#!/usr/bin/env bash
#
# Pre-deploy check for the Tasker staging env file: required values,
# HTTPS-only URLs, non-dev domains, non-placeholder secrets and locked-down
# auth/proxy flags. Every problem is printed as a "FAIL: ..." line on stderr
# and the script exits non-zero at the end if any check failed.
#
# Usage: $0 [ENV_FILE]
#   ENV_FILE defaults to plane-app/plane.env.staging under the repo root.
set -euo pipefail

# Repo root = parent of the directory this script lives in.
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
ENV_FILE="${1:-"$ROOT_DIR/plane-app/plane.env.staging"}"

[[ -f "$ENV_FILE" ]] || {
  printf 'Missing Tasker staging env file: %s\n' "$ENV_FILE" >&2
  exit 1
}

# Export everything the env file defines so the checks can read variables by
# name. NOTE: `source` executes the file as shell code, so it must be trusted
# (it is treated as part of the repo, not as user input).
set -a
# shellcheck disable=SC1090
source "$ENV_FILE"
set +a

# Number of failed checks so far; reported in one go at the end.
failures=0
#######################################
# Record one failed check without aborting, so all problems are reported.
# Globals:   failures (incremented)
# Arguments: the message, all positional params joined with spaces
# Outputs:   "FAIL: <message>" on stderr
#######################################
fail() {
  # The message is passed as a printf argument, never as the format string.
  printf 'FAIL: %s\n' "$*" >&2
  failures=$((failures + 1))
}
#######################################
# Fail the check when the named variable is unset or empty.
# Arguments: $1 - variable NAME (expanded indirectly via ${!name})
# Outputs:   via fail() on stderr
#######################################
require_value() {
  local var_name="$1"
  local current="${!var_name:-}"

  if [[ -n "$current" ]]; then
    return 0
  fi
  fail "$var_name is required"
}
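#######################################
# Fail the check when the named secret is missing, looks like a
# placeholder/dev value, or is shorter than 32 characters.
# The secret value itself is never printed; only the variable name is.
# Arguments: $1 - variable NAME (expanded indirectly via ${!name})
# Outputs:   via fail() on stderr
#######################################
require_secret() {
  local name="$1"
  local value="${!name:-}"
  # Match placeholders case-insensitively so "CHANGE-ME" or "Example"
  # cannot slip past the check.
  local lowered="${value,,}"

  require_value "$name"

  if [[ "$lowered" =~ change-me|local-dev|replace-with|example|plane|secret-key|access-key ]]; then
    fail "$name uses a placeholder/dev value"
  fi

  # Character count only: a length floor, not an entropy guarantee.
  if (( ${#value} < 32 )); then
    fail "$name must be at least 32 characters"
  fi
}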
#######################################
# Fail the check when the named URL is missing or does not start with
# "https://" (exact, case-sensitive prefix).
# Arguments: $1 - variable NAME (expanded indirectly via ${!name})
# Outputs:   via fail() on stderr
#######################################
require_https_url() {
  local url_var="$1"
  local url="${!url_var:-}"

  require_value "$url_var"

  case "$url" in
    https://*) ;;
    *) fail "$url_var must use https://" ;;
  esac
}
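#######################################
# Fail the check when the named host is missing or points at a local/dev
# location (*.local.nodedc, localhost, 127.*, ::1).
# Arguments: $1 - variable NAME (expanded indirectly via ${!name})
# Outputs:   via fail() on stderr
#######################################
require_staging_domain() {
  local name="$1"
  local value="${!name:-}"
  # Hostnames are case-insensitive; normalise so "LOCALHOST" is caught too.
  local host="${value,,}"

  require_value "$name"

  case "$host" in
    *.local.nodedc|localhost|127.*|::1)
      fail "$name must not use local/dev domain"
      ;;
  esac
}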
# --- Public endpoints: real staging host, HTTPS everywhere -------------------
require_staging_domain APP_DOMAIN

https_url_vars=(
  WEB_URL
  PLANE_OIDC_ISSUER
  PLANE_OIDC_REDIRECT_URI
  PLANE_NODEDC_ACCESS_CHECK_URL
  PLANE_NODEDC_ACCESS_DENIED_REDIRECT_URL
  PLANE_NODEDC_GLOBAL_LOGOUT_URL
  PLANE_NODEDC_LAUNCHER_PUBLIC_URL
  PLANE_NODEDC_HANDOFF_URL
  PLANE_NODEDC_WORKSPACE_POLICY_URL
)
for url_var in "${https_url_vars[@]}"; do
  require_https_url "$url_var"
done

# --- CORS: every comma-separated origin must be https:// -------------------
# Whitespace around entries is dropped; an empty entry (e.g. a trailing
# comma) or a bare "*" is reported as a non-HTTPS origin.
require_value CORS_ALLOWED_ORIGINS
IFS=',' read -ra cors_origins <<< "$CORS_ALLOWED_ORIGINS"
for origin in "${cors_origins[@]}"; do
  origin="${origin//[[:space:]]/}"
  case "$origin" in
    https://*) ;;
    *) fail "CORS_ALLOWED_ORIGINS contains non-HTTPS origin: $origin" ;;
  esac
done

# --- Secrets: present, not a placeholder, >= 32 chars ----------------------
secret_vars=(
  POSTGRES_PASSWORD
  RABBITMQ_PASSWORD
  SECRET_KEY
  AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY
  LIVE_SERVER_SECRET_KEY
  PLANE_OIDC_CLIENT_SECRET
  PLANE_NODEDC_ACCESS_TOKEN
)
for secret_var in "${secret_vars[@]}"; do
  require_secret "$secret_var"
done

# --- Cookie scope (optional var, so only checked when set) -----------------
cookie_domain="${COOKIE_DOMAIN:-}"
if [[ "$cookie_domain" == *.local.nodedc || "$cookie_domain" == "localhost" ]]; then
  fail "COOKIE_DOMAIN must not use local/dev domain"
fi

# --- Auth/enforcement flags ------------------------------------------------
# require_flag NAME EXPECTED MESSAGE: fail with MESSAGE unless NAME == EXPECTED.
require_flag() {
  local flag_name="$1" expected="$2" message="$3"
  if [[ "${!flag_name:-}" != "$expected" ]]; then
    fail "$message"
  fi
}
# Self-service signup and non-OIDC login paths stay off in staging.
require_flag ENABLE_SIGNUP 0 "ENABLE_SIGNUP must be 0"
require_flag ENABLE_EMAIL_PASSWORD 0 "ENABLE_EMAIL_PASSWORD must be 0 for staging OIDC-only access"
require_flag ENABLE_MAGIC_LINK_LOGIN 0 "ENABLE_MAGIC_LINK_LOGIN must be 0"
require_flag PLANE_NODEDC_ACCESS_ENFORCEMENT 1 "PLANE_NODEDC_ACCESS_ENFORCEMENT must be 1"
require_flag PLANE_NODEDC_ACCESS_ENFORCE_UNLINKED 1 "PLANE_NODEDC_ACCESS_ENFORCE_UNLINKED must be 1"

# --- Trusted proxies -------------------------------------------------------
trusted_proxies="${TRUSTED_PROXIES:-}"
if [[ "$trusted_proxies" =~ change-me|local-dev|replace-with|example ]]; then
  fail "TRUSTED_PROXIES uses a placeholder/dev value"
fi
# Substring match: any of these catch-all / whole-private-range entries is
# rejected. NOTE(review): presumably the app honours forwarded headers from
# these addresses, so a broad range would let any host in it set them — the
# list is expected to name only the real edge proxy.
case "$trusted_proxies" in
  *"0.0.0.0/0"*|*"::/0"*|*"10.0.0.0/8"*|*"172.16.0.0/12"*|*"192.168.0.0/16"*|*"127.0.0.0/8"*)
    fail "TRUSTED_PROXIES must be limited to the actual platform edge proxy or ingress subnet"
    ;;
esac

# --- Verdict ---------------------------------------------------------------
if (( failures > 0 )); then
  printf 'Tasker staging env check failed with %s issue(s).\n' "$failures" >&2
  exit 1
fi

printf 'Tasker staging env check passed: %s\n' "$ENV_FILE"