#!/usr/bin/env bash
# End-to-end check of scripts/backup/refresh_works_drive_token.sh with a stubbed
# curl. Covers: refresh-token rotation into .env, authorization-code bootstrap
# from a callback URL, printing the authorize URL, and the Makefile target that
# drives the helper. Every credential below is a fixture value written into a
# private mktemp directory; no network call leaves the machine.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
script="$repo_root/scripts/backup/refresh_works_drive_token.sh"

#######################################
# Report a failed assertion on stderr and abort the run.
# Arguments: the message to print after "ERROR: "
#######################################
fail() {
  echo "ERROR: $*" >&2
  exit 1
}

#######################################
# Install the curl stand-in at $1. It appends its full argument vector to
# FAKE_CURL_LOG (so tests can assert which grant was requested) and answers
# the two grants the helper is allowed to issue; any other request is a
# hard failure so an unexpected call cannot pass silently.
# Arguments: $1 - path of the fake curl to create
#######################################
write_fake_curl() {
  local target=$1
  cat >"$target" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf '%s\n' "$*" >>"${FAKE_CURL_LOG}"
if [[ "$*" == *"grant_type=refresh_token"* ]]; then
  printf '{"access_token":"new-access-token","refresh_token":"new-refresh-token","expires_in":"86400","token_type":"Bearer","scope":"file"}'
  exit 0
fi
if [[ "$*" == *"grant_type=authorization_code"* ]]; then
  printf '{"access_token":"code-access-token","refresh_token":"code-refresh-token","expires_in":"86400","token_type":"Bearer","scope":"file"}'
  exit 0
fi
echo "unexpected curl arguments: $*" >&2
exit 2
EOF
  chmod +x "$target"
}

#######################################
# Scenario 1: an .env that already holds a refresh token gets it rotated.
# Also checks that the file mode (600, a secrets file) survives the rewrite
# and that the short-lived access token is not written to disk.
# Arguments: $1 env file, $2 fake curl, $3 curl log, $4 stdout capture path
#######################################
check_refresh_token_grant() {
  local env_file=$1 fake_curl=$2 curl_log=$3 out=$4

  WORKS_DRIVE_ENV_FILE="$env_file" \
    WORKS_DRIVE_CURL_BIN="$fake_curl" \
    FAKE_CURL_LOG="$curl_log" \
    "$script" >"$out"

  if ! grep -Fq "WORKS Drive refresh token updated" "$out"; then
    fail "refresh-token mode must update the refresh token."
  fi
  if ! grep -Fq "grant_type=refresh_token" "$curl_log"; then
    fail "refresh-token mode must call refresh_token grant."
  fi
  if ! grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN=new-refresh-token" "$env_file"; then
    fail ".env must contain the rotated refresh token."
  fi
  if ! grep -Fq "WORKS_DRIVE_AUTH_MODE=refresh-token" "$env_file"; then
    fail ".env must prefer refresh-token mode after token refresh."
  fi

  # The helper rewrites the secrets file; a widened mode would leak credentials.
  local mode
  mode="$(stat -c '%a' "$env_file")"
  if [[ "$mode" != "600" ]]; then
    fail ".env mode must be preserved after refresh token update."
  fi
  # Only the long-lived refresh token belongs in .env.
  if grep -Fq "new-access-token" "$env_file"; then
    fail "short-lived access token must not be persisted by default."
  fi
}

#######################################
# Scenario 2: bootstrap from an OAuth callback URL. The env has no refresh
# token yet; the helper must extract `code=` from the URL and exchange it.
# Arguments: $1 env file, $2 fake curl, $3 curl log, $4 stdout capture path
#######################################
check_authorization_code_grant() {
  local env_file=$1 fake_curl=$2 curl_log=$3 out=$4

  WORKS_DRIVE_ENV_FILE="$env_file" \
    WORKS_DRIVE_CURL_BIN="$fake_curl" \
    WORKS_DRIVE_TOKEN_GRANT=authorization-code \
    WORKS_DRIVE_AUTH_CALLBACK_URL="https://example.test/callback?code=auth-code-1&state=state-1" \
    FAKE_CURL_LOG="$curl_log" \
    "$script" >"$out"

  grep -Fq "WORKS Drive refresh token updated" "$out" \
    || fail "authorization-code mode must update the refresh token."
  grep -Fq "grant_type=authorization_code" "$curl_log" \
    || fail "authorization-code mode must call authorization_code grant."
  grep -Fq "code=auth-code-1" "$curl_log" \
    || fail "authorization-code mode must extract code from callback URL."
  grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN=code-refresh-token" "$env_file" \
    || fail ".env must contain authorization-code refresh token."
}

#######################################
# Scenario 3: print-authorize-url emits the WORKS authorize endpoint with the
# configured client_id and response_type=code. No curl is involved here.
# Arguments: $1 env file
#######################################
check_print_authorize_url() {
  local env_file=$1
  local authorize_url
  authorize_url="$(
    WORKS_DRIVE_ENV_FILE="$env_file" \
      WORKS_DRIVE_TOKEN_GRANT=print-authorize-url \
      "$script"
  )"

  local -a needles=(
    "https://auth.worksmobile.com/oauth2/v2.0/authorize"
    "client_id=client-id-1"
    "response_type=code"
  )
  local -a reasons=(
    "print-authorize-url mode must print WORKS authorize URL."
    "authorize URL must include client_id."
    "authorize URL must request an authorization code."
  )
  local i
  for i in "${!needles[@]}"; do
    grep -Fq "${needles[$i]}" <<<"$authorize_url" || fail "${reasons[$i]}"
  done
}

#######################################
# Scenario 4: the Makefile target must invoke the helper on the host (not via
# `docker run`, which would not see the host .env) and forward the grant.
#######################################
check_makefile_target() {
  local dry_run
  dry_run="$(
    make --dry-run --always-make -C "$repo_root" works-drive-refresh-token WORKS_DRIVE_TOKEN_GRANT=refresh-token 2>&1
  )"

  grep -Fq "scripts/backup/refresh_works_drive_token.sh" <<<"$dry_run" \
    || fail "Makefile target must call refresh token script."
  grep -Fq "WORKS_DRIVE_TOKEN_GRANT=\"refresh-token\"" <<<"$dry_run" \
    || fail "Makefile target must pass token grant."
  if grep -Fq "docker run" <<<"$dry_run"; then
    fail "Makefile target must refresh .env on the host, not inside Docker."
  fi
}

main() {
  [[ -f "$script" ]] || fail "refresh_works_drive_token.sh must exist."

  local tmp_dir
  tmp_dir="$(mktemp -d /tmp/baron-sso-works-drive-token-test.XXXXXX)"
  trap 'rm -rf "$tmp_dir"' EXIT INT TERM

  local curl_log="$tmp_dir/curl.log"
  local fake_curl="$tmp_dir/fake-curl.sh"
  write_fake_curl "$fake_curl"

  # Fixture .env with an existing refresh token; mode 600 is what the helper
  # is expected to preserve.
  local env_file="$tmp_dir/.env"
  cat >"$env_file" <<'EOF'
WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
WORKS_DRIVE_OAUTH_REDIRECT_URI=https://example.test/callback
WORKS_DRIVE_OAUTH_REFRESH_TOKEN=old-refresh-token
WORKS_DRIVE_AUTH_MODE=auto
EOF
  chmod 600 "$env_file"
  check_refresh_token_grant "$env_file" "$fake_curl" "$curl_log" "$tmp_dir/refresh.out"

  # Fixture .env without a refresh token, for the authorization-code path.
  local auth_env_file="$tmp_dir/.env.auth-code"
  cat >"$auth_env_file" <<'EOF'
WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
WORKS_DRIVE_OAUTH_REDIRECT_URI=https://example.test/callback
EOF
  check_authorization_code_grant "$auth_env_file" "$fake_curl" "$curl_log" "$tmp_dir/auth-code.out"

  check_print_authorize_url "$auth_env_file"
  check_makefile_target

  echo "OK: WORKS Drive refresh token helper updates env and supports authorization-code bootstrap"
}

main "$@"