
Commit e8295e4

committed
Updated the setup_threat_security script to warn about skipped files.
1 parent fcd82fc commit e8295e4

1 file changed

Lines changed: 26 additions & 2 deletions


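--- a/modules/04-security-threat/security/setup_threat_security.py
+++ b/modules/04-security-threat/security/setup_threat_security.py
@@ -219,17 +219,25 @@ def main():
 )
 print(f"Security directory tree scaffolded under {MODULE_SECURITY_DIR}")
 else:
-SECURITY_TREE.generate_artifacts(
+summary = SECURITY_TREE.generate_artifacts(
 root=MODULE_SECURITY_DIR, force=args.force, strict=args.strict
 )
 
 # Generate expired identity certs for the ExpiredCert attack mode.
 # These are signed by the TrustedIdentityCa (so the CA chain is
 # valid) but have notAfter in the past, causing Connext to reject
 # them at participant creation time.
+expired_generated = 0
+expired_skipped = 0
 for app_name in ("ThreatInjector", "ThreatExfiltrator"):
 id_dir = MODULE_SECURITY_DIR / "identity" / "security-threat" / app_name / app_name
 expired_cert = id_dir / "certs" / "TrustedIdentityCa" / "expired" / f"{app_name}.crt"
+# Mirror generate_expired_identity's own skip logic so the summary
+# reflects what it actually did.
+if expired_cert.is_file() and not args.force:
+expired_skipped += 1
+else:
+expired_generated += 1
 generate_expired_identity(
 key_path=id_dir / "private" / f"{app_name}.key",
 cnf=id_dir / f"{app_name}.cnf",
@@ -256,7 +264,23 @@ def main():
 force=args.force,
 )
 
-print("Threat security artifacts generated!")
+total_generated = summary["total_generated"] + expired_generated
+total_skipped = summary["total_skipped"] + expired_skipped
+print(
+"Threat security artifact generation complete: "
+f"{total_generated} generated, "
+f"{total_skipped} skipped, "
+f"{summary['warnings']} validation warning(s)."
+)
+print(
+"Breakdown: "
+f"CA certs {summary['ca_certs_generated']} generated/{summary['ca_certs_skipped']} skipped; "
+f"signed governance {summary['signed_governance_generated']}/{summary['signed_governance_skipped']}; "
+f"signed permissions {summary['signed_permissions_generated']}/{summary['signed_permissions_skipped']}; "
+f"identity certs {summary['identity_certs_generated']}/{summary['identity_certs_skipped']}; "
+f"PSK seeds {summary['psk_seeds_generated']}/{summary['psk_seeds_skipped']}; "
+f"expired identity certs {expired_generated}/{expired_skipped}."
+)
 
 
 if __name__ == "__main__":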
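Review bot: The skip predicate added at new line 237, `if expired_cert.is_file() and not args.force:`, duplicates a check that the accompanying comment says generate_expired_identity performs internally, so the two can drift apart (for example if that helper later also considers the key file) and the summary would then misreport what was actually written; generate_expired_identity is defined outside the hunk, but if it can return whether it wrote the certificate, counting from that return value removes the duplicated predicate. Separately, the commit message says the script now warns about skipped files, yet both hunks only print aggregate counts, so a pre-existing expired cert that is kept is never named; a per-file line in the skip branch, `print(f"Skipping existing expired cert {expired_cert} (use --force to regenerate)")`, would surface it. Since these certs are signed by the TrustedIdentityCa per the comment at old line 227, a kept expired cert presumably stops chaining to a CA that was regenerated separately, which is worth stating in that warning so an operator can tell a stale test fixture from a fresh one. main() starts and ends outside the hunk.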
