첫 커밋: 로컬 프로젝트 업로드
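--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+failures=0
+
+rule_files=()
+while IFS= read -r file; do
+rule_files+=("$file")
+done < <(find \
+"$repo_root/docker/ory/oathkeeper" \
+"$repo_root/config/.generated/ory/oathkeeper" \
+-maxdepth 1 -name 'rules*.json' -print | sort)
+
+for file in "${rule_files[@]}"; do
+if grep -Eq '"id"[[:space:]]*:[[:space:]]*"kratos-public"' "$file"; then
+echo "ERROR: $file must not define a public Kratos proxy rule." >&2
+failures=$((failures + 1))
+fi
+if grep -Eq '"url"[[:space:]]*:[[:space:]]*"[^"]*/kratos/<\.\*>"' "$file"; then
+echo "ERROR: $file must not expose Kratos under /kratos." >&2
+failures=$((failures + 1))
+fi
+if grep -Eq '"url"[[:space:]]*:[[:space:]]*"http://kratos:4433"' "$file"; then
+echo "ERROR: $file must not proxy public requests directly to kratos:4433." >&2
+failures=$((failures + 1))
+fi
+done
+
+for compose_file in \
+"$repo_root/compose.ory.yaml" \
+"$repo_root/docker/compose.ory.yaml" \
+"$repo_root/docker/staging_pull_compose.template.yaml" \
+"$repo_root/deploy/templates/docker-compose.yaml"
+do
+kratos_block="$(
+awk '
+/^[[:space:]]+kratos:/ { in_block=1; print; next }
+in_block && /^[[:space:]]+[A-Za-z0-9_-]+:/ { exit }
+in_block { print }
+' "$compose_file"
+)"
+if grep -Eq '^[[:space:]]+ports:' <<<"$kratos_block"; then
+echo "ERROR: $compose_file must not publish Kratos ports directly." >&2
+failures=$((failures + 1))
+fi
+done
+
+if [[ "$failures" -gt 0 ]]; then
+exit 1
+fi
+
+echo "OK: Kratos public API is not exposed through Oathkeeper rules or compose ports."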
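Review bot: The compose check is effectively inert: in the awk program, `in_block && /^[[:space:]]+[A-Za-z0-9_-]+:/ { exit }` also matches the first child key of the kratos service (`image:`, `container_name:`, …), so for a typically written service `kratos_block` holds only the `kratos:` line and the `ports:` grep can never fire, making the guard pass regardless of what the compose files publish. The exit test should compare indentation so that only a sibling service or a top-level key ends the block; a rewrite is below. Even so the block still starts at the first indented `kratos:` in the file, so a `kratos:` entry under another service's `depends_on:` that precedes the service definition would capture the wrong lines — presumably worth anchoring to the `services:` level if the compose files have that shape. Separately, an empty `rule_files` (both directories missing or no `rules*.json` present) lets the script print the final OK without having checked a single rule, because a failing `find` inside the process substitution is not seen by `set -e`; add `(( ${#rule_files[@]} > 0 )) || { echo "ERROR: no Oathkeeper rules files found under $repo_root" >&2; exit 1; }` right after the read loop.
```shell
kratos_block="$(
  awk '
    /^[[:space:]]+kratos:/ { match($0, /^[[:space:]]+/); indent = RLENGTH; in_block = 1; print; next }
    in_block {
      # a key at the same or shallower indentation is a sibling service or a top-level key
      match($0, /^[[:space:]]*/)
      if (RLENGTH <= indent && $0 ~ /^[[:space:]]*[A-Za-z0-9_-]+:/) exit
      print
    }
  ' "$compose_file"
)"
# … unchanged: ports grep and failure counting …
```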