kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity
Files
dev
baron-sso/test/backup_upload_cloud_policy_test.sh
Lectom a56d68896f production 푸시 초안
2026-06-18 11:02:48 +09:00

233 lines
9.8 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
set -euo pipefail
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
fail() {
echo "ERROR: $*" >&2
exit 1
}
tmp_dir="$(mktemp -d /tmp/baron-sso-upload-cloud-test.XXXXXX)"
trap 'rm -rf "$tmp_dir"' EXIT INT TERM
backup_dir="$tmp_dir/baron-sso-backup-20260605-000000Z"
mkdir -p "$backup_dir/postgres" "$backup_dir/reports"
printf '{"format_version":"1"}\n' >"$backup_dir/manifest.json"
printf 'postgres dump fixture\n' >"$backup_dir/postgres/baron.dump"
printf '# Baron SSO Backup Report\n' >"$backup_dir/reports/backup-report.md"
(cd "$backup_dir" && sha256sum manifest.json postgres/baron.dump > checksums.sha256)
if "$repo_root/scripts/backup/upload_cloud.sh" >/tmp/baron-sso-upload-missing.out 2>&1; then
fail "upload_cloud.sh must require BACKUP."
fi
if ! grep -Fq "BACKUP is required" /tmp/baron-sso-upload-missing.out; then
fail "missing BACKUP error must be explicit."
fi
curl_log="$tmp_dir/curl.log"
fake_curl="$tmp_dir/fake-curl.sh"
fake_bin="$tmp_dir/bin"
mkdir -p "$fake_bin"
cat >"$fake_curl" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf '%s\n' "$*" >>"${FAKE_CURL_LOG}"
last_arg="${!#}"
case "$last_arg" in
https://auth.example.test/token)
if [[ "$*" == *"grant_type=refresh_token"* ]]; then
if [[ "${ALLOW_REFRESH_TOKEN_GRANT:-false}" == "true" ]]; then
printf '{"access_token":"refresh-token-access-token"}'
exit 0
fi
echo "refresh-token grant must not be used when service-account credentials are configured" >&2
exit 2
fi
printf '{"access_token":"service-account-token"}'
;;
https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/folder-1/children)
printf '{"files":[]}'
;;
https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/folder-1/createfolder)
printf '{"fileId":"reports-folder-1","fileName":"reports","fileType":"FOLDER"}'
;;
https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/folder-1)
printf '{"uploadUrl":"https://upload.example.test/upload-1"}'
;;
https://www.worksapis.com/v1.0/sharedrives/shared-drive-1/files/reports-folder-1)
printf '{"uploadUrl":"https://upload.example.test/upload-report-1"}'
;;
https://upload.example.test/upload-1)
printf '{"fileId":"file-1"}'
;;
https://upload.example.test/upload-report-1)
printf '{"fileId":"report-file-1"}'
;;
*)
echo "unexpected curl URL: $last_arg" >&2
exit 2
;;
esac
EOF
chmod +x "$fake_curl"
cat >"$fake_bin/zstd" <<'EOF'
#!/usr/bin/env bash
cat
EOF
chmod +x "$fake_bin/zstd"
cat >"$fake_bin/openssl" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
case "${1:-}" in
base64)
base64 | tr -d '\n'
;;
dgst)
cat >/dev/null
printf 'signed-fixture'
;;
*)
echo "unexpected openssl command: $*" >&2
exit 2
;;
esac
EOF
chmod +x "$fake_bin/openssl"
WORKS_DRIVE_ACCESS_TOKEN="test-access-token" \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/archive" \
FAKE_CURL_LOG="$curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
"$repo_root/scripts/backup/upload_cloud.sh" >"$tmp_dir/upload.out"
grep -Fq "Upload complete" "$tmp_dir/upload.out" || fail "upload must complete with fake curl."
grep -Fq "sharedrives/shared-drive-1/files/folder-1" "$curl_log" || fail "must create upload URL for the configured shared drive folder."
grep -Fq "https://upload.example.test/upload-1" "$curl_log" || fail "must upload to the issued upload URL."
grep -Fq "Authorization: Bearer test-access-token" "$curl_log" || fail "must pass bearer token to WORKS API calls."
grep -Fq "Filedata=@" "$curl_log" || fail "must upload the packaged backup as multipart Filedata."
grep -Fq ".tar.zst" "$curl_log" || fail "backup directory uploads must be packaged as .tar.zst."
grep -Fq "createfolder" "$curl_log" || fail "must create or resolve a report subfolder."
grep -Fq "reports-folder-1" "$curl_log" || fail "must upload markdown reports to the reports folder."
grep -Eq "backup-report-[0-9]{8}-[0-9]{6}Z.md" "$curl_log" || fail "must upload timestamped backup markdown report."
if grep -Fq "cloud-upload.json" "$curl_log"; then
fail "cloud-upload.json must not be uploaded to WORKS Drive."
fi
report_file="$backup_dir/reports/cloud-upload.json"
[[ -f "$report_file" ]] || fail "upload must write reports/cloud-upload.json."
jq -e '.target == "sharedrive" and .files[0].status == "uploaded" and .report_files[0].status == "uploaded" and (.report_files[0].file_name | test("^backup-report-[0-9]{8}-[0-9]{6}Z[.]md$"))' "$report_file" >/dev/null || fail "upload report must include timestamped markdown report file status."
service_account_curl_log="$tmp_dir/service-account-curl.log"
WORKS_DRIVE_AUTH_MODE="auto" \
WORKS_DRIVE_ACCESS_TOKEN="" \
WORKS_DRIVE_ACCESS_TOKEN_FILE="" \
WORKS_DRIVE_ACCESS_TOKEN_CMD="" \
WORKS_DRIVE_OAUTH_REFRESH_TOKEN="stale-refresh-token" \
WORKS_DRIVE_OAUTH_CLIENT_ID="client-id-1" \
WORKS_DRIVE_OAUTH_CLIENT_SECRET="client-secret-1" \
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT="service-account-1" \
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY="private-key-fixture" \
WORKS_ADMIN_OAUTH_TOKEN_URL="https://auth.example.test/token" \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/service-account-archive" \
FAKE_CURL_LOG="$service_account_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
"$repo_root/scripts/backup/upload_cloud.sh" >"$tmp_dir/service-account-upload.out"
grep -Fq "Upload complete" "$tmp_dir/service-account-upload.out" || fail "service-account upload must complete with fake curl."
grep -Fq "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" "$service_account_curl_log" || fail "service-account credentials must use jwt-bearer grant."
grep -Fq "Authorization: Bearer service-account-token" "$service_account_curl_log" || fail "service-account token must be used for WORKS API calls."
if grep -Fq "grant_type=refresh_token" "$service_account_curl_log"; then
fail "refresh-token grant must not be used when service-account credentials are configured."
fi
empty_override_env_dir="$tmp_dir/empty-override-repo"
mkdir -p "$empty_override_env_dir"
cat >"$empty_override_env_dir/.env" <<'EOF'
WORKS_DRIVE_AUTH_MODE=refresh-token
WORKS_DRIVE_OAUTH_REFRESH_TOKEN=fresh-refresh-token
WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT=service-account-1
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY=private-key-fixture
WORKS_ADMIN_OAUTH_TOKEN_URL=https://auth.example.test/token
WORKS_DRIVE_TARGET=sharedrive
WORKS_DRIVE_SHARED_DRIVE_ID=shared-drive-1
WORKS_DRIVE_PARENT_FILE_ID=folder-1
WORKS_DRIVE_ARCHIVE_DIR=/tmp/unused-by-test
EOF
empty_override_curl_log="$tmp_dir/empty-override-curl.log"
BACKUP_REPO_ROOT="$empty_override_env_dir" \
WORKS_DRIVE_AUTH_MODE="" \
WORKS_DRIVE_ACCESS_TOKEN="" \
WORKS_DRIVE_ACCESS_TOKEN_FILE="" \
WORKS_DRIVE_ACCESS_TOKEN_CMD="" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/empty-override-archive" \
ALLOW_REFRESH_TOKEN_GRANT="true" \
FAKE_CURL_LOG="$empty_override_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
"$repo_root/scripts/backup/upload_cloud.sh" >"$tmp_dir/empty-override-upload.out"
grep -Fq "Upload complete" "$tmp_dir/empty-override-upload.out" || fail "empty WORKS_DRIVE_AUTH_MODE override must still complete with .env value."
grep -Fq "grant_type=refresh_token" "$empty_override_curl_log" || fail "empty WORKS_DRIVE_AUTH_MODE override must not mask .env refresh-token mode."
if grep -Fq "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" "$empty_override_curl_log"; then
fail "empty WORKS_DRIVE_AUTH_MODE override must not fall back to jwt-bearer when .env requests refresh-token."
fi
forced_refresh_curl_log="$tmp_dir/forced-refresh-curl.log"
WORKS_DRIVE_AUTH_MODE="refresh-token" \
WORKS_DRIVE_ACCESS_TOKEN="" \
WORKS_DRIVE_ACCESS_TOKEN_FILE="" \
WORKS_DRIVE_ACCESS_TOKEN_CMD="" \
WORKS_DRIVE_OAUTH_REFRESH_TOKEN="fresh-refresh-token" \
WORKS_DRIVE_OAUTH_CLIENT_ID="client-id-1" \
WORKS_DRIVE_OAUTH_CLIENT_SECRET="client-secret-1" \
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT="service-account-1" \
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY="private-key-fixture" \
WORKS_ADMIN_OAUTH_TOKEN_URL="https://auth.example.test/token" \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/forced-refresh-archive" \
ALLOW_REFRESH_TOKEN_GRANT="true" \
FAKE_CURL_LOG="$forced_refresh_curl_log" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
"$repo_root/scripts/backup/upload_cloud.sh" >"$tmp_dir/forced-refresh-upload.out"
grep -Fq "Upload complete" "$tmp_dir/forced-refresh-upload.out" || fail "forced refresh-token upload must complete with fake curl."
grep -Fq "grant_type=refresh_token" "$forced_refresh_curl_log" || fail "WORKS_DRIVE_AUTH_MODE=refresh-token must use refresh-token grant."
grep -Fq "Authorization: Bearer refresh-token-access-token" "$forced_refresh_curl_log" || fail "forced refresh-token access token must be used for WORKS API calls."
if grep -Fq "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" "$forced_refresh_curl_log"; then
fail "WORKS_DRIVE_AUTH_MODE=refresh-token must not use jwt-bearer grant."
fi
WORKS_DRIVE_DRY_RUN=true \
WORKS_DRIVE_TARGET="sharedrive" \
WORKS_DRIVE_SHARED_DRIVE_ID="shared-drive-1" \
WORKS_DRIVE_PARENT_FILE_ID="folder-1" \
WORKS_DRIVE_ARCHIVE_DIR="$tmp_dir/archive" \
PATH="$fake_bin:$PATH" \
BACKUP="$backup_dir" \
"$repo_root/scripts/backup/upload_cloud.sh" >"$tmp_dir/dry-run.out"
grep -Fq "Dry run" "$tmp_dir/dry-run.out" || fail "dry-run must not require a token or call curl."
echo "OK: upload_cloud mock upload flow packages backup artifacts for WORKS Drive"
View Git Blame Copy Permalink