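#!/usr/bin/env bash
#
# Mock-driven test for scripts/backup/upload_cloud.sh.
#
# Builds a throw-away backup fixture, substitutes fake curl/zstd/openssl
# executables, and runs upload_cloud.sh in several authentication modes:
#   1. BACKUP missing              -> must fail with an explicit message
#   2. static access token         -> upload + report upload + cloud-upload.json
#   3. auto mode, service account  -> jwt-bearer grant, never refresh_token
#   4. empty env override + .env   -> .env refresh-token mode still applies
#   5. forced refresh-token mode   -> refresh_token grant, never jwt-bearer
#   6. dry run                     -> no curl call
#
# Every file the test writes lives under one mktemp directory that is removed
# on exit. No request leaves the machine while WORKS_DRIVE_CURL_BIN points at
# the fake curl below.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
upload_script="$repo_root/scripts/backup/upload_cloud.sh"

# Print an error on stderr and abort the test run.
fail() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

tmp_dir="$(mktemp -d /tmp/baron-sso-upload-cloud-test.XXXXXX)"
# ${tmp_dir:?} makes the cleanup refuse to run with an empty path.
trap 'rm -rf -- "${tmp_dir:?}"' EXIT INT TERM

# --- Backup fixture ---------------------------------------------------------
backup_dir="$tmp_dir/baron-sso-backup-20260605-000000Z"
mkdir -p "$backup_dir/postgres" "$backup_dir/reports"
printf '{"format_version":"1"}\n' >"$backup_dir/manifest.json"
printf 'postgres dump fixture\n' >"$backup_dir/postgres/baron.dump"
printf '# Baron SSO Backup Report\n' >"$backup_dir/reports/backup-report.md"
(cd "$backup_dir" && sha256sum manifest.json postgres/baron.dump >checksums.sha256)

# --- Case 1: BACKUP is mandatory --------------------------------------------
# The output goes into the private temp dir rather than a fixed name in /tmp:
# a predictable path in a world-writable directory can be pre-created (or
# symlinked) by another local user, and it was never cleaned up.
# BACKUP is unset in a subshell so that a value exported by the caller cannot
# turn this negative test into a real upload attempt.
missing_out="$tmp_dir/missing-backup.out"
if (
  unset BACKUP
  "$upload_script"
) >"$missing_out" 2>&1; then
  fail "upload_cloud.sh must require BACKUP."
fi
if ! grep -Fq "BACKUP is required" "$missing_out"; then
  fail "missing BACKUP error must be explicit."
fi

# --- Fake executables -------------------------------------------------------
curl_log="$tmp_dir/curl.log"
fake_curl="$tmp_dir/fake-curl.sh"
fake_bin="$tmp_dir/bin"
mkdir -p "$fake_bin"

# Fake curl: appends its argument list to $FAKE_CURL_LOG and answers with a
# canned JSON body selected by the last argument (the URL). An unknown URL, or
# a refresh_token grant without ALLOW_REFRESH_TOKEN_GRANT=true, exits 2.
cat >"$fake_curl" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf '%s\n' "$*" >>"${FAKE_CURL_LOG}"
last_arg="${!#}"
case "$last_arg" in
  https://auth.example.test/token)
    if [[ "$*" == *"grant_type=refresh_token"* ]]; then
      if [[ "${ALLOW_REFRESH_TOKEN_GRANT:-false}" == "true" ]]; then
        printf '{"access_token":"refresh-token-access-token"}'
        exit 0
      fi
      echo "refresh-token grant must not be used when service-account credentials are configured" >&2
      exit 2
    fi
    printf '{"access_token":"service-account-token"}'
    ;;
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/folder-1/children)
    printf '{"files":[]}'
    ;;
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/folder-1/createfolder)
    printf '{"fileId":"reports-folder-1","fileName":"reports","fileType":"FOLDER"}'
    ;;
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/folder-1)
    printf '{"uploadUrl":"https://upload.example.test/upload-1"}'
    ;;
  https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/reports-folder-1)
    printf '{"uploadUrl":"https://upload.example.test/upload-report-1"}'
    ;;
  https://upload.example.test/upload-1)
    printf '{"fileId":"file-1"}'
    ;;
  https://upload.example.test/upload-report-1)
    printf '{"fileId":"report-file-1"}'
    ;;
  *)
    echo "unexpected curl URL: $last_arg" >&2
    exit 2
    ;;
esac
EOF
chmod +x "$fake_curl"

# Fake zstd: copies stdin to stdout unchanged.
cat >"$fake_bin/zstd" <<'EOF'
#!/usr/bin/env bash
cat
EOF
chmod +x "$fake_bin/zstd"

# Fake openssl: "base64" encodes stdin on one line, "dgst" swallows stdin and
# prints a fixed marker instead of a signature; anything else exits 2.
cat >"$fake_bin/openssl" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
case "${1:-}" in
  base64)
    base64 | tr -d '\n'
    ;;
  dgst)
    cat >/dev/null
    printf 'signed-fixture'
    ;;
  *)
    echo "unexpected openssl command: $*" >&2
    exit 2
    ;;
esac
EOF
chmod +x "$fake_bin/openssl"

# --- Case 2: static access token --------------------------------------------
WORKS_DRIVE_ACCESS_TOKEN="test-access-token" \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/archive" \
FAKE_CURL_LOG="$curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
  "$upload_script" >"$tmp_dir/upload.out"

grep -Fq "Upload complete" "$tmp_dir/upload.out" ||
  fail "upload must complete with fake curl."
grep -Fq "sharedrives/shared-drive-1/files/folder-1" "$curl_log" ||
  fail "must create upload URL for the configured shared drive folder."
grep -Fq "https://upload.example.test/upload-1" "$curl_log" ||
  fail "must upload to the issued upload URL."
# NOTE(review): the fake curl records only its argument list, so this check
# (and the matching ones in cases 3 and 5) requires upload_cloud.sh to put the
# bearer token on curl's command line. Arguments are readable from the process
# table by other local users while curl runs; if the script is changed to pass
# headers from a file or stdin (curl -H @file), adapt the fake and these greps.
grep -Fq "Authorization: Bearer test-access-token" "$curl_log" ||
  fail "must pass bearer token to WORKS API calls."
grep -Fq "Filedata=@" "$curl_log" ||
  fail "must upload the packaged backup as multipart Filedata."
grep -Fq ".tar.zst" "$curl_log" ||
  fail "backup directory uploads must be packaged as .tar.zst."
grep -Fq "createfolder" "$curl_log" ||
  fail "must create or resolve a report subfolder."
grep -Fq "reports-folder-1" "$curl_log" ||
  fail "must upload markdown reports to the reports folder."
# "[.]" matches a literal dot, consistent with the jq check on file_name below.
grep -Eq "backup-report-[0-9]{8}-[0-9]{6}Z[.]md" "$curl_log" ||
  fail "must upload timestamped backup markdown report."
# The local upload report must stay local.
if grep -Fq "cloud-upload.json" "$curl_log"; then
  fail "cloud-upload.json must not be uploaded to WORKS Drive."
fi

report_file="$backup_dir/reports/cloud-upload.json"
[[ -f "$report_file" ]] || fail "upload must write reports/cloud-upload.json."
jq -e '.target == "sharedrive" and .files[0].status == "uploaded" and .report_files[0].status == "uploaded" and (.report_files[0].file_name | test("^backup-report-[0-9]{8}-[0-9]{6}Z[.]md$"))' "$report_file" >/dev/null ||
  fail "upload report must include timestamped markdown report file status."

# --- Case 3: auto mode prefers service-account credentials ------------------
# A stale refresh token is present on purpose: the fake curl rejects a
# refresh_token grant here because ALLOW_REFRESH_TOKEN_GRANT is not set.
service_account_curl_log="$tmp_dir/service-account-curl.log"
WORKS_DRIVE_AUTH_MODE="auto" \
WORKS_DRIVE_ACCESS_TOKEN="" \
WORKS_DRIVE_ACCESS_TOKEN_FILE="" \
WORKS_DRIVE_ACCESS_TOKEN_CMD="" \
WORKS_DRIVE_OAUTH_REFRESH_TOKEN="stale-refresh-token" \
WORKS_DRIVE_OAUTH_CLIENT_ID="client-id-1" \
WORKS_DRIVE_OAUTH_CLIENT_SECRET="client-secret-1" \
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT="service-account-1" \
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY="private-key-fixture" \
WORKS_ADMIN_OAUTH_TOKEN_URL="https://auth.example.test/token" \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/service-account-archive" \
FAKE_CURL_LOG="$service_account_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
  "$upload_script" >"$tmp_dir/service-account-upload.out"

grep -Fq "Upload complete" "$tmp_dir/service-account-upload.out" ||
  fail "service-account upload must complete with fake curl."
grep -Fq "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" "$service_account_curl_log" ||
  fail "service-account credentials must use jwt-bearer grant."
grep -Fq "Authorization: Bearer service-account-token" "$service_account_curl_log" ||
  fail "service-account token must be used for WORKS API calls."
if grep -Fq "grant_type=refresh_token" "$service_account_curl_log"; then
  fail "refresh-token grant must not be used when service-account credentials are configured."
fi

# --- Case 4: empty environment override must not mask .env ------------------
# BACKUP_REPO_ROOT points at a directory holding only this .env fixture, while
# WORKS_DRIVE_AUTH_MODE is exported as an empty string.
empty_override_env_dir="$tmp_dir/empty-override-repo"
mkdir -p "$empty_override_env_dir"
cat >"$empty_override_env_dir/.env" <<'EOF'
WORKS_DRIVE_AUTH_MODE=refresh-token
WORKS_DRIVE_OAUTH_REFRESH_TOKEN=fresh-refresh-token
WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT=service-account-1
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY=private-key-fixture
WORKS_ADMIN_OAUTH_TOKEN_URL=https://auth.example.test/token
WORKS_DRIVE_TARGET=sharedrive
WORKS_DRIVE_SHARED_DRIVE_ID=shared-drive-1
WORKS_DRIVE_PARENT_FILE_ID=folder-1
WORKS_DRIVE_ARCHIVE_DIR=/tmp/unused-by-test
EOF

empty_override_curl_log="$tmp_dir/empty-override-curl.log"
BACKUP_REPO_ROOT="$empty_override_env_dir" \
WORKS_DRIVE_AUTH_MODE="" \
WORKS_DRIVE_ACCESS_TOKEN="" \
WORKS_DRIVE_ACCESS_TOKEN_FILE="" \
WORKS_DRIVE_ACCESS_TOKEN_CMD="" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/empty-override-archive" \
ALLOW_REFRESH_TOKEN_GRANT="true" \
FAKE_CURL_LOG="$empty_override_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
  "$upload_script" >"$tmp_dir/empty-override-upload.out"

grep -Fq "Upload complete" "$tmp_dir/empty-override-upload.out" ||
  fail "empty WORKS_DRIVE_AUTH_MODE override must still complete with .env value."
grep -Fq "grant_type=refresh_token" "$empty_override_curl_log" ||
  fail "empty WORKS_DRIVE_AUTH_MODE override must not mask .env refresh-token mode."
if grep -Fq "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" "$empty_override_curl_log"; then
  fail "empty WORKS_DRIVE_AUTH_MODE override must not fall back to jwt-bearer when .env requests refresh-token."
fi

# --- Case 5: refresh-token mode forced through the environment --------------
# Service-account credentials are also present; the explicit mode must win.
forced_refresh_curl_log="$tmp_dir/forced-refresh-curl.log"
WORKS_DRIVE_AUTH_MODE="refresh-token" \
WORKS_DRIVE_ACCESS_TOKEN="" \
WORKS_DRIVE_ACCESS_TOKEN_FILE="" \
WORKS_DRIVE_ACCESS_TOKEN_CMD="" \
WORKS_DRIVE_OAUTH_REFRESH_TOKEN="fresh-refresh-token" \
WORKS_DRIVE_OAUTH_CLIENT_ID="client-id-1" \
WORKS_DRIVE_OAUTH_CLIENT_SECRET="client-secret-1" \
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT="service-account-1" \
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY="private-key-fixture" \
WORKS_ADMIN_OAUTH_TOKEN_URL="https://auth.example.test/token" \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/forced-refresh-archive" \
ALLOW_REFRESH_TOKEN_GRANT="true" \
FAKE_CURL_LOG="$forced_refresh_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
  "$upload_script" >"$tmp_dir/forced-refresh-upload.out"

grep -Fq "Upload complete" "$tmp_dir/forced-refresh-upload.out" ||
  fail "forced refresh-token upload must complete with fake curl."
grep -Fq "grant_type=refresh_token" "$forced_refresh_curl_log" ||
  fail "WORKS_DRIVE_AUTH_MODE=refresh-token must use refresh-token grant."
grep -Fq "Authorization: Bearer refresh-token-access-token" "$forced_refresh_curl_log" ||
  fail "forced refresh-token access token must be used for WORKS API calls."
if grep -Fq "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" "$forced_refresh_curl_log"; then
  fail "WORKS_DRIVE_AUTH_MODE=refresh-token must not use jwt-bearer grant."
fi

# --- Case 6: dry run ---------------------------------------------------------
# The fake curl is wired in so that "must not call curl" is actually observed:
# any invocation would leave a line in the log, and nothing can reach the real
# API through the system curl.
dry_run_curl_log="$tmp_dir/dry-run-curl.log"
WORKS_DRIVE_DRY_RUN=true \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/archive" \
FAKE_CURL_LOG="$dry_run_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
  "$upload_script" >"$tmp_dir/dry-run.out"

grep -Fq "Dry run" "$tmp_dir/dry-run.out" ||
  fail "dry-run must not require a token or call curl."
[[ ! -s "$dry_run_curl_log" ]] ||
  fail "dry-run must not call curl."

echo "OK: upload_cloud mock upload flow packages backup artifacts for WORKS Drive"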