fix(deploy): fix certificates not getting written and add tests

Closes #127

Co-Authored-By: Pisut Sritrakulchai <pisut.sritrakulchai@nordicsemi.no>

Author: coderbyheart

.gitignore

@@ -8,5 +8,5 @@ npm-debug.log
 cdk.out/
 dist/
 .envrc
-certificates/
+/certificates/
 cdk.context.json

cdk/backend.ts

@@ -18,11 +18,11 @@ import { packLayer } from './helpers/lambdas/packLayer.js'
 import { packBackendLambdas } from './packBackendLambdas.js'
 import { ECR_NAME, STACK_NAME } from './stacks/stackConfig.js'
 import { mkdir } from 'node:fs/promises'
-import { Scope, getSettingsOptional, putSettings } from '../util/settings.js'
-import { readFilesFromMap } from './helpers/readFilesFromMap.js'
-import { writeFilesFromMap } from './helpers/writeFilesFromMap.js'
+import { Scope } from '../util/settings.js'
 import { mqttBridgeCertificateLocation } from '../bridge/mqttBridgeCertificateLocation.js'
 import { caLocation } from '../bridge/caLocation.js'
+import { restoreCertificateFromSSM } from './helpers/certificates/restoreCertificateFromSSM.js'
+import { storeCertificateInSSM } from './helpers/certificates/storeCertificateInSSM.js'
 
 const repoUrl = new URL(pJSON.repository.url)
 const repository = {
@@ -80,44 +80,14 @@ const certificates = [
 ] as [Scope, Record<string, string>, logFn][]
 
 // Restore message bridge certificates from SSM
-const restoredCertificates = await Promise.all<boolean>(
-	certificates.map(async ([scope, certsMap, debug]) => {
-		debug(`Getting settings`, scope)
-		const settings = await getSettingsOptional<Record<string, string>, null>({
-			ssm,
-			stackName: STACK_NAME,
+const restoredCertificates = await Promise.all(
+	certificates.map(async ([scope, certsMap, debug]) =>
+		restoreCertificateFromSSM({ ssm, stackName: STACK_NAME })(
 			scope,
-		})(null)
-		if (settings === null) {
-			debug(`No certificate in settings.`)
-			return false
-		}
-
-		debug(`Restoring`)
-		const locations: Record<string, string> = Object.entries(settings).reduce(
-			(locations, [k, v]) => {
-				const path = certsMap[k]
-				debug(`Unrecognized path:`, k)
-				if (path === undefined) return locations
-				return {
-					...locations,
-					[path]: v,
-				}
-			},
-			{},
-		)
-		// Make sure all required locations exist
-
-		for (const k of Object.keys(certsMap)) {
-			if (locations[k] === undefined) {
-				debug(`Restored certificate settings are missing key`, k)
-				return false
-			}
-		}
-		for (const k of Object.keys(locations)) debug(`Restoring:`, k)
-		await writeFilesFromMap(settings)
-		return true
-	}),
+			certsMap,
+			debug,
+		),
+	),
 )
 
 // Pick up existing, or create new certificates
@@ -139,16 +109,10 @@ await Promise.all(
 			debug(`Certificate was restored. Nothing to store.`)
 			return
 		}
-		for (const k of Object.keys(certsMap)) debug(`Storing:`, k)
-		Object.entries(readFilesFromMap(certsMap)).map(async ([k, v]) =>
-			putSettings({
-				ssm,
-				stackName: STACK_NAME,
-				scope,
-			})({
-				property: k,
-				value: v,
-			}),
+		await storeCertificateInSSM({ ssm, stackName: STACK_NAME })(
+			scope,
+			certsMap,
+			debug,
 		)
 	}),
 )

cdk/helpers/readFilesFromMap.spec.ts renamed to cdk/helpers/certificates/readFilesFromMap.spec.ts

@@ -0,0 +1,139 @@
+import {
+	ParameterType,
+	type GetParametersByPathCommandOutput,
+	type SSMClient,
+} from '@aws-sdk/client-ssm'
+import { restoreCertificateFromSSM } from './restoreCertificateFromSSM.js'
+import { Scope } from '../../../util/settings.js'
+import { caLocation } from '../../../bridge/caLocation.js'
+import path from 'node:path'
+import os from 'node:os'
+import fs from 'node:fs/promises'
+import { readFilesFromMap } from './readFilesFromMap.js'
+
+describe('restoreCertificateFromSSM()', () => {
+	it('should query SSM for stored certificates, but not restored if value is not present', async () => {
+		const result: GetParametersByPathCommandOutput = {
+			Parameters: undefined,
+			$metadata: {},
+		}
+		const send = jest.fn(async () => Promise.resolve(result))
+		const ssm: SSMClient = {
+			send,
+		} as any
+
+		const tempDir = await fs.mkdtemp(
+			path.join(os.tmpdir(), 'restoreCertificateFromSSM-'),
+		)
+
+		const res = await restoreCertificateFromSSM({
+			ssm,
+			stackName: 'hello-nrfcloud',
+		})(
+			Scope.NRFCLOUD_BRIDGE_CERTIFICATE_MQTT, // 'nRFCloudBridgeCertificate/MQTT'
+			caLocation({
+				certsDir: tempDir,
+			}),
+		)
+
+		expect(res).toEqual(false)
+
+		expect(send).toHaveBeenLastCalledWith(
+			expect.objectContaining({
+				input: {
+					Path: `/hello-nrfcloud/nRFCloudBridgeCertificate/MQTT`,
+					Recursive: true,
+				},
+			}),
+		)
+	})
+
+	it('should not restore if value is incomplete', async () => {
+		const result: GetParametersByPathCommandOutput = {
+			Parameters: [
+				{
+					Type: ParameterType.STRING,
+					Name: 'invalidName',
+					Value: 'invalidValue',
+				},
+			],
+			$metadata: {},
+		}
+		const send = jest.fn(async () => Promise.resolve(result))
+		const ssm: SSMClient = {
+			send,
+		} as any
+
+		const tempDir = await fs.mkdtemp(
+			path.join(os.tmpdir(), 'restoreCertificateFromSSM-'),
+		)
+
+		const res = await restoreCertificateFromSSM({
+			ssm,
+			stackName: 'hello-nrfcloud',
+		})(
+			Scope.NRFCLOUD_BRIDGE_CERTIFICATE_MQTT, // 'nRFCloudBridgeCertificate/MQTT'
+			caLocation({
+				certsDir: tempDir,
+			}),
+		)
+
+		expect(res).toEqual(false)
+
+		expect(send).toHaveBeenLastCalledWith(
+			expect.objectContaining({
+				input: {
+					Path: `/hello-nrfcloud/nRFCloudBridgeCertificate/MQTT`,
+					Recursive: true,
+				},
+			}),
+		)
+	})
+
+	it('should restore if value in SSM is complete', async () => {
+		const result: GetParametersByPathCommandOutput = {
+			Parameters: ['key', 'cert', 'verificationCert'].map((Name) => ({
+				Type: ParameterType.STRING,
+				Name,
+				Value: `Content of ${Name}`,
+			})),
+			$metadata: {},
+		}
+		const send = jest.fn(async () => Promise.resolve(result))
+		const ssm: SSMClient = {
+			send,
+		} as any
+
+		const tempDir = await fs.mkdtemp(
+			path.join(os.tmpdir(), 'restoreCertificateFromSSM-'),
+		)
+
+		const certsMap = caLocation({
+			certsDir: tempDir,
+		})
+		const res = await restoreCertificateFromSSM({
+			ssm,
+			stackName: 'hello-nrfcloud',
+		})(
+			Scope.NRFCLOUD_BRIDGE_CERTIFICATE_MQTT, // 'nRFCloudBridgeCertificate/MQTT'
+			certsMap,
+		)
+
+		expect(res).toEqual(true)
+
+		expect(send).toHaveBeenLastCalledWith(
+			expect.objectContaining({
+				input: {
+					Path: `/hello-nrfcloud/nRFCloudBridgeCertificate/MQTT`,
+					Recursive: true,
+				},
+			}),
+		)
+
+		expect(await readFilesFromMap(certsMap)).toMatchObject({
+			key: `Content of key`,
+			cert: `Content of cert`,
+			verificationCert: `Content of verificationCert`,
+		})
+	})
+})

cdk/helpers/readFilesFromMap.ts renamed to cdk/helpers/certificates/readFilesFromMap.ts

@@ -0,0 +1,50 @@
+import { SSMClient } from '@aws-sdk/client-ssm'
+import { type logFn } from '../../../cli/log.js'
+import { Scope, getSettingsOptional } from '../../../util/settings.js'
+import { writeFilesFromMap } from './writeFilesFromMap.js'
+
+export const restoreCertificateFromSSM =
+	({ ssm, stackName }: { ssm: SSMClient; stackName: string }) =>
+	async (
+		scope: Scope,
+		certificateLocations: Record<string, string>,
+		debug?: logFn,
+	): Promise<boolean> => {
+		debug?.(`Getting settings`, scope)
+		const settings = await getSettingsOptional<Record<string, string>, null>({
+			ssm,
+			stackName,
+			scope,
+		})(null)
+		if (settings === null) {
+			debug?.(`No certificate stored in settings.`)
+			return false
+		}
+
+		// Make sure all required locations exist
+		for (const k of Object.keys(certificateLocations)) {
+			if (settings[k] === undefined) {
+				debug?.(`Restored certificate settings are missing key`, k)
+				return false
+			}
+		}
+
+		const locations: Record<string, string> = Object.entries(settings).reduce(
+			(locations, [k, v]) => {
+				const path = certificateLocations[k]
+				if (path === undefined) {
+					debug?.(`Unrecognized path:`, k)
+					return locations
+				}
+				return {
+					...locations,
+					[path]: v,
+				}
+			},
+			{},
+		)
+
+		for (const path of Object.keys(locations)) debug?.(`Restoring`, path)
+		await writeFilesFromMap(locations)
+		return true
+	}

cdk/helpers/certificates/restoreCertificateFromSSM.spec.ts

@@ -0,0 +1,67 @@
+import { ParameterType, type SSMClient } from '@aws-sdk/client-ssm'
+import { Scope } from '../../../util/settings.js'
+import { caLocation } from '../../../bridge/caLocation.js'
+import path from 'node:path'
+import os from 'node:os'
+import fs from 'node:fs/promises'
+import { writeFilesFromMap } from './writeFilesFromMap.js'
+import { storeCertificateInSSM } from './storeCertificateInSSM.js'
+
+describe('storeCertificateInSSM()', () => {
+	it('should store a certificate map in SSM', async () => {
+		const send = jest.fn(async () => Promise.resolve())
+		const ssm: SSMClient = {
+			send,
+		} as any
+		const certsDir = await fs.mkdtemp(
+			path.join(os.tmpdir(), 'restoreCertificateFromSSM-'),
+		)
+		const certsMap = caLocation({
+			certsDir,
+		})
+		await writeFilesFromMap({
+			[path.join(certsDir, 'CA.key')]: 'Contents of CA.key',
+			[path.join(certsDir, 'CA.cert')]: 'Contents of CA.cert',
+			[path.join(certsDir, 'CA.verification.cert')]:
+				'Contents of CA.verification.cert',
+		})
+
+		await storeCertificateInSSM({ ssm, stackName: 'hello-nrfcloud' })(
+			Scope.NRFCLOUD_BRIDGE_CERTIFICATE_MQTT, // 'nRFCloudBridgeCertificate/MQTT',
+			certsMap,
+		)
+
+		expect(send).toHaveBeenCalledWith(
+			expect.objectContaining({
+				input: {
+					Name: `/hello-nrfcloud/nRFCloudBridgeCertificate/MQTT/cert`,
+					Type: ParameterType.STRING,
+					Value: 'Contents of CA.cert',
+					Overwrite: true,
+				},
+			}),
+		)
+
+		expect(send).toHaveBeenCalledWith(
+			expect.objectContaining({
+				input: {
+					Name: `/hello-nrfcloud/nRFCloudBridgeCertificate/MQTT/key`,
+					Type: ParameterType.STRING,
+					Value: 'Contents of CA.key',
+					Overwrite: true,
+				},
+			}),
+		)
+
+		expect(send).toHaveBeenCalledWith(
+			expect.objectContaining({
+				input: {
+					Name: `/hello-nrfcloud/nRFCloudBridgeCertificate/MQTT/verificationCert`,
+					Type: ParameterType.STRING,
+					Value: 'Contents of CA.verification.cert',
+					Overwrite: true,
+				},
+			}),
+		)
+	})
+})

cdk/helpers/certificates/restoreCertificateFromSSM.ts

@@ -0,0 +1,25 @@
+import { SSMClient } from '@aws-sdk/client-ssm'
+import { type logFn } from '../../../cli/log.js'
+import { Scope, putSettings } from '../../../util/settings.js'
+import { readFilesFromMap } from './readFilesFromMap.js'
+
+export const storeCertificateInSSM =
+	({ ssm, stackName }: { ssm: SSMClient; stackName: string }) =>
+	async (
+		scope: Scope,
+		certsMap: Record<string, string>,
+		debug?: logFn,
+	): Promise<void> => {
+		const certContents = await readFilesFromMap(certsMap)
+		for (const [k, content] of Object.entries(certContents)) {
+			debug?.(`Storing certificate in settings:`, k)
+			await putSettings({
+				ssm,
+				stackName,
+				scope,
+			})({
+				property: k,
+				value: content,
+			})
+		}
+	}