import { readFileSync } from "node:fs";
import { rootPath } from "./src/config";
/**
 * Aborts the check run when a policy condition does not hold.
 *
 * @param condition - Value tested for truthiness; any falsy value fails the check.
 * @param message - Human-readable statement of the rule that was violated.
 * @param detail - Context serialized with JSON.stringify and appended to the error message
 *   (defaults to an empty object).
 * @throws Error with the text `<message>: <JSON detail>` when `condition` is falsy.
 */
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
  if (condition) {
    return;
  }
  // Serialize only on the failure path so passing checks never pay for it.
  const renderedDetail = JSON.stringify(detail);
  throw new Error(`${message}: ${renderedDetail}`);
}
// Files inspected by this check: the two platform-infra YAML configs and the
// Sub2API Kubernetes manifest, all resolved through rootPath.
const platformInfraConfig = (fileName: string) => rootPath("config", "platform-infra", fileName);

const sub2apiConfigPath = platformInfraConfig("sub2api.yaml");
const codexPoolConfigPath = platformInfraConfig("sub2api-codex-pool.yaml");
const manifestPath = rootPath(
  "src",
  "components",
  "platform-infra",
  "sub2api",
  "sub2api.k8s.yaml",
);
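/**
 * Subset of sub2api.yaml read by this check. Every level is optional because
 * the file is not schema-validated here; the assertions further down are the
 * only runtime validation of these fields.
 */
type Sub2apiConfig = {
  security?: {
    urlAllowlist?: {
      enabled?: boolean;
      allowInsecureHttp?: boolean;
      allowPrivateHosts?: boolean;
      upstreamHosts?: string[];
    };
  };
};

/** Subset of sub2api-codex-pool.yaml read by this check. */
type CodexPoolConfig = {
  profiles?: {
    entries?: Array<{
      accountName?: string;
    }>;
  };
};

// The `as` casts are compile-time only: nothing here verifies that the parsed
// YAML really has this shape. `?? {}` covers a document that parses to
// null/undefined (for example an empty file), so the policy assertions fail
// with their own message instead of a TypeError on the first property access.
const sub2api = (Bun.YAML.parse(readFileSync(sub2apiConfigPath, "utf8")) ?? {}) as Sub2apiConfig;
const codexPool = (Bun.YAML.parse(readFileSync(codexPoolConfigPath, "utf8")) ?? {}) as CodexPoolConfig;

// The manifest is kept as raw text; it is only searched for a literal line below.
const manifest = readFileSync(manifestPath, "utf8");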
// Policy gate for the Sub2API upstream URL settings. Each assertion pins one
// YAML value; the first failure aborts the run with the offending config attached.
const poolEntries = codexPool.profiles?.entries ?? [];
const urlPolicy = sub2api.security?.urlAllowlist;

assertCondition(
  poolEntries.length > 0,
  "Codex pool must have YAML-selected upstream accounts",
  codexPool.profiles,
);

// NOTE(review): the allowlist is required to be OFF while allowPrivateHosts is
// required to be false (below). Whether Sub2API still enforces the private-host
// restriction when the allowlist is disabled is not visible from this file —
// confirm, otherwise the private-host assertion does not actually constrain
// where upstream requests can go.
assertCondition(
  urlPolicy?.enabled === false,
  "Sub2API URL allowlist must be disabled for current HTTP upstream pool policy",
  sub2api.security,
);

// Deliberate exception: plaintext http:// upstreams are permitted. Anything sent
// to those upstreams is unencrypted in transit, so this check records the
// affected account names in the failure detail for review.
assertCondition(
  urlPolicy?.allowInsecureHttp === true,
  "Sub2API must allow http:// upstream base URLs for account tests and normal scheduling",
  {
    security: sub2api.security,
    accounts: poolEntries.map((entry) => entry.accountName),
  },
);

assertCondition(
  urlPolicy?.allowPrivateHosts === false,
  "Sub2API must not allow private hosts for this public HTTP upstream exception",
  sub2api.security,
);

// Only the presence of the key as a list is required; an empty list passes.
assertCondition(
  Array.isArray(urlPolicy?.upstreamHosts),
  "Sub2API upstreamHosts must be YAML-controlled even when empty",
  sub2api.security,
);

// NOTE(review): this is a plain substring match for the allowInsecureHttp
// placeholder only. It does not show that the other urlAllowlist settings are
// rendered from YAML, and it would also match the line inside a comment.
// On failure the whole manifest text is embedded in the error message.
assertCondition(
  manifest.includes('SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP: "__SUB2API_SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP__"'),
  "Sub2API manifest must render allowInsecureHttp from YAML",
  manifest,
);
// Reached only when every assertion above passed: emit a single-line JSON
// summary on stdout listing the checks performed and the pool account names.
// NOTE(review): account names end up in whatever log captures stdout — confirm
// they are not considered sensitive there.
const report = {
  ok: true,
  checks: [
    "Sub2API runtime URL policy explicitly allows http:// upstream base URLs",
    "Sub2API manifest renders URL policy from YAML instead of hardcoding the old value",
  ],
  accounts: (codexPool.profiles?.entries ?? []).map((profile) => profile.accountName),
};

console.log(JSON.stringify(report));