proxmox/scripts/verify/verify-static-permissions-on-all-besu-nodes.sh

#!/usr/bin/env bash
# Confirm static-nodes.json and permissions-nodes.toml on each Besu node (deploy target: /etc/besu/).
# Usage: bash scripts/verify/verify-static-permissions-on-all-besu-nodes.sh [--checksum]
#   --checksum: compare content hash to canonical (requires same files on all nodes).

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

STATIC_CANONICAL="${PROJECT_ROOT}/config/besu-node-lists/static-nodes.json"
PERMS_CANONICAL="${PROJECT_ROOT}/config/besu-node-lists/permissions-nodes.toml"
CHECKSUM=false
[[ "${1:-}" = "--checksum" ]] && CHECKSUM=true

# Same VMID -> host as deploy-besu-node-lists-to-all.sh
declare -A HOST_BY_VMID
for v in 1000 1001 1002 1500 1501 1502 2101 2500 2501 2502 2503 2504 2505; do HOST_BY_VMID[$v]="${PROXMOX_R630_01:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"; done
for v in 2201 2303 2401; do HOST_BY_VMID[$v]="${PROXMOX_R630_02:-${PROXMOX_HOST_R630_02:-192.168.11.12}}"; done
for v in 1003 1004 1503 1504 1505 1506 1507 1508 2102 2301 2304 2305 2306 2400 2402 2403; do HOST_BY_VMID[$v]="${PROXMOX_ML110:-${PROXMOX_HOST_ML110:-192.168.11.10}}"; done

SSH_OPTS="-o ConnectTimeout=6 -o StrictHostKeyChecking=no"
CANONICAL_STATIC_SUM=""
CANONICAL_PERMS_SUM=""
if $CHECKSUM && [[ -f "$STATIC_CANONICAL" ]] && [[ -f "$PERMS_CANONICAL" ]]; then
  CANONICAL_STATIC_SUM=$(md5sum < "$STATIC_CANONICAL" 2>/dev/null | awk '{print $1}' || true)
  CANONICAL_PERMS_SUM=$(md5sum < "$PERMS_CANONICAL" 2>/dev/null | awk '{print $1}' || true)
fi

echo "=== Static-nodes and permissions-nodes on each Besu node ==="
echo "Canonical: $STATIC_CANONICAL, $PERMS_CANONICAL"
if $CHECKSUM && [[ -n "$CANONICAL_STATIC_SUM" ]]; then
  echo "Canonical static md5: $CANONICAL_STATIC_SUM | permissions: $CANONICAL_PERMS_SUM"
fi
echo ""

# Deploy target: /etc/besu/ only (matches deploy-besu-node-lists-to-all.sh)
STATIC_PATH="/etc/besu/static-nodes.json"
PERMS_PATH="/etc/besu/permissions-nodes.toml"

FAIL=0
for vmid in 1000 1001 1002 1003 1004 1500 1501 1502 1503 1504 1505 1506 1507 1508 2101 2102 2201 2301 2303 2304 2305 2306 2400 2401 2402 2403 2500 2501 2502 2503 2504 2505; do
  host="${HOST_BY_VMID[$vmid]:-}"
  [[ -z "$host" ]] && continue
  run=$(ssh $SSH_OPTS root@$host "pct exec $vmid -- bash -c 's=\"\"; p=\"\"; [ -f $STATIC_PATH ] && s=\"OK\" || s=\"MISSING\"; [ -f $PERMS_PATH ] && p=\"OK\" || p=\"MISSING\"; echo \"\$s \$p\"' 2>/dev/null" || echo "SKIP SKIP")
  if [[ "$run" =~ "SKIP" ]]; then
    echo "VMID $vmid @ $host: unreachable or container not running"
    FAIL=1
    continue
  fi
  read -r s p <<< "$run"
  if [[ "$s" = "OK" && "$p" = "OK" ]]; then
    line="VMID $vmid @ $host: static=$s permissions=$p"
    if $CHECKSUM && [[ -n "$CANONICAL_STATIC_SUM" ]]; then
      remote_static=$(ssh $SSH_OPTS root@$host "pct exec $vmid -- cat $STATIC_PATH 2>/dev/null" | md5sum | awk '{print $1}')
      remote_perms=$(ssh $SSH_OPTS root@$host "pct exec $vmid -- cat $PERMS_PATH 2>/dev/null" | md5sum | awk '{print $1}')
      [[ "$remote_static" != "$CANONICAL_STATIC_SUM" ]] && line="$line static_md5=DIFF" && FAIL=1 || line="$line static_md5=OK"
      [[ "$remote_perms" != "$CANONICAL_PERMS_SUM" ]] && line="$line perms_md5=DIFF" && FAIL=1 || line="$line perms_md5=OK"
    fi
    echo "$line"
  else
    echo "VMID $vmid @ $host: static=$s permissions=$p"
    FAIL=1
  fi
done

echo ""
if [[ $FAIL -eq 0 ]]; then
  echo "All nodes have /etc/besu/static-nodes.json and /etc/besu/permissions-nodes.toml. Use --checksum to compare to canonical."
else
  echo "Some nodes missing files or checksum mismatch. Deploy: bash scripts/deploy-besu-node-lists-to-all.sh"
  exit 1
fi