kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity
Files
dev
baron-sso/test/traefik_forward_auth_config_policy_test.sh
Lectom a56d68896f production 푸시 초안
2026-06-18 11:02:48 +09:00

47 lines
2.3 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
set -euo pipefail
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
compose_file="$repo_root/config/traefik-compose.yml"
fail() {
echo "$1" >&2
exit 1
}
[[ -f "$compose_file" ]] || fail "config/traefik-compose.yml must exist."
if grep -Eq 'thomseddon/traefik-forward-auth:2\.3\.0' "$compose_file"; then
fail "traefik-forward-auth image tag 2.3.0 is unavailable; use a runnable pinned tag."
fi
if grep -Eq 'auth/realms/master|PROVIDER_GENERIC_' "$compose_file"; then
fail "Traefik forward-auth must use Baron/Ory Hydra endpoint variables, not legacy Keycloak or unsupported provider keys."
fi
if grep -Eq 'CLIENT_SECRET=[^$]|SECRET=[^$]' "$compose_file"; then
fail "Traefik forward-auth secrets must be injected from environment variables, not hardcoded in compose."
fi
grep -Fq 'DEFAULT_PROVIDER=generic-oauth' "$compose_file" \
|| fail "Traefik bootstrap must use generic-oauth provider to avoid OIDC discovery before Baron/Ory is running."
grep -Fq 'PROVIDERS_GENERIC_OAUTH_AUTH_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/auth' "$compose_file" \
|| fail "Traefik forward-auth auth URL must point to Hydra authorize endpoint."
grep -Fq 'PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/oauth2/token' "$compose_file" \
|| fail "Traefik forward-auth token URL must point to Hydra token endpoint."
grep -Fq 'PROVIDERS_GENERIC_OAUTH_USER_URL=${HYDRA_PUBLIC_URL:-https://app.brsw.kr/oidc}/userinfo' "$compose_file" \
|| fail "Traefik forward-auth user URL must point to Hydra userinfo endpoint."
grep -Fq 'traefik.http.routers.traefik-dashboard.middlewares=auth-forward@docker' "$compose_file" \
|| fail "Traefik dashboard router must be protected by auth-forward middleware."
grep -Fq 'traefik.http.services.forward-auth.loadbalancer.server.port=4181' "$compose_file" \
|| fail "forward-auth service port must be declared for Traefik docker provider."
grep -Fq 'traefik-public:' "$compose_file" \
|| fail "traefik-public external network must be declared."
grep -Fq 'name: traefik-public' "$compose_file" \
|| fail "traefik-public network name must be explicit."
TRAEFIK_FORWARD_AUTH_CLIENT_SECRET=dummy \
TRAEFIK_FORWARD_AUTH_COOKIE_SECRET=dummy \
docker compose -f "$compose_file" config >/dev/null
View Git Blame Copy Permalink