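#!/bin/bash
set -euo pipefail

# Policy Filter Integration Test
# This script runs the relay with the example policy and tests event filtering.

# Config
# PORT and URL can be overridden from the environment; URL defaults to the
# loopback address on PORT.
PORT=${PORT:-34568}
URL=${URL:-ws://127.0.0.1:${PORT}}

# The relay log and the PID file get unpredictable names from mktemp. A fixed
# name in a world-writable directory can be pre-created by another local user
# or left over from an earlier run, which would redirect the relay's output or
# make cleanup signal whatever PID the stale file happens to contain.
LOG=$(mktemp "${TMPDIR:-/tmp}/orly-policy-filter.out.XXXXXX")
PID=$(mktemp "${TMPDIR:-/tmp}/orly-policy-filter.pid.XXXXXX")
DATADIR=$(mktemp -d)
# NOTE(review): the directory name matches the ORLY_APP_NAME the relay is
# started with; presumably the relay looks for policy.json under
# ~/.config/<app name> — confirm against the relay's config loading.
CONFIG_DIR="$HOME/.config/ORLY_POLICY_TEST"
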
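#######################################
# Stop the relay (if a PID file exists) and remove the per-run state.
# Globals:   PID (read), DATADIR (read), CONFIG_DIR (read)
# Arguments: none
# Runs from the EXIT trap, so it must tolerate a relay that never started.
#######################################
cleanup() {
  # Disarm the trap first so cleanup cannot run a second time.
  trap - EXIT
  if [[ -f "$PID" ]]; then
    local relay_pid
    relay_pid=$(cat "$PID" 2>/dev/null) || relay_pid=""
    # Signal only a plain positive process ID. An empty, stale or tampered
    # PID file could otherwise hand kill a value such as 0 or a negative
    # number, which kill treats as a process group (or every process the
    # user owns) rather than the one relay process.
    if [[ "$relay_pid" =~ ^[1-9][0-9]*$ ]]; then
      kill -INT "$relay_pid" 2>/dev/null || true
    fi
    rm -f -- "$PID"
  fi
  # ${var:?} aborts instead of handing rm -rf an empty path.
  rm -rf -- "${DATADIR:?}"
  rm -rf -- "${CONFIG_DIR:?}"
}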
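trap cleanup EXIT

echo "🧪 Policy Filter Integration Test"
echo "=================================="

# Create config directory
mkdir -p "$CONFIG_DIR"

# Generate keys using Go helper
echo "🔑 Generating test keys..."
# The helper source lives in a private directory from mktemp -d. Appending
# ".go" to a mktemp file name yields a second path that mktemp never created
# (so it is not protected against pre-creation) and leaves the original empty
# temp file behind.
KEYGEN_TMP=$(mktemp -d)
cat > "$KEYGEN_TMP/keygen.go" <<'EOF'
package main

import (
	"encoding/json"
	"fmt"
	p256k1signer "p256k1.mleku.dev/signer"
	"next.orly.dev/pkg/encoders/hex"
)

func main() {
	// Generate allowed signer
	allowedSigner := p256k1signer.NewP256K1Signer()
	if err := allowedSigner.Generate(); err != nil {
		panic(err)
	}
	allowedPubkeyHex := hex.Enc(allowedSigner.Pub())
	allowedSecHex := hex.Enc(allowedSigner.Sec())

	// Generate unauthorized signer
	unauthorizedSigner := p256k1signer.NewP256K1Signer()
	if err := unauthorizedSigner.Generate(); err != nil {
		panic(err)
	}
	unauthorizedPubkeyHex := hex.Enc(unauthorizedSigner.Pub())
	unauthorizedSecHex := hex.Enc(unauthorizedSigner.Sec())

	result := map[string]string{
		"allowedPubkey":      allowedPubkeyHex,
		"allowedSec":         allowedSecHex,
		"unauthorizedPubkey": unauthorizedPubkeyHex,
		"unauthorizedSec":    unauthorizedSecHex,
	}

	jsonBytes, err := json.Marshal(result)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(jsonBytes))
}
EOF

# Run from the project root directory
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"
# Capture the exit status and stderr instead of discarding them, so a failed
# build of the helper is reported rather than silently yielding no keys.
KEYGEN_STATUS=0
KEYGEN_OUT=$(go run -tags=cgo "$KEYGEN_TMP/keygen.go" 2>"$KEYGEN_TMP/stderr.log") || KEYGEN_STATUS=$?
if (( KEYGEN_STATUS != 0 )); then
  echo "❌ Key generation failed (exit $KEYGEN_STATUS):" >&2
  cat "$KEYGEN_TMP/stderr.log" >&2
  rm -rf -- "$KEYGEN_TMP"
  exit 1
fi
rm -rf -- "$KEYGEN_TMP"
# NOTE(review): the build steps later in the script use paths relative to the
# project root, so the directory returned to here is presumably the project
# root already — confirm how the script is meant to be invoked.
cd - > /dev/null

# Keep only the JSON object line printed by the helper.
KEYS=$(grep -E '^\{.*\}$' <<<"$KEYGEN_OUT" || true)

# Refuse to continue unless every field is a non-empty string. Without this
# check an empty or partial result would flow into policy.json as "" or
# "null" pubkeys and the test would exercise a meaningless policy. Only the
# field name is printed, never the value, because two of them are secrets.
for field in allowedPubkey allowedSec unauthorizedPubkey unauthorizedSec; do
  if ! jq -e --arg f "$field" '.[$f] | type == "string" and length > 0' \
    <<<"$KEYS" >/dev/null 2>&1; then
    echo "❌ Key generation did not return a usable \"$field\"" >&2
    exit 1
  fi
done

ALLOWED_PUBKEY=$(jq -r '.allowedPubkey' <<<"$KEYS")
ALLOWED_SEC=$(jq -r '.allowedSec' <<<"$KEYS")
UNAUTHORIZED_PUBKEY=$(jq -r '.unauthorizedPubkey' <<<"$KEYS")
UNAUTHORIZED_SEC=$(jq -r '.unauthorizedSec' <<<"$KEYS")

# Only the public keys are echoed; the secret keys stay out of the output.
echo "✅ Generated keys:"
echo " Allowed pubkey: $ALLOWED_PUBKEY"
echo " Unauthorized pubkey: $UNAUTHORIZED_PUBKEY"
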
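# Create policy JSON with generated keys
echo "📝 Creating policy.json..."
# The document is built with jq rather than by expanding shell variables
# inside a heredoc: --arg passes each value as a properly escaped JSON string,
# so a quote or backslash in $HOME (part of CONFIG_DIR) or in the key cannot
# break or alter the policy structure.
# NOTE(review): nothing visible in this script creates validate4678.js;
# confirm how the relay treats a rule whose script file is missing.
jq -n \
  --arg script "$CONFIG_DIR/validate4678.js" \
  --arg allowed "$ALLOWED_PUBKEY" \
  '{
    kind: {
      whitelist: [4678, 10306, 30520, 30919]
    },
    rules: {
      "4678": {
        description: "Zenotp message events",
        script: $script,
        privileged: true
      },
      "10306": {
        description: "End user whitelist changes",
        read_allow: [$allowed],
        privileged: true
      },
      "30520": {
        description: "Zenotp events",
        write_allow: [$allowed],
        privileged: true
      },
      "30919": {
        description: "Zenotp events",
        write_allow: [$allowed],
        privileged: true
      }
    }
  }' > "$CONFIG_DIR/policy.json"

echo "✅ Policy file created at: $CONFIG_DIR/policy.json"
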
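# Build relay and test client
echo "🔨 Building relay..."
go build -o orly .

# Start relay
echo "🚀 Starting relay on ${URL} with policy enabled..."
# NOTE(review): only the port is set here, not a listen address; confirm the
# relay's default bind address is acceptable on a shared host. ACL mode is
# "none", so presumably the policy file is the only write filter in this run.
ORLY_APP_NAME="ORLY_POLICY_TEST" \
ORLY_DATA_DIR="$DATADIR" \
ORLY_PORT="${PORT}" \
ORLY_POLICY_ENABLED=true \
ORLY_ACL_MODE=none \
ORLY_AUTH_TO_WRITE=true \
ORLY_LOG_LEVEL=info \
./orly >"$LOG" 2>&1 &
# Keep the PID from $! in a variable and use that for the liveness check; the
# PID file is written for cleanup but is not trusted as the source of truth.
RELAY_PID=$!
echo "$RELAY_PID" >"$PID"

# Wait for relay to start
sleep 3
# kill -0 sends no signal; it only reports whether the process still exists.
if ! kill -0 "$RELAY_PID" 2>/dev/null; then
  echo "❌ Relay failed to start; logs:" >&2
  sed -n '1,200p' "$LOG" >&2
  exit 1
fi

echo "✅ Relay started (PID: $RELAY_PID)"
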
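# Build test client
echo "🔨 Building test client..."
go build -o cmd/policyfiltertest/policyfiltertest ./cmd/policyfiltertest

# Export keys for test client
export ALLOWED_PUBKEY ALLOWED_SEC UNAUTHORIZED_PUBKEY UNAUTHORIZED_SEC

# Run tests
echo "🧪 Running policy filter tests..."
# NOTE(review): the two secret keys are passed as command-line arguments, so
# they are visible to other local users in the process list while the client
# runs. They are throwaway keys generated for this run, and they are also
# exported above; if the client can read them from the environment, dropping
# -allowed-sec / -unauthorized-sec would keep them out of argv — confirm
# against the client's flag handling.
#
# The exit status is captured with "|| TEST_RESULT=$?" so errexit never has to
# be switched off, and the log checks that follow still run when tests fail.
TEST_RESULT=0
cmd/policyfiltertest/policyfiltertest \
  -url "${URL}" \
  -allowed-pubkey "$ALLOWED_PUBKEY" \
  -allowed-sec "$ALLOWED_SEC" \
  -unauthorized-pubkey "$UNAUTHORIZED_PUBKEY" \
  -unauthorized-sec "$UNAUTHORIZED_SEC" || TEST_RESULT=$?
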
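# Check logs for "policy rule is inactive" messages
# This check is informational: it prints a warning but does not change the
# exit status.
echo "🔍 Checking logs for policy rule inactivity..."
if grep -q "policy rule is inactive" "$LOG"; then
  echo "⚠️ WARNING: Found 'policy rule is inactive' messages in logs"
  # grep -m 5 stops after five matches by itself. Piping grep into head can
  # end grep with SIGPIPE on a large log, and under pipefail plus errexit that
  # would abort the script before the test result is reported.
  grep -m 5 "policy rule is inactive" "$LOG"
else
  echo "✅ No 'policy rule is inactive' messages found (good)"
fi

# Check logs for policy filtered events
echo "🔍 Checking logs for policy filtered events..."
if grep -q "policy filtered out event" "$LOG"; then
  echo "✅ Found policy filtered events (expected):"
  grep -m 5 "policy filtered out event" "$LOG"
fi

# Propagate the test client's exit status as the script's own.
if (( TEST_RESULT == 0 )); then
  echo "✅ All tests passed!"
  exit 0
else
  echo "❌ Tests failed with exit code $TEST_RESULT"
  echo "📋 Last 50 lines of relay log:"
  tail -n 50 "$LOG"
  exit "$TEST_RESULT"
fi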