.

Author: CBenoit

.github/scripts/smoke-test-deb.sh

@@ -8,6 +8,9 @@
 #   - Binary is functional (--help, --config-init-only)
 #   - systemd unit file is installed (part of the .deb package)
 #   - Default configuration file is generated
+#   - Config directory has secure permissions
+#   - Service starts, responds to health check, and stops cleanly
+#   - Package uninstall removes files but preserves config
 #
 # Environment variables (required):
 #   PACKAGE_FILE   Absolute path to the .deb file inside the container.
@@ -16,8 +19,8 @@
 #
 # LIMITATION — systemd in containers:
 #   Docker containers do not normally run systemd. The postinst gates
-#   service enable/start on /run/systemd/system. Full service start/stop
-#   validation is best-effort and only attempted when systemd is detected.
+#   service enable/start on /run/systemd/system. When systemd is not
+#   detected, the service is started directly for the health check.
 # ──────────────────────────────────────────────────────────────────────────────
 
 set -euo pipefail
@@ -102,13 +105,13 @@ info "Updating apt and installing prerequisites…"
 export DEBIAN_FRONTEND=noninteractive
 apt-get update -qq
 PREREQ_LOG=$(mktemp)
-if apt-get install -y -qq file python3 > "$PREREQ_LOG" 2>&1; then
+if apt-get install -y -qq file python3 curl openssl > "$PREREQ_LOG" 2>&1; then
     rm -f "$PREREQ_LOG"
 else
     echo "Prerequisites installation output:"
     cat "$PREREQ_LOG"
     rm -f "$PREREQ_LOG"
-    fail "Prerequisites installation failed (file, python3)"
+    fail "Prerequisites installation failed (file, python3, curl, openssl)"
     diagnostics
     summary
 fi
@@ -146,6 +149,11 @@ check_native_library
 check_webapp
 check_config_dir
 
+# ── Config directory permissions ──────────────────────────────────────────────
+
+info "Checking config directory permissions…"
+check_config_dir_permissions
+
 # ── Binary functionality ──────────────────────────────────────────────────────
 
 info "Checking binary functionality…"
@@ -167,9 +175,31 @@ check_unit_file "fail"
 info "Checking service file has exactly one ExecStart directive…"
 check_single_execstart
 
-# ── Service startup (best-effort) ─────────────────────────────────────────────
+# ── Provisioner key ───────────────────────────────────────────────────────────
+# The gateway requires a provisioner public key to start.
+# Generate a key pair and place the public key where gateway.json points.
+
+info "Generating provisioner key…"
+check_provisioner_key
+
+# ── Service health ────────────────────────────────────────────────────────────
 
-check_service_startup
+info "Checking service health…"
+check_service_health
+
+# ── Uninstall ─────────────────────────────────────────────────────────────────
+
+info "Checking package uninstall…"
+REMOVE_LOG=$(mktemp)
+if apt-get remove -y "$PACKAGE_NAME" >"$REMOVE_LOG" 2>&1; then
+    pass "Package removal succeeded"
+else
+    echo "Removal output:"
+    cat "$REMOVE_LOG"
+    fail "Package removal failed"
+fi
+rm -f "$REMOVE_LOG"
+check_post_uninstall
 
 # ── Final output ──────────────────────────────────────────────────────────────
 

.github/scripts/smoke-test-lib.sh

@@ -36,6 +36,17 @@ summary() {
     fi
 }
 
+# ── Helpers ───────────────────────────────────────────────────────────────────
+
+# Returns 0 if systemd is running AND the unit file is installed on disk.
+systemd_and_unit_available() {
+    [ -d /run/systemd/system ] && command -v systemctl >/dev/null 2>&1 || return 1
+    for path in "${UNIT_FILE_PATHS[@]}"; do
+        [ -f "$path" ] && return 0
+    done
+    return 1
+}
+
 # ── Check functions ───────────────────────────────────────────────────────────
 
 check_binary_executable() {
@@ -77,6 +88,16 @@ check_config_dir() {
     fi
 }
 
+check_config_dir_permissions() {
+    local perms
+    perms=$(stat -c '%a' "$CONFIG_DIR" 2>/dev/null)
+    if [ "$perms" = "750" ]; then
+        pass "Config directory has secure permissions ($perms): $CONFIG_DIR"
+    else
+        fail "Config directory has insecure permissions ($perms, expected 750): $CONFIG_DIR"
+    fi
+}
+
 check_binary_help() {
     HELP_OUTPUT=$("$BINARY" --help 2>&1) && HELP_RC=$? || HELP_RC=$?
     if [ "$HELP_RC" -eq 0 ] || echo "$HELP_OUTPUT" | grep -qi 'gateway\|usage\|help'; then
@@ -147,19 +168,87 @@ check_single_execstart() {
     fi
 }
 
-check_service_startup() {
-    info "[Best-effort] Checking service startup…"
-    warn "systemd service startup testing is best-effort in containers."
-    warn "Full service validation requires a real systemd environment."
-    if [ -d /run/systemd/system ]; then
-        info "systemd detected; attempting service start…"
-        if systemctl start devolutions-gateway 2>&1; then
-            pass "[Best-effort] Service started successfully"
-            systemctl status devolutions-gateway 2>&1 || true
-        else
-            warn "Service start failed (expected in some container environments)."
+check_provisioner_key() {
+    info "Generating RSA-2048 provisioner key pair with openssl…"
+    KEY_LOG=$(mktemp)
+    if openssl genrsa -out "$CONFIG_DIR/provisioner.key" 2048 >"$KEY_LOG" 2>&1 \
+        && openssl rsa -in "$CONFIG_DIR/provisioner.key" \
+               -pubout -out "$CONFIG_DIR/provisioner.pem" >>"$KEY_LOG" 2>&1; then
+        pass "Provisioner key pair generated: $CONFIG_DIR/provisioner.pem"
+    else
+        echo "openssl output:"
+        cat "$KEY_LOG"
+        fail "Failed to generate provisioner key pair"
+    fi
+    rm -f "$KEY_LOG"
+}
+
+check_service_health() {
+    info "Checking service health…"
+
+    local health_url="http://localhost:7171/jet/health"
+    local gateway_pid=""
+
+    if systemd_and_unit_available; then
+        info "systemd available — using systemctl start/stop"
+        if ! systemctl start devolutions-gateway >/dev/null 2>&1; then
+            fail "systemctl start devolutions-gateway failed"
+            return
+        fi
+    else
+        info "systemd not available — starting binary directly"
+        "$BINARY" &
+        gateway_pid=$!
+    fi
+
+    # Wait for the service to be ready (up to 10 s).
+    local i=0
+    while [ "$i" -lt 10 ]; do
+        curl -sf "$health_url" >/dev/null 2>&1 && break
+        sleep 1
+        i=$((i + 1))
+    done
+
+    HEALTH_OUTPUT=$(curl -sf "$health_url" 2>/dev/null) && HEALTH_RC=$? || HEALTH_RC=$?
+
+    # Stop the service.
+    if systemd_and_unit_available; then
+        systemctl stop devolutions-gateway >/dev/null 2>&1 || true
+    elif [ -n "$gateway_pid" ]; then
+        kill "$gateway_pid" 2>/dev/null || true
+        wait "$gateway_pid" 2>/dev/null || true
+    fi
+
+    if [ "$HEALTH_RC" -eq 0 ]; then
+        pass "Health endpoint responded: $HEALTH_OUTPUT"
+    else
+        fail "Health endpoint did not respond at $health_url"
+    fi
+}
+
+check_post_uninstall() {
+    if [ ! -f "$BINARY" ]; then
+        pass "Binary removed after uninstall"
+    else
+        fail "Binary still present after uninstall: $BINARY"
+    fi
+
+    local unit_file_found=0
+    for path in "${UNIT_FILE_PATHS[@]}"; do
+        if [ -f "$path" ]; then
+            unit_file_found=1
+            break
         fi
+    done
+    if [ "$unit_file_found" -eq 0 ]; then
+        pass "Unit file removed after uninstall"
+    else
+        fail "Unit file still present after uninstall"
+    fi
+
+    if [ -d "$CONFIG_DIR" ]; then
+        pass "Config directory preserved after uninstall: $CONFIG_DIR"
     else
-        info "No systemd detected; skipping service startup test."
+        fail "Config directory was removed after uninstall (should be preserved)"
     fi
 }

.github/scripts/smoke-test-rpm.sh

@@ -2,12 +2,15 @@
 # ──────────────────────────────────────────────────────────────────────────────
 # RPM Package Installation Test for Devolutions Gateway
 #
-# Runs inside a Rocky Linux 9 (RHEL 9-compatible) container to validate:
+# Runs inside a Rocky Linux (RHEL-compatible) container to validate:
 #   - Package installs correctly via dnf
 #   - Expected files and directories are present
 #   - Binary is functional (--help, --config-init-only)
 #   - systemd unit file is installed (part of the .rpm package)
 #   - Default configuration file is generated
+#   - Config directory has secure permissions
+#   - Service starts, responds to health check, and stops cleanly
+#   - Package uninstall removes files but preserves config
 #
 # Environment variables (required):
 #   PACKAGE_FILE   Absolute path to the .rpm file inside the container.
@@ -16,9 +19,8 @@
 #
 # LIMITATION — systemd in containers:
 #   Docker containers do not normally run systemd. The RPM postinst
-#   gates service enable/start on /run/systemd/system. Full service
-#   start/stop validation is best-effort and only attempted when
-#   systemd is detected.
+#   gates service enable/start on /run/systemd/system. When systemd is
+#   not detected, the service is started directly for the health check.
 # ──────────────────────────────────────────────────────────────────────────────
 
 set -euo pipefail
@@ -101,20 +103,20 @@ echo ""
 
 info "Installing prerequisites…"
 PREREQ_LOG=$(mktemp)
-if dnf install -y -q file python3 > "$PREREQ_LOG" 2>&1; then
+if dnf install -y -q file python3 curl openssl > "$PREREQ_LOG" 2>&1; then
     rm -f "$PREREQ_LOG"
 else
     echo "Prerequisites installation output:"
     cat "$PREREQ_LOG"
     rm -f "$PREREQ_LOG"
-    fail "Prerequisites installation failed (file, python3)"
+    fail "Prerequisites installation failed (file, python3, curl, openssl)"
     diagnostics
     summary
 fi
 
 info "Installing package: $(basename "$PACKAGE_FILE")"
 # Use dnf to resolve and satisfy dependencies automatically.
-# The package declares a glibc dependency; Rocky Linux 9 provides glibc 2.34+.
+# The package declares a glibc dependency; Rocky Linux provides glibc 2.28+.
 INSTALL_LOG=$(mktemp)
 if dnf install -y "$PACKAGE_FILE" > "$INSTALL_LOG" 2>&1; then
     pass "Package installation succeeded"
@@ -145,6 +147,11 @@ check_native_library
 check_webapp
 check_config_dir
 
+# ── Config directory permissions ──────────────────────────────────────────────
+
+info "Checking config directory permissions…"
+check_config_dir_permissions
+
 # ── Binary functionality ──────────────────────────────────────────────────────
 
 info "Checking binary functionality…"
@@ -169,9 +176,31 @@ check_unit_file "fail"
 info "Checking service file has exactly one ExecStart directive…"
 check_single_execstart
 
-# ── Service startup (best-effort) ─────────────────────────────────────────────
+# ── Provisioner key ───────────────────────────────────────────────────────────
+# The gateway requires a provisioner public key to start.
+# Generate a key pair and place the public key where gateway.json points.
+
+info "Generating provisioner key…"
+check_provisioner_key
+
+# ── Service health ────────────────────────────────────────────────────────────
 
-check_service_startup
+info "Checking service health…"
+check_service_health
+
+# ── Uninstall ─────────────────────────────────────────────────────────────────
+
+info "Checking package uninstall…"
+REMOVE_LOG=$(mktemp)
+if dnf remove -y "$PACKAGE_NAME" >"$REMOVE_LOG" 2>&1; then
+    pass "Package removal succeeded"
+else
+    echo "Removal output:"
+    cat "$REMOVE_LOG"
+    fail "Package removal failed"
+fi
+rm -f "$REMOVE_LOG"
+check_post_uninstall
 
 # ── Final output ──────────────────────────────────────────────────────────────