Harden scratch setup bootstrap and authority admin scopes
@@ -339,7 +339,7 @@ http_status() {
|
||||
local status=""
|
||||
|
||||
for (( attempt=1; attempt<=attempts; attempt++ )); do
|
||||
status=$(curl -s -o /dev/null --connect-timeout 5 -w '%{http_code}' "$url" 2>/dev/null || true)
|
||||
status=$(curl -sk -o /dev/null --connect-timeout 5 -w '%{http_code}' "$url" 2>/dev/null || true)
|
||||
if [[ -n "$status" && "$status" != "000" ]]; then
|
||||
printf '%s' "$status"
|
||||
return 0
|
||||
@@ -353,16 +353,54 @@ http_status() {
|
||||
return 0
|
||||
}
|
||||
|
||||
frontdoor_bootstrap_ready() {
|
||||
step 'Waiting for frontdoor bootstrap readiness'
|
||||
|
||||
local probes=(
|
||||
"Frontdoor readiness|https://stella-ops.local/health/ready|200"
|
||||
"Frontdoor welcome page|https://stella-ops.local/welcome|200"
|
||||
"Frontdoor environment settings|https://stella-ops.local/envsettings.json|200"
|
||||
"Authority discovery|https://stella-ops.local/.well-known/openid-configuration|200"
|
||||
"Authority authorize bootstrap|https://stella-ops.local/connect/authorize?client_id=stella-ops-ui&redirect_uri=https%3A%2F%2Fstella-ops.local%2Fauth%2Fcallback&response_type=code&scope=openid%20profile%20email&state=setup-smoke&nonce=setup-smoke&code_challenge=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&code_challenge_method=S256|200,302,303"
|
||||
)
|
||||
|
||||
local entry name url allowed status matched
|
||||
for entry in "${probes[@]}"; do
|
||||
IFS='|' read -r name url allowed <<<"$entry"
|
||||
status="$(http_status "$url" 24 5)"
|
||||
matched=false
|
||||
IFS=',' read -ra allowed_codes <<<"$allowed"
|
||||
for code in "${allowed_codes[@]}"; do
|
||||
if [[ "$status" == "$code" ]]; then
|
||||
matched=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$matched" == "true" ]]; then
|
||||
ok "$name (HTTP $status)"
|
||||
continue
|
||||
fi
|
||||
|
||||
fail "$name did not reach an expected status ($allowed)"
|
||||
return 1
|
||||
done
|
||||
|
||||
ok 'Frontdoor bootstrap path is ready for first-user sign-in'
|
||||
}
|
||||
|
||||
# ─── 8. Smoke test ─────────────────────────────────────────────────────────
|
||||
|
||||
smoke_test() {
|
||||
step 'Running smoke tests'
|
||||
local has_blocking_failures=false
|
||||
|
||||
# Infrastructure checks
|
||||
if docker exec stellaops-dev-postgres pg_isready -U stellaops &>/dev/null; then
|
||||
ok 'PostgreSQL'
|
||||
else
|
||||
warn 'PostgreSQL not responding'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
local pong; pong=$(docker exec stellaops-dev-valkey valkey-cli ping 2>/dev/null || true)
|
||||
@@ -370,6 +408,7 @@ smoke_test() {
|
||||
ok 'Valkey'
|
||||
else
|
||||
warn 'Valkey not responding'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
local rustfs_url rustfs_status
|
||||
@@ -379,6 +418,7 @@ smoke_test() {
|
||||
ok "RustFS S3 endpoint (HTTP $rustfs_status)"
|
||||
else
|
||||
warn 'RustFS S3 endpoint did not respond with an expected status (wanted 200/403)'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
local registry_url registry_status
|
||||
@@ -388,6 +428,13 @@ smoke_test() {
|
||||
ok "Zot registry endpoint (HTTP $registry_status)"
|
||||
else
|
||||
warn 'Zot registry endpoint did not respond with an expected status (wanted 200/401)'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
if [[ "$INFRA_ONLY" != "true" ]]; then
|
||||
if ! frontdoor_bootstrap_ready; then
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Platform container health summary
|
||||
@@ -429,9 +476,14 @@ smoke_test() {
|
||||
ok 'Platform listening on https://stella-ops.local (TLS handshake pending)'
|
||||
else
|
||||
warn 'Platform not yet accessible at https://stella-ops.local (may still be starting)'
|
||||
has_blocking_failures=true
|
||||
fi
|
||||
|
||||
cd "$ROOT"
|
||||
|
||||
if [[ "$has_blocking_failures" == "true" ]]; then
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# ─── Main ───────────────────────────────────────────────────────────────────
|
||||
@@ -454,7 +506,10 @@ ensure_env
|
||||
start_infra
|
||||
|
||||
if [[ "$INFRA_ONLY" == "true" ]]; then
|
||||
smoke_test
|
||||
if ! smoke_test; then
|
||||
fail 'Infrastructure setup did not pass blocking smoke tests. Review output and docker compose logs.'
|
||||
exit 1
|
||||
fi
|
||||
echo ''
|
||||
echo 'Done (infra only). Infrastructure is running.'
|
||||
exit 0
|
||||
@@ -473,7 +528,10 @@ if [[ "$SKIP_IMAGES" != "true" ]]; then
|
||||
fi
|
||||
|
||||
start_platform
|
||||
smoke_test
|
||||
if ! smoke_test; then
|
||||
fail 'Setup did not pass blocking smoke tests. Review output and docker compose logs.'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ''
|
||||
echo '============================================='
|
||||
|
||||
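Review bot: The `curl -sk` line in `http_status` (first hunk) turns off TLS certificate verification for every probe, so `frontdoor_bootstrap_ready` can print 'Frontdoor bootstrap path is ready for first-user sign-in' while the certificate served at stella-ops.local is untrusted, expired, or presented by a different listener. The +/- markers are lost on this page; assuming `-sk` is the new side, it would be safer to keep verification and point curl at the local CA, e.g. `curl -s --cacert "$FRONTDOOR_CA_CERT" ...` (placeholder variable name), or to make `-k` an explicit opt-in such as `${SETUP_INSECURE_TLS:+-k}` (also a placeholder) that is echoed in the `ok` line. Separately, `allowed_codes` and `code` in `frontdoor_bootstrap_ready` are missing from the `local` list and leak into the script's global scope; `local entry name url allowed status matched code` plus `local -a allowed_codes` would contain them. `http_status` starts and ends outside the visible hunk, so its argument handling could not be checked here.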