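#!/usr/bin/env bash
#
# Docker-backed live E2E check for the "personnel" dataset: dump, filter,
# restore-plan and a scoped restore into a scratch database.
# Opt-in: set RUN_PERSONNEL_DATASET_LIVE_E2E=1.

set -euo pipefail

# Repository root, derived from this file's own location (one level up).
# Every helper script below is executed from under this path, so the lookup
# is hardened: CDPATH is cleared and cd's output discarded so an inherited
# CDPATH can neither redirect the relative cd nor leak an extra line into
# the captured value, and "--" stops a leading "-" being read as an option.
repo_root="$(CDPATH='' cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." >/dev/null && pwd)"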
#######################################
# Report a failed assertion and abort the run.
# Arguments: $* - message text (joined with single spaces)
# Outputs:   "ERROR: <message>" on stderr
# Returns:   never returns; exits the shell with status 1
#######################################
fail() {
  printf '%s\n' "ERROR: $*" >&2
  exit 1
}
# Opt-in gate: this test talks to running containers, so it is a successful
# no-op unless the caller explicitly sets the switch to exactly "1".
case "${RUN_PERSONNEL_DATASET_LIVE_E2E:-}" in
  1) ;;
  *)
    printf '%s\n' "SKIP: set RUN_PERSONNEL_DATASET_LIVE_E2E=1 to run the Docker-backed personnel dataset E2E test"
    exit 0
    ;;
esac
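# Private scratch workspace for dumps and reports. mktemp -d creates the
# directory with an unpredictable name and owner-only permissions, which
# matters here because the exports written into it hold personnel records.
tmp_dir="$(mktemp -d /tmp/baron-sso-personnel-live-e2e.XXXXXX)"

# Remove the workspace on every exit path. Only EXIT does the removal; INT and
# TERM are converted into a normal exit (which then fires EXIT) so the script
# stops instead of carrying on with its workspace already deleted.
# "--" and the :? guard keep rm from ever acting on an empty or option-like path.
trap 'rm -rf -- "${tmp_dir:?}"' EXIT
trap 'exit 130' INT
trap 'exit 143' TERM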
# Locations inside the scratch workspace.
backup_dir="${tmp_dir}/backup"                        # direct personnel dump
filtered_backup_dir="${tmp_dir}/filtered-personnel"   # personnel data filtered out of a full backup
restore_report="${tmp_dir}/restore-report.json"       # written by restore-plan.sh
restore_exec_report="${tmp_dir}/restore-exec-report.json" # written by restore.sh

# Full backup used as input for the filter step; overridable by the caller.
# NOTE(review): the default is a relative path, so it resolves against the
# caller's working directory rather than repo_root unless the filter script
# anchors it itself — confirm.
source_full_backup="${PERSONNEL_FILTER_SOURCE_BACKUP:-backups/baron-sso-backup-20260622-023904Z}"

# Scratch database for the scoped restore, made unique per run with the PID.
# The name is later spliced unquoted into DDL statements; that is safe only
# while it stays a fixed prefix plus digits, so do not make it caller-supplied
# without validating it first.
restore_db="baron_personnel_restore_e2e_$$"
# Step 1: take a direct personnel-only dump into the scratch workspace.
# All settings are passed as per-command environment, so nothing leaks into
# the rest of this script's environment.
dump_script="${repo_root}/scripts/backup/dump.sh"
BACKUP_USE_DOCKER=false BACKUP="${backup_dir}" \
  DUMP_SERVICES="postgres,ory-postgres" DUMP_DATASET="personnel" \
  DUMP_MODE="maintenance" \
  "${dump_script}"
# Step 2: derive a personnel-only backup from an existing full backup.
# BACKUP is the input (the full backup), OUTPUT_BACKUP the filtered result.
filter_script="${repo_root}/scripts/backup/filter_personnel_dump.sh"
BACKUP_USE_DOCKER=false BACKUP="${source_full_backup}" \
  OUTPUT_BACKUP="${filtered_backup_dir}" \
  "${filter_script}"
# The filtered backup must carry the dataset manifest and must not carry
# either of the full-database dump files.
if [[ ! -f "${filtered_backup_dir}/datasets/personnel/dataset-manifest.json" ]]; then
  fail "filtered dataset manifest must be created"
fi
if [[ -f "${filtered_backup_dir}/postgres/ory_hydra.dump" ]]; then
  fail "filtered personnel backup must not contain Hydra dump"
fi
if [[ -f "${filtered_backup_dir}/postgres/baron.dump" ]]; then
  fail "filtered personnel backup must not contain full Baron dump"
fi
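# Shape of the direct personnel dump: manifest and JSONL exports present,
# full-database dumps absent.
#
# These presence checks run before the line counts below. Under
# "set -e -o pipefail" a missing users.jsonl would otherwise abort on the bare
# redirection error inside the command substitution, and the explicit
# assertion messages would never be reached.
[[ -f "$backup_dir/datasets/personnel/dataset-manifest.json" ]] || fail "dataset manifest must be created"
[[ -f "$backup_dir/datasets/personnel/postgres/users.jsonl" ]] || fail "users JSONL must be created"
[[ -f "$backup_dir/datasets/personnel/postgres/tenants.jsonl" ]] || fail "tenants JSONL must be created"
[[ ! -f "$backup_dir/postgres/ory_hydra.dump" ]] || fail "Hydra dump must not be created for personnel dataset"
[[ ! -f "$backup_dir/postgres/baron.dump" ]] || fail "full Baron dump must not be created for personnel dataset"
[[ -f "$filtered_backup_dir/datasets/personnel/postgres/users.jsonl" ]] || fail "filtered users JSONL must be created"

# Filtered and direct exports must hold the same number of user records.
# This compares line counts only; record contents are not compared.
filtered_users="$(wc -l <"$filtered_backup_dir/datasets/personnel/postgres/users.jsonl" | tr -d '[:space:]')"
direct_users="$(wc -l <"$backup_dir/datasets/personnel/postgres/users.jsonl" | tr -d '[:space:]')"
[[ "$filtered_users" == "$direct_users" ]] || fail "filtered personnel users count mismatch: got $filtered_users, want $direct_users"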
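# Leak checks on the direct personnel export: no credential material and no
# relying-party ownership may survive the dump.
#
# grep runs with -q so that a hit is reported through the fail message only.
# Without it the matching record itself (password hash plus personal data)
# would be printed into the test log at exactly the moment the leak occurs.
# A grep status above 1 means the file could not be scanned; that is treated
# as a failure rather than silently read as "no match".
#
# NOTE(review): only the direct dump is scanned; the filtered backup, which is
# the one restored further down, is not — confirm whether it should get the
# same two checks.
users_export="$backup_dir/datasets/personnel/postgres/users.jsonl"

scan_status=0
grep -q -- '"password_hash"' "$users_export" || scan_status=$?
case "$scan_status" in
  0) fail "personnel users export must not contain password_hash" ;;
  1) ;;
  *) fail "could not scan personnel users export for password_hash" ;;
esac

# Optional whitespace around the colon is accepted so that a differently
# formatted export cannot slip a non-empty relying_party_id past the pattern.
scan_status=0
grep -q -- '"relying_party_id"[[:space:]]*:[[:space:]]*"[^"]' "$users_export" || scan_status=$?
case "$scan_status" in
  0) fail "personnel users export must not keep RP ownership" ;;
  1) ;;
  *) fail "could not scan personnel users export for relying_party_id" ;;
esac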
# Step 3: produce a restore plan for the filtered backup. The plan is written
# as JSON to RESTORE_REPORT and inspected by the jq assertion that follows.
restore_plan_script="${repo_root}/scripts/backup/restore-plan.sh"
BACKUP_USE_DOCKER=false BACKUP="${filtered_backup_dir}" \
  RESTORE_SERVICES="postgres,ory-postgres" RESTORE_DATASET="personnel" \
  CONFIRM_RESTORE="baron-sso" \
  RESTORE_REPORT="${restore_report}" \
  "${restore_plan_script}"
# The plan must be in "planned" state for the personnel dataset and must list
# the Hydra database and the relying_parties table among its exclusions.
# jq -e turns a false/null result into a non-zero exit status.
if ! jq -e '
  .status == "planned"
  and .dataset == "personnel"
  and (.restore_policy.excluded.databases | index("ory_hydra"))
  and (.restore_policy.excluded.tables | index("public.relying_parties"))
' "${restore_report}" >/dev/null; then
  fail "restore plan report must describe personnel exclusions"
fi
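# NOTE(review): PGPASSWORD=password is a hard-coded fixture credential for the
# baron_postgres container. It is passed with "docker exec -e", so it is
# visible in the host process list while each command runs. Acceptable only
# for a throwaway local stack — confirm it is not shared with any other
# environment.

#######################################
# Drop the scratch restore database.
# Globals:   restore_db (read)
# Outputs:   none (psql output is discarded)
# Returns:   always 0; cleanup is best effort and must not mask the
#            script's real exit status
#######################################
cleanup_restore_db() {
  docker exec -e PGPASSWORD=password baron_postgres \
    psql -U baron -d postgres -v ON_ERROR_STOP=1 \
    -c "drop database if exists ${restore_db} with (force)" >/dev/null || true
}

# Register cleanup BEFORE the database is created, so a failure while creating
# it or while loading the schema cannot leave the scratch database behind.
# Only EXIT does the work; INT and TERM are converted into a normal exit so
# the script stops instead of continuing with its database and workspace gone.
trap 'cleanup_restore_db; rm -rf -- "${tmp_dir:?}"' EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# (Re)create an empty scratch database. ${restore_db} is spliced into the DDL
# unquoted; it is built from a fixed prefix plus the numeric PID only.
docker exec -e PGPASSWORD=password baron_postgres \
  psql -U baron -d postgres -v ON_ERROR_STOP=1 \
  -c "drop database if exists ${restore_db} with (force)" \
  -c "create database ${restore_db}"

# Copy the schema (no rows) from baron_sso into the scratch database.
docker exec -e PGPASSWORD=password baron_postgres \
  pg_dump -U baron -d baron_sso --schema-only \
  | docker exec -i -e PGPASSWORD=password baron_postgres \
    psql -U baron -d "$restore_db" -v ON_ERROR_STOP=1 >/dev/null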
# Step 4: execute the scoped personnel restore into the scratch database.
# The target already holds the copied schema, hence ALLOW_NON_EMPTY_RESTORE.
# NOTE(review): DB_NAME is what points the restore at the scratch database;
# presumably restore.sh honours it — verify, since the non-empty override
# would otherwise apply to whatever database the script targets by default.
restore_script="${repo_root}/scripts/backup/restore.sh"
BACKUP_USE_DOCKER=false BACKUP="${filtered_backup_dir}" \
  RESTORE_SERVICES="postgres" RESTORE_DATASET="personnel" \
  CONFIRM_RESTORE="baron-sso" ALLOW_NON_EMPTY_RESTORE="true" \
  RESTORE_REPORT="${restore_exec_report}" \
  DB_NAME="${restore_db}" \
  "${restore_script}"
# The restored users table must hold exactly as many rows as the filtered
# export has lines. psql -At prints the bare count with no header or padding.
restored_users="$(docker exec -e PGPASSWORD=password baron_postgres \
  psql -U baron -d "${restore_db}" -Atc "select count(*) from public.users")"
source_users="$(wc -l <"${filtered_backup_dir}/datasets/personnel/postgres/users.jsonl" | tr -d '[:space:]')"
if [[ "${restored_users}" != "${source_users}" ]]; then
  fail "restored users count mismatch: got $restored_users, want $source_users"
fi
# No restored user may still reference a relying party.
rp_link_count="$(docker exec -e PGPASSWORD=password baron_postgres \
  psql -U baron -d "${restore_db}" -Atc "select count(*) from public.users where relying_party_id is not null")"
if [[ "${rp_link_count}" != "0" ]]; then
  fail "restored personnel users must not keep relying_party_id"
fi
# The execution report must record a successful personnel restore.
if ! jq -e '.status == "succeeded" and .dataset == "personnel"' "${restore_exec_report}" >/dev/null; then
  fail "personnel restore execution report must succeed"
fi

printf '%s\n' "OK: personnel dataset live E2E dump, restore-plan, and scoped restore passed"