chore: compactify bash scripts

Author: Manuthor

.github/scripts/cargo_build.ps1

@@ -10,7 +10,6 @@ function BuildProject
         [string]$BuildType
     )
 
-    $env:RUST_LOG = "cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"
     # Add target
     rustup target add x86_64-pc-windows-msvc
 
@@ -24,26 +23,25 @@ function BuildProject
     if ($BuildType -eq "release")
     {
         cargo build --release --features "non-fips"
-        cargo test  --release --features "non-fips" -- --nocapture
         cargo packager --verbose --formats nsis --release
     }
     else
     {
         cargo build --features "non-fips"
-        cargo test  --features "non-fips" -- --nocapture
         cargo packager --verbose --formats nsis
     }
     Get-ChildItem ..\..
 
     # Check dynamic links
+    $previousErrorActionPreference = $ErrorActionPreference
     $ErrorActionPreference = "SilentlyContinue"
     $output = & "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.29.30133\bin\HostX64\x64\dumpbin.exe" /dependents target\$BuildType\cosmian_kms.exe | Select-String "libcrypto"
+    $ErrorActionPreference = $previousErrorActionPreference
     if ($output)
     {
-        throw "OpenSSL (libcrypto) found in dynamic dependencies. Error: $output"
+        Write-Error "OpenSSL (libcrypto) found in dynamic dependencies. Error: $output"
+        exit 1
     }
-
-    exit 0
 }
 
 

.github/scripts/cargo_test.ps1

@@ -0,0 +1,45 @@
+$ErrorActionPreference = "Stop"
+Set-StrictMode -Version Latest
+$PSNativeCommandUseErrorActionPreference = $true # might be true by default
+
+function TestProject
+{
+    param (
+        [Parameter(Mandatory = $true)]
+        [ValidateSet("debug", "release")]
+        [string]$BuildType
+    )
+
+    $env:RUST_LOG = "cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"
+    # Add target
+    rustup target add x86_64-pc-windows-msvc
+
+    $env:OPENSSL_DIR = "$env:VCPKG_INSTALLATION_ROOT\packages\openssl_x64-windows-static"
+    Get-ChildItem -Recurse $env:OPENSSL_DIR
+
+    if ($BuildType -eq "release")
+    {
+        cargo test -p cosmian_kms_server --release --features "non-fips" -- --nocapture
+        # cargo test --lib --workspace  --release --features "non-fips" -- --nocapture
+        if ($LASTEXITCODE -ne 0)
+        {
+            Write-Error "Release tests failed with exit code $LASTEXITCODE"
+            exit $LASTEXITCODE
+        }
+    }
+    else
+    {
+        cargo test -p cosmian_kms_server --features "non-fips" -- --nocapture
+        # cargo test --lib --workspace --features "non-fips" -- --nocapture
+        if ($LASTEXITCODE -ne 0)
+        {
+            Write-Error "Debug tests failed with exit code $LASTEXITCODE"
+            exit $LASTEXITCODE
+        }
+    }
+}
+
+
+# Example usage:
+# TestProject -BuildType debug
+# TestProject -BuildType release

.github/scripts/check_build.sh

@@ -2,42 +2,29 @@
 set -eo pipefail
 set -x
 
-# Resolve inputs with defaults inside the nix environment
-: "${DEBUG_OR_RELEASE:=debug}"
-: "${FEATURES:=}"
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+source "$SCRIPT_DIR/common.sh"
 
-RELEASE_FLAG=""
-if [ "$DEBUG_OR_RELEASE" = "release" ]; then
-  RELEASE_FLAG="--release"
-fi
-
-# Construct features flag
-FEATURES_FLAG=()
-if [ -n "$FEATURES" ]; then
-  FEATURES_FLAG=(--features "$FEATURES")
-fi
+init_build_env
 
-cargo build -p cosmian_kms_server $RELEASE_FLAG "${FEATURES_FLAG[@]}"
+cargo build -p cosmian_kms_server "$RELEASE_FLAG" "${FEATURES_FLAG[@]}"
 
 COSMIAN_KMS_EXE="target/$DEBUG_OR_RELEASE/cosmian_kms"
 
-# For verification during build, we temporarily use the nix store OpenSSL config
-# At runtime, the binary will use /usr/local/lib/openssl (its compiled-in OPENSSLDIR)
-# after running the setup_openssl_runtime.sh script
+# Verify binary works (temporarily use nix store OpenSSL config)
 export OPENSSL_CONF="${NIX_OPENSSL_OUT:-}/ssl/openssl.cnf"
 INFO_OUTPUT=$("$COSMIAN_KMS_EXE" --version 2>&1 || true)
 echo "$INFO_OUTPUT"
 echo "$INFO_OUTPUT" | grep -q "cosmian_kms_server" || {
   echo "Error: Binary does not appear to be working" >&2
   exit 1
 }
-
-# Unset OPENSSL_CONF so runtime will use the compiled-in OPENSSLDIR
 unset OPENSSL_CONF
 
 echo "Note: Binary built with OPENSSLDIR=/usr/local/lib/openssl"
 echo "Run 'nix-shell --keep NIX_OPENSSL_OUT shell.nix --run \"bash nix/scripts/setup_openssl_runtime.sh\"' to install runtime files"
 
+# Platform-specific checks
 UNAME=$(uname)
 if [ "$UNAME" = "Linux" ]; then
   LDD_OUTPUT=$(ldd "$COSMIAN_KMS_EXE")
@@ -47,17 +34,15 @@ if [ "$UNAME" = "Linux" ]; then
     exit 1
   }
 
-  # Verify GLIBC symbol versions are <= 2.28 (Linux only)
+  # Verify GLIBC symbol versions are <= 2.28
   GLIBC_SYMS=$(readelf -sW "$COSMIAN_KMS_EXE" | grep -o 'GLIBC_[0-9][0-9.]*' | sort -Vu)
   echo "$GLIBC_SYMS"
   MAX_GLIBC_VER=""
-  if [ -n "$GLIBC_SYMS" ]; then
-    MAX_GLIBC_VER=$(echo "$GLIBC_SYMS" | sed 's/^GLIBC_//' | sort -V | tail -n1)
-  fi
-  if [ -n "$MAX_GLIBC_VER" ] && [ "$(printf '%s\n' "$MAX_GLIBC_VER" "2.28" | sort -V | tail -n1)" != "2.28" ]; then
+  [ -n "$GLIBC_SYMS" ] && MAX_GLIBC_VER=$(echo "$GLIBC_SYMS" | sed 's/^GLIBC_//' | sort -V | tail -n1)
+  [ -n "$MAX_GLIBC_VER" ] && [ "$(printf '%s\n' "$MAX_GLIBC_VER" "2.28" | sort -V | tail -n1)" != "2.28" ] && {
     echo "Error: GLIBC symbols exceed 2.28 (max found: $MAX_GLIBC_VER)." >&2
     exit 1
-  fi
+  }
 else
   # macOS: check with otool
   if command -v otool >/dev/null 2>&1; then

.github/scripts/find_empty_files.sh

@@ -2,82 +2,153 @@
 # Common build utilities for Cosmian KMS build and packaging scripts
 # Source this file to use the functions
 
+# Initialize common environment variables and flags
+# Sets: DEBUG_OR_RELEASE, FEATURES, RELEASE_FLAG, FEATURES_FLAG array, VARIANT_NAME
+init_build_env() {
+  # Set defaults if not already set
+  DEBUG_OR_RELEASE="${DEBUG_OR_RELEASE:-debug}"
+  FEATURES="${FEATURES:-}"
+
+  RELEASE_FLAG=""
+  [ "$DEBUG_OR_RELEASE" = "release" ] && RELEASE_FLAG="--release"
+
+  FEATURES_FLAG=()
+  [ -n "$FEATURES" ] && FEATURES_FLAG=(--features "$FEATURES")
+
+  VARIANT_NAME="FIPS"
+  [ -n "$FEATURES" ] && VARIANT_NAME="non-FIPS"
+
+  # Export variables so they're available in the calling script
+  export DEBUG_OR_RELEASE FEATURES VARIANT_NAME
+}
+
+# Get repository root directory
+get_repo_root() {
+  local script_dir="${1:-.}"
+  cd "$script_dir" || exit
+  git rev-parse --show-toplevel 2>/dev/null || (cd "$script_dir/../.." && pwd)
+}
+
+# Setup RUST_LOG for tests
+setup_test_logging() {
+  export RUST_LOG="cosmian_kms_cli=error,cosmian_kms_server=error,cosmian_kmip=error,test_kms_server=error"
+}
+
+# Check if a TCP port is open (portable bash implementation)
+check_port() {
+  local host="$1" port="$2"
+  (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null &
+  local pid=$!
+  local count=0
+  while [ $count -lt 20 ]; do
+    kill -0 $pid 2>/dev/null || {
+      wait $pid 2>/dev/null
+      return $?
+    }
+    sleep 0.1
+    count=$((count + 1))
+  done
+  kill -9 $pid 2>/dev/null
+  wait $pid 2>/dev/null
+  return 1
+}
+
+# Run database tests (library and specific)
+# Usage: run_db_tests <db_type> [extra_test_args]
+run_db_tests() {
+  local db_type="$1"
+  shift
+
+  echo "Running $db_type library tests..."
+  KMS_TEST_DB="$db_type" cargo test --workspace --lib "$RELEASE_FLAG" "${FEATURES_FLAG[@]}" -- --nocapture "$@"
+
+  echo "Running $db_type database-specific tests..."
+  local test_name="test_db_${db_type//-/_}"
+  KMS_TEST_DB="$db_type" cargo test -p cosmian_kms_server_database --lib "$RELEASE_FLAG" "${FEATURES_FLAG[@]}" -- --nocapture "$test_name" --ignored
+}
+
+# Check database service availability and run tests
+# Usage: check_and_test_db <db_name> <db_type> <host_var> <port_var>
+check_and_test_db() {
+  local db_name="$1" db_type="$2" host_var="$3" port_var="$4"
+  local host="${!host_var}" port="${!port_var}"
+
+  if check_port "$host" "$port"; then
+    echo "$db_name is running at $host:$port"
+    run_db_tests "$db_type"
+    echo "$db_name tests completed successfully."
+  else
+    echo "Error: $db_name is not running at $host:$port" >&2
+    exit 1
+  fi
+}
+
 # Prepare OpenSSL staging directory for packaging
-# Usage: prepare_openssl_staging
 prepare_openssl_staging() {
   local repo_root="${1:-$(pwd)}"
   : "${FEATURES:=}"
 
-  # Determine variant based on FEATURES
-  local variant_name module_name
-  if [ -n "$FEATURES" ]; then
-    variant_name="non-FIPS"
-    module_name="legacy"
-  else
-    variant_name="FIPS"
-    module_name="fips"
-  fi
+  local variant_name="FIPS" module_name="fips"
+  [ -n "$FEATURES" ] && variant_name="non-FIPS" && module_name="legacy"
 
   echo "Preparing OpenSSL artifacts for ${variant_name} packaging..."
 
   local openssl_staging="$repo_root/target/openssl-staging"
-
-  # Clean staging directory first
   rm -rf "$openssl_staging"
   mkdir -p "$openssl_staging/lib64/ossl-modules"
 
-  # Find OpenSSL in Nix store
   local openssl_path openssl_dir
   openssl_path=$(type -p openssl || command -v openssl)
-  if [ -z "$openssl_path" ]; then
+  [ -z "$openssl_path" ] && {
     echo "Error: openssl not found in PATH" >&2
     return 1
-  fi
+  }
 
   openssl_dir=$(dirname "$(dirname "$openssl_path")")
   echo "Using OpenSSL from: $openssl_dir"
   echo "Staging OpenSSL artifacts to: $openssl_staging"
 
+  # Determine module extension (.so for Linux, .dylib for macOS)
+  local module_ext="so"
+  [ "$(uname)" = "Darwin" ] && module_ext="dylib"
+
   # Copy the appropriate module
-  if [ -f "$openssl_dir/lib64/ossl-modules/${module_name}.so" ]; then
-    cp "$openssl_dir/lib64/ossl-modules/${module_name}.so" "$openssl_staging/lib64/ossl-modules/"
-    echo "Copied ${module_name}.so from lib64"
-  elif [ -f "$openssl_dir/lib/ossl-modules/${module_name}.so" ]; then
-    cp "$openssl_dir/lib/ossl-modules/${module_name}.so" "$openssl_staging/lib64/ossl-modules/"
-    echo "Copied ${module_name}.so from lib"
-  else
-    echo "Error: ${module_name}.so not found" >&2
+  local module_found=false
+  for libdir in lib64 lib; do
+    if [ -f "$openssl_dir/$libdir/ossl-modules/${module_name}.${module_ext}" ]; then
+      cp "$openssl_dir/$libdir/ossl-modules/${module_name}.${module_ext}" "$openssl_staging/lib64/ossl-modules/${module_name}.so"
+      echo "Copied ${module_name}.${module_ext} from $libdir (saved as ${module_name}.so)"
+      module_found=true
+      break
+    fi
+  done
+
+  [ "$module_found" = "false" ] && {
+    echo "Error: ${module_name}.${module_ext} not found in lib or lib64/ossl-modules" >&2
     return 1
-  fi
+  }
 
   # Copy SSL configuration files for FIPS variant
   if [ -z "$FEATURES" ]; then
     mkdir -p "$openssl_staging/ssl"
 
     if [ -f "$openssl_dir/ssl/openssl.cnf" ]; then
       cp "$openssl_dir/ssl/openssl.cnf" "$openssl_staging/ssl/"
-      # Replace nix store path with /usr/local/lib/openssl
       sed -i "s|$openssl_dir/ssl|/usr/local/lib/openssl|g" "$openssl_staging/ssl/openssl.cnf"
       echo "Copied and updated openssl.cnf"
     fi
 
     if [ -f "$openssl_dir/ssl/fipsmodule.cnf" ]; then
-      # Regenerate fipsmodule.cnf with correct module path for packaging
       "$openssl_path" fipsinstall \
         -module "$openssl_staging/lib64/ossl-modules/fips.so" \
         -out "$openssl_staging/ssl/fipsmodule.cnf"
-
-      # Add explicit module path pointing to install location
       sed -i '/^\[fips_sect\]/a module-filename = /usr/local/lib/openssl/lib64/ossl-modules/fips.so' \
         "$openssl_staging/ssl/fipsmodule.cnf"
-
       echo "Regenerated fipsmodule.cnf with correct MAC and paths"
     fi
   fi
 
   echo "OpenSSL ${variant_name} artifacts prepared at: $openssl_staging"
   ls -la "$openssl_staging/lib64/ossl-modules/"
-  if [ -z "$FEATURES" ]; then
-    ls -la "$openssl_staging/ssl/"
-  fi
+  [ -z "$FEATURES" ] && ls -la "$openssl_staging/ssl/"
 }