Harden WORKS image deploy startup path
@@ -19,7 +19,41 @@ require_env WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID
|
||||
|
||||
[[ -f "$IMAGE_DEPLOY_BUNDLE_FILE" ]] || die "bundle file not found: $IMAGE_DEPLOY_BUNDLE_FILE"
|
||||
|
||||
log() {
|
||||
printf '==> %s\n' "$*" >&2
|
||||
}
|
||||
|
||||
refresh_works_drive_access_token() {
|
||||
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_ID is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
||||
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
||||
[[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]] || die "WORKS_DRIVE_OAUTH_REFRESH_TOKEN is required for refresh-token mode."
|
||||
|
||||
local token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
|
||||
local response
|
||||
local access_token
|
||||
local rotated_refresh_token
|
||||
|
||||
log "Refreshing WORKS Drive access token"
|
||||
response="$(curl -fsS -X POST "$token_url" \
|
||||
-H "Content-Type: application/x-www-form-urlencoded" \
|
||||
--data-urlencode "grant_type=refresh_token" \
|
||||
--data-urlencode "refresh_token=${WORKS_DRIVE_OAUTH_REFRESH_TOKEN}" \
|
||||
--data-urlencode "client_id=${WORKS_DRIVE_OAUTH_CLIENT_ID}" \
|
||||
--data-urlencode "client_secret=${WORKS_DRIVE_OAUTH_CLIENT_SECRET}")"
|
||||
access_token="$(jq -er '.access_token' <<<"$response")"
|
||||
rotated_refresh_token="$(jq -r '.refresh_token // empty' <<<"$response")"
|
||||
if [[ -n "$rotated_refresh_token" && "$rotated_refresh_token" != "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN" ]]; then
|
||||
printf 'WARNING: WORKS returned a rotated refresh token. Update WORKS_DRIVE_REFRESH_TOKEN before the old token ages out.\n' >&2
|
||||
fi
|
||||
printf '%s\n' "$access_token"
|
||||
}
|
||||
|
||||
resolve_works_drive_access_token() {
|
||||
if [[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]]; then
|
||||
refresh_works_drive_access_token
|
||||
return
|
||||
fi
|
||||
|
||||
if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN:-}" ]]; then
|
||||
printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN"
|
||||
return
|
||||
@@ -41,30 +75,6 @@ resolve_works_drive_access_token() {
|
||||
return
|
||||
fi
|
||||
|
||||
if [[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]]; then
|
||||
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_ID is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
||||
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
||||
|
||||
local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
|
||||
local response
|
||||
local access_token
|
||||
local rotated_refresh_token
|
||||
|
||||
response="$(curl -fsS -X POST "$token_url" \
|
||||
-H "Content-Type: application/x-www-form-urlencoded" \
|
||||
--data-urlencode "grant_type=refresh_token" \
|
||||
--data-urlencode "refresh_token=${WORKS_DRIVE_OAUTH_REFRESH_TOKEN}" \
|
||||
--data-urlencode "client_id=${WORKS_DRIVE_OAUTH_CLIENT_ID}" \
|
||||
--data-urlencode "client_secret=${WORKS_DRIVE_OAUTH_CLIENT_SECRET}")"
|
||||
access_token="$(jq -er '.access_token' <<<"$response")"
|
||||
rotated_refresh_token="$(jq -r '.refresh_token // empty' <<<"$response")"
|
||||
if [[ -n "$rotated_refresh_token" && "$rotated_refresh_token" != "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN" ]]; then
|
||||
printf 'WARNING: WORKS returned a rotated refresh token. Update WORKS_DRIVE_REFRESH_TOKEN before the old token ages out.\n' >&2
|
||||
fi
|
||||
printf '%s\n' "$access_token"
|
||||
return
|
||||
fi
|
||||
|
||||
die "Missing WORKS Drive access auth. Provide WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_FILE, WORKS_DRIVE_ACCESS_TOKEN_CMD, or WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
||||
}
|
||||
|
||||
@@ -87,6 +97,19 @@ printf '%s\n' "$works_drive_access_token" | ssh "${DEPLOY_USER}@${DEPLOY_HOST}"
|
||||
export WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID='${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}'; \
|
||||
export WORKS_DRIVE_DOCKER_IMAGE_DIR='${WORKS_DRIVE_DOCKER_IMAGE_DIR:-baron-sso}'; \
|
||||
export WORKS_ADMIN_API_BASE_URL='${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}'; \
|
||||
echo '==> Validating image deploy compose config'; \
|
||||
docker compose --env-file .env -f docker-compose.yml config >/dev/null; \
|
||||
echo '==> Downloading and loading WORKS Drive application images'; \
|
||||
scripts/docker-image/download_works_drive.sh; \
|
||||
set -a; \
|
||||
. ./.env; \
|
||||
set +a; \
|
||||
echo '==> Verifying loaded application images'; \
|
||||
for image_ref in \"\${BACKEND_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${USERFRONT_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${ADMINFRONT_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${DEVFRONT_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${ORGFRONT_IMAGE_NAME}:\${IMAGE_TAG}\"; do \
|
||||
docker image inspect \"\${image_ref}\" >/dev/null; \
|
||||
done; \
|
||||
echo '==> Prefetching runtime images before compose up'; \
|
||||
docker compose --env-file .env -f docker-compose.yml pull --ignore-pull-failures; \
|
||||
echo '==> Starting production image stack'; \
|
||||
docker compose --env-file .env -f docker-compose.yml up -d --remove-orphans; \
|
||||
docker compose --env-file .env -f docker-compose.yml ps"
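Review bot: In refresh_works_drive_access_token the refresh token and client secret are handed to curl on its command line (`--data-urlencode "refresh_token=${WORKS_DRIVE_OAUTH_REFRESH_TOKEN}"` and the `client_secret=` line that follows), so for the lifetime of the request they are readable in the process table by any local user on the deploy runner, and they would be written to the log if the script is ever traced with `set -x`. Let curl read those two fields from a descriptor instead of argv: `--data-urlencode refresh_token@<(printf '%s' "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN")` and `--data-urlencode client_secret@<(printf '%s' "$WORKS_DRIVE_OAUTH_CLIENT_SECRET")`, which exposes only a `/dev/fd/N` path (the `<(...)` must sit outside the double quotes or bash will not expand it). Because `token_url` is now overridable through two environment variables, it is also worth refusing a non-TLS endpoint before the secret is posted: `[[ "$token_url" == https://* ]] || die "token URL must use https: $token_url"`. Separately, the rotated-refresh-token warning tells the operator to update `WORKS_DRIVE_REFRESH_TOKEN`, but the variable the script actually reads is `WORKS_DRIVE_OAUTH_REFRESH_TOKEN`, so someone following the message would set the wrong name. In the ssh hunk the `export ...='${VAR:-default}'` lines splice local values into a single-quoted remote command, so a value containing a quote would break out into the remote shell; `printf '%q'` on each value would close that, though whether those lines are new in this commit cannot be recovered from the page.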
|
||||
|
||||