kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity
Files
feature/local-dev-setup-clean
baron-sso/test/works_drive_refresh_token_policy_test.sh
Lectom a56d68896f production 푸시 초안
2026-06-18 11:02:48 +09:00

103 lines
4.2 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
set -euo pipefail
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
fail() {
echo "ERROR: $*" >&2
exit 1
}
script="$repo_root/scripts/backup/refresh_works_drive_token.sh"
[[ -f "$script" ]] || fail "refresh_works_drive_token.sh must exist."
tmp_dir="$(mktemp -d /tmp/baron-sso-works-drive-token-test.XXXXXX)"
trap 'rm -rf "$tmp_dir"' EXIT INT TERM
env_file="$tmp_dir/.env"
cat >"$env_file" <<'EOF'
WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
WORKS_DRIVE_OAUTH_REDIRECT_URI=https://example.test/callback
WORKS_DRIVE_OAUTH_REFRESH_TOKEN=old-refresh-token
WORKS_DRIVE_AUTH_MODE=auto
EOF
chmod 600 "$env_file"
curl_log="$tmp_dir/curl.log"
fake_curl="$tmp_dir/fake-curl.sh"
cat >"$fake_curl" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf '%s\n' "$*" >>"${FAKE_CURL_LOG}"
if [[ "$*" == *"grant_type=refresh_token"* ]]; then
printf '{"access_token":"new-access-token","refresh_token":"new-refresh-token","expires_in":"86400","token_type":"Bearer","scope":"file"}'
exit 0
fi
if [[ "$*" == *"grant_type=authorization_code"* ]]; then
printf '{"access_token":"code-access-token","refresh_token":"code-refresh-token","expires_in":"86400","token_type":"Bearer","scope":"file"}'
exit 0
fi
echo "unexpected curl arguments: $*" >&2
exit 2
EOF
chmod +x "$fake_curl"
WORKS_DRIVE_ENV_FILE="$env_file" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
FAKE_CURL_LOG="$curl_log" \
"$script" >"$tmp_dir/refresh.out"
grep -Fq "WORKS Drive refresh token updated" "$tmp_dir/refresh.out" || fail "refresh-token mode must update the refresh token."
grep -Fq "grant_type=refresh_token" "$curl_log" || fail "refresh-token mode must call refresh_token grant."
grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN=new-refresh-token" "$env_file" || fail ".env must contain the rotated refresh token."
grep -Fq "WORKS_DRIVE_AUTH_MODE=refresh-token" "$env_file" || fail ".env must prefer refresh-token mode after token refresh."
[[ "$(stat -c '%a' "$env_file")" == "600" ]] || fail ".env mode must be preserved after refresh token update."
if grep -Fq "new-access-token" "$env_file"; then
fail "short-lived access token must not be persisted by default."
fi
auth_env_file="$tmp_dir/.env.auth-code"
cat >"$auth_env_file" <<'EOF'
WORKS_DRIVE_OAUTH_CLIENT_ID=client-id-1
WORKS_DRIVE_OAUTH_CLIENT_SECRET=client-secret-1
WORKS_DRIVE_OAUTH_REDIRECT_URI=https://example.test/callback
EOF
WORKS_DRIVE_ENV_FILE="$auth_env_file" \
WORKS_DRIVE_CURL_BIN="$fake_curl" \
WORKS_DRIVE_TOKEN_GRANT=authorization-code \
WORKS_DRIVE_AUTH_CALLBACK_URL="https://example.test/callback?code=auth-code-1&state=state-1" \
FAKE_CURL_LOG="$curl_log" \
"$script" >"$tmp_dir/auth-code.out"
grep -Fq "WORKS Drive refresh token updated" "$tmp_dir/auth-code.out" || fail "authorization-code mode must update the refresh token."
grep -Fq "grant_type=authorization_code" "$curl_log" || fail "authorization-code mode must call authorization_code grant."
grep -Fq "code=auth-code-1" "$curl_log" || fail "authorization-code mode must extract code from callback URL."
grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN=code-refresh-token" "$auth_env_file" || fail ".env must contain authorization-code refresh token."
authorize_url="$(
WORKS_DRIVE_ENV_FILE="$auth_env_file" \
WORKS_DRIVE_TOKEN_GRANT=print-authorize-url \
"$script"
)"
grep -Fq "https://auth.worksmobile.com/oauth2/v2.0/authorize" <<<"$authorize_url" || fail "print-authorize-url mode must print WORKS authorize URL."
grep -Fq "client_id=client-id-1" <<<"$authorize_url" || fail "authorize URL must include client_id."
grep -Fq "response_type=code" <<<"$authorize_url" || fail "authorize URL must request an authorization code."
make_dry_run="$(
make --dry-run --always-make -C "$repo_root" works-drive-refresh-token WORKS_DRIVE_TOKEN_GRANT=refresh-token 2>&1
)"
grep -Fq "scripts/backup/refresh_works_drive_token.sh" <<<"$make_dry_run" || fail "Makefile target must call refresh token script."
grep -Fq "WORKS_DRIVE_TOKEN_GRANT=\"refresh-token\"" <<<"$make_dry_run" || fail "Makefile target must pass token grant."
if grep -Fq "docker run" <<<"$make_dry_run"; then
fail "Makefile target must refresh .env on the host, not inside Docker."
fi
echo "OK: WORKS Drive refresh token helper updates env and supports authorization-code bootstrap"
View Git Blame Copy Permalink