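#!/usr/bin/env bash
# Policy test: every code path that writes Kratos identities (admin REST
# endpoint, typed admin-service/provider helpers, raw SQL against the
# identities table) must (1) live in a file on the allowlist below and
# (2) be documented in the identity Redis mirror policy document.
#
# Exit 0 only when every check passes; any failure exits 1 with a
# diagnostic on stderr. Paths are resolved relative to the repository root,
# so the script can be run from any working directory.
#
# Scope caveat: the scan uses `git grep` over tracked files under backend/
# and scripts/ only. Untracked working-tree files and other top-level
# directories are not inspected.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
policy_doc="$repo_root/docs/identity-redis-mirror-policy-2026-06-09.md"

# Files permitted to contain a Kratos identity write path. Entries are
# matched on their exact repo-relative path (grep -Fx). Every entry must
# also be named in the policy document (verified at the end of the script).
# NOTE: the match is per file, so an allowlisted file may grow additional
# write calls without tripping this test; review those files by hand.
allowed_files="$(
cat <<'EOF'
backend/cmd/adminctl/main.go
backend/cmd/fix_kratos_roles.go
backend/internal/bootstrap/admin_account.go
backend/internal/bootstrap/kratos_seed.go
backend/internal/handler/auth_handler.go
backend/internal/handler/user_handler.go
backend/internal/service/kratos_admin_service.go
backend/internal/service/ory_service.go
backend/internal/service/user_group_service.go
scripts/clear_orphan_tenant_memberships.sh
EOF
)"

# Extended regex of every known way to write a Kratos identity: the admin
# REST path, the typed service/provider methods, and raw SQL. Keep in sync
# with the policy document whenever a new write helper is introduced.
pattern='admin/identities|KratosAdmin[.]UpdateIdentity|KratosAdmin[.]DeleteIdentity|kratos[.]UpdateIdentity|kratosAdmin[.]UpdateIdentity|identityAdmin[.]CreateUser|identityAdmin[.]UpdateIdentityPassword|idp[.]CreateUser|IdpProvider[.]CreateUser|IdpProvider[.]UpdateUserPassword|OryProvider[.]CreateUser|OryProvider[.]UpdateUserPassword|UPDATE identities'

# git grep exits 0 on match, 1 on no match, and >1 on error (not a git
# checkout, bad pathspec, ...). Only 0 and 1 are results; anything else
# must fail the test instead of being read as "no findings" — a blanket
# `|| true` would let a non-git checkout pass this gate vacuously.
grep_rc=0
findings="$(
git -C "$repo_root" grep -nE "$pattern" -- \
  backend \
  scripts \
  ':(exclude)backend/**/*_test.go' \
  ':(exclude)scripts/backup'
)" || grep_rc=$?
if [ "$grep_rc" -gt 1 ]; then
  echo "ERROR: git grep failed with exit status $grep_rc; cannot audit Kratos identity write paths." >&2
  exit 1
fi

# Collect every hit whose file is not on the allowlist.
# `git grep -n` prints "path:line:text"; the path is everything before the
# first colon (repo paths here contain no colons).
unexpected=""
if [ -n "$findings" ]; then
  while IFS= read -r finding; do
    hit_file="${finding%%:*}"
    if ! grep -Fxq -- "$hit_file" <<<"$allowed_files"; then
      unexpected="${unexpected}${finding}"$'\n'
    fi
  done <<<"$findings"
fi
if [ -n "$unexpected" ]; then
  echo "ERROR: undocumented Kratos identity write path detected." >&2
  printf '%s' "$unexpected" >&2
  exit 1
fi

if [ ! -f "$policy_doc" ]; then
  echo "ERROR: missing identity Redis mirror policy document: $policy_doc" >&2
  exit 1
fi

# auth_handler.go is on the allowlist (it may call the typed services), but
# it must never hit the admin REST path itself; this is a stricter rule than
# the allowlist scan above, which would otherwise accept it.
if grep -Fq -- "admin/identities/" "$repo_root/backend/internal/handler/auth_handler.go"; then
  echo "ERROR: auth_handler must not call Kratos admin identity endpoints directly; use KratosAdminService or IdentityWriteService." >&2
  exit 1
fi

#######################################
# Check that a file exists and contains every given fixed string.
# Presence-only: this proves the guard is *named* in the file, not that it
# is enforced on every write path (a mention in a comment would satisfy it).
# Arguments: $1 - repo-relative file path; $2.. - fixed strings required
# Returns:   0 if all strings are present; 1 if any is missing
# Exits:     1 with a message on stderr if the file does not exist
#######################################
require_strings() {
  local target="$repo_root/$1"
  shift
  local needle
  if [ ! -f "$target" ]; then
    echo "ERROR: expected guarded file is missing: $target" >&2
    exit 1
  fi
  for needle in "$@"; do
    if ! grep -Fq -- "$needle" "$target"; then
      return 1
    fi
  done
  return 0
}

# Maintenance tooling that touches identities must carry the documented
# guard flags / env gates.
if ! require_strings backend/cmd/fix_kratos_roles.go \
    "maintenance-window" "dry-run" "mark-mirror-stale"; then
  echo "ERROR: fix_kratos_roles must require dry-run/maintenance-window/mark-mirror-stale guards." >&2
  exit 1
fi
if ! require_strings scripts/clear_orphan_tenant_memberships.sh \
    "CONFIRM_KRATOS_DB_MAINTENANCE" "MARK_IDENTITY_MIRROR_STALE"; then
  echo "ERROR: clear_orphan_tenant_memberships.sh must require explicit Kratos DB maintenance and mirror-stale guards." >&2
  exit 1
fi

# The policy document must carry the write-path audit section (heading is
# in Korean: "Kratos write path audit") ...
if ! grep -Fq -- "## Kratos write 경로 감사" "$policy_doc"; then
  echo "ERROR: policy document must include the Kratos write path audit section." >&2
  exit 1
fi

# ... and must mention every allowlisted file (substring match, so a path
# listed anywhere in the document counts).
while IFS= read -r allowed; do
  if [ -n "$allowed" ] && ! grep -Fq -- "$allowed" "$policy_doc"; then
    echo "ERROR: allowed Kratos write path is not documented: $allowed" >&2
    exit 1
  fi
done <<<"$allowed_files"

echo "kratos identity write path policy checks passed"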