production 푸시 초안
102
test/works_drive_refresh_token_policy_test.sh
Executable file
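--- a/test/works_drive_refresh_token_policy_test.sh
+++ b/test/works_drive_refresh_token_policy_test.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+fail() {
+echo "ERROR: $*" >&2
+exit 1
+}
+
+script="$repo_root/scripts/backup/refresh_works_drive_token.sh"
+[[ -f "$script" ]] || fail "refresh_works_drive_token.sh must exist."
+
+tmp_dir="$(mktemp -d /tmp/baron-sso-works-drive-token-test.XXXXXX)"
+trap 'rm -rf "$tmp_dir"' EXIT INT TERM
+
+env_file="$tmp_dir/.env"
+cat >"$env_file" <<'EOF'
+WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
+WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
+WORKS_DRIVE_OAUTH_REDIRECT_URI=https://example.test/callback
+WORKS_DRIVE_OAUTH_REFRESH_TOKEN=old-refresh-token
+WORKS_DRIVE_AUTH_MODE=auto
+EOF
+chmod 600 "$env_file"
+
+curl_log="$tmp_dir/curl.log"
+fake_curl="$tmp_dir/fake-curl.sh"
+cat >"$fake_curl" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf '%s\n' "$*" >>"${FAKE_CURL_LOG}"
+
+if [[ "$*" == *"grant_type=refresh_token"* ]]; then
+printf '{"access_token":"new-access-token","refresh_token":"new-refresh-token","expires_in":"86400","token_type":"Bearer","scope":"file"}'
+exit 0
+fi
+
+if [[ "$*" == *"grant_type=authorization_code"* ]]; then
+printf '{"access_token":"code-access-token","refresh_token":"code-refresh-token","expires_in":"86400","token_type":"Bearer","scope":"file"}'
+exit 0
+fi
+
+echo "unexpected curl arguments: $*" >&2
+exit 2
+EOF
+chmod +x "$fake_curl"
+
+WORKS_DRIVE_ENV_FILE="$env_file" \
+WORKS_DRIVE_CURL_BIN="$fake_curl" \
+FAKE_CURL_LOG="$curl_log" \
+"$script" >"$tmp_dir/refresh.out"
+
+grep -Fq "WORKS Drive refresh token updated" "$tmp_dir/refresh.out" || fail "refresh-token mode must update the refresh token."
+grep -Fq "grant_type=refresh_token" "$curl_log" || fail "refresh-token mode must call refresh_token grant."
+grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN=new-refresh-token" "$env_file" || fail ".env must contain the rotated refresh token."
+grep -Fq "WORKS_DRIVE_AUTH_MODE=refresh-token" "$env_file" || fail ".env must prefer refresh-token mode after token refresh."
+[[ "$(stat -c '%a' "$env_file")" == "600" ]] || fail ".env mode must be preserved after refresh token update."
+if grep -Fq "new-access-token" "$env_file"; then
+fail "short-lived access token must not be persisted by default."
+fi
+
+auth_env_file="$tmp_dir/.env.auth-code"
+cat >"$auth_env_file" <<'EOF'
+WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
+WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
+WORKS_DRIVE_OAUTH_REDIRECT_URI=https://example.test/callback
+EOF
+
+WORKS_DRIVE_ENV_FILE="$auth_env_file" \
+WORKS_DRIVE_CURL_BIN="$fake_curl" \
+WORKS_DRIVE_TOKEN_GRANT=authorization-code \
+WORKS_DRIVE_AUTH_CALLBACK_URL="https://example.test/callback?code=auth-code-1&state=state-1" \
+FAKE_CURL_LOG="$curl_log" \
+"$script" >"$tmp_dir/auth-code.out"
+
+grep -Fq "WORKS Drive refresh token updated" "$tmp_dir/auth-code.out" || fail "authorization-code mode must update the refresh token."
+grep -Fq "grant_type=authorization_code" "$curl_log" || fail "authorization-code mode must call authorization_code grant."
+grep -Fq "code=auth-code-1" "$curl_log" || fail "authorization-code mode must extract code from callback URL."
+grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN=code-refresh-token" "$auth_env_file" || fail ".env must contain authorization-code refresh token."
+
+authorize_url="$(
+WORKS_DRIVE_ENV_FILE="$auth_env_file" \
+WORKS_DRIVE_TOKEN_GRANT=print-authorize-url \
+"$script"
+)"
+
+grep -Fq "https://auth.worksmobile.com/oauth2/v2.0/authorize" <<<"$authorize_url" || fail "print-authorize-url mode must print WORKS authorize URL."
+grep -Fq "client_id=client-id-1" <<<"$authorize_url" || fail "authorize URL must include client_id."
+grep -Fq "response_type=code" <<<"$authorize_url" || fail "authorize URL must request an authorization code."
+
+make_dry_run="$(
+make --dry-run --always-make -C "$repo_root" works-drive-refresh-token WORKS_DRIVE_TOKEN_GRANT=refresh-token 2>&1
+)"
+
+grep -Fq "scripts/backup/refresh_works_drive_token.sh" <<<"$make_dry_run" || fail "Makefile target must call refresh token script."
+grep -Fq "WORKS_DRIVE_TOKEN_GRANT=\"refresh-token\"" <<<"$make_dry_run" || fail "Makefile target must pass token grant."
+if grep -Fq "docker run" <<<"$make_dry_run"; then
+fail "Makefile target must refresh .env on the host, not inside Docker."
+fi
+
+echo "OK: WORKS Drive refresh token helper updates env and supports authorization-code bootstrap"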
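Review bot: The authorization-code block asserts less than the refresh-token block: `$auth_env_file` is created under the default umask with no `chmod 600`, and once the script has written `code-refresh-token` into it nothing checks the file mode or that `code-access-token` was not persisted. Mirroring the earlier checks would close that gap, for example `[[ "$(stat -c '%a' "$auth_env_file")" == "600" ]] || fail ".env mode must be restrictive after authorization-code bootstrap."` and `if grep -Fq "code-access-token" "$auth_env_file"; then fail "short-lived access token must not be persisted by default."; fi`. Whether the script tightens a loosely permissioned file or only preserves the mode it finds is not visible on this page, so the test may first need its own `chmod 600 "$auth_env_file"`. Separately, the assertions grep the fake curl's `$*` for `grant_type=` and `code=`, which suggests the script passes grant parameters on curl's command line; if the client secret and refresh token travel the same way they would be readable from the process list, so that is worth confirming in refresh_works_drive_token.sh.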