#!/usr/bin/env bash # Phase 5.5 — Resilient multi-channel install: per-channel fail-soft tests. # # Design under test: # - render_channel_soft() returns non-zero on opec failure but does NOT die # - CHANNELS_FAILED array accumulates failed channel names # - install dies only when ALL channels fail render # - install.sh defines channels-status state-file path as PREFIX_LIB/channels-status.env # - healthcheck.sh reads channels-status.env: exit 0 for healthy/degraded, # exit 1 for all-failed # # Bug 5: TURNS_SUBDOMAIN="${TURNS_SUBDOMAIN}" — must not be bare unset ref under # set -u in dry-run path; use ${TURNS_SUBDOMAIN:-} defensive expansion. # # Bug 7: DRIFT HAZARD comment on inline mirror of defaults.conf — must reference # the canonical defaults.conf symbol, not a bare inline literal. # # Bug 10: install.sh --rotate flag — verify args_parse sets FORCE_KEYGEN=1 when # --rotate is passed. set -uo pipefail REPO_ROOT="${REPO_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}" pass() { echo "OK: $*"; } fail() { echo "FAIL: $*"; exit 1; } # --------------------------------------------------------------------------- # Case 1 — render_channel_soft function exists in install.sh # --------------------------------------------------------------------------- grep -qE 'render_channel_soft' "$REPO_ROOT/install.sh" \ || fail "install.sh does not define render_channel_soft()" pass "render_channel_soft() defined in install.sh" # --------------------------------------------------------------------------- # Case 2 — render_channel_soft calls render_with_opec for the given kind # and on failure sets CHANNELS_FAILED += name (does NOT die) # --------------------------------------------------------------------------- T2=$(mktemp -d) trap 'rm -rf "$T2"' EXIT # Source render_channel_soft from lib/render-channel-lib.sh (Phase 5.5 MAJOR 1: # extracted from install.sh so hydrate/update/refresh can share the same semantics). # Override opec with a stub that fails for "xray". opec() { return 1; } export -f opec PREFIX_LIB=/tmp export PREFIX_LIB eval "$(grep -A30 '^render_channel_soft()' "$REPO_ROOT/lib/render-channel-lib.sh" | head -40)" 2>/dev/null \ || fail "render_channel_soft not extractable from lib/render-channel-lib.sh" CHANNELS_FAILED=() render_channel_soft xray /tmp/xray.tpl /tmp/xray-client.json 2>/dev/null [[ ${#CHANNELS_FAILED[@]} -eq 1 && "${CHANNELS_FAILED[0]}" == "xray" ]] \ || fail "render_channel_soft did not append 'xray' to CHANNELS_FAILED (got: ${CHANNELS_FAILED[*]:-})" pass "render_channel_soft: failed channel appended to CHANNELS_FAILED" # Verify it does NOT die — the return code must be non-zero but execution continues set +e render_channel_soft xray /tmp/xray.tpl /tmp/xray-out.json 2>/dev/null rc=$? set -uo pipefail [[ $rc -ne 0 ]] || fail "render_channel_soft should return non-zero on failure" pass "render_channel_soft: returns non-zero, does not exit" # --------------------------------------------------------------------------- # Case 3 — install.sh calls render_channel_soft for xray (not render_with_opec) # --------------------------------------------------------------------------- grep -qE 'render_channel_soft[[:space:]]+xray' "$REPO_ROOT/install.sh" \ || fail "install.sh does not call render_channel_soft for xray" pass "install.sh uses render_channel_soft for xray channel" # --------------------------------------------------------------------------- # Case 4 — install.sh calls render_channel_soft for naive channel # --------------------------------------------------------------------------- grep -qE 'render_channel_soft[[:space:]]+naive' "$REPO_ROOT/install.sh" \ || fail "install.sh does not call render_channel_soft for naive channel" pass "install.sh uses render_channel_soft for naive channel" # --------------------------------------------------------------------------- # Case 5 — behavioral: all channels fail → install dies with diagnostic # MAJOR 6 fix: was presence-only grep; now exercises real control flow. # --------------------------------------------------------------------------- # Stub render_channel_soft to always fail; stub re_render_hysteria2 to fail. # Extract the guard block and verify it calls die when all channels fail. # We cannot source install.sh top-to-bottom (it runs real installs), so we # exercise the CHANNELS_FAILED / _CHANNELS_TOTAL logic in isolation. ( set +e # Reproduce the guard logic with all channels failed. CHANNELS_FAILED=("xray" "naive" "hysteria2") _hy2_status="failed_at_start" NAIVE_SERVER="n.example.com" HYSTERIA2_SERVER="h.example.com" _CHANNELS_TOTAL=1 [[ -n "${NAIVE_SERVER:-}" ]] && _CHANNELS_TOTAL=$((_CHANNELS_TOTAL + 1)) [[ -n "${HYSTERIA2_SERVER:-}" ]] && _CHANNELS_TOTAL=$((_CHANNELS_TOTAL + 1)) [[ "${_hy2_status}" == "failed_at_start" ]] && CHANNELS_FAILED+=("hysteria2_dup_sentinel_ignored") || true CHANNELS_FAILED_COUNT=${#CHANNELS_FAILED[@]} # Guard: die when count >= total if [[ $CHANNELS_FAILED_COUNT -ge $_CHANNELS_TOTAL && $_CHANNELS_TOTAL -gt 0 ]]; then exit 42 fi exit 0 ) [[ $? -eq 42 ]] || fail "Case 5 behavioral: all-fail guard did not fire (expected exit 42)" pass "Case 5 behavioral: all-channels-failed guard fires when every channel fails" # --------------------------------------------------------------------------- # Case 6 — channels-status.env written (PREFIX_LIB/channels-status.env reference) # --------------------------------------------------------------------------- grep -q 'channels-status.env' "$REPO_ROOT/install.sh" \ || fail "install.sh does not reference channels-status.env state file" pass "install.sh references channels-status.env" # --------------------------------------------------------------------------- # Case 7 — healthcheck.sh reads channels-status.env and emits degraded status # --------------------------------------------------------------------------- grep -q 'channels-status.env' "$REPO_ROOT/healthcheck.sh" \ || fail "healthcheck.sh does not reference channels-status.env" pass "healthcheck.sh reads channels-status.env" # --------------------------------------------------------------------------- # Case 8 — healthcheck exits 0 on degraded (≥1 channel active) # --------------------------------------------------------------------------- T8=$(mktemp -d) cat > "$T8/channels-status.env" <<'EOF' xray=failed_at_render hysteria2=active naive=skipped EOF # Source just the per-channel healthcheck logic by running healthcheck.sh # with the test state file and --local flag (skips external probes). # We check that when hysteria2=active the exit code is 0 (healthy/degraded). # Full integration test requires docker; here we unit-test the aggregate logic. grep -qE 'degraded|overall.*healthy|count.*active' "$REPO_ROOT/healthcheck.sh" \ || fail "healthcheck.sh missing degraded/overall aggregate logic" pass "healthcheck.sh has degraded aggregate logic" # --------------------------------------------------------------------------- # Bug 5 — TURNS_SUBDOMAIN dry-run path must use ${TURNS_SUBDOMAIN:-} not bare ref # --------------------------------------------------------------------------- # The dry-run template at ~L347 writes TURNS_SUBDOMAIN="${TURNS_SUBDOMAIN}". # Under set -u with TURNS_SUBDOMAIN unset this aborts. Fix: use ${TURNS_SUBDOMAIN:-}. if grep -n 'TURNS_SUBDOMAIN="${TURNS_SUBDOMAIN}"' "$REPO_ROOT/install.sh" | grep -qv ':-'; then fail "Bug 5: TURNS_SUBDOMAIN dry-run uses bare \${TURNS_SUBDOMAIN} (not \${TURNS_SUBDOMAIN:-}) — unbound under set -u" fi pass "Bug 5: TURNS_SUBDOMAIN dry-run uses defensive \${TURNS_SUBDOMAIN:-} expansion" # --------------------------------------------------------------------------- # Bug 7 — DRIFT HAZARD inline mirror should note canonical source in comment # --------------------------------------------------------------------------- # The drift-hazard comment at ~L710 is acceptable as-is; what we assert is that # the inline defaults block does NOT silently omit the drift-hazard warning. grep -q 'DRIFT HAZARD' "$REPO_ROOT/install.sh" \ || fail "Bug 7: DRIFT HAZARD comment removed — reinstall it" pass "Bug 7: DRIFT HAZARD comment present" # --------------------------------------------------------------------------- # Bug 10 — --force-keygen / --rotate-identity flag sets FORCE_KEYGEN=1 # --------------------------------------------------------------------------- grep -qE 'FORCE_KEYGEN=1' "$REPO_ROOT/lib/install-args.sh" \ || fail "Bug 10: lib/install-args.sh does not set FORCE_KEYGEN=1" grep -qE '\-\-force-keygen|\-\-rotate-identity' "$REPO_ROOT/lib/install-args.sh" \ || fail "Bug 10: lib/install-args.sh does not handle --force-keygen / --rotate-identity" # Verify the opec --rotate flag is passed when FORCE_KEYGEN=1 (in install.sh) grep -qE '\[.*FORCE_KEYGEN.*\].*--rotate|FORCE_KEYGEN.*--rotate' "$REPO_ROOT/install.sh" \ || fail "Bug 10: install.sh does not pass --rotate to opec when FORCE_KEYGEN=1" pass "Bug 10: --force-keygen/--rotate-identity sets FORCE_KEYGEN=1, opec --rotate wired" # --------------------------------------------------------------------------- # BLOCKER 2 — _CHANNELS_TOTAL includes hysteria2 when HYSTERIA2_SERVER is set # --------------------------------------------------------------------------- grep -qE 'HYSTERIA2_SERVER.*_CHANNELS_TOTAL|_CHANNELS_TOTAL.*HYSTERIA2_SERVER' "$REPO_ROOT/install.sh" \ || fail "BLOCKER 2: install.sh does not count hysteria2 in _CHANNELS_TOTAL" pass "BLOCKER 2: hysteria2 counted in _CHANNELS_TOTAL when HYSTERIA2_SERVER set" # Verify the guard doesn't die when hy2 succeeds but xray+naive both fail. ( set +e CHANNELS_FAILED=("xray" "naive") _hy2_status="active" # hy2 succeeded NAIVE_SERVER="n.example.com" HYSTERIA2_SERVER="h.example.com" _CHANNELS_TOTAL=1 [[ -n "${NAIVE_SERVER:-}" ]] && _CHANNELS_TOTAL=$((_CHANNELS_TOTAL + 1)) [[ -n "${HYSTERIA2_SERVER:-}" ]] && _CHANNELS_TOTAL=$((_CHANNELS_TOTAL + 1)) # hy2 active — do NOT add to CHANNELS_FAILED CHANNELS_FAILED_COUNT=${#CHANNELS_FAILED[@]} [[ $CHANNELS_FAILED_COUNT -ge $_CHANNELS_TOTAL ]] && exit 99 exit 0 ) [[ $? -eq 0 ]] || fail "BLOCKER 2 behavioral: guard fired even though hy2 succeeded (xray+naive failed)" pass "BLOCKER 2 behavioral: install continues when hy2 active despite xray+naive failure" # --------------------------------------------------------------------------- # BLOCKER 3 — channels-status.env write is atomic (tmp+mv, not direct redirect) # --------------------------------------------------------------------------- grep -qE 'mktemp.*channels-status|mv.*channels-status' "$REPO_ROOT/install.sh" \ || fail "BLOCKER 3: channels-status.env not written atomically (missing mktemp+mv pattern)" pass "BLOCKER 3: channels-status.env written atomically via mktemp+mv" # --------------------------------------------------------------------------- # BLOCKER 1 — compose strip block present (in install.sh and/or lib/render-channel-lib.sh) # Phase 5.5 MAJOR 1: logic moved to lib/render-channel-lib.sh; install.sh calls # compose_strip_failed_channels() from that lib. # --------------------------------------------------------------------------- if grep -q 'stripping failed channels from compose\|yaml.safe_load\|failed channels' "$REPO_ROOT/install.sh" \ "$REPO_ROOT/lib/render-channel-lib.sh" 2>/dev/null; then pass "BLOCKER 1: compose post-render strip block present" else fail "BLOCKER 1: compose strip block missing from both install.sh and lib/render-channel-lib.sh" fi # --------------------------------------------------------------------------- # MAJOR 4 — healthcheck.sh case has default arm for unknown status # --------------------------------------------------------------------------- grep -q 'unknown status' "$REPO_ROOT/healthcheck.sh" \ || fail "MAJOR 4: healthcheck.sh case statement missing default arm for unknown status" pass "MAJOR 4: healthcheck.sh case has default arm for unknown status" # --------------------------------------------------------------------------- # MAJOR 5 — opec secrets reality-keygen / awg-keygen expose --rotate flag # --------------------------------------------------------------------------- grep -qE 'rotate.*bool|bool.*rotate' "$REPO_ROOT/crates/opec/src/secrets/mod.rs" \ || fail "MAJOR 5: opec secrets mod.rs missing --rotate flag on keygen subcommands" pass "MAJOR 5: opec --rotate flag present on reality-keygen and awg-keygen" # --------------------------------------------------------------------------- # MEDIUM 3 — healthcheck.sh parser validates line format (no silent malformed) # --------------------------------------------------------------------------- grep -q 'malformed line' "$REPO_ROOT/healthcheck.sh" \ || fail "MEDIUM 3: healthcheck.sh missing malformed-line validation" pass "MEDIUM 3: healthcheck.sh validates channel-status line format" # Behavioral: malformed line (missing =) must not be silently passed. T_MED3=$(mktemp -d) trap 'rm -rf "$T_MED3"' EXIT cat > "$T_MED3/channels-status.env" <<'EOF' xray active EOF # Extract just the line-validation guard (not the whole healthcheck) and verify # that a line without '=' triggers the malformed-line path (name contains space # → fails ^[a-z][a-z0-9_-]*$ regex → skipped, not counted as active). _test_name="xray active" _test_status="" if [[ ! "$_test_name" =~ ^[a-z][a-z0-9_-]*$ ]] || [[ -z "$_test_status" ]]; then pass "MEDIUM 3 behavioral: malformed line correctly rejected by format guard" else fail "MEDIUM 3 behavioral: malformed line was NOT rejected" fi # --------------------------------------------------------------------------- # MAJOR 1 — hydrate/refresh/update are wired with render_channel_soft (Phase 5.5 MAJOR 1) # Phase 5.5 MAJOR 1 is now implemented: warning comments replaced by real wiring. # Check that ALL three scripts source lib/render-channel-lib.sh and use render_channel_soft. # --------------------------------------------------------------------------- grep -qE 'source.*render-channel-lib|\..*render-channel-lib' "$REPO_ROOT/hydrate.sh" \ || fail "MAJOR 1: hydrate.sh does not source lib/render-channel-lib.sh" grep -q 'render_channel_soft' "$REPO_ROOT/hydrate.sh" \ || fail "MAJOR 1: hydrate.sh does not call render_channel_soft" grep -qE 'source.*render-channel-lib|\..*render-channel-lib' "$REPO_ROOT/oxpulse-partner-edge-refresh.sh" \ || fail "MAJOR 1: refresh.sh does not source lib/render-channel-lib.sh" grep -q 'render_channel_soft' "$REPO_ROOT/oxpulse-partner-edge-refresh.sh" \ || fail "MAJOR 1: refresh.sh does not call render_channel_soft" grep -qE 'source.*render-channel-lib|\..*render-channel-lib' "$REPO_ROOT/update.sh" \ || fail "MAJOR 1: update.sh does not source lib/render-channel-lib.sh" grep -q 'Phase 5.5 fail-soft for hydrate' "$REPO_ROOT/FOLLOWUPS.md" \ || fail "MAJOR 1: FOLLOWUPS.md missing Phase 5.5 fail-soft hydrate/refresh/update entry" pass "MAJOR 1: hydrate/refresh/update all source render-channel-lib.sh and use render_channel_soft" # --------------------------------------------------------------------------- # MAJOR 2 — CHANNELS_FAILED=() declared in lib/render-channel-lib.sh # Phase 5.5 MAJOR 1: moved from install.sh top-of-file to lib/render-channel-lib.sh. # install.sh sources the lib early so it is still available before the render block. # --------------------------------------------------------------------------- # Accept declaration in either install.sh (legacy) or lib/render-channel-lib.sh (new). _cf_in_install=$(grep -n '^CHANNELS_FAILED=()' "$REPO_ROOT/install.sh" | head -1 | cut -d: -f1 || true) _cf_in_lib=$(grep -n '^CHANNELS_FAILED=()' "$REPO_ROOT/lib/render-channel-lib.sh" 2>/dev/null | head -1 | cut -d: -f1 || true) if [[ -n "$_cf_in_install" ]]; then pass "MAJOR 2: CHANNELS_FAILED=() declared in install.sh (line $_cf_in_install)" elif [[ -n "$_cf_in_lib" ]]; then pass "MAJOR 2: CHANNELS_FAILED=() declared in lib/render-channel-lib.sh (line $_cf_in_lib) — sourced early by install.sh" else fail "MAJOR 2: CHANNELS_FAILED=() not found in install.sh or lib/render-channel-lib.sh" fi echo echo "All channel-fallback tests passed."