@alwaysai/device-agent 1.3.1 → 1.4.0

package/src/secure-tunneling/secure-tunneling.test.ts

@@ -0,0 +1,1239 @@
+import { AAI_DIR } from 'alwaysai/lib/paths';
+import { join } from 'path';
+import { aaiArtifactsBucketUrl } from '../urls';
+import {
+  AWS_ROOT_CERTIFICATE_FILE_PATH,
+  SECURE_TUNNEL_BIN_DIR,
+  SECURE_TUNNEL_BIN_NAME,
+  SECURE_TUNNEL_BIN_PATH
+} from '../util/directories';
+import { downloadFile } from '../util/download-file';
+import { getArch, getDistribution, getOsVersion } from '../util/system-info';
+import {
+  SecureTunnelHandlerSingleton,
+  SecureTunnelPortInfo,
+  SecureTunnelShadowDesRep,
+  SecureTunnelShadowUpdateDelta
+} from './secure-tunneling';
+// import { JsSpawner } from 'alwaysai/lib/util/spawner';
+import { ChildProcess } from 'child_process';
+import { killDetachedProcess, runDetachedProcess } from './spawner-detached';
+
+//-----------------------------------------------------------------------------
+// mocks
+//-----------------------------------------------------------------------------
+jest.mock('alwaysai/lib/util/spawner');
+const mockJsSpawner = {
+  exiresolvePathsts: jest.fn(),
+  readdir: jest.fn(),
+  readFile: jest.fn(),
+  writeFile: jest.fn(),
+  mkdirp: jest.fn(),
+  rimraf: jest.fn(),
+  tar: jest.fn(),
+  rename: jest.fn(),
+  untar: jest.fn(),
+  exists: jest.fn(),
+  run: jest.fn()
+};
+jest.mock('alwaysai/lib/util/spawner', () => {
+  return {
+    ...jest.requireActual('alwaysai/lib/util/spawner'),
+    JsSpawner: jest.fn(() => mockJsSpawner)
+  };
+});
+
+jest.mock('../util/system-info', () => ({
+  getArch: jest.fn(),
+  getOsVersion: jest.fn(),
+  getDistribution: jest.fn()
+}));
+
+jest.mock('../util/download-file', () => ({
+  downloadFile: jest.fn()
+}));
+
+jest.mock('./spawner-detached', () => ({
+  runDetachedProcess: jest.fn(),
+  killDetachedProcess: jest.fn()
+}));
+
+//-----------------------------------------------------------------------------
+// constants
+//-----------------------------------------------------------------------------
+const ST_START_PORT_NUMBER = 5010;
+type ReadOnlyPortInfo = {
+  readonly enabled: boolean;
+  readonly type: string;
+  readonly ip: string;
+  readonly port: number;
+};
+type DeepReadonly<T> = {
+  readonly [K in keyof T]: DeepReadonly<T[K]>;
+};
+
+const disabledSshPortInfo: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: false,
+  type: 'SSH',
+  ip: '0.0.0.0',
+  port: 22
+};
+const enabledSshPortInfo: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: true,
+  type: 'SSH',
+  ip: '0.0.0.0',
+  port: 22
+};
+const invalidSshPortInfo: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: true,
+  type: 'SSH',
+  ip: '192.168.0.255',
+  port: 80
+};
+const disabledHttpPortInfo_1: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: false,
+  type: 'HTTP',
+  ip: '192.168.0.10',
+  port: 1
+};
+const enabledHttpPortInfo_1: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: true,
+  type: 'HTTP',
+  ip: '192.168.0.10',
+  port: 1
+};
+const disabledHttpPortInfo_2: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: false,
+  type: 'HTTP',
+  ip: '192.168.0.20',
+  port: 2
+};
+const enabledHttpPortInfo_2: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: true,
+  type: 'HTTP',
+  ip: '192.168.0.20',
+  port: 2
+};
+const disabledHttpPortInfo_3: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: false,
+  type: 'HTTP',
+  ip: '192.168.0.30',
+  port: 3
+};
+const enabledHttpPortInfo_3: DeepReadonly<ReadOnlyPortInfo> = {
+  enabled: true,
+  type: 'HTTP',
+  ip: '192.168.0.30',
+  port: 3
+};
+
+type SecureTunnelNotifyMsg = {
+  readonly clientAccessToken: string;
+  readonly region: string;
+  readonly services: string[];
+};
+
+describe('SecureTunnelHandlerSingleton', () => {
+  //---------------------------------------------------------------------------
+  // test variables
+  //---------------------------------------------------------------------------
+  let testStHandlerSingleton: SecureTunnelHandlerSingleton;
+  let shadowVersion = 0;
+  let shadowTimestamp = 1708726929;
+  const testDefaultShadow = {
+    st_ports: [disabledSshPortInfo]
+  } as const;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    jest.resetModules();
+    testStHandlerSingleton = SecureTunnelHandlerSingleton.getInstance();
+    shadowVersion++;
+    shadowTimestamp++;
+  });
+
+  afterEach(async () => {
+    await testStHandlerSingleton.destroy();
+  });
+
+  //---------------------------------------------------------------------------
+  // help functions
+  //---------------------------------------------------------------------------
+  function createDeltaShadowMsg(
+    stPorts: SecureTunnelPortInfo[]
+  ): SecureTunnelShadowUpdateDelta {
+    const stPortsCopy = JSON.parse(JSON.stringify(stPorts));
+    const deltaShadowMsg: SecureTunnelShadowUpdateDelta = {
+      version: shadowVersion,
+      timestamp: shadowTimestamp,
+      state: { st_ports: stPortsCopy }
+    };
+    return deltaShadowMsg;
+  }
+
+  function transformDeltaToUpdateReported(
+    deltaMsg: SecureTunnelShadowUpdateDelta
+  ): SecureTunnelShadowDesRep {
+    const { version, state } = deltaMsg;
+    const reportedStateReported: SecureTunnelShadowDesRep = JSON.parse(
+      JSON.stringify(state)
+    );
+    return reportedStateReported;
+  }
+
+  //---------------------------------------------------------------------------
+  // test class methods
+  //---------------------------------------------------------------------------
+  it('should be a singleton', () => {
+    const handler = SecureTunnelHandlerSingleton.getInstance();
+    expect(testStHandlerSingleton).toBe(handler);
+  });
+
+  it('should have a getSecureTunnelShadow method', () => {
+    expect(testStHandlerSingleton.getSecureTunnelShadow).toBeDefined();
+  });
+
+  it('should have a syncShadowToDeviceState method', () => {
+    expect(testStHandlerSingleton.syncShadowToDeviceState).toBeDefined();
+  });
+
+  it('should have a secureTunnelNotifyHandler method', () => {
+    expect(testStHandlerSingleton.secureTunnelNotifyHandler).toBeDefined();
+  });
+
+  it('should have a destroy method', () => {
+    expect(testStHandlerSingleton.destroy).toBeDefined();
+  });
+
+  it('should initialize reportedShadowState to default', () => {
+    const actualReportedShadow = testStHandlerSingleton.getSecureTunnelShadow();
+    expect(actualReportedShadow).toEqual(testDefaultShadow);
+  });
+
+  //---------------------------------------------------------------------------
+  // test syncShadowToDeviceState function
+  //---------------------------------------------------------------------------
+  it('should update reportedShadowSate to 1 SSH and 1 HTTP port config', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const deltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      disabledHttpPortInfo_1
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState to 1 SSH and 2 HTTP port config', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const deltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      disabledHttpPortInfo_1,
+      disabledHttpPortInfo_2
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState to 1 SSH and 2 HTTP port config, order is important', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const deltaShadowMsg = createDeltaShadowMsg([
+      disabledHttpPortInfo_1,
+      disabledSshPortInfo,
+      disabledHttpPortInfo_2
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState to only 1 HTTP port config', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const deltaShadowMsg = createDeltaShadowMsg([disabledHttpPortInfo_1]);
+    const expUpdateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState from 1 SSH port to 3 HTTP ports config', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const deltaShadowMsg = createDeltaShadowMsg([
+      disabledHttpPortInfo_1,
+      disabledHttpPortInfo_2,
+      disabledHttpPortInfo_3
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState from 3 HTTP ports to only 1 SSH port config', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const orgDeltaShadowMsg = createDeltaShadowMsg([
+      disabledHttpPortInfo_1,
+      disabledHttpPortInfo_2,
+      disabledHttpPortInfo_3
+    ]);
+    const orgUpdateReported = transformDeltaToUpdateReported(orgDeltaShadowMsg);
+    let actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(orgDeltaShadowMsg);
+    expect(actualReportedShadow).toEqual(orgUpdateReported);
+    const expDeltaShadowMsg = createDeltaShadowMsg([disabledSshPortInfo]);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    actualReportedShadow = await testStHandlerSingleton.syncShadowToDeviceState(
+      expDeltaShadowMsg
+    );
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState, when the 1st HTTP shadow changes from disabled to enabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const orgDeltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      disabledHttpPortInfo_1,
+      disabledHttpPortInfo_2
+    ]);
+    const orgUpdateReported = transformDeltaToUpdateReported(orgDeltaShadowMsg);
+    let actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(orgDeltaShadowMsg);
+    expect(actualReportedShadow).toEqual(orgUpdateReported);
+    const expDeltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      disabledHttpPortInfo_2
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+
+    // Act
+    // --------------------------------------------------------------------
+    actualReportedShadow = await testStHandlerSingleton.syncShadowToDeviceState(
+      expDeltaShadowMsg
+    );
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(1);
+    expect(runDetachedProcess).toBeCalledWith('socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ]);
+    expect(killDetachedProcess).not.toBeCalled();
+  });
+
+  it('should update reportedShadowState, when the 1st HTTP shadow changes from enabled to disabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const orgDeltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      disabledHttpPortInfo_2
+    ]);
+    const orgUpdateReported = transformDeltaToUpdateReported(orgDeltaShadowMsg);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    let actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(orgDeltaShadowMsg);
+    expect(actualReportedShadow).toEqual(orgUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(1);
+    const socatArgs = [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ];
+    expect(runDetachedProcess).toHaveBeenCalledWith('socat', socatArgs);
+    const expDeltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      disabledHttpPortInfo_1,
+      disabledHttpPortInfo_2
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+    jest.clearAllMocks();
+    jest.resetModules();
+    jest.mocked(killDetachedProcess).mockResolvedValueOnce(undefined);
+
+    // Act
+    // --------------------------------------------------------------------
+    actualReportedShadow = await testStHandlerSingleton.syncShadowToDeviceState(
+      expDeltaShadowMsg
+    );
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).not.toBeCalled();
+    expect(killDetachedProcess).toHaveBeenCalledTimes(1);
+    expect(killDetachedProcess).toHaveBeenCalledWith({}, [
+      ['socat', ...socatArgs].join(' ')
+    ]);
+  });
+
+  it('should update reportedShadowState, all 3 HTTP services enabled, with SSH disabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const expDeltaShadowMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      enabledHttpPortInfo_2,
+      enabledHttpPortInfo_3
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(expDeltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(3);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(1, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(2, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 2},fork`,
+      `tcp4:${enabledHttpPortInfo_2.ip}:${enabledHttpPortInfo_2.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(3, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 3},fork`,
+      `tcp4:${enabledHttpPortInfo_3.ip}:${enabledHttpPortInfo_3.port}`
+    ]);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState, all 1 SSH and 2 HTTP services enabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const expDeltaShadowMsg = createDeltaShadowMsg([
+      enabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      enabledHttpPortInfo_2
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(expDeltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(2);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(1, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(2, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 2},fork`,
+      `tcp4:${enabledHttpPortInfo_2.ip}:${enabledHttpPortInfo_2.port}`
+    ]);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update reportedShadowState, SSH1, HTTP1 and HTTP3 services enabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const expDeltaShadowMsg = createDeltaShadowMsg([
+      enabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      disabledHttpPortInfo_2,
+      enabledHttpPortInfo_3
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(expDeltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(2);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(1, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ]);
+    expect(runDetachedProcess).not.toHaveBeenCalledWith('socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 2},fork`,
+      `tcp4:${enabledHttpPortInfo_2.ip}:${enabledHttpPortInfo_2.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(2, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 2},fork`,
+      `tcp4:${enabledHttpPortInfo_3.ip}:${enabledHttpPortInfo_3.port}`
+    ]);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update last HTTP reportedShadowState, all 1 SSH and 3 HTTP services enabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const expectedShadow = createDeltaShadowMsg([
+      enabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      enabledHttpPortInfo_2,
+      enabledHttpPortInfo_3
+    ]);
+    const expUpdateReported = transformDeltaToUpdateReported(expectedShadow);
+    const desiredDeltaMsg = createDeltaShadowMsg([
+      enabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      enabledHttpPortInfo_2,
+      enabledHttpPortInfo_3
+    ]);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(desiredDeltaMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(3);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(1, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(2, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 2},fork`,
+      `tcp4:${enabledHttpPortInfo_2.ip}:${enabledHttpPortInfo_2.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenCalledWith('socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 3},fork`,
+      `tcp4:${enabledHttpPortInfo_3.ip}:${enabledHttpPortInfo_3.port}`
+    ]);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  it('should update last HTTP reportedShadowState, when ports changing the state from disabled to enabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const disableDeltaMsg = createDeltaShadowMsg([
+      disabledSshPortInfo,
+      disabledHttpPortInfo_1,
+      disabledHttpPortInfo_2,
+      disabledHttpPortInfo_3
+    ]);
+    const disableUpdateReported =
+      transformDeltaToUpdateReported(disableDeltaMsg);
+    const disabledReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(disableDeltaMsg);
+    expect(disabledReportedShadow).toEqual(disableUpdateReported);
+    const enableDeltaMsg = createDeltaShadowMsg([
+      enabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      enabledHttpPortInfo_2,
+      enabledHttpPortInfo_3
+    ]);
+    const expectedDeltaShadow = createDeltaShadowMsg([
+      enabledSshPortInfo,
+      enabledHttpPortInfo_1,
+      enabledHttpPortInfo_2,
+      enabledHttpPortInfo_3
+    ]);
+    const expectedUpdateReported =
+      transformDeltaToUpdateReported(expectedDeltaShadow);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(enableDeltaMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expectedUpdateReported);
+    expect(runDetachedProcess).toHaveBeenCalledTimes(3);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(1, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenNthCalledWith(2, 'socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 2},fork`,
+      `tcp4:${enabledHttpPortInfo_2.ip}:${enabledHttpPortInfo_2.port}`
+    ]);
+    expect(runDetachedProcess).toHaveBeenCalledWith('socat', [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 3},fork`,
+      `tcp4:${enabledHttpPortInfo_3.ip}:${enabledHttpPortInfo_3.port}`
+    ]);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+  });
+
+  //---------------------------------------------------------------------------
+  // test destroy function
+  //---------------------------------------------------------------------------
+  it('should destroy all socat processes', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const stConfig = [enabledSshPortInfo, enabledHttpPortInfo_1];
+    const deltaShadowMsg = createDeltaShadowMsg(stConfig);
+    const updateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+    stConfig
+      .filter((portInfo) => portInfo.type === 'HTTP')
+      .forEach((portInfo) => {
+        jest
+          .mocked(runDetachedProcess)
+          .mockResolvedValueOnce({} as ChildProcess);
+      });
+    const newReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+    expect(newReportedShadow).toEqual(updateReported);
+    jest.clearAllMocks(); // after setting up the shadow, we need to reset mocks again
+    jest.resetModules();
+    const expStConfig = [disabledSshPortInfo];
+    const expDeltaShadowMsg = createDeltaShadowMsg(expStConfig);
+    const expUpdateReported = transformDeltaToUpdateReported(expDeltaShadowMsg);
+
+    // Act
+    // --------------------------------------------------------------------
+    await testStHandlerSingleton.destroy();
+    const actualReportedShadow = testStHandlerSingleton.getSecureTunnelShadow();
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(expUpdateReported);
+  });
+
+  //---------------------------------------------------------------------------
+  // test secureTunnelNotifyHandler function
+  //---------------------------------------------------------------------------
+  it('should start Secure Tunnel, given localproxy already downloaded and default shadow is not enabled, that is default SSH connection', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    mockJsSpawner.exists.mockResolvedValueOnce(true); // mock that localproxy already exists on file system
+    const message: SecureTunnelNotifyMsg = {
+      clientAccessToken: 'DefaultSSHConnection_001',
+      region: 'us-west-2',
+      services: ['SSH']
+    };
+    const expectedLocalproxyArgs = [
+      '--destination-app',
+      '22',
+      '--region',
+      message.region,
+      '--capath',
+      AWS_ROOT_CERTIFICATE_FILE_PATH,
+      '--local-bind-address',
+      '0.0.0.0',
+      '-t',
+      message.clientAccessToken
+    ];
+
+    // Act
+    // --------------------------------------------------------------------
+    await testStHandlerSingleton.secureTunnelNotifyHandler(message);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(mockJsSpawner.exists).toHaveBeenCalledTimes(1);
+    expect(getArch).not.toHaveBeenCalled();
+    expect(getOsVersion).not.toHaveBeenCalled();
+    expect(getDistribution).not.toHaveBeenCalled();
+    expect(mockJsSpawner.mkdirp).not.toHaveBeenCalled();
+    expect(mockJsSpawner.run).not.toHaveBeenCalled();
+    expect(downloadFile).not.toHaveBeenCalled();
+    expect(runDetachedProcess).toHaveBeenCalledTimes(1);
+    expect(runDetachedProcess).toHaveBeenCalledWith(
+      SECURE_TUNNEL_BIN_PATH,
+      expectedLocalproxyArgs
+    );
+    expect(killDetachedProcess).not.toHaveBeenCalled();
+  });
+
+  const testCasesForDIfferentLocalproxyEnv: [string, string, string][] = [
+    // linuxDistro, osVersion, arch
+    ['debian', '12', 'aarch64'],
+    ['debian', '12', 'arm64'],
+    ['macos', '13.4', 'arm64v8'],
+    ['raspbian', '9.13', 'armhf'],
+    ['raspbian', '11', 'armhf'],
+    ['ubuntu', '18.04', 'amd64'],
+    ['ubuntu', '18.04', 'arm64'],
+    ['ubuntu', '18.04', 'armhf'],
+    ['ubuntu', '20.04', 'amd64'],
+    ['ubuntu', '20.04', 'arm64'],
+    ['ubuntu', '20.04', 'armhf'],
+    ['ubuntu', '22.04', 'amd64'],
+    ['ubuntu', '22.04', 'arm64'],
+    ['ubuntu', '23.04', 'amd64'],
+    ['ubuntu', '23.04', 'arm64'],
+    ['ubuntu', '23.10', 'amd64'],
+    ['ubuntu', '23.10', 'arm64']
+  ];
+  test.each(testCasesForDIfferentLocalproxyEnv)(
+    'should start Secure Tunnel, given localproxy downloaded needed and default shadow is not enabled, that is default SSH connection',
+    async (linuxDistro: string, osVersion: string, arch: string) => {
+      // Arrange
+      // --------------------------------------------------------------------
+      mockJsSpawner.exists.mockResolvedValueOnce(false); // mock that localproxy does not exist on file system
+      jest.mocked(getArch).mockResolvedValueOnce(arch);
+      jest.mocked(getOsVersion).mockResolvedValueOnce(osVersion);
+      jest.mocked(getDistribution).mockResolvedValueOnce(linuxDistro);
+      const expectedUrl = `${aaiArtifactsBucketUrl}/securetunnel/${linuxDistro}/${osVersion}/${arch}/${SECURE_TUNNEL_BIN_NAME}`;
+      const message: SecureTunnelNotifyMsg = {
+        clientAccessToken: 'DefaultSSHConnection_001',
+        region: 'us-west-2',
+        services: ['SSH']
+      };
+      const expectedLocalproxyArgs = [
+        '--destination-app',
+        '22',
+        '--region',
+        message.region,
+        '--capath',
+        AWS_ROOT_CERTIFICATE_FILE_PATH,
+        '--local-bind-address',
+        '0.0.0.0',
+        '-t',
+        message.clientAccessToken
+      ];
+
+      // Act
+      // --------------------------------------------------------------------
+      await testStHandlerSingleton.secureTunnelNotifyHandler(message);
+
+      // Assert
+      // --------------------------------------------------------------------
+      expect(mockJsSpawner.exists).toHaveBeenCalledTimes(1);
+      expect(mockJsSpawner.exists).toHaveBeenCalledWith(SECURE_TUNNEL_BIN_PATH);
+      expect(getArch).toHaveBeenCalledTimes(1);
+      expect(getOsVersion).toHaveBeenCalledTimes(1);
+      expect(getDistribution).toHaveBeenCalledTimes(1);
+      expect(mockJsSpawner.mkdirp).toHaveBeenCalledTimes(1);
+      expect(mockJsSpawner.mkdirp).toHaveBeenCalledWith(
+        join(AAI_DIR, SECURE_TUNNEL_BIN_DIR)
+      );
+      expect(mockJsSpawner.run).toHaveBeenCalledTimes(1);
+      expect(mockJsSpawner.run).toHaveBeenCalledWith({
+        exe: 'chmod',
+        args: ['+x', SECURE_TUNNEL_BIN_PATH]
+      });
+      expect(downloadFile).toHaveBeenCalledTimes(1);
+      expect(downloadFile).toHaveBeenCalledWith({
+        url: expectedUrl,
+        path: SECURE_TUNNEL_BIN_PATH,
+        errorMessage: `Secure Tunnel bin for ${linuxDistro} ${osVersion} ${arch} not found}`
+      });
+      expect(runDetachedProcess).toHaveBeenCalledTimes(1);
+      expect(runDetachedProcess).toHaveBeenCalledWith(
+        SECURE_TUNNEL_BIN_PATH,
+        expectedLocalproxyArgs
+      );
+      expect(killDetachedProcess).not.toHaveBeenCalled();
+    }
+  );
+
+  const testCasesForInvalidSecureTunnelNotificationParameters: [
+    SecureTunnelNotifyMsg
+  ][] = [
+    [{ clientAccessToken: '', region: '', services: [] }], // invalid everything
+    [
+      {
+        clientAccessToken: '', // invalid token
+        region: 'us-west-2',
+        services: ['SSH']
+      }
+    ],
+    [
+      {
+        clientAccessToken: '001',
+        region: 'us-west-1', // not supported region
+        services: ['SSH']
+      }
+    ],
+    [
+      {
+        clientAccessToken: '002',
+        region: 'us-east-2', // not valid region
+        services: ['SSH']
+      }
+    ],
+    [
+      {
+        clientAccessToken: '003',
+        region: 'eu-central-1', // not valid region
+        services: ['SSH']
+      }
+    ],
+    [
+      {
+        clientAccessToken: '004',
+        region: 'invalid region', // invalid region
+        services: ['SSH']
+      }
+    ],
+    [
+      {
+        clientAccessToken: '005',
+        region: 'us-west-2',
+        services: [] // no service field
+      }
+    ],
+    [
+      {
+        clientAccessToken: '006',
+        region: 'us-west-2',
+        services: [''] // empty field in service
+      }
+    ],
+    [
+      {
+        clientAccessToken: '007',
+        region: 'us-west-2',
+        services: ['SSH', ''] // one of the fields is empty in service
+      }
+    ],
+    [
+      {
+        clientAccessToken: '008',
+        region: 'us-west-2',
+        services: ['SSH1', '', 'HTTP1'] // one of the fields is empty in service
+      }
+    ],
+    [
+      {
+        clientAccessToken: '009',
+        region: 'us-west-2',
+        services: ['SSH1', 'NOT_VALID'] // one of the fields is invalid
+      }
+    ],
+    [
+      {
+        clientAccessToken: '010',
+        region: 'us-west-2',
+        services: ['FTP', 'HTTP1'] // one of the fields is invalid
+      }
+    ],
+    [
+      {
+        clientAccessToken: '011',
+        region: 'us-west-2',
+        services: ['SSH1', 'FTP1', 'HTTP1'] // one of the fields is invalid
+      }
+    ]
+  ];
+  test.each(testCasesForInvalidSecureTunnelNotificationParameters)(
+    'should NOT start Secure Tunnel, given one of the fields of message is invalid',
+    async (message) => {
+      // Arrange
+      // --------------------------------------------------------------------
+      mockJsSpawner.exists.mockResolvedValueOnce(true); // mock that localproxy already exists on file system
+      const expectedLocalproxyArgs = [
+        '--destination-app',
+        '22',
+        '--region',
+        message.region,
+        '--capath',
+        AWS_ROOT_CERTIFICATE_FILE_PATH,
+        '--local-bind-address',
+        '0.0.0.0',
+        '-t',
+        message.clientAccessToken
+      ];
+
+      // Act
+      // --------------------------------------------------------------------
+      await testStHandlerSingleton.secureTunnelNotifyHandler(message);
+
+      // Assert
+      // --------------------------------------------------------------------
+      expect(mockJsSpawner.exists).toHaveBeenCalledTimes(0);
+      expect(getArch).not.toHaveBeenCalled();
+      expect(getOsVersion).not.toHaveBeenCalled();
+      expect(getDistribution).not.toHaveBeenCalled();
+      expect(mockJsSpawner.mkdirp).not.toHaveBeenCalled();
+      expect(downloadFile).not.toHaveBeenCalled();
+      expect(mockJsSpawner.run).not.toHaveBeenCalled();
+      expect(runDetachedProcess).not.toHaveBeenCalled();
+      expect(killDetachedProcess).not.toHaveBeenCalled();
+    }
+  );
+
+  const testCasesMismatchBetweenServicesAndConfig: [
+    SecureTunnelNotifyMsg,
+    ReadOnlyPortInfo[]
+  ][] = [
+    [
+      {
+        clientAccessToken: '001',
+        region: 'us-west-2',
+        services: ['SSH']
+      },
+      [enabledHttpPortInfo_1]
+    ],
+    [
+      {
+        clientAccessToken: '002',
+        region: 'us-west-2',
+        services: ['SSH1', 'HTTP1', 'HTTP2']
+      },
+      [enabledHttpPortInfo_1, enabledHttpPortInfo_2, enabledHttpPortInfo_3]
+    ],
+    [
+      {
+        clientAccessToken: '003',
+        region: 'us-west-2',
+        services: ['HTTP1', 'HTTP2']
+      },
+      [enabledHttpPortInfo_1, enabledHttpPortInfo_2, enabledHttpPortInfo_3]
+    ],
+    [
+      {
+        clientAccessToken: '004',
+        region: 'us-west-2',
+        services: ['HTTP1', 'HTTP2', 'HTTP3']
+      },
+      [enabledHttpPortInfo_1, enabledHttpPortInfo_2]
+    ],
+    [
+      {
+        clientAccessToken: '005',
+        region: 'us-west-2',
+        services: ['HTTP1', 'HTTP2', 'HTTP3', 'HTTP4']
+      },
+      [enabledHttpPortInfo_1, enabledHttpPortInfo_2, enabledHttpPortInfo_3]
+    ],
+    [
+      {
+        clientAccessToken: '006',
+        region: 'us-west-2',
+        services: ['SSH', 'HTTP1']
+      },
+      [enabledSshPortInfo]
+    ],
+    [
+      {
+        clientAccessToken: '006',
+        region: 'us-west-2',
+        services: ['SSH1', 'SSH2']
+      },
+      [enabledSshPortInfo, invalidSshPortInfo]
+    ]
+  ];
+  test.each(testCasesMismatchBetweenServicesAndConfig)(
+    'should NOT start Secure Tunnel, given services mismatch received config',
+    async (message, stConfig) => {
+      // Arrange
+      // --------------------------------------------------------------------
+      const deltaShadowMsg = createDeltaShadowMsg(stConfig);
+      const updateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+      stConfig
+        .filter((portInfo) => portInfo.type === 'HTTP')
+        .forEach((portInfo) => {
+          jest
+            .mocked(runDetachedProcess)
+            .mockResolvedValueOnce({} as ChildProcess);
+        });
+      const actualReportedShadow =
+        await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+      expect(actualReportedShadow).toEqual(updateReported);
+      jest.clearAllMocks(); // after setting up the shadow, we need to reset mocks again
+      jest.resetModules();
+      mockJsSpawner.exists.mockResolvedValueOnce(true); // mock that localproxy already exists on file system
+      const expectedLocalproxyArgs = [
+        '--destination-app',
+        '22',
+        '--region',
+        message.region,
+        '--capath',
+        AWS_ROOT_CERTIFICATE_FILE_PATH,
+        '--local-bind-address',
+        '0.0.0.0',
+        '-t',
+        message.clientAccessToken
+      ];
+
+      // Act
+      // --------------------------------------------------------------------
+      await testStHandlerSingleton.secureTunnelNotifyHandler(message);
+
+      // Assert
+      // --------------------------------------------------------------------
+      expect(mockJsSpawner.exists).toHaveBeenCalledTimes(0);
+      expect(getArch).not.toHaveBeenCalled();
+      expect(getOsVersion).not.toHaveBeenCalled();
+      expect(getDistribution).not.toHaveBeenCalled();
+      expect(mockJsSpawner.mkdirp).not.toHaveBeenCalled();
+      expect(downloadFile).not.toHaveBeenCalled();
+      expect(runDetachedProcess).not.toHaveBeenCalled();
+      expect(killDetachedProcess).not.toHaveBeenCalled();
+    }
+  );
+
+  const testCasesMatchBetweenServicesAndConfig: [
+    SecureTunnelNotifyMsg,
+    ReadOnlyPortInfo[],
+    string
+  ][] = [
+    [
+      {
+        clientAccessToken: '001',
+        region: 'us-west-2',
+        services: ['SSH']
+      },
+      [enabledSshPortInfo],
+      '22'
+    ],
+    [
+      {
+        clientAccessToken: '002',
+        region: 'us-west-2',
+        services: ['SSH1', 'HTTP1', 'HTTP2']
+      },
+      [
+        enabledSshPortInfo,
+        enabledHttpPortInfo_1,
+        enabledHttpPortInfo_2,
+        disabledHttpPortInfo_3
+      ],
+      'SSH1=22,HTTP1=5011,HTTP2=5012'
+    ],
+    [
+      {
+        clientAccessToken: '003',
+        region: 'us-west-2',
+        services: ['HTTP1', 'HTTP2']
+      },
+      [enabledHttpPortInfo_1, enabledHttpPortInfo_2],
+      'HTTP1=5011,HTTP2=5012'
+    ],
+    [
+      {
+        clientAccessToken: '004',
+        region: 'us-west-2',
+        services: ['HTTP1', 'HTTP2', 'HTTP3']
+      },
+      [enabledHttpPortInfo_1, enabledHttpPortInfo_2, enabledHttpPortInfo_3],
+      'HTTP1=5011,HTTP2=5012,HTTP3=5013'
+    ],
+    [
+      {
+        clientAccessToken: '005',
+        region: 'us-west-2',
+        services: ['HTTP1', 'HTTP2', 'HTTP3']
+      },
+      [
+        disabledSshPortInfo,
+        enabledHttpPortInfo_1,
+        enabledHttpPortInfo_2,
+        enabledHttpPortInfo_3
+      ],
+      'HTTP1=5011,HTTP2=5012,HTTP3=5013'
+    ],
+    [
+      {
+        clientAccessToken: '006',
+        region: 'us-west-2',
+        services: ['SSH1', 'HTTP1']
+      },
+      [
+        enabledSshPortInfo,
+        disabledHttpPortInfo_1,
+        enabledHttpPortInfo_2,
+        disabledHttpPortInfo_3
+      ],
+      'SSH1=22,HTTP1=5011'
+    ]
+  ];
+  test.each(testCasesMatchBetweenServicesAndConfig)(
+    'should start Secure Tunnel, given services and port config match',
+    async (message, stConfig, expectedPortMapping) => {
+      // Arrange
+      // --------------------------------------------------------------------
+      const deltaShadowMsg = createDeltaShadowMsg(stConfig);
+      const updateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+      stConfig
+        .filter((portInfo) => portInfo.type === 'HTTP')
+        .forEach((portInfo) => {
+          jest
+            .mocked(runDetachedProcess)
+            .mockResolvedValueOnce({} as ChildProcess);
+        });
+      const actualReportedShadow =
+        await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+      expect(actualReportedShadow).toEqual(updateReported);
+      jest.clearAllMocks(); // after setting up the shadow, we need to reset mocks again
+      jest.resetModules();
+      mockJsSpawner.exists.mockResolvedValueOnce(true); // mock that localproxy already exists on file system
+      const expectedLocalproxyArgs = [
+        '--destination-app',
+        expectedPortMapping,
+        '--region',
+        message.region,
+        '--capath',
+        AWS_ROOT_CERTIFICATE_FILE_PATH,
+        '--local-bind-address',
+        '0.0.0.0',
+        '-t',
+        message.clientAccessToken
+      ];
+
+      // Act
+      // --------------------------------------------------------------------
+      await testStHandlerSingleton.secureTunnelNotifyHandler(message);
+
+      // Assert
+      // --------------------------------------------------------------------
+      expect(mockJsSpawner.exists).toHaveBeenCalledTimes(1);
+      expect(getArch).not.toHaveBeenCalled();
+      expect(getOsVersion).not.toHaveBeenCalled();
+      expect(getDistribution).not.toHaveBeenCalled();
+      expect(mockJsSpawner.mkdirp).not.toHaveBeenCalled();
+      expect(downloadFile).not.toHaveBeenCalled();
+      expect(mockJsSpawner.run).not.toHaveBeenCalled();
+      expect(runDetachedProcess).toHaveBeenCalledTimes(1);
+      expect(runDetachedProcess).toHaveBeenCalledWith(
+        SECURE_TUNNEL_BIN_PATH,
+        expectedLocalproxyArgs
+      );
+      expect(killDetachedProcess).toHaveBeenCalledTimes(0);
+    }
+  );
+
+  it('should start Secure Tunnel, given 1 SSH and 1 HTTP ports enabled', async () => {
+    // Arrange
+    // --------------------------------------------------------------------
+    const message = {
+      clientAccessToken: '089',
+      region: 'us-west-2',
+      services: ['SSH1', 'HTTP1']
+    };
+    let stConfig = [enabledSshPortInfo, enabledHttpPortInfo_1];
+    const expectedPortMapping = 'SSH1=22,HTTP1=5011';
+    let deltaShadowMsg = createDeltaShadowMsg(stConfig);
+    let updateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+    stConfig
+      .filter((portInfo) => portInfo.type === 'HTTP')
+      .forEach((portInfo) => {
+        jest
+          .mocked(runDetachedProcess)
+          .mockResolvedValueOnce({} as ChildProcess);
+      });
+    const socatArgs = [
+      `tcp4-listen:${ST_START_PORT_NUMBER + 1},fork`,
+      `tcp4:${enabledHttpPortInfo_1.ip}:${enabledHttpPortInfo_1.port}`
+    ];
+    const beforeReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+    expect(beforeReportedShadow).toEqual(updateReported);
+    jest.clearAllMocks(); // after setting up the shadow, we need to reset mocks again
+    jest.resetModules();
+    mockJsSpawner.exists.mockResolvedValueOnce(true); // mock that localproxy already exists on file system
+    const expectedLocalproxyArgs = [
+      '--destination-app',
+      expectedPortMapping,
+      '--region',
+      message.region,
+      '--capath',
+      AWS_ROOT_CERTIFICATE_FILE_PATH,
+      '--local-bind-address',
+      '0.0.0.0',
+      '-t',
+      message.clientAccessToken
+    ];
+    await testStHandlerSingleton.secureTunnelNotifyHandler(message);
+    jest.clearAllMocks(); // after setting up the shadow, we need to reset mocks again
+    jest.resetModules();
+    stConfig = [disabledSshPortInfo, disabledHttpPortInfo_1];
+    deltaShadowMsg = createDeltaShadowMsg(stConfig);
+    updateReported = transformDeltaToUpdateReported(deltaShadowMsg);
+    stConfig.forEach((portInfo) => {
+      jest.mocked(runDetachedProcess).mockResolvedValueOnce({} as ChildProcess);
+    });
+
+    // Act
+    // --------------------------------------------------------------------
+    const actualReportedShadow =
+      await testStHandlerSingleton.syncShadowToDeviceState(deltaShadowMsg);
+
+    // Assert
+    // --------------------------------------------------------------------
+    expect(actualReportedShadow).toEqual(updateReported);
+    expect(mockJsSpawner.exists).not.toHaveBeenCalled();
+    expect(getArch).not.toHaveBeenCalled();
+    expect(getOsVersion).not.toHaveBeenCalled();
+    expect(getDistribution).not.toHaveBeenCalled();
+    expect(mockJsSpawner.mkdirp).not.toHaveBeenCalled();
+    expect(downloadFile).not.toHaveBeenCalled();
+    expect(mockJsSpawner.run).not.toHaveBeenCalled();
+    expect(runDetachedProcess).toHaveBeenCalledTimes(0);
+    expect(killDetachedProcess).toHaveBeenCalledTimes(2);
+    expect(killDetachedProcess).toHaveBeenCalledWith({}, [
+      ['socat', ...socatArgs].join(' ')
+    ]);
+  });
+});