mozilla-services / autograph-canary

An AWS lambda for checking Autograph signing is working correctly

autograph-canary


autograph-canary is a containerized AWS lambda for running Firefox integration tests against signed autograph artifacts. It uses XPConnect to exercise Firefox client code against signed XPI/Addons and content signatures.

Usage

Installation

To download the built image from dockerhub run:

docker pull mozilla/autograph-canary

or see below to build it locally.

AWS Lambda

Environment Variables

The following environment variables with their default values below configure logging verbosity, tests to run, and test targets.

What log level should be used (use INFO for less verbose logging):

CANARY_LOG_LEVEL=debug

Which XPCShell test files in tests/ to run (as matched by pathlib glob):

TEST_FILES_GLOB="*_test.js"

Addon / XPI Signature Verification

Which PKI root to verify addons against. Defaults to prod; use stage to set xpinstall.signatures.dev-root to true (Fx Nightly only):

XPI_ENV=prod

Which XPI URLs to download and install as a CSV:

XPI_URLS=https://addons.mozilla.org/firefox/downloads/file/3772109/facebook_container-2.2.1-fx.xpi,https://addons.mozilla.org/firefox/downloads/file/3713375/firefox_multi_account_containers-7.3.0-fx.xpi,https://addons.mozilla.org/firefox/downloads/file/3768975/ublock_origin-1.35.2-an+fx.xpi

Content Signature Verification

Which prefs to use for the content signature settings server URL, bucket, and root hash (prod or stage with an optional -preview suffix, the same as the remotesettings devtools):

CSIG_ENV=prod

Which content signature collections to verify. Collections must all use the same CSIG_ENV and be given as a CSV list of "$BUCKET_NAME/$COLLECTION_NAME" entries. Use bin/list_collections.sh to list publicly available collections:

CSIG_COLLECTIONS=blocklists/gfx,blocklists/addons-bloomfilters,blocklists/plugins,blocklists/addons,blocklists/certificates,main/normandy-recipes,main/normandy-recipes-capabilities,main/hijack-blocklists,main/search-config,security-state/onecrl,security-state/intermediates
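As an added example (not autograph-canary's own code), the following Python parses and validates the environment variables documented above before any test runs, so a malformed CSIG_COLLECTIONS entry, an unknown CSIG_ENV, or a non-https XPI URL fails fast instead of producing a misleading canary result. The function names and the config dict layout are assumptions; the default values are the ones listed in this README.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# CSIG_ENV is prod or stage, optionally with a -preview suffix (per the README).
_CSIG_ENV_RE = re.compile(r"^(prod|stage)(-preview)?$")

def parse_csv(value: str) -> List[str]:
    """Split a CSV env var, dropping empty entries and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_collections(value: str) -> List[Tuple[str, str]]:
    """Parse CSIG_COLLECTIONS entries of the form $BUCKET_NAME/$COLLECTION_NAME."""
    pairs = []
    for entry in parse_csv(value):
        parts = entry.split("/")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"bad collection {entry!r}: expected BUCKET/COLLECTION")
        pairs.append((parts[0], parts[1]))
    return pairs

def parse_csig_env(value: str) -> Tuple[str, bool]:
    """Return (base_env, is_preview) for prod, stage, prod-preview or stage-preview."""
    m = _CSIG_ENV_RE.match(value)
    if not m:
        raise ValueError(f"bad CSIG_ENV {value!r}: expected prod|stage[-preview]")
    return m.group(1), m.group(2) is not None

def parse_xpi_urls(value: str) -> List[str]:
    """Accept only absolute https URLs so the canary never fetches an XPI over http."""
    urls = parse_csv(value)
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"bad XPI URL {url!r}: must be https://host/...")
    return urls

def load_canary_config(env: Dict[str, str]) -> Dict[str, object]:
    """Build a validated config from an os.environ-like mapping, using README defaults."""
    xpi_env = env.get("XPI_ENV", "prod")
    if xpi_env not in ("prod", "stage"):
        raise ValueError(f"bad XPI_ENV {xpi_env!r}: expected prod or stage")
    return {
        "log_level": env.get("CANARY_LOG_LEVEL", "debug").upper(),
        "test_files_glob": env.get("TEST_FILES_GLOB", "*_test.js"),
        "xpi_env": xpi_env,
        "xpi_urls": parse_xpi_urls(env.get("XPI_URLS", "")),
        "csig_env": parse_csig_env(env.get("CSIG_ENV", "prod")),
        "csig_collections": parse_collections(env.get("CSIG_COLLECTIONS", "")),
    }
```

Call load_canary_config(dict(os.environ)) at startup and log the resulting dict so a run's test targets are recorded alongside its results.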

Event payload

To support running from scheduled events, autograph-canary ignores event payloads.

Command line

To run the default set of autograph-canary tests:

  1. Install docker and docker-compose

  2. Run docker-compose build canary to build the canary container

  3. Run docker-compose run canary to run autograph.py from the main entrypoint

To run integration tests in the containerized AWS lambda emulator:

  1. Install docker and docker-compose

  2. Run make build to build the canary and emulator containers

  3. Run make integration-test, which starts the emulator and runs bin/run_integration_tests.sh

Development

  1. Install docker and docker-compose

  2. Run cp docker-compose.override.yml.example docker-compose.override.yml

  3. Run make build to build the canary and emulator containers

  4. Run docker-compose up -d emulator to start the emulator container

  5. Run make emulator-shell to log into the emulator container. In the container run cp local/autograph.py . && python autograph.py to run tests without rebuilding the container.