sing-box v1" ]]; then
echo "[transport_packaging_policy_rollout] expected signed v1 output, got: ${out_v1}" >&2
exit 1
fi
echo "[transport_packaging_policy_rollout] untrusted source must fail"
manifest_untrusted="${tmp_dir}/manifest-untrusted.json"
jq \
'.components.singbox.targets["linux-amd64"].version = "1.1.0" |
.components.singbox.targets["linux-amd64"].url = "https://example.com/sing-box" |
.components.singbox.targets["linux-amd64"].sha256 = "0000000000000000000000000000000000000000000000000000000000000000" |
.components.singbox.targets["linux-amd64"].rollout.stage = "stable" |
.components.singbox.targets["linux-amd64"].rollout.percent = 100' \
"$manifest" >"$manifest_untrusted"
if "$UPDATER" --manifest "$manifest_untrusted" --source-policy "$policy" --bin-root "$bin_root" --component singbox --target linux-amd64 --rollout-stage stable --cohort-id 5 --dry-run; then
echo "[transport_packaging_policy_rollout] expected failure for untrusted source" >&2
exit 1
fi
echo "[transport_packaging_policy_rollout] bad signature must fail"
manifest_bad_sig="${tmp_dir}/manifest-bad-sig.json"
cat >"$manifest_bad_sig" <<EOF
{
"schema_version": 1,
"components": {
"singbox": {
"enabled": true,
"binary_name": "sing-box",
"targets": {
"linux-amd64": {
"version": "1.2.0",
"url": "file://${asset_v2}",
"sha256": "${sha_v2}",
"asset_type": "raw",
"rollout": {
"stage": "stable",
"percent": 100
},
"signature": {
"type": "openssl-sha256",
"url": "file://${sig_bad}",
"sha256": "${sig_sha_bad}",
"public_key_path": "${keys_dir}/release-public.pem"
}
}
}
}
}
}
EOF
if "$UPDATER" --manifest "$manifest_bad_sig" --source-policy "$policy" --bin-root "$bin_root" --component singbox --target linux-amd64 --rollout-stage stable --cohort-id 5; then
echo "[transport_packaging_policy_rollout] expected failure for bad signature" >&2
exit 1
fi
echo "[transport_packaging_policy_rollout] valid signature update -> install v2"
manifest_good_sig="${tmp_dir}/manifest-good-sig.json"
cat >"$manifest_good_sig" <<EOF
{
"schema_version": 1,
"components": {
"singbox": {
"enabled": true,
"binary_name": "sing-box",
"targets": {
"linux-amd64": {
"version": "1.3.0",
"url": "file://${asset_v2}",
"sha256": "${sha_v2}",
"asset_type": "raw",
"rollout": {
"stage": "stable",
"percent": 100
},
"signature": {
"type": "openssl-sha256",
"url": "file://${sig_v2}",
"sha256": "${sig_sha_v2}",
"public_key_path": "${keys_dir}/release-public.pem"
}
}
}
}
}
}
EOF
"$UPDATER" --manifest "$manifest_good_sig" --source-policy "$policy" --bin-root "$bin_root" --component singbox --target linux-amd64 --rollout-stage stable --cohort-id 5
out_v2="$("${bin_root}/sing-box")"
if [[ "$out_v2" != "signed sing-box v2" ]]; then
echo "[transport_packaging_policy_rollout] expected signed v2 output, got: ${out_v2}" >&2
exit 1
fi
echo "[transport_packaging_policy_rollout] passed"
Reference in New Issue View Git Blame Copy Permalink