forked from baron/baron-sso
118 lines
5.1 KiB
Bash
Executable File
118 lines
5.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
die() {
|
|
printf 'ERROR: %s\n' "$*" >&2
|
|
exit 1
|
|
}
|
|
|
|
require_env() {
|
|
local key="$1"
|
|
[[ -n "${!key:-}" ]] || die "Missing required env: $key"
|
|
}
|
|
|
|
require_env IMAGE_DEPLOY_BUNDLE_FILE
|
|
require_env DEPLOY_HOST
|
|
require_env DEPLOY_USER
|
|
require_env DEPLOY_PATH
|
|
require_env WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID
|
|
|
|
[[ -f "$IMAGE_DEPLOY_BUNDLE_FILE" ]] || die "bundle file not found: $IMAGE_DEPLOY_BUNDLE_FILE"
|
|
|
|
log() {
|
|
printf '==> %s\n' "$*" >&2
|
|
}
|
|
|
|
refresh_works_drive_access_token() {
|
|
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_ID is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
|
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
|
[[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]] || die "WORKS_DRIVE_OAUTH_REFRESH_TOKEN is required for refresh-token mode."
|
|
|
|
local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
|
|
local response
|
|
local access_token
|
|
local rotated_refresh_token
|
|
|
|
log "Refreshing WORKS Drive access token"
|
|
response="$(curl -fsS -X POST "$token_url" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
--data-urlencode "grant_type=refresh_token" \
|
|
--data-urlencode "refresh_token=${WORKS_DRIVE_OAUTH_REFRESH_TOKEN}" \
|
|
--data-urlencode "client_id=${WORKS_DRIVE_OAUTH_CLIENT_ID}" \
|
|
--data-urlencode "client_secret=${WORKS_DRIVE_OAUTH_CLIENT_SECRET}")"
|
|
access_token="$(jq -er '.access_token' <<<"$response")"
|
|
rotated_refresh_token="$(jq -r '.refresh_token // empty' <<<"$response")"
|
|
if [[ -n "$rotated_refresh_token" && "$rotated_refresh_token" != "$WORKS_DRIVE_OAUTH_REFRESH_TOKEN" ]]; then
|
|
printf 'WARNING: WORKS returned a rotated refresh token. Update WORKS_DRIVE_REFRESH_TOKEN before the old token ages out.\n' >&2
|
|
fi
|
|
printf '%s\n' "$access_token"
|
|
}
|
|
|
|
resolve_works_drive_access_token() {
|
|
if [[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]]; then
|
|
refresh_works_drive_access_token
|
|
return
|
|
fi
|
|
|
|
if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN:-}" ]]; then
|
|
printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN"
|
|
return
|
|
fi
|
|
|
|
if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_INPUT:-}" ]]; then
|
|
printf '%s\n' "$WORKS_DRIVE_ACCESS_TOKEN_INPUT"
|
|
return
|
|
fi
|
|
|
|
if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_FILE:-}" ]]; then
|
|
[[ -f "$WORKS_DRIVE_ACCESS_TOKEN_FILE" ]] || die "WORKS_DRIVE_ACCESS_TOKEN_FILE not found: $WORKS_DRIVE_ACCESS_TOKEN_FILE"
|
|
sed -n '1p' "$WORKS_DRIVE_ACCESS_TOKEN_FILE"
|
|
return
|
|
fi
|
|
|
|
if [[ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]]; then
|
|
sh -c "$WORKS_DRIVE_ACCESS_TOKEN_CMD"
|
|
return
|
|
fi
|
|
|
|
die "Missing WORKS Drive access auth. Provide WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_FILE, WORKS_DRIVE_ACCESS_TOKEN_CMD, or WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
|
|
}
|
|
|
|
remote_bundle="/tmp/baron-sso-image-deploy-$(date -u '+%Y%m%d%H%M%S').tgz"
|
|
works_drive_access_token="$(resolve_works_drive_access_token)"
|
|
|
|
ssh-keyscan -H "$DEPLOY_HOST" >>~/.ssh/known_hosts
|
|
scp "$IMAGE_DEPLOY_BUNDLE_FILE" "${DEPLOY_USER}@${DEPLOY_HOST}:${remote_bundle}"
|
|
|
|
printf '%s\n' "$works_drive_access_token" | ssh "${DEPLOY_USER}@${DEPLOY_HOST}" \
|
|
"set -euo pipefail; \
|
|
read -r works_drive_access_token; \
|
|
mkdir -p '${DEPLOY_PATH}'; \
|
|
tar -xzf '${remote_bundle}' -C '${DEPLOY_PATH}'; \
|
|
cd '${DEPLOY_PATH}'; \
|
|
chmod 600 .env; \
|
|
docker network inspect traefik-public >/dev/null 2>&1 || docker network create traefik-public; \
|
|
export WORKS_DRIVE_ACCESS_TOKEN=\"\${works_drive_access_token}\"; \
|
|
export WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID='${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}'; \
|
|
export WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID='${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}'; \
|
|
export WORKS_DRIVE_DOCKER_IMAGE_DIR='${WORKS_DRIVE_DOCKER_IMAGE_DIR:-baron-sso}'; \
|
|
export WORKS_DRIVE_API_BASE_URL='${WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}}'; \
|
|
echo '==> Validating image deploy compose config'; \
|
|
docker compose --env-file .env -f docker-compose.yml config >/dev/null; \
|
|
echo '==> Downloading and loading WORKS Drive application images'; \
|
|
scripts/docker-image/download_works_drive.sh; \
|
|
set -a; \
|
|
. ./.env; \
|
|
set +a; \
|
|
echo '==> Verifying loaded application images'; \
|
|
for image_ref in \"\${BACKEND_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${USERFRONT_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${ADMINFRONT_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${DEVFRONT_IMAGE_NAME}:\${IMAGE_TAG}\" \"\${ORGFRONT_IMAGE_NAME}:\${IMAGE_TAG}\"; do \
|
|
docker image inspect \"\${image_ref}\" >/dev/null; \
|
|
done; \
|
|
echo '==> Prefetching runtime images before compose up'; \
|
|
docker compose --env-file .env -f docker-compose.yml pull --ignore-pull-failures; \
|
|
echo '==> Starting production image stack'; \
|
|
docker compose --env-file .env -f docker-compose.yml up -d --remove-orphans; \
|
|
echo '==> Refreshing frontend edge containers'; \
|
|
docker compose --env-file .env -f docker-compose.yml up -d --force-recreate --no-deps gateway adminfront devfront orgfront; \
|
|
docker compose --env-file .env -f docker-compose.yml ps"
|