206 lines
7.0 KiB
Bash
Executable File
206 lines
7.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
CANONICAL_DOMAIN="${1:?usage: verify-frontend-release.sh <canonical-domain> <served-domains> <expected-image-ref> [request-base-url]}"
|
|
SERVED_DOMAINS="${2:?usage: verify-frontend-release.sh <canonical-domain> <served-domains> <expected-image-ref> [request-base-url]}"
|
|
EXPECTED_IMAGE_REF="${3:?usage: verify-frontend-release.sh <canonical-domain> <served-domains> <expected-image-ref> [request-base-url]}"
|
|
REQUEST_BASE_URL="${4:-https://${CANONICAL_DOMAIN}}"
|
|
EXPECTED_DASHBOARD_URL="https://${CANONICAL_DOMAIN}"
|
|
|
|
curl_headers=(
|
|
-H 'user-agent: Mozilla/5.0 (compatible; console-release-validator/1.0; +https://www.svc.plus)'
|
|
-H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
|
|
-H 'accept-language: en-US,en;q=0.9'
|
|
)
|
|
|
|
trim() {
|
|
local value="$1"
|
|
value="${value#"${value%%[![:space:]]*}"}"
|
|
value="${value%"${value##*[![:space:]]}"}"
|
|
printf '%s' "${value}"
|
|
}
|
|
|
|
parse_image_ref() {
|
|
local image_ref="$1"
|
|
|
|
IMAGE_REF="${image_ref}" python3 - <<'PY'
|
|
import os
|
|
import re
|
|
import sys
|
|
|
|
image_ref = os.environ["IMAGE_REF"].strip()
|
|
match = re.search(r":([^:@]+)$", image_ref)
|
|
tag = match.group(1) if match else ""
|
|
commit = ""
|
|
|
|
if re.fullmatch(r"[0-9a-f]{7,40}", tag, flags=re.IGNORECASE):
|
|
commit = tag
|
|
else:
|
|
prefixed_match = re.fullmatch(r"sha-([0-9a-f]{7,40})", tag, flags=re.IGNORECASE)
|
|
if prefixed_match:
|
|
commit = prefixed_match.group(1)
|
|
|
|
if not image_ref or not tag or not commit:
|
|
sys.exit(1)
|
|
|
|
print(image_ref)
|
|
print(tag)
|
|
print(commit)
|
|
PY
|
|
}
|
|
|
|
parse_release_metadata() {
|
|
local payload="$1"
|
|
RELEASE_PAYLOAD="${payload}" python3 - <<'PY'
|
|
import json
|
|
import os
|
|
|
|
payload = json.loads(os.environ["RELEASE_PAYLOAD"])
|
|
print(payload.get("releaseImageRef", ""))
|
|
print(payload.get("releaseImageTag", ""))
|
|
print(payload.get("releaseCommit", ""))
|
|
print(payload.get("dashboardUrl", ""))
|
|
PY
|
|
}
|
|
|
|
require_http_200() {
|
|
local url="$1"
|
|
shift
|
|
|
|
local http_code
|
|
http_code="$(curl -sS -o /dev/null -w '%{http_code}' "$@" "${url}")"
|
|
if [[ "${http_code}" != "200" ]]; then
|
|
echo "Expected HTTP 200 from ${url}, got ${http_code}" >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
verify_domain() {
|
|
local domain="$1"
|
|
local request_base_url="${REQUEST_BASE_URL%/}"
|
|
local request_headers=("${curl_headers[@]}" -H "host: ${domain}")
|
|
local homepage_html asset_path release_payload release_metadata
|
|
local actual_image_ref actual_image_tag actual_release_commit actual_dashboard_url
|
|
local release_lines
|
|
|
|
require_http_200 "${request_base_url}" "${request_headers[@]}"
|
|
printf 'verified homepage for %s: 200\n' "${domain}" >&2
|
|
|
|
homepage_html="$(curl -fsSL "${request_headers[@]}" "${request_base_url}")"
|
|
asset_path="$(printf '%s' "${homepage_html}" | grep -Eo '/_next/static/[^"'"'"' ]+\.(css|js)' | head -n 1)"
|
|
if [[ -z "${asset_path}" ]]; then
|
|
echo "Could not find a _next/static asset on ${domain} via ${request_base_url}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
require_http_200 "${request_base_url}${asset_path}" "${request_headers[@]}"
|
|
printf 'verified static asset for %s: %s%s\n' "${domain}" "${request_base_url}" "${asset_path}" >&2
|
|
|
|
require_http_200 "${request_base_url}/api/ping" "${request_headers[@]}"
|
|
release_payload="$(curl -fsSL "${request_headers[@]}" "${request_base_url}/api/ping")"
|
|
release_metadata="$(parse_release_metadata "${release_payload}")"
|
|
|
|
mapfile -t release_lines <<< "${release_metadata}"
|
|
actual_image_ref="${release_lines[0]-}"
|
|
actual_image_tag="${release_lines[1]-}"
|
|
actual_release_commit="${release_lines[2]-}"
|
|
actual_dashboard_url="${release_lines[3]-}"
|
|
|
|
if [[ -z "${actual_image_ref}" || -z "${actual_image_tag}" || -z "${actual_release_commit}" ]]; then
|
|
echo "Remote release metadata is incomplete for ${domain}: ${release_payload}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! "${actual_image_tag}" =~ ^[0-9a-f]{7,40}$ ]]; then
|
|
echo "Remote image tag must contain a commit id for ${domain}, got: ${actual_image_tag}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ "${actual_release_commit}" != "${actual_image_tag}" ]]; then
|
|
echo "Remote release commit mismatch for ${domain}: expected ${actual_image_tag}, got ${actual_release_commit}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ "${actual_dashboard_url}" != "${EXPECTED_DASHBOARD_URL}" ]]; then
|
|
echo "Remote dashboardUrl mismatch for ${domain}: expected ${EXPECTED_DASHBOARD_URL}, got ${actual_dashboard_url}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
printf 'verified release image for %s: %s\n' "${domain}" "${actual_image_ref}" >&2
|
|
printf 'verified release commit for %s: %s\n' "${domain}" "${actual_release_commit}" >&2
|
|
printf 'verified dashboardUrl for %s: %s\n' "${domain}" "${actual_dashboard_url}" >&2
|
|
|
|
printf '%s\t%s\t%s\t%s\t%s\n' "${domain}" "${actual_image_ref}" "${actual_image_tag}" "${actual_release_commit}" "${actual_dashboard_url}"
|
|
}
|
|
|
|
mapfile -t expected_release_lines < <(parse_image_ref "${EXPECTED_IMAGE_REF}")
|
|
EXPECTED_RELEASE_IMAGE_REF="${expected_release_lines[0]-}"
|
|
EXPECTED_RELEASE_IMAGE_TAG="${expected_release_lines[1]-}"
|
|
EXPECTED_RELEASE_COMMIT="${expected_release_lines[2]-}"
|
|
|
|
if [[ -z "${EXPECTED_RELEASE_IMAGE_REF}" || -z "${EXPECTED_RELEASE_IMAGE_TAG}" || -z "${EXPECTED_RELEASE_COMMIT}" ]]; then
|
|
echo "Expected image ref is invalid: ${EXPECTED_IMAGE_REF}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
mapfile -t served_domains < <(
|
|
printf '%s' "${SERVED_DOMAINS}" | tr ',' '\n' | while IFS= read -r domain; do
|
|
domain="$(trim "${domain}")"
|
|
if [[ -n "${domain}" ]]; then
|
|
printf '%s\n' "${domain}"
|
|
fi
|
|
done
|
|
)
|
|
|
|
if [[ "${#served_domains[@]}" -eq 0 ]]; then
|
|
echo "No served domains were provided." >&2
|
|
exit 1
|
|
fi
|
|
|
|
canonical_found=false
|
|
declare -a verification_rows=()
|
|
|
|
for domain in "${served_domains[@]}"; do
|
|
if [[ "${domain}" == "${CANONICAL_DOMAIN}" ]]; then
|
|
canonical_found=true
|
|
fi
|
|
verification_rows+=("$(verify_domain "${domain}")")
|
|
done
|
|
|
|
if [[ "${canonical_found}" != "true" ]]; then
|
|
echo "Canonical domain ${CANONICAL_DOMAIN} must be included in served domains: ${SERVED_DOMAINS}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
reference_image_ref=""
|
|
reference_image_tag=""
|
|
reference_release_commit=""
|
|
reference_dashboard_url=""
|
|
|
|
for row in "${verification_rows[@]}"; do
|
|
IFS=$'\t' read -r domain actual_image_ref actual_image_tag actual_release_commit actual_dashboard_url <<< "${row}"
|
|
|
|
if [[ "${actual_image_ref}" != "${EXPECTED_RELEASE_IMAGE_REF}" ]]; then
|
|
echo "Release image mismatch for ${domain}: expected ${EXPECTED_RELEASE_IMAGE_REF}, got ${actual_image_ref}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ "${actual_image_tag}" != "${EXPECTED_RELEASE_IMAGE_TAG}" ]]; then
|
|
echo "Release tag mismatch for ${domain}: expected ${EXPECTED_RELEASE_IMAGE_TAG}, got ${actual_image_tag}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ "${actual_release_commit}" != "${EXPECTED_RELEASE_COMMIT}" ]]; then
|
|
echo "Release commit mismatch for ${domain}: expected ${EXPECTED_RELEASE_COMMIT}, got ${actual_release_commit}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z "${reference_image_ref}" ]]; then
|
|
reference_image_ref="${actual_image_ref}"
|
|
reference_image_tag="${actual_image_tag}"
|
|
reference_release_commit="${actual_release_commit}"
|
|
reference_dashboard_url="${actual_dashboard_url}"
|
|
continue
|
|
fi
|
|
done
|