92 lines
3.7 KiB
Bash
92 lines
3.7 KiB
Bash
#!/bin/bash
|
|
# Sanity: exchange can read bank wire gateway (bearer + public URL).
|
|
# Run on koopa as root (needs /root/bank-exchange-password.txt + podman).
|
|
set -euo pipefail
|
|
ROOT=$(cd "$(dirname "$0")" && pwd)
|
|
# shellcheck source=lib.sh
|
|
source "$ROOT/lib.sh"
|
|
need_root
|
|
|
|
echo "=== Exchange wirewatch / wire gateway ==="
|
|
|
|
if ! read_pw EPW /root/bank-exchange-password.txt; then
|
|
fail "missing /root/bank-exchange-password.txt"
|
|
exit 1
|
|
fi
|
|
|
|
ET=$(bank_token exchange "$EPW")
|
|
if [ -z "$ET" ]; then
|
|
fail "could not get bank token for exchange user"
|
|
exit 1
|
|
fi
|
|
pass "bank token for exchange user"
|
|
|
|
# History must work with Bearer (Basic is rejected by libeufin on history)
|
|
tmp=$(mktemp)
|
|
code=$(curl -sk -m 15 -o "$tmp" -w '%{http_code}' \
|
|
-H "Authorization: Bearer ${ET}" \
|
|
"${BANK_PUBLIC}/accounts/exchange/taler-wire-gateway/history/incoming?delta=-10")
|
|
if [ "$code" = "200" ]; then
|
|
pass "wire gateway history via ${BANK_PUBLIC} (HTTP $code)"
|
|
python3 -c 'import json,sys; d=json.load(open(sys.argv[1])); print(" incoming_count", len(d.get("incoming_transactions") or []))' "$tmp"
|
|
else
|
|
# fallback local
|
|
code2=$(curl -sS -m 15 -o "$tmp" -w '%{http_code}' \
|
|
-H "Authorization: Bearer ${ET}" \
|
|
"${BANK_URL}/accounts/exchange/taler-wire-gateway/history/incoming?delta=-10")
|
|
if [ "$code2" = "200" ]; then
|
|
warn "public wire gateway HTTP $code; local BANK_URL OK ($code2) — check DNS/hosts in exchange container"
|
|
else
|
|
fail "wire gateway history public=$code local=$code2"
|
|
fi
|
|
fi
|
|
rm -f "$tmp"
|
|
|
|
# Basic must fail on history (documents expected auth mode)
|
|
code_b=$(curl -sk -m 10 -o /dev/null -w '%{http_code}' \
|
|
-u "exchange:${EPW}" \
|
|
"${BANK_URL}/accounts/exchange/taler-wire-gateway/history/incoming?delta=-5")
|
|
if [ "$code_b" = "401" ]; then
|
|
pass "Basic auth correctly rejected on history ($code_b) — use bearer TOKEN"
|
|
else
|
|
warn "Basic on history returned $code_b (expected 401)"
|
|
fi
|
|
|
|
# Container credential + wirewatch process
|
|
if su - hernani -c 'podman exec taler-exchange-hacktivism true' 2>/dev/null; then
|
|
su - hernani -c 'podman exec taler-exchange-hacktivism bash -c "
|
|
set +e
|
|
echo \"--- secret (redacted) ---\"
|
|
if [ -r /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf ]; then
|
|
sed \"s/secret-token:.*/secret-token:***/; s/^TOKEN = .*/TOKEN = ***/; s/^PASSWORD = .*/PASSWORD = ***/\" \
|
|
/etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf
|
|
else
|
|
# root-only file: cat as root via outer exec
|
|
true
|
|
fi
|
|
echo \"--- hosts bank ---\"
|
|
grep bank.hacktivism.ch /etc/hosts || echo \"(no hosts pin)\"
|
|
echo \"--- wirewatch ---\"
|
|
ps -eo pid,stat,args | grep \"[w]irewatch\" || echo \"(no wirewatch process)\"
|
|
"' 2>&1 || warn "podman exec exchange failed"
|
|
|
|
AUTH_METHOD=$(su - hernani -c 'podman exec -u root taler-exchange-hacktivism \
|
|
grep -E "^WIRE_GATEWAY_AUTH_METHOD" /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf' 2>/dev/null | awk '{print $3}')
|
|
GW_URL=$(su - hernani -c 'podman exec -u root taler-exchange-hacktivism \
|
|
grep -E "^WIRE_GATEWAY_URL" /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf' 2>/dev/null | awk '{print $3}')
|
|
info "WIRE_GATEWAY_URL=$GW_URL"
|
|
info "WIRE_GATEWAY_AUTH_METHOD=$AUTH_METHOD"
|
|
if [ "$AUTH_METHOD" = "bearer" ]; then pass "auth method bearer"
|
|
else fail "auth method is '$AUTH_METHOD' (want bearer + TOKEN=)"
|
|
fi
|
|
case "$GW_URL" in
|
|
https://bank.hacktivism.ch/*) pass "gateway uses public bank URL" ;;
|
|
http://127.*|http://host.containers*) warn "gateway uses local URL: $GW_URL" ;;
|
|
*) warn "unexpected gateway URL: $GW_URL" ;;
|
|
esac
|
|
else
|
|
warn "exchange container not reachable via podman"
|
|
fi
|
|
|
|
echo "=== summary fails=$FAILS ==="
|
|
exit "$FAILS"
|