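#!/usr/bin/env bash
#
# Sanity-check a Tasker (Plane) staging env file before it is deployed.
#
# Usage: <this script> [ENV_FILE]
#   ENV_FILE defaults to <repo root>/plane-app/plane.env.staging, where the
#   repo root is one level above this script's directory.
#
# The env file is *sourced*, i.e. executed as shell code, so only point this
# script at a file you trust. Every check records a failure and keeps going,
# so a single run reports every problem; the script exits 1 when the file is
# missing or any check failed, and 0 otherwise.
set -euo pipefail

# Substrings that mark a value as a copied placeholder / local-dev default.
# Matched with [[ =~ ]], i.e. an unanchored, case-sensitive ERE: "CHANGE-ME"
# in upper case is not caught.
readonly PLACEHOLDER_RE='change-me|local-dev|replace-with|example'
# Secrets additionally reject the product name and generic key-type words,
# which show up in sample values.
readonly SECRET_PLACEHOLDER_RE="${PLACEHOLDER_RE}|plane|secret-key|access-key"
# Minimum accepted length, in characters, for any secret value.
readonly MIN_SECRET_LENGTH=32

# Number of failed checks so far; read by main for the final verdict.
failures=0

#######################################
# Record one failed check on stderr and bump the counter.
# Globals:   failures (written)
# Arguments: message words
#######################################
fail() {
  printf 'FAIL: %s\n' "$*" >&2
  failures=$((failures + 1))
}

#######################################
# Fail unless the named variable is set and non-empty.
# Arguments: $1 - variable name (read indirectly via ${!name})
# Returns:   0 always; the outcome is reported through fail()
#######################################
require_value() {
  local name="$1"
  local value="${!name:-}"
  if [[ -z "$value" ]]; then
    fail "$name is required"
  fi
}

#######################################
# Fail unless the named variable looks like a real secret: present, free of
# placeholder words, and at least MIN_SECRET_LENGTH characters long.
# An empty value is reported once by require_value and not re-reported.
# Arguments: $1 - variable name
#######################################
require_secret() {
  local name="$1"
  local value="${!name:-}"
  require_value "$name"
  if [[ -z "$value" ]]; then
    return 0
  fi
  if [[ "$value" =~ $SECRET_PLACEHOLDER_RE ]]; then
    fail "$name uses a placeholder/dev value"
  fi
  if (( ${#value} < MIN_SECRET_LENGTH )); then
    fail "$name must be at least $MIN_SECRET_LENGTH characters"
  fi
}

#######################################
# Fail unless the named variable is set and starts with "https://".
# An empty value is reported once by require_value and not re-reported.
# Arguments: $1 - variable name
#######################################
require_https_url() {
  local name="$1"
  local value="${!name:-}"
  require_value "$name"
  if [[ -z "$value" ]]; then
    return 0
  fi
  if [[ "$value" != https://* ]]; then
    fail "$name must use https://"
  fi
}

#######################################
# True if a host/domain is a local-development value: the *.local.nodedc
# dev suffix, "localhost", or a 127.* loopback literal.
# Arguments: $1 - host or domain string
# Returns:   0 if local/dev, 1 otherwise (only call inside a condition
#            because of set -e)
#######################################
is_local_dev_host() {
  local host="$1"
  [[ "$host" == *.local.nodedc || "$host" == "localhost" || "$host" == 127.* ]]
}

#######################################
# Fail unless the named variable is set and is not a local/dev host.
# Arguments: $1 - variable name
#######################################
require_staging_domain() {
  local name="$1"
  local value="${!name:-}"
  require_value "$name"
  if [[ -n "$value" ]] && is_local_dev_host "$value"; then
    fail "$name must not use local/dev domain"
  fi
}

#######################################
# Fail for every entry of a comma-separated origin list that does not start
# with "https://". Whitespace inside entries is stripped first; an empty entry
# (e.g. from a doubled comma) is reported like any other bad origin.
# Arguments: $1 - variable name
#######################################
require_https_origin_list() {
  local name="$1"
  local value="${!name:-}"
  local -a origins=()
  local origin
  require_value "$name"
  # Stop here when unset/empty: already reported, and "${!name:-}" keeps
  # set -u from aborting the run before the summary is printed.
  if [[ -z "$value" ]]; then
    return 0
  fi
  IFS=',' read -ra origins <<< "$value"
  for origin in "${origins[@]}"; do
    origin="${origin//[[:space:]]/}"
    if [[ "$origin" != https://* ]]; then
      fail "$name contains non-HTTPS origin: $origin"
    fi
  done
}

#######################################
# Fail unless the named flag has exactly the expected value (unset counts
# as a mismatch).
# Arguments: $1 - variable name
#            $2 - expected value
#            $3 - optional reason appended to the failure message
#######################################
require_flag() {
  local name="$1"
  local expected="$2"
  local reason="${3:-}"
  if [[ "${!name:-}" != "$expected" ]]; then
    fail "$name must be $expected${reason:+ $reason}"
  fi
}

#######################################
# Reject a TRUSTED_PROXIES value that is a placeholder or names a catch-all /
# whole private or loopback range instead of the real edge proxy subnet.
# Globals:   TRUSTED_PROXIES (read)
#######################################
check_trusted_proxies() {
  local value="${TRUSTED_PROXIES:-}"
  if [[ "$value" =~ $PLACEHOLDER_RE ]]; then
    fail "TRUSTED_PROXIES uses a placeholder/dev value"
  fi
  # Substring match: any of these ranges anywhere in the list is too broad.
  case "$value" in
    *"0.0.0.0/0"* | *"::/0"* | *"10.0.0.0/8"* | *"172.16.0.0/12"* | *"192.168.0.0/16"* | *"127.0.0.0/8"*)
      fail "TRUSTED_PROXIES must be limited to the actual platform edge proxy or ingress subnet"
      ;;
  esac
}

#######################################
# Locate and source the env file, run every staging check, print the verdict.
# Globals:   ROOT_DIR, ENV_FILE (written, kept global so the sourced file may
#            reference them), failures (read)
# Arguments: $1 - env file path (optional)
# Returns:   exits 1 on a missing file or any failed check
#######################################
main() {
  local url_var secret_var

  ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
  ENV_FILE="${1:-"$ROOT_DIR/plane-app/plane.env.staging"}"
  if [[ ! -f "$ENV_FILE" ]]; then
    printf 'Missing Tasker staging env file: %s\n' "$ENV_FILE" >&2
    exit 1
  fi

  # Export every variable the file defines while sourcing it. This executes
  # the file's contents, so the file must be trusted.
  set -a
  # shellcheck disable=SC1090
  source "$ENV_FILE"
  set +a

  require_staging_domain APP_DOMAIN

  for url_var in WEB_URL PLANE_OIDC_ISSUER PLANE_OIDC_REDIRECT_URI \
    PLANE_NODEDC_ACCESS_CHECK_URL PLANE_NODEDC_ACCESS_DENIED_REDIRECT_URL \
    PLANE_NODEDC_GLOBAL_LOGOUT_URL PLANE_NODEDC_LAUNCHER_PUBLIC_URL \
    PLANE_NODEDC_HANDOFF_URL PLANE_NODEDC_WORKSPACE_POLICY_URL; do
    require_https_url "$url_var"
  done

  require_https_origin_list CORS_ALLOWED_ORIGINS

  for secret_var in POSTGRES_PASSWORD RABBITMQ_PASSWORD SECRET_KEY \
    AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY LIVE_SERVER_SECRET_KEY \
    PLANE_OIDC_CLIENT_SECRET PLANE_NODEDC_ACCESS_TOKEN; do
    require_secret "$secret_var"
  done

  # COOKIE_DOMAIN is optional, but when set it must not be a dev host
  # (same rule as APP_DOMAIN, including 127.* literals).
  if [[ -n "${COOKIE_DOMAIN:-}" ]] && is_local_dev_host "${COOKIE_DOMAIN:-}"; then
    fail "COOKIE_DOMAIN must not use local/dev domain"
  fi

  # Staging is OIDC-only with access enforcement switched on.
  require_flag ENABLE_SIGNUP 0
  require_flag ENABLE_EMAIL_PASSWORD 0 "for staging OIDC-only access"
  require_flag ENABLE_MAGIC_LINK_LOGIN 0
  require_flag PLANE_NODEDC_ACCESS_ENFORCEMENT 1
  require_flag PLANE_NODEDC_ACCESS_ENFORCE_UNLINKED 1

  check_trusted_proxies

  if (( failures > 0 )); then
    printf 'Tasker staging env check failed with %d issue(s).\n' "$failures" >&2
    exit 1
  fi
  printf 'Tasker staging env check passed: %s\n' "$ENV_FILE"
}

main "$@"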