niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e9338dec28f413d51f88966d0c6deef7d53920fb
lijiaoqiao/scripts/supply-gate/tok005_boundary_dryrun.sh

164 lines
4.9 KiB
Bash
Raw Normal View History

feat: sync lijiaoqiao implementation and staging validation artifacts
2026-03-31 13:40:00 +08:00
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
ROOT_DIR="$(cd "${SCRIPT_DIR}/../.." && pwd)"
ENV_FILE="${1:-${SCRIPT_DIR}/.env}"
OUT_DIR="${ROOT_DIR}/reports/gates"
ART_ROOT="${ROOT_DIR}/tests/supply/artifacts"
TS="$(date +%F_%H%M%S)"
CASE_ID="tok005_dryrun_${TS}"
ART_DIR="${ART_ROOT}/${CASE_ID}"
REPORT_FILE="${OUT_DIR}/${CASE_ID}.md"
LOG_FILE="${OUT_DIR}/${CASE_ID}.log"
mkdir -p "${OUT_DIR}" "${ART_DIR}"
if [[ ! -f "${ENV_FILE}" ]]; then
echo "[FAIL] env file not found: ${ENV_FILE}" | tee -a "${LOG_FILE}"
exit 1
fi
# shellcheck disable=SC1090
source "${ENV_FILE}"
GO_BIN="${ROOT_DIR}/.tools/go-current/bin/go"
if [[ ! -x "${GO_BIN}" ]]; then
if command -v go >/dev/null 2>&1; then
GO_BIN="$(command -v go)"
else
echo "[FAIL] go binary not found. expected: ${ROOT_DIR}/.tools/go-current/bin/go" | tee -a "${LOG_FILE}"
exit 1
fi
fi
PLATFORM_RT_DIR="${ROOT_DIR}/platform-token-runtime"
if [[ ! -d "${PLATFORM_RT_DIR}" ]]; then
echo "[FAIL] missing runtime dir: ${PLATFORM_RT_DIR}" | tee -a "${LOG_FILE}"
exit 1
fi
{
echo "[INFO] TOK-005 dry-run started at ${TS}"
echo "[INFO] go bin: ${GO_BIN}"
"${GO_BIN}" version
} | tee "${LOG_FILE}"
GO_TEST_STATUS="PASS"
set +e
(
cd "${PLATFORM_RT_DIR}"
export PATH="$(dirname "${GO_BIN}"):${PATH}"
export GOCACHE="${ROOT_DIR}/.tools/go-cache"
export GOPATH="${ROOT_DIR}/.tools/go"
"${GO_BIN}" test ./...
) > "${ART_DIR}/go_test_output.txt" 2>&1
GO_TEST_RC=$?
set -e
if [[ "${GO_TEST_RC}" -ne 0 ]]; then
GO_TEST_STATUS="FAIL"
fi
cat "${ART_DIR}/go_test_output.txt" >> "${LOG_FILE}"
# M-016: query key 外拒能力静态检查
QUERY_KEY_STATUS="PASS"
if ! grep -Eq 'disallowedQueryKeys = \[\]string\{"key", "api_key", "token"\}' \
"${PLATFORM_RT_DIR}/internal/auth/middleware/query_key_reject_middleware.go"; then
QUERY_KEY_STATUS="FAIL"
fi
# M-013: 敏感值不落审计(用例断言存在性)
REDACTION_STATUS="PASS"
if ! grep -q 'TestTOKAud006QueryKeyRejectedEvent' "${PLATFORM_RT_DIR}/internal/token/audit_executable_test.go"; then
REDACTION_STATUS="FAIL"
fi
if ! grep -q 'must not contain raw query key value' "${PLATFORM_RT_DIR}/internal/token/audit_executable_test.go"; then
REDACTION_STATUS="FAIL"
fi
# TOK-LIFE/TOK-AUD 全量可执行用例覆盖检查
CASE_COVERAGE_STATUS="PASS"
for case_id in TOKLife001 TOKLife002 TOKLife003 TOKLife004 TOKLife005 TOKLife006 TOKLife007 TOKLife008; do
if ! grep -q "Test${case_id}" "${PLATFORM_RT_DIR}/internal/token/lifecycle_executable_test.go"; then
CASE_COVERAGE_STATUS="FAIL"
fi
done
for case_id in TOKAud001 TOKAud002 TOKAud003 TOKAud004 TOKAud005 TOKAud006 TOKAud007; do
if ! grep -q "Test${case_id}" "${PLATFORM_RT_DIR}/internal/token/audit_executable_test.go"; then
CASE_COVERAGE_STATUS="FAIL"
fi
done
# 真实 staging 准备度(当前阶段预期为 BLOCKED
LIVE_READY="YES"
LIVE_BLOCK_REASON=""
required=(API_BASE_URL OWNER_BEARER_TOKEN VIEWER_BEARER_TOKEN ADMIN_BEARER_TOKEN)
for v in "${required[@]}"; do
if [[ -z "${!v:-}" ]]; then
LIVE_READY="NO"
LIVE_BLOCK_REASON="missing ${v}"
break
fi
done
if [[ "${LIVE_READY}" == "YES" ]]; then
for t in "${OWNER_BEARER_TOKEN}" "${VIEWER_BEARER_TOKEN}" "${ADMIN_BEARER_TOKEN}"; do
if [[ "${t}" == replace-me-* ]]; then
LIVE_READY="NO"
LIVE_BLOCK_REASON="placeholder token detected"
break
fi
done
fi
if [[ "${LIVE_READY}" == "YES" && "${API_BASE_URL}" == *"example.com"* ]]; then
LIVE_READY="NO"
LIVE_BLOCK_REASON="placeholder API_BASE_URL detected"
fi
cat > "${REPORT_FILE}" <<EOF
# TOK-005 凭证边界 Dry-Run 报告
- 时间戳:${TS}
- 环境文件:${ENV_FILE}
- 用途:开发阶段预联调(不替代真实 staging 结论)
## 1. 结果总览
| 检查项 | 结果 | 说明 |
|---|---|---|
| Go 测试执行 | ${GO_TEST_STATUS} | \`go test ./...\` 输出见 artifacts |
| Query Key 外拒检查M-016 | ${QUERY_KEY_STATUS} | 中间件规则静态校验 |
| 审计脱敏检查M-013 | ${REDACTION_STATUS} | 审计测试中存在敏感值禁止断言 |
| TOK 用例全量可执行覆盖 | ${CASE_COVERAGE_STATUS} | TOK-LIFE-001~008 / TOK-AUD-001~007 |
| staging 实测就绪性 | ${LIVE_READY} | ${LIVE_BLOCK_REASON:-ready} |
## 2. 证据路径
1. \`${ART_DIR}/go_test_output.txt\`
2. \`${LOG_FILE}\`
## 3. 判定
1. Dry-run 通过条件:
1. Go 测试执行=PASS
2. Query Key 外拒检查=PASS
3. 审计脱敏检查=PASS
4. TOK 用例全量可执行覆盖=PASS
2. staging 就绪性为 NO 时,仅表示“真实联调暂不可启动”,不影响开发阶段 dry-run 结论。
EOF
RESULT="PASS"
if [[ "${GO_TEST_STATUS}" != "PASS" || "${QUERY_KEY_STATUS}" != "PASS" || "${REDACTION_STATUS}" != "PASS" || "${CASE_COVERAGE_STATUS}" != "PASS" ]]; then
RESULT="FAIL"
fi
{
echo "[INFO] report: ${REPORT_FILE}"
echo "[INFO] artifact: ${ART_DIR}"
echo "[RESULT] ${RESULT}"
} | tee -a "${LOG_FILE}"
if [[ "${RESULT}" != "PASS" ]]; then
exit 1
fi
Reference in New Issue Copy Permalink