test monitor in the lambda emulator

Makefile

@@ -79,8 +79,16 @@ showcoverage: test
 generate:
 	go generate
 
+# image build order:
+#
+# app -> {app-hsm,monitor}
+# monitor -> monitor-lambda-emulator,monitor-hsm-lambda-emulator
+# app-hsm -> monitor-hsm-lambda-emulator (app-hsm writes chains and updated config to shared /tmp volume)
+#
 build: generate
-	docker-compose build --no-cache app app-hsm monitor monitor-hsm
+	docker-compose build --no-cache --parallel app db
+	docker-compose build --no-cache --parallel app-hsm monitor
+	docker-compose build --no-cache --parallel monitor-lambda-emulator monitor-hsm-lambda-emulator
 
 integration-test:
 	./bin/run_integration_tests.sh

bin/run_integration_tests.sh

@@ -10,7 +10,7 @@ docker-compose down -v
 docker-compose stop db
 docker-compose rm -f db
 
-# start db and servers
+# start db and app servers
 docker-compose up -d --force-recreate db app app-hsm
 
 echo "waiting for autograph-app to start"
@@ -28,16 +28,27 @@ done
 docker cp autograph-app-hsm:/tmp/normandy_dev_root_hash.txt .
 APP_HSM_NORMANDY_ROOT_HASH=$(grep '[0-9A-F]' normandy_dev_root_hash.txt | tr -d '\r\n')
 
+# start the monitor lambda emulators
+docker-compose up -d monitor-lambda-emulator
+AUTOGRAPH_ROOT_HASH=$APP_HSM_NORMANDY_ROOT_HASH docker-compose up -d monitor-hsm-lambda-emulator
+
+echo "waiting for monitor-lambda-emulator to start"
+while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-lambda-emulator)"; do
+  echo -n "."
+  sleep 1 # wait before checking again
+done
+echo "waiting for monitor-hsm-lambda-emulator to start"
+while test "true" != "$(docker inspect -f {{.State.Running}} autograph-monitor-hsm-lambda-emulator)"; do
+  echo -n "."
+  sleep 1 # wait before checking again
+done
+
 echo "checking monitoring using hsm root hash:" "$APP_HSM_NORMANDY_ROOT_HASH"
-docker-compose run \
-	       --rm \
-               -e AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs \
-               monitor
-docker-compose run \
-	       --rm \
-               -e "AUTOGRAPH_ROOT_HASH=$APP_HSM_NORMANDY_ROOT_HASH" \
-               -e AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs \
-               monitor-hsm
+# exec in containers to workaround https://circleci.com/docs/2.0/building-docker-images/#accessing-services
+docker-compose exec monitor-lambda-emulator "/usr/local/bin/test_monitor.sh"
+docker-compose logs monitor-lambda-emulator
+docker-compose exec monitor-hsm-lambda-emulator "/usr/local/bin/test_monitor.sh"
+docker-compose logs monitor-hsm-lambda-emulator
 
 echo "checking XPI signing"
 docker-compose run \

bin/test_monitor.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+# invoke a test monitor run in a lambda monitor
+
+MONITOR_ERROR=$(curl -w '\n' -X POST 'http://localhost:8080/2015-03-31/functions/function/invocations' -d '{}')
+test "$MONITOR_ERROR = null"

docker-compose.yml

@@ -69,46 +69,48 @@ services:
     image: autograph-monitor
     build:
       context: tools/autograph-monitor/
+
+  monitor-lambda-emulator:
+    container_name: autograph-monitor-lambda-emulator
+    image: autograph-monitor-lambda-emulator
+    build:
+      context: tools/autograph-monitor/
+      dockerfile: Dockerfile.lambda-emulator
     environment:
       - AUTOGRAPH_URL=http://autograph-app:8000/
       - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
+      # set a non-empty value to use the lambda handler
+      - LAMBDA_TASK_ROOT=/usr/local/bin/
       - AUTOGRAPH_ROOT_HASH
+    ports:
+      - "9000:8080"
     links:
       - app
     depends_on:
       - app
     volumes:
       - apptmpdir:/tmp/
-    command:
-      [
-        "/usr/bin/wait-for-it.sh",
-        "autograph-app:8001",
-        "--",
-        "/usr/bin/autograph-monitor",
-      ]
 
-  monitor-hsm:
-    container_name: autograph-monitor-hsm
-    image: autograph-monitor
+  monitor-hsm-lambda-emulator:
+    container_name: autograph-monitor-hsm-lambda-emulator
+    image: autograph-monitor-lambda-emulator
     build:
       context: tools/autograph-monitor/
+      dockerfile: Dockerfile.lambda-emulator
     environment:
       - AUTOGRAPH_URL=http://autograph-app-hsm:8001/
       - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
+      # set a non-empty value to use the lambda handler
+      - LAMBDA_TASK_ROOT=/usr/local/bin/
       - AUTOGRAPH_ROOT_HASH
+    ports:
+      - "9001:8080"
     links:
       - app-hsm
     depends_on:
       - app-hsm
     volumes:
       - hsmtmpdir:/tmp/
-    command:
-      [
-        "/usr/bin/wait-for-it.sh",
-        "autograph-app-hsm:8001",
-        "--",
-        "/usr/bin/autograph-monitor",
-      ]
 
   unit-test:
     container_name: autograph-unit-test

tools/autograph-monitor/.dockerignore

@@ -0,0 +1,3 @@
+*.pem
+*coverage.out
+testdata/

tools/autograph-monitor/Dockerfile

@@ -7,7 +7,6 @@ RUN cd /app/src/autograph/tools/autograph-monitor && go build -o /go/bin/autogra
 FROM debian:buster
 
 COPY --from=build /go/bin/autograph-monitor /usr/bin/autograph-monitor
-COPY --from=build /app/src/autograph/bin/wait-for-it.sh /usr/bin/wait-for-it.sh
 
 RUN addgroup --gid 10001 app \
       && \

tools/autograph-monitor/Dockerfile.lambda-emulator

@@ -0,0 +1,18 @@
+FROM autograph-app as app
+FROM autograph-monitor
+
+USER root
+
+COPY --from=app /app/src/autograph/bin/test_monitor.sh /usr/local/bin/test_monitor.sh
+
+RUN apt update \
+    && \
+    apt -y install curl \
+    && \
+    curl -Lo /usr/local/bin/aws-lambda-rie \
+    https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \
+    && \
+    chmod +x /usr/local/bin/aws-lambda-rie /usr/local/bin/test_monitor.sh
+
+USER app
+CMD ["/usr/local/bin/aws-lambda-rie", "/usr/bin/autograph-monitor"]

tools/autograph-monitor/Makefile

@@ -1,6 +1,8 @@
 build:
 	go build -o autograph-monitor *.go
 	zip -r autograph-monitor.zip autograph-monitor
+build-image:
+	docker build -t autograph-monitor:latest .
 doc:
 	go doc -all .
 doc-http:

tools/autograph-monitor/README.md

@@ -29,6 +29,7 @@ And additional optional environment variables:
   alerts for warnings like a content signature certificate expiring in
   30 days.
 
+When the upstream app is down monitor requests will time out after 30 seconds.
 
 An example run looks like: