ai-workspace-infra/playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: validate bridge token consistency

Browse Source
This commit is contained in:
Haitao Pan 2026-06-01 10:02:13 +08:00
parent ce0dd3cee1
commit 402faa02e1
1 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
roles/vhosts/xworkmate_bridge/tasks/validate.yml
View File

@ -8,6 +8,14 @@
cmd: cat "{{ xworkmate_bridge_service_caddy_fragment_path }}" cmd: cat "{{ xworkmate_bridge_service_caddy_fragment_path }}"
changed_when: false changed_when: false
register: xworkmate_bridge_fragment register: xworkmate_bridge_fragment
no_log: true
- name: Read deployed xworkmate-bridge systemd unit
ansible.builtin.command:
cmd: cat "{{ xworkmate_bridge_systemd_unit_path }}"
changed_when: false
register: xworkmate_bridge_systemd_unit_text
no_log: true
- name: Assert Caddy fragment only exposes app-facing bridge routes - name: Assert Caddy fragment only exposes app-facing bridge routes
ansible.builtin.assert: ansible.builtin.assert:
@ -26,6 +34,33 @@
- "'127.0.0.1:38992' not in xworkmate_bridge_fragment.stdout" - "'127.0.0.1:38992' not in xworkmate_bridge_fragment.stdout"
- "'127.0.0.1:8791' not in xworkmate_bridge_fragment.stdout" - "'127.0.0.1:8791' not in xworkmate_bridge_fragment.stdout"
- "'127.0.0.1:3920' not in xworkmate_bridge_fragment.stdout" - "'127.0.0.1:3920' not in xworkmate_bridge_fragment.stdout"
no_log: true
- name: Assert Caddy and systemd use the same bridge token set
ansible.builtin.assert:
that:
- >-
'Bearer ' ~ (xworkmate_bridge_effective_auth_token | default(xworkmate_bridge_auth_token))
in xworkmate_bridge_fragment.stdout
- >-
'Environment="BRIDGE_AUTH_TOKEN=' ~ (xworkmate_bridge_effective_auth_token | default(xworkmate_bridge_auth_token)) ~ '"'
in xworkmate_bridge_systemd_unit_text.stdout
- >-
((xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token) | trim | length) == 0)
or
(
'Bearer ' ~ (xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token))
in xworkmate_bridge_fragment.stdout
)
- >-
((xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token) | trim | length) == 0)
or
(
'Environment="BRIDGE_REVIEW_AUTH_TOKEN=' ~ (xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token)) ~ '"'
in xworkmate_bridge_systemd_unit_text.stdout
)
fail_msg: "xworkmate-bridge Caddy and systemd token configuration are not aligned"
no_log: true
- name: Check xworkmate-bridge systemd service status - name: Check xworkmate-bridge systemd service status
ansible.builtin.systemd: ansible.builtin.systemd:
@ -100,6 +135,25 @@
changed_when: false changed_when: false
no_log: true no_log: true
- name: Check xworkmate-bridge public domain ping with review token
ansible.builtin.uri:
url: "https://{{ xworkmate_bridge_service_domain }}/api/ping"
headers:
Authorization: "Bearer {{ xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token) }}"
Origin: "{{ xworkmate_bridge_validation_origin }}"
return_content: true
register: xworkmate_bridge_review_service_ping
until:
- xworkmate_bridge_review_service_ping.status == 200
- xworkmate_bridge_review_service_ping.json is defined
- xworkmate_bridge_review_service_ping.json.status | default('') == "ok"
retries: 3
delay: 5
changed_when: false
no_log: true
when:
- xworkmate_bridge_effective_review_auth_token | default(xworkmate_bridge_review_auth_token) | trim | length > 0
- name: Assert xworkmate-bridge capabilities expose app contract providers - name: Assert xworkmate-bridge capabilities expose app contract providers
ansible.builtin.assert: ansible.builtin.assert:
that: that: