feat(ci): spin 3 agents

Signed-off-by: Boris Glimcher <[email protected]>
opiproject · Jun 13, 2024 · 05f6d1e · 05f6d1e
1 parent 8b0f5e9
commit 05f6d1e
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 16 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -104,21 +104,21 @@ services:
         set -euxo pipefail
         env
         apk add --no-cache --no-check-certificate curl make && rm -rf /var/cache/apk/*
+        rm -rf /tmp/sztpd-simulator
         curl -kL https://watsen.net/support/sztpd-simulator-0.0.11.tgz | tar -zxvf - -C /tmp/
         cd /tmp/sztpd-simulator/pki
         echo "DNS.2 = bootstrap" >> sztpd1/sbi/end-entity/openssl.cnf
         echo "DNS.3 = web" >> sztpd1/sbi/end-entity/openssl.cnf
         echo "DNS.4 = redirecter" >> sztpd1/sbi/end-entity/openssl.cnf
-        sed -i 's/my-serial-number/third-serial-number/g' client/end-entity/openssl.cnf
         make pki SHELL=/bin/ash
         echo === SERVER SBI certificates ===
         cat sztpd1/sbi/end-entity/my_cert.pem sztpd1/sbi/intermediate2/my_cert.pem > /tmp/cert_chain.pem
         openssl crl2pkcs7 -nocrl -certfile /tmp/cert_chain.pem -outform DER -out /tmp/cert_chain.cms
         echo === CLIENT cert DevID trust anchor ===
         cat client/root-ca/my_cert.pem client/intermediate1/my_cert.pem client/intermediate2/my_cert.pem > /tmp/ta_cert_chain.pem
         openssl crl2pkcs7 -nocrl -certfile /tmp/ta_cert_chain.pem -outform DER -out /tmp/ta_cert_chain.cms
-        cat sztpd1/sbi/root-ca/my_cert.pem sztpd1/sbi/intermediate1/my_cert.pem > /opi.pem
         echo === COPY TO FINAL DESTINATION ===
+        cat sztpd1/sbi/root-ca/my_cert.pem sztpd1/sbi/intermediate1/my_cert.pem > /certs/client/opi.pem
         cp sztpd1/sbi/end-entity/private_key.der \
           sztpd1/sbi/end-entity/private_key.pem \
           sztpd1/sbi/end-entity/public_key.der \
@@ -128,7 +128,15 @@ services:
           /tmp/ta_cert_chain.cms \
           /tmp/ta_cert_chain.pem \
           /certs/server/
-        cp client/end-entity/private_key.pem client/end-entity/my_cert.pem /opi.pem /certs/client/
+        echo === Generate Clients Endponts ===
+        for vendor in first second third; do
+            sed -i "s/my-serial-number/$${vendor}-serial-number/g" client/end-entity/openssl.cnf
+            make -C client/end-entity cert_request   OPENSSL=openssl SHELL=/bin/ash
+            make -C client/intermediate2 sign_cert_request OPENSSL=openssl SHELL=/bin/ash REQDIR="../end-entity"
+            cp client/end-entity/private_key.pem /certs/client/$${vendor}_private_key.pem
+            cp client/end-entity/my_cert.pem /certs/client/$${vendor}_my_cert.pem
+            sed -i "s/$${vendor}-serial-number/my-serial-number/g" client/end-entity/openssl.cnf
+        done
       '
 
   web:
@@ -174,7 +182,7 @@ services:
       - opi
     command: dhclient -d -v
 
-  agent:
+  agent3: &agent
     image: ghcr.io/opiproject/opi-sztp-client:main
     build:
       context: sztp-agent
@@ -193,10 +201,26 @@ services:
       - opi
     command: ['/opi-sztp-agent', 'daemon',
               '--bootstrap-trust-anchor-cert', '/certs/opi.pem',
-              '--device-end-entity-cert', '/certs/my_cert.pem',
-              '--device-private-key', '/certs/private_key.pem',
+              '--device-end-entity-cert', '/certs/third_my_cert.pem',
+              '--device-private-key', '/certs/third_private_key.pem',
               '--serial-number', 'third-serial-number']
 
+  agent2:
+    <<: *agent
+    command: ['/opi-sztp-agent', 'daemon',
+              '--bootstrap-trust-anchor-cert', '/certs/opi.pem',
+              '--device-end-entity-cert', '/certs/second_my_cert.pem',
+              '--device-private-key', '/certs/second_private_key.pem',
+              '--serial-number', 'second-serial-number']
+
+  agent1:
+    <<: *agent
+    command: ['/opi-sztp-agent', 'daemon',
+              '--bootstrap-trust-anchor-cert', '/certs/opi.pem',
+              '--device-end-entity-cert', '/certs/first_my_cert.pem',
+              '--device-private-key', '/certs/first_private_key.pem',
+              '--serial-number', 'first-serial-number']
+
   avahi:
     image: docker.io/flungo/avahi:latest
     environment:

diff --git a/scripts/tests.sh b/scripts/tests.sh
@@ -29,11 +29,11 @@ docker-compose exec -T client cat /var/lib/dhclient/dhclient.leases | grep sztp-
 REDIRECT=$(docker-compose exec -T client cat /var/lib/dhclient/dhclient.leases | grep sztp-redirect-urls | head -n 1 | awk '{print $3}' | tr -d '";')
 
 # reusable variables
-CERTIFICATES=(--key /certs/private_key.pem --cert /certs/my_cert.pem --cacert /certs/opi.pem)
+CERTIFICATES=(--key /certs/third_private_key.pem --cert /certs/third_my_cert.pem --cacert /certs/opi.pem)
 SERIAL_NUMBER=third-serial-number
 SBI_CREDENTIALS=(--user "${SERIAL_NUMBER}":my-secret)
 NBI_CREDENTIALS=(--user [email protected]:my-secret)
-CURL=(docker run --rm --user 0 --network sztp_opi -v sztp_client-certs:/certs docker.io/curlimages/curl:8.5.0 --fail-with-body)
+CURL=(docker run --rm --user 0 --network sztp_opi -v /tmp:/tmp -v sztp_client-certs:/certs docker.io/curlimages/curl:8.5.0 --fail-with-body)
 
 # TODO: remove --insecure
 "${CURL[@]}" --insecure "${CERTIFICATES[@]}" --output /tmp/first-boot-image.tst  "https://web:443/first-boot-image.img"
@@ -94,7 +94,7 @@ BASENAME=$(basename "${URL}")
 "${CURL[@]}" --insecure "${CERTIFICATES[@]}" --output "/tmp/${BASENAME}" "${URL}"
 
 # Validate signature
-SIGNATURE=$(docker-compose run -T agent ash -c "openssl dgst -sha256 -c \"/tmp/${BASENAME}\" | awk '{print \$2}'")
+SIGNATURE=$(docker run --rm -v /tmp:/tmp docker.io/alpine/openssl:3.3.1 dgst -sha256 -c "/tmp/${BASENAME}" | awk '{print $2}')
 jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"image-verification\"[] /tmp/post_rpc_fixed.json | grep "${SIGNATURE}"
 
 # send progress
@@ -104,13 +104,15 @@ jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"image
 docker-compose ps
 
 # test go-code
-name=$(docker-compose ps | grep agent | awk '{print $1}')
-rc=$(docker wait "${name}")
-if [ "${rc}" != "0" ]; then
-    echo "agent failed:"
-    docker logs "${name}"
-    exit 1
-fi
+for name in $(docker-compose ps | grep agent | awk '{print $1}')
+do
+    rc=$(docker wait "${name}")
+    if [ "${rc}" != "0" ]; then
+        echo "agent failed:"
+        docker logs "${name}"
+        exit 1
+    fi
+done
 
 # check bootstrapping log
 docker-compose exec -T bootstrap curl --include --request GET --fail "${NBI_CREDENTIALS[@]}"  -H "Accept:application/yang-data+json" http://bootstrap:7080/restconf/ds/ietf-datastores:operational/wn-sztpd-1:devices/device="${SERIAL_NUMBER}"/bootstrapping-log