웍스 드라이브 구조 변경

scripts/deploy/build_image_deploy_bundle.sh

@@ -29,7 +29,6 @@ require_env ADMINFRONT_URL
 require_env DEVFRONT_URL
 require_env ORGFRONT_URL
 require_env VITE_OIDC_AUTHORITY
-require_env HARBOR_HOSTNAME
 
 if ! printf '%s' "$IMAGE_TAG" | grep -Eq '^v[0-9]+\.[0-9]{4}\.[0-9a-f]{4}$'; then
   die "IMAGE_TAG must look like vX.YYMM.ab12 (got: $IMAGE_TAG)"
@@ -59,6 +58,10 @@ compose_template="${IMAGE_DEPLOY_COMPOSE_TEMPLATE:-$repo_root/deploy/templates/d
 rm -rf "$bundle_dir"
 TARGET_DIR="$bundle_dir" bash "$repo_root/deploy/create-instance.sh" "$instance_name" "$port_prefix"
 cp "$compose_template" "$bundle_dir/docker-compose.yml"
+mkdir -p "$bundle_dir/scripts/docker-image" "$bundle_dir/scripts/backup/lib"
+cp "$repo_root/scripts/docker-image/download_works_drive.sh" "$bundle_dir/scripts/docker-image/download_works_drive.sh"
+cp "$repo_root/scripts/backup/lib/common.sh" "$bundle_dir/scripts/backup/lib/common.sh"
+chmod +x "$bundle_dir/scripts/docker-image/download_works_drive.sh"
 
 sed "s/{{BACKEND_PORT}}/${IMAGE_DEPLOY_BACKEND_PORT}/g" \
   "$repo_root/deploy/templates/gateway/nginx.conf" >"$bundle_dir/gateway/nginx.conf"

scripts/deploy/upload_and_run_image_deploy.sh

@@ -15,25 +15,78 @@ require_env IMAGE_DEPLOY_BUNDLE_FILE
 require_env DEPLOY_HOST
 require_env DEPLOY_USER
 require_env DEPLOY_PATH
-require_env HARBOR_ENDPOINT
-require_env HARBOR_ROBOT_ACCOUNT
-require_env HARBOR_ROBOT_KEY
+require_env WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID
 
 [[ -f "$IMAGE_DEPLOY_BUNDLE_FILE" ]] || die "bundle file not found: $IMAGE_DEPLOY_BUNDLE_FILE"
 
+resolve_works_drive_access_token() {
+  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN:-}" ]]; then
+    printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN"
+    return
+  fi
+
+  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_INPUT:-}" ]]; then
+    printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN_INPUT"
+    return
+  fi
+
+  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_FILE:-}" ]]; then
+    [[ -f "$WORKS_DRIVE_ACCESS_TOKEN_FILE" ]] || die "WORKS_DRIVE_ACCESS_TOKEN_FILE not found: $WORKS_DRIVE_ACCESS_TOKEN_FILE"
+    sed -n '1p' "$WORKS_DRIVE_ACCESS_TOKEN_FILE"
+    return
+  fi
+
+  if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]]; then
+    sh -c "$WORKS_DRIVE_ACCESS_TOKEN_CMD"
+    return
+  fi
+
+  if [[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]]; then
+    [[ -n "${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_ID is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
+    [[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
+
+    local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
+    local response
+    local access_token
+    local rotated_refresh_token
+
+    response="$(curl -fsS -X POST "$token_url" \
+      -H "Content-Type: application/x-www-form-urlencoded" \
+      --data-urlencode "grant_type=refresh_token" \
+      --data-urlencode "refresh_token=${WORKS_DRIVE_OAUTH_REFRESH_TOKEN}" \
+      --data-urlencode "client_id=${WORKS_DRIVE_OAUTH_CLIENT_ID}" \
+      --data-urlencode "client_secret=${WORKS_DRIVE_OAUTH_CLIENT_SECRET}")"
+    access_token="$(jq -er '.access_token' <<<"$response")"
+    rotated_refresh_token="$(jq -r '.refresh_token // empty' <<<"$response")"
+    if [[ -n "$rotated_refresh_token" && "$rotated_refresh_token" != "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN" ]]; then
+      printf 'WARNING: WORKS returned a rotated refresh token. Update WORKS_DRIVE_REFRESH_TOKEN before the old token ages out.\n' >&2
+    fi
+    printf '%s\n' "$access_token"
+    return
+  fi
+
+  die "Missing WORKS Drive access auth. Provide WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_FILE, WORKS_DRIVE_ACCESS_TOKEN_CMD, or WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
+}
+
 remote_bundle="/tmp/baron-sso-image-deploy-$(date -u '+%Y%m%d%H%M%S').tgz"
+works_drive_access_token="$(resolve_works_drive_access_token)"
 
 ssh-keyscan -H "$DEPLOY_HOST" >>~/.ssh/known_hosts
 scp "$IMAGE_DEPLOY_BUNDLE_FILE" "${DEPLOY_USER}@${DEPLOY_HOST}:${remote_bundle}"
 
-echo "$HARBOR_ROBOT_KEY" | ssh "${DEPLOY_USER}@${DEPLOY_HOST}" \
+printf '%s\n' "$works_drive_access_token" | ssh "${DEPLOY_USER}@${DEPLOY_HOST}" \
   "set -euo pipefail; \
+   read -r works_drive_access_token; \
    mkdir -p '${DEPLOY_PATH}'; \
    tar -xzf '${remote_bundle}' -C '${DEPLOY_PATH}'; \
    cd '${DEPLOY_PATH}'; \
    chmod 600 .env; \
    docker network inspect traefik-public >/dev/null 2>&1 || docker network create traefik-public; \
-   docker login '${HARBOR_ENDPOINT}' -u '${HARBOR_ROBOT_ACCOUNT}' --password-stdin; \
-   docker compose --env-file .env -f docker-compose.yml pull; \
+   export WORKS_DRIVE_ACCESS_TOKEN=\"\${works_drive_access_token}\"; \
+   export WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID='${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}'; \
+   export WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID='${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}'; \
+   export WORKS_DRIVE_DOCKER_IMAGE_DIR='${WORKS_DRIVE_DOCKER_IMAGE_DIR:-baron-sso}'; \
+   export WORKS_ADMIN_API_BASE_URL='${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}'; \
+   scripts/docker-image/download_works_drive.sh; \
    docker compose --env-file .env -f docker-compose.yml up -d --remove-orphans; \
    docker compose --env-file .env -f docker-compose.yml ps"