Harden scratch setup bootstrap and authority admin scopes
This commit is contained in:
master
@@ -470,11 +470,21 @@ function Start-Platform {
|
||||
function Test-ExpectedHttpStatus([string]$url, [int[]]$allowedStatusCodes, [int]$timeoutSeconds = 5, [int]$attempts = 6, [int]$retryDelaySeconds = 2) {
|
||||
for ($attempt = 1; $attempt -le $attempts; $attempt++) {
|
||||
$statusCode = $null
|
||||
$previousCertificateCallback = $null
|
||||
$hasCertificateCallbackOverride = $false
|
||||
|
||||
try {
|
||||
$request = [System.Net.WebRequest]::Create($url)
|
||||
$request.Method = 'GET'
|
||||
$request.Timeout = $timeoutSeconds * 1000
|
||||
if ($request -is [System.Net.HttpWebRequest]) {
|
||||
$request.AllowAutoRedirect = $false
|
||||
}
|
||||
if ($url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
|
||||
$previousCertificateCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
|
||||
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
|
||||
$hasCertificateCallbackOverride = $true
|
||||
}
|
||||
$response = [System.Net.HttpWebResponse]$request.GetResponse()
|
||||
|
||||
try {
|
||||
@@ -492,6 +502,10 @@ function Test-ExpectedHttpStatus([string]$url, [int[]]$allowedStatusCodes, [int]
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
} finally {
|
||||
if ($hasCertificateCallbackOverride) {
|
||||
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCertificateCallback
|
||||
}
|
||||
}
|
||||
|
||||
if ($null -ne $statusCode -and $allowedStatusCodes -contains $statusCode) {
|
||||
@@ -506,6 +520,52 @@ function Test-ExpectedHttpStatus([string]$url, [int[]]$allowedStatusCodes, [int]
|
||||
return $null
|
||||
}
|
||||
|
||||
function Test-FrontdoorBootstrap {
|
||||
$baseUrl = 'https://stella-ops.local'
|
||||
$probes = @(
|
||||
@{
|
||||
Name = 'Frontdoor readiness'
|
||||
Url = "$baseUrl/health/ready"
|
||||
AllowedStatusCodes = @(200)
|
||||
},
|
||||
@{
|
||||
Name = 'Frontdoor welcome page'
|
||||
Url = "$baseUrl/welcome"
|
||||
AllowedStatusCodes = @(200)
|
||||
},
|
||||
@{
|
||||
Name = 'Frontdoor environment settings'
|
||||
Url = "$baseUrl/envsettings.json"
|
||||
AllowedStatusCodes = @(200)
|
||||
},
|
||||
@{
|
||||
Name = 'Authority discovery'
|
||||
Url = "$baseUrl/.well-known/openid-configuration"
|
||||
AllowedStatusCodes = @(200)
|
||||
},
|
||||
@{
|
||||
Name = 'Authority authorize bootstrap'
|
||||
Url = "$baseUrl/connect/authorize?client_id=stella-ops-ui&redirect_uri=https%3A%2F%2Fstella-ops.local%2Fauth%2Fcallback&response_type=code&scope=openid%20profile%20email&state=setup-smoke&nonce=setup-smoke&code_challenge=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&code_challenge_method=S256"
|
||||
AllowedStatusCodes = @(200, 302, 303)
|
||||
}
|
||||
)
|
||||
|
||||
Write-Step 'Waiting for frontdoor bootstrap readiness'
|
||||
|
||||
foreach ($probe in $probes) {
|
||||
$statusCode = Test-ExpectedHttpStatus $probe.Url $probe.AllowedStatusCodes -timeoutSeconds 5 -attempts 24 -retryDelaySeconds 5
|
||||
if ($null -ne $statusCode) {
|
||||
Write-Ok "$($probe.Name) (HTTP $statusCode)"
|
||||
continue
|
||||
}
|
||||
|
||||
Write-Fail "$($probe.Name) did not reach an expected status ($($probe.AllowedStatusCodes -join '/'))"
|
||||
return $false
|
||||
}
|
||||
|
||||
return $true
|
||||
}
|
||||
|
||||
# ─── 8. Smoke test ─────────────────────────────────────────────────────────
|
||||
|
||||
function Test-Smoke {
|
||||
@@ -559,6 +619,14 @@ function Test-Smoke {
|
||||
$hasBlockingFailures = $true
|
||||
}
|
||||
|
||||
if (-not $InfraOnly) {
|
||||
if (Test-FrontdoorBootstrap) {
|
||||
Write-Ok 'Frontdoor bootstrap path is ready for first-user sign-in'
|
||||
} else {
|
||||
$hasBlockingFailures = $true
|
||||
}
|
||||
}
|
||||
|
||||
# Platform container health summary
|
||||
Write-Step 'Container health summary'
|
||||
Push-Location $ComposeDir
|
||||
@@ -679,7 +747,8 @@ if ($InfraOnly) {
|
||||
Start-Infrastructure
|
||||
$infraSmokeFailed = Test-Smoke
|
||||
if ($infraSmokeFailed) {
|
||||
Write-Warn 'Infrastructure started with blocking smoke failures. Review output and docker compose logs.'
|
||||
Write-Fail 'Infrastructure setup did not pass blocking smoke tests. Review output and docker compose logs.'
|
||||
exit 1
|
||||
}
|
||||
Write-Host "`nDone (infra only). Infrastructure is running." -ForegroundColor Green
|
||||
exit 0
|
||||
@@ -696,7 +765,8 @@ if (-not $SkipImages) {
|
||||
Start-Platform
|
||||
$platformSmokeFailed = Test-Smoke
|
||||
if ($platformSmokeFailed) {
|
||||
Write-Warn 'Setup completed with blocking smoke failures. Review output and docker compose logs.'
|
||||
Write-Fail 'Setup did not pass blocking smoke tests. Review output and docker compose logs.'
|
||||
exit 1
|
||||
}
|
||||
|
||||
Write-Host "`n=============================================" -ForegroundColor Green
|
||||
|
||||
@@ -339,7 +339,7 @@ http_status() {
|
||||
local status=""
|
||||
|
||||
for (( attempt=1; attempt<=attempts; attempt++ )); do
|
||||
status=$(curl -s -o /dev/null --connect-timeout 5 -w '%{http_code}' "$url" 2>/dev/null || true)
|
||||
status=$(curl -sk -o /dev/null --connect-timeout 5 -w '%{http_code}' "$url" 2>/dev/null || true)
|
||||
if [[ -n "$status" && "$status" != "000" ]]; then
|
||||
printf '%s' "$status"
|
||||
return 0
|
||||
@@ -353,16 +353,54 @@ http_status() {
|
||||
return 0
|
||||
}
|
||||
|
||||
frontdoor_bootstrap_ready() {
|
||||
step 'Waiting for frontdoor bootstrap readiness'
|
||||
|
||||
local probes=(
|
||||
"Frontdoor readiness|https://stella-ops.local/health/ready|200"
|
||||
"Frontdoor welcome page|https://stella-ops.local/welcome|200"
|
||||
"Frontdoor environment settings|https://stella-ops.local/envsettings.json|200"
|
||||
"Authority discovery|https://stella-ops.local/.well-known/openid-configuration|200"
|
||||
"Authority authorize bootstrap|https://stella-ops.local/connect/authorize?client_id=stella-ops-ui&redirect_uri=https%3A%2F%2Fstella-ops.local%2Fauth%2Fcallback&response_type=code&scope=openid%20profile%20email&state=setup-smoke&nonce=setup-smoke&code_challenge=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&code_challenge_method=S256|200,302,303"
|
||||
)
|
||||
|
||||
local entry name url allowed status matched
|
||||
for entry in "${probes[@]}"; do
|
||||
IFS='|' read -r name url allowed <<<"$entry"
|
||||
status="$(http_status "$url" 24 5)"
|
||||
matched=false
|
||||
IFS=',' read -ra allowed_codes <<<"$allowed"
|
||||
for code in "${allowed_codes[@]}"; do
|
||||
if [[ "$status" == "$code" ]]; then
|
||||
matched=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$matched" == "true" ]]; then
|
||||
ok "$name (HTTP $status)"
|
||||
continue
|
||||
fi
|
||||
|
||||
fail "$name did not reach an expected status ($allowed)"
|
||||
return 1
|
||||
done
|
||||
|
||||
ok 'Frontdoor bootstrap path is ready for first-user sign-in'
|
||||
}
|
||||
|
||||
# ─── 8. Smoke test ─────────────────────────────────────────────────────────
|
||||
|
||||
smoke_test() {
|
||||
step 'Running smoke tests'
|
||||
local has_blocking_failures=false
|
||||
|
||||
# Infrastructure checks
|
||||
if docker exec stellaops-dev-postgres pg_isready -U stellaops &>/dev/null; then
|
||||
ok 'PostgreSQL'
|
||||
else
|
||||
warn 'PostgreSQL not responding'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
local pong; pong=$(docker exec stellaops-dev-valkey valkey-cli ping 2>/dev/null || true)
|
||||
@@ -370,6 +408,7 @@ smoke_test() {
|
||||
ok 'Valkey'
|
||||
else
|
||||
warn 'Valkey not responding'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
local rustfs_url rustfs_status
|
||||
@@ -379,6 +418,7 @@ smoke_test() {
|
||||
ok "RustFS S3 endpoint (HTTP $rustfs_status)"
|
||||
else
|
||||
warn 'RustFS S3 endpoint did not respond with an expected status (wanted 200/403)'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
local registry_url registry_status
|
||||
@@ -388,6 +428,13 @@ smoke_test() {
|
||||
ok "Zot registry endpoint (HTTP $registry_status)"
|
||||
else
|
||||
warn 'Zot registry endpoint did not respond with an expected status (wanted 200/401)'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
if [[ "$INFRA_ONLY" != "true" ]]; then
|
||||
if ! frontdoor_bootstrap_ready; then
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Platform container health summary
|
||||
@@ -429,9 +476,14 @@ smoke_test() {
|
||||
ok 'Platform listening on https://stella-ops.local (TLS handshake pending)'
|
||||
else
|
||||
warn 'Platform not yet accessible at https://stella-ops.local (may still be starting)'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
cd "$ROOT"
|
||||
|
||||
if [[ "$has_blocking_failures" == "true" ]]; then
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# ─── Main ───────────────────────────────────────────────────────────────────
|
||||
@@ -454,7 +506,10 @@ ensure_env
|
||||
start_infra
|
||||
|
||||
if [[ "$INFRA_ONLY" == "true" ]]; then
|
||||
smoke_test
|
||||
if ! smoke_test; then
|
||||
fail 'Infrastructure setup did not pass blocking smoke tests. Review output and docker compose logs.'
|
||||
exit 1
|
||||
fi
|
||||
echo ''
|
||||
echo 'Done (infra only). Infrastructure is running.'
|
||||
exit 0
|
||||
@@ -473,7 +528,10 @@ if [[ "$SKIP_IMAGES" != "true" ]]; then
|
||||
fi
|
||||
|
||||
start_platform
|
||||
smoke_test
|
||||
if ! smoke_test; then
|
||||
fail 'Setup did not pass blocking smoke tests. Review output and docker compose logs.'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ''
|
||||
echo '============================================='
|
||||
|
||||
Reference in New Issue
Block a user