diff --git a/doc/tang.8.adoc b/doc/tang.8.adoc index e0c9f7d..f7ef06e 100644 --- a/doc/tang.8.adoc +++ b/doc/tang.8.adoc @@ -71,6 +71,27 @@ be changed with the *-p* option. tang -l -p 9090 +== ENDPOINT + +The Tang server can be provided an endpoint. This endpoint will act as a prefix +for the URL to be accessed by the client. This endpoint can be specified with +the *-e* option. + + tang -l -p 9090 -e this/is/an/endpoint + +When endpoint is specified, the endpoint will be prepended to the normal adv/rec +URL. If no endpoint is provided, and assuming port 9090 is used, Tang server +will listen on next URLs: + + http://localhost:9090/adv (GET) + http://localhost:9090/rec (POST) + +If endpoint is provided, and assuming endpoint is /this/is/an/endpoint/, and +assuming also port 9090 is used, Tang server will listen on next URLs: + + http://localhost:9090/this/is/an/endpoint/adv (GET) + http://localhost:9090/this/is/an/endpoint/rec (POST) + == KEY ROTATION In order to preserve the security of the system over the long run, you need to diff --git a/src/socket.c b/src/socket.c index df512cc..9614995 100644 --- a/src/socket.c +++ b/src/socket.c @@ -146,8 +146,8 @@ static int listen_port(socket_list **slist, int port) return r; } -static void spawn_process(int fd, const char *jwkdir, - process_request_func pfunc, +static void spawn_process(process_request_func pfunc, + process_request_func_args_t pfunc_args, socket_list *slist) { pid_t pid; @@ -159,21 +159,23 @@ static void spawn_process(int fd, const char *jwkdir, close(ptr->s); } /* Ensure that both stdout and stdin are set */ - if (dup2(fd, STDOUT_FILENO) < 0) { + if (dup2(pfunc_args.fileno, STDOUT_FILENO) < 0) { perror("dup2"); - close(fd); + close(pfunc_args.fileno); return; } - close(fd); + close(pfunc_args.fileno); - pfunc(jwkdir, STDOUT_FILENO); + process_request_func_args_t pf = + { pfunc_args.jwkdir, STDOUT_FILENO, pfunc_args.endpoint }; + pfunc(pf); free_socket_list(slist); exit(0); } else if (pid == -1) { perror("fork failed"); } - close(fd); + close(pfunc_args.fileno); } static void handle_child(int sig) @@ -183,7 +185,7 @@ static void handle_child(int sig) while ((waitpid(-1, &status, WNOHANG)) > 0); } -int run_service(const char *jwkdir, int port, process_request_func pfunc) +int run_service(run_service_args_t rserv, process_request_func pfunc) { socket_list *slist, *ptr; int r, n = 0, accept_fd; @@ -198,9 +200,9 @@ int run_service(const char *jwkdir, int port, process_request_func pfunc) new_action.sa_flags = 0; sigaction(SIGCHLD, &new_action, NULL); - r = listen_port(&slist, port); + r = listen_port(&slist, rserv.port); if (r < 0) { - fprintf(stderr, "Could not listen port (%d)\n", port); + fprintf(stderr, "Could not listen port (%d)\n", rserv.port); return -1; } @@ -233,8 +235,9 @@ int run_service(const char *jwkdir, int port, process_request_func pfunc) perror("accept"); continue; } - - spawn_process(accept_fd, jwkdir, pfunc, slist); + process_request_func_args_t pr_args = + {rserv.jwkdir, accept_fd,rserv.endpoint}; + spawn_process(pfunc, pr_args, slist); } } diff --git a/src/socket.h b/src/socket.h index 7cfd873..7392d55 100644 --- a/src/socket.h +++ b/src/socket.h @@ -15,7 +15,18 @@ * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ +typedef struct process_request_func_args { + const char* jwkdir; + const int fileno; + const char* endpoint; +} process_request_func_args_t; -typedef int (*process_request_func)(const char *jwkdir, int in_fileno); +typedef int (*process_request_func)(const process_request_func_args_t); -int run_service(const char *jwkdir, int port, process_request_func); +typedef struct run_service_args { + const char* jwkdir; + const int port; + const char* endpoint; +} run_service_args_t; + +int run_service(const run_service_args_t, process_request_func); diff --git a/src/tang-show-keys b/src/tang-show-keys index 0c33c3a..3ba82e7 100755 --- a/src/tang-show-keys +++ b/src/tang-show-keys @@ -20,14 +20,23 @@ set -e -if [ $# -gt 1 ]; then - echo "Usage: $0 []" >&2 +if [ $# -gt 2 ]; then + echo "Usage: $0 [] []" >&2 exit 1 fi port=${1-80} -adv=$(curl -sSf "localhost:$port/adv") +if test -n "$2"; then + first_letter=$(printf %.1s "$2") + if [ "${first_letter}" = "/" ]; then + adv=$(curl -sSf "localhost:$port$2/adv") + else + adv=$(curl -sSf "localhost:$port/$2/adv") + fi +else + adv=$(curl -sSf "localhost:$port/adv") +fi THP_DEFAULT_HASH=S256 # SHA-256. jose fmt --json "${adv}" -g payload -y -o- \ diff --git a/src/tangd.c b/src/tangd.c index 7f197f6..31939a8 100644 --- a/src/tangd.c +++ b/src/tangd.c @@ -32,8 +32,11 @@ #include "keys.h" #include "socket.h" +const unsigned int MAX_URL = 256; + static const struct option long_options[] = { {"port", 1, 0, 'p'}, + {"endpoint", 1, 0, 'e'}, {"listen", 0, 0, 'l'}, {"version", 0, 0, 'v'}, {"help", 0, 0, 'h'}, @@ -45,6 +48,7 @@ print_help(const char *name) { fprintf(stderr, "Usage: %s [OPTIONS] \n", name); fprintf(stderr, " -p, --port=PORT Specify the port to listen (default 9090)\n"); + fprintf(stderr, " -e, --endpoint=ENDPOINT Specify endpoint to listen (empty by default)\n"); fprintf(stderr, " -l, --listen Run as a service and wait for connections\n"); fprintf(stderr, " -v, --version Display program version\n"); fprintf(stderr, " -h, --help Show this help message\n"); @@ -184,19 +188,37 @@ rec(http_method_t method, const char *path, const char *body, "\r\n%s", strlen(enc), enc); } -static struct http_dispatch dispatch[] = { - { adv, 1 << HTTP_GET, 2, "^/+adv/+([0-9A-Za-z_-]+)$" }, - { adv, 1 << HTTP_GET, 2, "^/+adv/*$" }, - { rec, 1 << HTTP_POST, 2, "^/+rec/+([0-9A-Za-z_-]+)$" }, - {} -}; - #define DEFAULT_PORT 9090 static int -process_request(const char *jwkdir, int in_fileno) +process_request(const process_request_func_args_t pr_args) { - struct http_state state = { .dispatch = dispatch, .misc = (char*)jwkdir }; + char adv_endpoint[MAX_URL]; + char adv2_endpoint[MAX_URL]; + char rec_endpoint[MAX_URL]; + if (pr_args.endpoint != NULL) { + if (pr_args.endpoint[0] == '/') { + snprintf(adv_endpoint, MAX_URL, "^%s/+adv/+([0-9A-Za-z_-]+)$", pr_args.endpoint); + snprintf(adv2_endpoint, MAX_URL, "^%s/+adv/*$", pr_args.endpoint); + snprintf(rec_endpoint, MAX_URL, "^%s/+rec/+([0-9A-Za-z_-]+)$", pr_args.endpoint); + } else { + snprintf(adv_endpoint, MAX_URL, "^/%s/+adv/+([0-9A-Za-z_-]+)$", pr_args.endpoint); + snprintf(adv2_endpoint, MAX_URL, "^/%s/+adv/*$", pr_args.endpoint); + snprintf(rec_endpoint, MAX_URL, "^/%s/+rec/+([0-9A-Za-z_-]+)$", pr_args.endpoint); + } + } else { + strncpy(adv_endpoint, "^/+adv/+([0-9A-Za-z_-]+)$", MAX_URL); + strncpy(adv2_endpoint, "^/+adv/*$", MAX_URL); + strncpy(rec_endpoint, "^/+rec/+([0-9A-Za-z_-]+)$", MAX_URL); + } + struct http_dispatch dispatch[] = { + { adv, 1 << HTTP_GET, 2, adv_endpoint }, + { adv, 1 << HTTP_GET, 2, adv2_endpoint }, + { rec, 1 << HTTP_POST, 2, rec_endpoint }, + {} + }; + + struct http_state state = { .dispatch = dispatch, .misc = (char*)pr_args.jwkdir }; http_parser_t parser; struct stat st = {}; char req[4096] = {}; @@ -206,18 +228,18 @@ process_request(const char *jwkdir, int in_fileno) tang_http_parser_init(&parser, &http_settings); parser.data = &state; - if (stat(jwkdir, &st) != 0) { - fprintf(stderr, "Error calling stat() on path: %s: %m\n", jwkdir); + if (stat(pr_args.jwkdir, &st) != 0) { + fprintf(stderr, "Error calling stat() on path: %s: %m\n", pr_args.jwkdir); return EXIT_FAILURE; } if (!S_ISDIR(st.st_mode)) { - fprintf(stderr, "Path is not a directory: %s\n", jwkdir); + fprintf(stderr, "Path is not a directory: %s\n", pr_args.jwkdir); return EXIT_FAILURE; } for (;;) { - r = read(in_fileno, &req[rcvd], sizeof(req) - rcvd - 1); + r = read(pr_args.fileno, &req[rcvd], sizeof(req) - rcvd - 1); if (r == 0) return rcvd > 0 ? EXIT_FAILURE : EXIT_SUCCESS; if (r < 0) @@ -244,9 +266,10 @@ main(int argc, char *argv[]) int listen = 0; int port = DEFAULT_PORT; const char *jwkdir = NULL; + const char *endpoint = NULL; while (1) { - int c = getopt_long(argc, argv, "lp:vh", long_options, NULL); + int c = getopt_long(argc, argv, "lp:e:vh", long_options, NULL); if (c == -1) break; @@ -260,6 +283,9 @@ main(int argc, char *argv[]) case 'p': port = atoi(optarg); break; + case 'e': + endpoint = optarg; + break; case 'l': listen = 1; break; @@ -273,8 +299,10 @@ main(int argc, char *argv[]) jwkdir = argv[optind++]; if (listen == 0) { /* process one-shot query from stdin */ - return process_request(jwkdir, STDIN_FILENO); + process_request_func_args_t pr = {jwkdir, STDIN_FILENO, endpoint}; + return process_request(pr); } else { /* listen and process all incoming connections */ - return run_service(jwkdir, port, process_request); + run_service_args_t rs = {jwkdir, port, endpoint}; + return run_service(rs, process_request); } } diff --git a/tests/adv b/tests/adv index 8e6dd0e..416dc6e 100755 --- a/tests/adv +++ b/tests/adv @@ -36,47 +36,47 @@ adv_startup () { adv_second_phase () { # Make sure requests on the root fail - fetch / && expected_fail + fetch "${ENDPOINT}"/ && expected_fail # The request should fail (404) for non-signature key IDs - fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk` && expected_fail - fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` && expected_fail + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/exc.jwk` && expected_fail + fetch "${ENDPOINT}"/adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` && expected_fail # The default advertisement fetch should succeed and pass verification - fetch /adv - fetch /adv | ver $TMP/db/sig.jwk - fetch /adv/ | ver $TMP/db/sig.jwk + fetch "${ENDPOINT}"/adv + fetch "${ENDPOINT}"/adv | ver $TMP/db/sig.jwk + fetch "${ENDPOINT}"/adv/ | ver $TMP/db/sig.jwk # Fetching by any thumbprint should work - fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk - fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk + fetch "${ENDPOINT}"/adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk # Requesting an adv by an advertised key ID should't be signed by hidden keys - fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk && expected_fail - fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk && expected_fail + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail # Verify that the default advertisement is not signed with hidden signature keys - fetch /adv/ | ver $TMP/db/.oth.jwk && expected_fail - fetch /adv/ | ver $TMP/db/.sig.jwk && expected_fail + fetch "${ENDPOINT}"/adv/ | ver $TMP/db/.oth.jwk && expected_fail + fetch "${ENDPOINT}"/adv/ | ver $TMP/db/.sig.jwk && expected_fail # A private key advertisement is signed by all advertised keys and the requested private key - fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk - fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk - fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail # Verify that the advertisements contain the cty parameter - fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E - fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \ + fetch "${ENDPOINT}"/adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E + fetch "${ENDPOINT}"/adv/`jose jwk thp -i $TMP/db/.sig.jwk` \ | jose fmt -j- -Og signatures -A \ -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \ -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU THP_DEFAULT_HASH=S256 # SHA-256. - test "$(tang-show-keys $PORT)" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i $TMP/db/sig.jwk)" + test "$(tang-show-keys $PORT $ENDPOINT)" = "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i $TMP/db/sig.jwk)" # Check that new keys will be created if none exist. rm -rf "${TMP}/db" && mkdir -p "${TMP}/db" - fetch /adv + fetch "${ENDPOINT}"/adv # Now let's make sure the new keys were named using our default thumbprint # hash and then rotate them and check if we still create new keys. @@ -88,7 +88,7 @@ adv_second_phase () { mv -f -- "${k}" ".${k}" done cd - - fetch /adv + fetch "${ENDPOINT}"/adv # Lets's now test with multiple pairs of keys. for i in 1 2 3 4 5 6 7 8 9; do @@ -103,12 +103,12 @@ adv_second_phase () { done # Verify the advertisement is correct. - validate "$(fetch /adv)" + validate "$(fetch "${ENDPOINT}"/adv)" # And make sure we can fetch an adv by its thumbprint. for jwk in "${TMP}"/db/other-sig-*.jwk; do for alg in $(jose alg -k hash); do - fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}" + fetch "${ENDPOINT}"/adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}" done done @@ -130,5 +130,5 @@ adv_second_phase () { valid_key_perm "${jwk}" done [ -z "${thp}" ] && die "There should be valid keys after rotation" - test "$(tang-show-keys $PORT)" = "${thp}" + test "$(tang-show-keys $PORT $ENDPOINT)" = "${thp}" } diff --git a/tests/adv-socat-endpoint b/tests/adv-socat-endpoint new file mode 100644 index 0000000..c4deb88 --- /dev/null +++ b/tests/adv-socat-endpoint @@ -0,0 +1,33 @@ +#!/bin/sh -ex +# +# Copyright (c) 2023 Red Hat, Inc. +# Author: Sergio Arroutbi +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +. adv + +sanity_check + +adv_startup + +port=$(random_port) +export PORT=$((port+3)) +export ENDPOINT="/api/dee-hms" +start_server_endpoint "${PORT}" "${ENDPOINT}" +export PID=$! +wait_for_port ${PORT} + +adv_second_phase diff --git a/tests/adv-standalone-endpoint b/tests/adv-standalone-endpoint new file mode 100644 index 0000000..de7a7fe --- /dev/null +++ b/tests/adv-standalone-endpoint @@ -0,0 +1,31 @@ +#!/bin/sh -ex +# +# Copyright (c) 2023 Red Hat, Inc. +# Author: Sergio Arroutbi +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +. adv + +adv_startup + +port=$(random_port) +export PORT=$((port+1)) +export ENDPOINT="/api/dee-hms" +start_standalone_server_endpoint "${PORT}" "${ENDPOINT}" +export PID=$! +wait_for_port ${PORT} + +adv_second_phase diff --git a/tests/helpers b/tests/helpers index 55447ae..5ce3daf 100755 --- a/tests/helpers +++ b/tests/helpers @@ -30,7 +30,12 @@ random_port() { if [ -n "${TANG_BSD}" ]; then jot -r 1 1024 65536 else - shuf -i 1024-65536 -n 1 + if test -f /dev/urandom; + then + shuf -i 1024-65535 -n 1 --random-file=/dev/urandom + else + shuf -i 1024-65535 -n 1 + fi fi } @@ -62,10 +67,18 @@ start_server() { "${SOCAT}" TCP-LISTEN:"${1}",bind=127.0.0.1,fork SYSTEM:"${VALGRIND} tangd ${TMP}/db" & } +start_server_endpoint() { + "${SOCAT}" TCP-LISTEN:"${1}",bind=127.0.0.1,fork SYSTEM:"${VALGRIND} tangd ${TMP}/db -e ${ENDPOINT}" & +} + start_standalone_server() { ${VALGRIND} tangd -p ${1} -l ${TMP}/db & } +start_standalone_server_endpoint() { + ${VALGRIND} tangd -p ${1} -l ${TMP}/db -e ${2} & +} + on_exit() { if [ "${PID}" ]; then kill "${PID}" || true diff --git a/tests/meson.build b/tests/meson.build index 7d184f8..e2e9924 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -41,9 +41,13 @@ if socat.found() endif test('adv-standalone', find_program('adv-standalone'), env: env, timeout: 360) +test('adv-standalone-endpoint', find_program('adv-standalone-endpoint'), env: env, timeout: 360) test('adv-socat', find_program('adv-socat'), env: env, timeout: 360) +test('adv-socat-endpoint', find_program('adv-socat-endpoint'), env: env, timeout: 360) test('rec-standalone', find_program('rec-standalone'), env: env, timeout: 360) +test('rec-standalone-endpoint', find_program('rec-standalone-endpoint'), env: env, timeout: 360) test('rec-socat', find_program('rec-socat'), env: env, timeout: 360) +test('rec-socat-endpoint', find_program('rec-socat-endpoint'), env: env, timeout: 360) test('test-keys', test_keys, env: env, timeout: 360) # vim:set ts=2 sw=2 et: diff --git a/tests/rec b/tests/rec index f15637d..d30f72f 100755 --- a/tests/rec +++ b/tests/rec @@ -51,3 +51,17 @@ rec_second_phase () { http://127.0.0.1:$PORT/rec/${exc_kid} < $TMP/exc.pub.jwk` [ "$good" = "$test" ] } + +rec_second_phase_endpoint () { + # Make sure that GET fails + curl -sf http://127.0.0.1:$PORT/$ENDPOINT/rec && expected_fail + curl -sf http://127.0.0.1:$PORT/$ENDPOINT/rec/ && expected_fail + + # Make a recovery request (NOTE: this is insecure! Don't do this in real code!) + good=`jose jwk exc -i '{"alg":"ECMR","key_ops":["deriveKey"]}' -l $TMP/exc.jwk -r $TMP/db/exc.jwk` + test=`curl -sf -X POST \ + -H "Content-Type: application/jwk+json" \ + --data-binary @- \ + http://127.0.0.1:$PORT/$ENDPOINT/rec/${exc_kid} < $TMP/exc.pub.jwk` + [ "$good" = "$test" ] +} diff --git a/tests/rec-socat-endpoint b/tests/rec-socat-endpoint new file mode 100644 index 0000000..f62d919 --- /dev/null +++ b/tests/rec-socat-endpoint @@ -0,0 +1,34 @@ +#!/bin/sh -ex +# +# Copyright (c) 2023 Red Hat, Inc. +# Author: Sergio Arroutbi +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +. rec + +sanity_check + +rec_startup + +# Start the server +port=$(random_port) +export PORT=$((port+4)) +export ENDPOINT="api/dee-hms" +start_server_endpoint "${PORT}" "${ENDPOINT}" +export PID=$! +wait_for_port ${PORT} + +rec_second_phase_endpoint diff --git a/tests/rec-standalone-endpoint b/tests/rec-standalone-endpoint new file mode 100755 index 0000000..2e7e1b8 --- /dev/null +++ b/tests/rec-standalone-endpoint @@ -0,0 +1,34 @@ +#!/bin/sh -ex +# +# Copyright (c) 2023 Red Hat, Inc. +# Author: Sergio Arroutbi +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +. rec + +sanity_check + +rec_startup + +# Start the server +port=$(random_port) +export PORT=$((port+2)) +export ENDPOINT="api/dee-hms" +start_standalone_server_endpoint "${PORT}" "${ENDPOINT}" +export PID=$! +wait_for_port ${PORT} + +rec_second_phase_endpoint