worksmobile 연동 & ory stack 26.2.0으로 업그레이드

test/env_secret_file_policy_test.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+env_file="$repo_root/.env"
+gitignore_file="$repo_root/.gitignore"
+
+if [[ -f "$env_file" ]] && grep -q -- "-----BEGIN PRIVATE KEY-----" "$env_file"; then
+  echo "ERROR: .env must not contain a multi-line PEM private key; put it under config/ and reference WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE." >&2
+  exit 1
+fi
+
+if [[ -f "$env_file" ]] && ! grep -q '^WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE=' "$env_file"; then
+  echo "ERROR: .env must reference WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE." >&2
+  exit 1
+fi
+
+if ! grep -Eq '(^|/)config/\*\.pem$' "$gitignore_file"; then
+  echo "ERROR: .gitignore must ignore config/*.pem secret files." >&2
+  exit 1
+fi
+
+make --dry-run --always-make -C "$repo_root" dev DEV_SERVICES="backend adminfront" >/dev/null

test/oathkeeper_access_log_e2e_test.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+require_container() {
+  local name="$1"
+  if ! docker inspect "$name" >/dev/null 2>&1; then
+    echo "ERROR: required container is missing: $name" >&2
+    exit 1
+  fi
+}
+
+for container in ory_oathkeeper ory_vector ory_clickhouse baron_backend; do
+  require_container "$container"
+done
+
+vector_state="$(docker inspect -f '{{.State.Status}}' ory_vector)"
+if [[ "$vector_state" != "running" ]]; then
+  echo "ERROR: ory_vector must be running, got: $vector_state" >&2
+  docker logs --tail 100 ory_vector >&2 || true
+  exit 1
+fi
+
+before_lines="$(docker exec ory_oathkeeper sh -lc 'test -f /var/log/oathkeeper/access.log && wc -l < /var/log/oathkeeper/access.log || echo 0')"
+before_rows="$(docker exec ory_clickhouse clickhouse-client --user "${ORY_CLICKHOUSE_USER:-ory}" --password "${ORY_CLICKHOUSE_PASSWORD:-orypass}" --query "SELECT count() FROM ory.oathkeeper_access_logs")"
+
+docker run --rm --network public_net curlimages/curl:8.10.1 \
+  -fsS http://ory_oathkeeper:4455/health >/dev/null
+
+deadline=$((SECONDS + 20))
+after_lines="$before_lines"
+while (( SECONDS < deadline )); do
+  after_lines="$(docker exec ory_oathkeeper sh -lc 'test -f /var/log/oathkeeper/access.log && wc -l < /var/log/oathkeeper/access.log || echo 0')"
+  if (( after_lines > before_lines )); then
+    break
+  fi
+  sleep 1
+done
+
+if (( after_lines <= before_lines )); then
+  echo "ERROR: Oathkeeper access log did not grow after a proxied request." >&2
+  docker exec ory_oathkeeper sh -lc 'ls -l /var/log/oathkeeper && tail -n 50 /var/log/oathkeeper/access.log 2>/dev/null || true' >&2
+  exit 1
+fi
+
+deadline=$((SECONDS + 30))
+after_rows="$before_rows"
+while (( SECONDS < deadline )); do
+  after_rows="$(docker exec ory_clickhouse clickhouse-client --user "${ORY_CLICKHOUSE_USER:-ory}" --password "${ORY_CLICKHOUSE_PASSWORD:-orypass}" --query "SELECT count() FROM ory.oathkeeper_access_logs")"
+  if (( after_rows > before_rows )); then
+    break
+  fi
+  sleep 2
+done
+
+if (( after_rows <= before_rows )); then
+  echo "ERROR: Vector did not insert the new Oathkeeper access log into ClickHouse." >&2
+  echo "before_rows=$before_rows after_rows=$after_rows" >&2
+  docker logs --tail 100 ory_vector >&2 || true
+  exit 1
+fi

test/ory_log_pipeline_policy_test.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+docker run --rm \
+  -e ORY_CLICKHOUSE_USER=ory \
+  -e ORY_CLICKHOUSE_PASSWORD=orypass \
+  -v "$repo_root/docker/ory/vector:/etc/vector:ro" \
+  timberio/vector:0.36.0-alpine validate --no-environment /etc/vector/vector.toml >/dev/null
+
+if grep -q '/etc/config/oathkeeper/rules.active.json' "$repo_root/docker/ory/oathkeeper/entrypoint.sh"; then
+  echo "ERROR: Oathkeeper entrypoint must not write active rules into the bind-mounted config directory." >&2
+  exit 1
+fi
+
+if ! grep -q 'file:///tmp/oathkeeper/rules.active.json' "$repo_root/docker/ory/oathkeeper/oathkeeper.yml"; then
+  echo "ERROR: Oathkeeper config must load active rules from writable runtime storage." >&2
+  exit 1
+fi
+
+if ! grep -q '^version: v26.2.0$' "$repo_root/docker/ory/kratos/kratos.yml"; then
+  echo "ERROR: Kratos config version must match the v26.2.0 runtime." >&2
+  exit 1
+fi
+
+cookie_secret="$(grep -E '^COOKIE_SECRET=' "$repo_root/.env" | cut -d= -f2-)"
+if [[ ${#cookie_secret} -ne 32 ]]; then
+  echo "ERROR: COOKIE_SECRET must be exactly 32 bytes/chars for backend encryptcookie." >&2
+  exit 1
+fi
+
+root_config="$(
+  docker compose --env-file "$repo_root/.env" -f "$repo_root/compose.ory.yaml" config
+)"
+if ! grep -q "oathkeeper_logs_init:" <<<"$root_config"; then
+  echo "ERROR: compose.ory.yaml must initialize the Oathkeeper log volume permissions." >&2
+  exit 1
+fi

test/ory_v26_compose_policy_test.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+root_config="$(
+  docker compose --env-file "$repo_root/.env" -f "$repo_root/compose.ory.yaml" config
+)"
+docker_config="$(
+  docker compose --env-file "$repo_root/.env" -f "$repo_root/docker/compose.ory.yaml" config
+)"
+
+for service in kratos hydra keto oathkeeper; do
+  version_key="$(tr '[:lower:]' '[:upper:]' <<<"$service")_VERSION"
+  expected_version="$(grep -E "^${version_key}=" "$repo_root/.env" | cut -d= -f2-)"
+  if [[ -z "$expected_version" ]]; then
+    echo "ERROR: $version_key must be set in .env" >&2
+    exit 1
+  fi
+  if ! grep -q "image: oryd/${service}:${expected_version}" <<<"$root_config"; then
+    echo "ERROR: compose.ory.yaml must render oryd/${service}:${expected_version}" >&2
+    exit 1
+  fi
+done
+
+if grep -q "oryd/hydra:v25.4.0" <<<"$root_config"; then
+  echo "ERROR: compose.ory.yaml must not hard-code init-rp to hydra v25.4.0." >&2
+  exit 1
+fi
+
+root_init_rp="$(
+  awk 'in_block && /^    [A-Za-z0-9_-]+:/ { exit } /^    init-rp:/ { in_block=1 } in_block { print }' "$repo_root/compose.ory.yaml"
+)"
+docker_init_rp="$(
+  awk 'in_block && /^    [A-Za-z0-9_-]+:/ { exit } /^    init-rp:/ { in_block=1 } in_block { print }' "$repo_root/docker/compose.ory.yaml"
+)"
+if grep -q "image: oryd/hydra" <<<"$root_init_rp$docker_init_rp"; then
+  echo "ERROR: init-rp must not use the Hydra service image because distroless tags do not provide /bin/sh." >&2
+  exit 1
+fi
+
+if ! grep -q "migrate sql up" "$repo_root/compose.ory.yaml"; then
+  echo "ERROR: compose.ory.yaml Kratos migration must use migrate sql up." >&2
+  exit 1
+fi
+
+if ! grep -q "keto-migrate:" <<<"$docker_config"; then
+  echo "ERROR: docker/compose.ory.yaml must include keto-migrate for clean Ory installs." >&2
+  exit 1
+fi
+
+if grep -q "releases/download/v25.4.0" "$repo_root/docker/staging_pull_compose.template.yaml"; then
+  echo "ERROR: staging pull compose must not download a hard-coded Hydra v25.4.0 CLI." >&2
+  exit 1
+fi