Harden scratch setup bootstrap and authority admin scopes

2026-03-12 13:12:32 +02:00
parent 29b68f5bee
commit 509b97a1a7
7 changed files with 144 additions and 12 deletions
--- a/scripts/setup.ps1
+++ b/scripts/setup.ps1
@@ -470,11 +470,21 @@ function Start-Platform {
 function Test-ExpectedHttpStatus([string]$url, [int[]]$allowedStatusCodes, [int]$timeoutSeconds = 5, [int]$attempts = 6, [int]$retryDelaySeconds = 2) {
    for ($attempt = 1; $attempt -le $attempts; $attempt++) {
        $statusCode = $null
+        $previousCertificateCallback = $null
+        $hasCertificateCallbackOverride = $false

        try {
            $request = [System.Net.WebRequest]::Create($url)
            $request.Method = 'GET'
            $request.Timeout = $timeoutSeconds * 1000
+            if ($request -is [System.Net.HttpWebRequest]) {
+                $request.AllowAutoRedirect = $false
+            }
+            if ($url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
+                $previousCertificateCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
+                [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
+                $hasCertificateCallbackOverride = $true
+            }
            $response = [System.Net.HttpWebResponse]$request.GetResponse()

            try {
@@ -492,6 +502,10 @@ function Test-ExpectedHttpStatus([string]$url, [int[]]$allowedStatusCodes, [int]
                }
            }
        } catch {
+        } finally {
+            if ($hasCertificateCallbackOverride) {
+                [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCertificateCallback
+            }
        }

        if ($null -ne $statusCode -and $allowedStatusCodes -contains $statusCode) {
@@ -506,6 +520,52 @@ function Test-ExpectedHttpStatus([string]$url, [int[]]$allowedStatusCodes, [int]
    return $null
 }

+function Test-FrontdoorBootstrap {
+    $baseUrl = 'https://stella-ops.local'
+    $probes = @(
+        @{
+            Name = 'Frontdoor readiness'
+            Url = "$baseUrl/health/ready"
+            AllowedStatusCodes = @(200)
+        },
+        @{
+            Name = 'Frontdoor welcome page'
+            Url = "$baseUrl/welcome"
+            AllowedStatusCodes = @(200)
+        },
+        @{
+            Name = 'Frontdoor environment settings'
+            Url = "$baseUrl/envsettings.json"
+            AllowedStatusCodes = @(200)
+        },
+        @{
+            Name = 'Authority discovery'
+            Url = "$baseUrl/.well-known/openid-configuration"
+            AllowedStatusCodes = @(200)
+        },
+        @{
+            Name = 'Authority authorize bootstrap'
+            Url = "$baseUrl/connect/authorize?client_id=stella-ops-ui&redirect_uri=https%3A%2F%2Fstella-ops.local%2Fauth%2Fcallback&response_type=code&scope=openid%20profile%20email&state=setup-smoke&nonce=setup-smoke&code_challenge=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&code_challenge_method=S256"
+            AllowedStatusCodes = @(200, 302, 303)
+        }
+    )
+
+    Write-Step 'Waiting for frontdoor bootstrap readiness'
+
+    foreach ($probe in $probes) {
+        $statusCode = Test-ExpectedHttpStatus $probe.Url $probe.AllowedStatusCodes -timeoutSeconds 5 -attempts 24 -retryDelaySeconds 5
+        if ($null -ne $statusCode) {
+            Write-Ok "$($probe.Name) (HTTP $statusCode)"
+            continue
+        }
+
+        Write-Fail "$($probe.Name) did not reach an expected status ($($probe.AllowedStatusCodes -join '/'))"
+        return $false
+    }
+
+    return $true
+}
+
 # ─── 8. Smoke test ─────────────────────────────────────────────────────────

 function Test-Smoke {
@@ -559,6 +619,14 @@ function Test-Smoke {
        $hasBlockingFailures = $true
    }

+    if (-not $InfraOnly) {
+        if (Test-FrontdoorBootstrap) {
+            Write-Ok 'Frontdoor bootstrap path is ready for first-user sign-in'
+        } else {
+            $hasBlockingFailures = $true
+        }
+    }
+
    # Platform container health summary
    Write-Step 'Container health summary'
    Push-Location $ComposeDir
@@ -679,7 +747,8 @@ if ($InfraOnly) {
    Start-Infrastructure
    $infraSmokeFailed = Test-Smoke
    if ($infraSmokeFailed) {
-        Write-Warn 'Infrastructure started with blocking smoke failures. Review output and docker compose logs.'
+        Write-Fail 'Infrastructure setup did not pass blocking smoke tests. Review output and docker compose logs.'
+        exit 1
    }
    Write-Host "`nDone (infra only). Infrastructure is running." -ForegroundColor Green
    exit 0
@@ -696,7 +765,8 @@ if (-not $SkipImages) {
 Start-Platform
 $platformSmokeFailed = Test-Smoke
 if ($platformSmokeFailed) {
-    Write-Warn 'Setup completed with blocking smoke failures. Review output and docker compose logs.'
+    Write-Fail 'Setup did not pass blocking smoke tests. Review output and docker compose logs.'
+    exit 1
 }

 Write-Host "`n=============================================" -ForegroundColor Green