import {
baiduNetdiskAuthHealthGateStatus,
baiduNetdiskRuntimeSecretRequirements,
runtimeSecretContractFromEnvText,
runtimeSecretPresenceFromEnvText,
} from "./src/artifact-registry";
/**
 * Minimal assertion helper for this script: throws when `condition` is falsy.
 *
 * The thrown message is `message`, a colon, and `detail` serialized with
 * JSON.stringify. Whatever is passed as `detail` therefore ends up verbatim in
 * the error text (and in any log that captures it), so callers should only
 * pass values that are safe to print.
 *
 * @param condition - Value tested for truthiness.
 * @param message - Human-readable description of the expectation.
 * @param detail - Context appended to the error message; defaults to `{}`.
 * @throws Error when `condition` is falsy.
 */
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
  if (condition) {
    return;
  }
  const serializedDetail = JSON.stringify(detail);
  throw new Error(`${message}: ${serializedDetail}`);
}
// Fixture env-file text holding all three Baidu Netdisk entries. The values are
// fabricated placeholders, not real credentials. The client secret is wrapped
// in double quotes while the other two values are bare. There is no trailing
// newline after the last entry.
const secretEnvText =
  "UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n" +
  "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET=\"clientsecret-clientsecret-0001\"\n" +
  "UNIDESK_BAIDU_NETDISK_TOKEN_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
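// Presence report for the complete fixture: every required secret should be
// flagged as present.
const present = runtimeSecretPresenceFromEnvText(secretEnvText, baiduNetdiskRuntimeSecretRequirements);
assertCondition(present.every((item) => item.present), "all baidu-netdisk secrets should be present", present);

// The expected lengths match the fixture values in fixture order: 31, 30, 64.
// 30 (not 32) for the client secret means the surrounding double quotes in the
// env text are not counted as part of the value.
assertCondition(present.map((item) => item.length).join(",") === "31,30,64", "presence reports only lengths", present);

// Leak check: the serialized report must not contain a recognisable fragment of
// either the fake client secret or the fake token key. Checking only one of
// them would let a regression that echoes the other value go unnoticed.
// NOTE(review): the client id fragment is not checked; confirm whether the
// client id is meant to be treated as confidential in this report.
// The report is passed as failure detail, which is acceptable only because the
// fixture values are fabricated.
const serializedPresence = JSON.stringify(present);
for (const fakeFragment of ["clientsecret", "0123456789abcdef"]) {
  assertCondition(!serializedPresence.includes(fakeFragment), "secret values must not be exposed", present);
}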
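// Contract built from the complete fixture plus a description of where the env
// file lives (path, working directory, compose env file, service, container).
const presentContract = runtimeSecretContractFromEnvText(secretEnvText, baiduNetdiskRuntimeSecretRequirements, {
  path: "/root/unidesk/.state/docker-compose.env",
  exists: true,
  workDir: "/root/unidesk",
  composeEnvFile: ".state/docker-compose.env",
  composeService: "baidu-netdisk",
  containerName: "baidu-netdisk-backend",
});

// With every key supplied the contract should pass, list no missing keys,
// recommend no action and declare that no values were printed.
assertCondition(presentContract.secretSource.kind === "compose-env-file", "secret source should name canonical compose env file", presentContract);
assertCondition(presentContract.requiredSecretsPresent === true, "present contract should pass", presentContract);
assertCondition(presentContract.missingSecretKeys.length === 0, "present contract should not list missing keys", presentContract);
assertCondition(presentContract.recommendedAction === "none", "present contract should recommend no action", presentContract);
assertCondition(presentContract.valuesPrinted === false, "present contract must not print values", presentContract);

// `valuesPrinted === false` is only a self-declaration, so the serialized
// contract is also scanned for fragments of the fake client secret and the
// fake token key. Scanning for a single fragment would miss a leak of the
// other value.
const serializedPresentContract = JSON.stringify(presentContract);
for (const fakeFragment of ["clientsecret", "0123456789abcdef"]) {
  assertCondition(!serializedPresentContract.includes(fakeFragment), "contract must not expose fake secret values", presentContract);
}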
// Presence report for env text that only carries the client id; the client
// secret and token key entries are absent.
const missing = runtimeSecretPresenceFromEnvText(
  "UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n",
  baiduNetdiskRuntimeSecretRequirements,
);

// At least one requirement must be reported as not present.
assertCondition(missing.some((item) => !item.present), "missing env should fail presence contract", missing);

// The absent entries are identified by their env variable names, in this order.
const absentSourceNames = missing.filter((item) => !item.present).map((item) => item.sourceEnvName);
assertCondition(
  absentSourceNames.join(",") === "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET,UNIDESK_BAIDU_NETDISK_TOKEN_KEY",
  "missing env should identify absent keys without values",
  missing,
);
// Contract for the incomplete env text (client id only), using the same env
// file description as the passing case.
const missingContract = runtimeSecretContractFromEnvText(
  "UNIDESK_BAIDU_NETDISK_CLIENT_ID=clientid-clientid-clientid-0000\n",
  baiduNetdiskRuntimeSecretRequirements,
  {
    path: "/root/unidesk/.state/docker-compose.env",
    exists: true,
    workDir: "/root/unidesk",
    composeEnvFile: ".state/docker-compose.env",
    composeService: "baidu-netdisk",
    containerName: "baidu-netdisk-backend",
  },
);

// An incomplete env file must not satisfy the contract.
assertCondition(missingContract.requiredSecretsPresent === false, "missing contract should fail", missingContract);

// The contract names the missing keys (names only) in this order.
const missingKeyList = missingContract.missingSecretKeys.join(",");
assertCondition(
  missingKeyList === "UNIDESK_BAIDU_NETDISK_CLIENT_SECRET,UNIDESK_BAIDU_NETDISK_TOKEN_KEY",
  "missing contract should expose missing source keys",
  missingContract,
);

// The remediation text should point the operator at the canonical Compose env file.
const recommendedActionText = String(missingContract.recommendedAction);
assertCondition(
  recommendedActionText.includes("canonical Compose env file"),
  "missing contract should recommend the canonical source",
  missingContract,
);
// Auth payload in which every gate field is true: the health gate should pass.
const healthy = baiduNetdiskAuthHealthGateStatus({
  auth: { configured: true, clientIdConfigured: true, clientSecretConfigured: true, tokenKeyConfigured: true, loggedIn: true },
});
assertCondition(healthy.ok, "healthy auth fields should pass", healthy);
// Auth payload with `configured` and `tokenKeyConfigured` false: the gate must
// fail and name exactly those two fields, in that order.
// NOTE(review): clientIdConfigured, clientSecretConfigured and loggedIn are
// never set to false in this script, so a gate that ignored them would still
// pass these checks.
const degraded = baiduNetdiskAuthHealthGateStatus({
  auth: { configured: false, clientIdConfigured: true, clientSecretConfigured: true, tokenKeyConfigured: false, loggedIn: true },
});
assertCondition(!degraded.ok, "missing auth fields should fail", degraded);

const failedFieldList = degraded.failedFields.join(",");
assertCondition(
  failedFieldList === "configured,tokenKeyConfigured",
  "auth gate should report failed boolean fields",
  degraded,
);
// Reached only when no assertion above threw. Emits a pretty-printed JSON
// summary on stdout: the list of checks performed plus the reports they were
// run against. The reports are printed as-is, so this output is only as clean
// as the reports themselves; the inputs here are fabricated fixtures.
const report = {
  ok: true,
  checks: [
    "runtime secret presence reports booleans and lengths only",
    "runtime secret contract exposes secretSource/requiredSecretsPresent/missingSecretKeys/recommendedAction without values",
    "missing Baidu Netdisk env cannot pass the deploy contract",
    "auth health gate requires configured/clientId/clientSecret/tokenKey/loggedIn",
  ],
  present,
  presentContract,
  // Each entry is copied with its `length` field set explicitly.
  missing: missing.map((item) => ({ ...item, length: item.length })),
  missingContract,
  degraded,
};
process.stdout.write(JSON.stringify(report, null, 2) + "\n");