fix(omnl-portal): auth-source mapping for omdnl LXCs and LXC env fragments
Some checks failed
CI/CD Pipeline / Solidity Contracts (push) Failing after 1m35s
CI/CD Pipeline / Security Scanning (push) Successful in 2m27s
CI/CD Pipeline / Lint and Format (push) Failing after 55s
CI/CD Pipeline / Terraform Validation (push) Failing after 28s
CI/CD Pipeline / Kubernetes Validation (push) Successful in 27s
Deploy ChainID 138 / Deploy ChainID 138 (push) Failing after 46s
Validation / validate-genesis (push) Successful in 35s
Validation / validate-terraform (push) Failing after 27s
Validation / validate-kubernetes (push) Failing after 13s
Validation / validate-smart-contracts (push) Failing after 13s
Validation / validate-security (push) Failing after 1m24s
Validation / validate-documentation (push) Failing after 20s
Verify Deployment / Verify Deployment (push) Failing after 1m9s
Some checks failed
CI/CD Pipeline / Solidity Contracts (push) Failing after 1m35s
CI/CD Pipeline / Security Scanning (push) Successful in 2m27s
CI/CD Pipeline / Lint and Format (push) Failing after 55s
CI/CD Pipeline / Terraform Validation (push) Failing after 28s
CI/CD Pipeline / Kubernetes Validation (push) Successful in 27s
Deploy ChainID 138 / Deploy ChainID 138 (push) Failing after 46s
Validation / validate-genesis (push) Successful in 35s
Validation / validate-terraform (push) Failing after 27s
Validation / validate-kubernetes (push) Failing after 13s
Validation / validate-smart-contracts (push) Failing after 13s
Validation / validate-security (push) Failing after 1m24s
Validation / validate-documentation (push) Failing after 20s
Verify Deployment / Verify Deployment (push) Failing after 1m9s
Allow nginx auth snippets to use super-admin keys from paired d-bis.org VMIDs (5820→5826 exchange, etc.), generate snippets for all 5820–5828 on deploy, and add build-portal-lxc-env-fragment.sh for sync-time .env push with internal secret. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
44
scripts/deployment/build-portal-lxc-env-fragment.sh
Executable file
44
scripts/deployment/build-portal-lxc-env-fragment.sh
Executable file
@@ -0,0 +1,44 @@
|
||||
#!/usr/bin/env bash
|
||||
# Build portal .env fragment for LXC sync (stdout). Never commit output.
|
||||
# Usage: build-portal-lxc-env-fragment.sh CTID [AUTH_SOURCE_CTID]
|
||||
set -euo pipefail
|
||||
|
||||
CTID="${1:?CTID required}"
|
||||
AUTH_SOURCE_CTID="${2:-$CTID}"
|
||||
REPO_DIR="${OMNL_BANK_ROOT:-$HOME/smom-dbis-138}"
|
||||
ENV_FILE="${OMNL_BANK_ENV:-$REPO_DIR/.env}"
|
||||
CONFIG="$REPO_DIR/config/omnl-super-admins.v1.json"
|
||||
|
||||
[[ -f "$ENV_FILE" ]] || { echo "Missing $ENV_FILE" >&2; exit 1; }
|
||||
|
||||
set -a
|
||||
set +u
|
||||
# shellcheck disable=SC1090
|
||||
source "$ENV_FILE"
|
||||
set -u
|
||||
set +a
|
||||
|
||||
grep -E '^(OMNL_FINERACT_|OMNL_PUBLIC_MONEY_SUPPLY=|OMNL_REQUIRE_API_KEY=|OMNL_CUSTOMER_SECURITY_PRODUCTION=|OMNL_CUSTOMER_API_KEYS=|OFFICE24_OPENING_M1_USD=|OMNL_PORTAL_INTERNAL_SECRET=|JWT_SECRET=|DATABASE_URL=|RPC_URL_138=|CHAIN_138_RPC_URL=|SETTLEMENT_ALLOW_CHAIN_MINT_EXECUTE=|SETTLEMENT_ALLOW_HYBX_PRODUCTION=|OMNL_ALLOW_CHAIN_MINT_EXECUTE=|OMNL_MINT_OPERATOR_PRIVATE_KEY=|TOKEN_AGGREGATION_URL=|SWIFT_LISTENER_URL=|HYBX_MIFOS_FINERACT_SIDECAR_URL=|INFURA_PROJECT_ID=|INFURA_PROJECT_SECRET=)' "$ENV_FILE" || true
|
||||
|
||||
for key in OMNL_SUPER_ADMIN_OFFICE24_KEY OMNL_SUPER_ADMIN_EXCHANGE_KEY OMNL_SUPER_ADMIN_SECURE_KEY OMNL_SUPER_ADMIN_FOREX_KEY; do
|
||||
val="${!key:-}"
|
||||
[[ -n "$val" ]] && echo "${key}=${val}"
|
||||
done
|
||||
|
||||
ADMIN_ENV_KEY="$(node -e "
|
||||
const fs = require('fs');
|
||||
const cfg = JSON.parse(fs.readFileSync('$CONFIG', 'utf8'));
|
||||
const ct = Number('$AUTH_SOURCE_CTID');
|
||||
const admin = cfg.superAdmins.find(a => a.portalCtid === ct);
|
||||
if (!admin) process.exit(0);
|
||||
console.log(admin.envKey);
|
||||
")"
|
||||
|
||||
if [[ -n "$ADMIN_ENV_KEY" ]]; then
|
||||
API_VAL="${!ADMIN_ENV_KEY:-}"
|
||||
if [[ -n "$API_VAL" ]]; then
|
||||
echo "OMNL_API_KEY=${API_VAL}"
|
||||
fi
|
||||
elif [[ -n "${OMNL_API_KEY:-}" ]]; then
|
||||
echo "OMNL_API_KEY=${OMNL_API_KEY}"
|
||||
fi
|
||||
@@ -56,10 +56,18 @@ if [[ -f "$ENV_FILE" ]] && ! grep -q '^OMNL_SUPER_ADMIN_OFFICE24_KEY=' "$ENV_FIL
|
||||
fi
|
||||
|
||||
if [[ -f "$ENV_FILE" ]]; then
|
||||
for CTID in 5825 5826 5827 5828; do
|
||||
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" "$CTID" "$REPO_DIR/deploy/nginx/omnl-portal-auth-${CTID}.conf.inc" || true
|
||||
# omdnl.org LXCs (5820–5824) reuse super-admin keys from d-bis.org twins (5826–5828 / 5825).
|
||||
declare -A PORTAL_AUTH_SOURCE=(
|
||||
[5820]=5826 [5821]=5827 [5822]=5827 [5823]=5828 [5824]=5825
|
||||
[5825]=5825 [5826]=5826 [5827]=5827 [5828]=5828
|
||||
)
|
||||
for CTID in 5820 5821 5822 5823 5824 5825 5826 5827 5828; do
|
||||
AUTH_SRC="${PORTAL_AUTH_SOURCE[$CTID]}"
|
||||
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" \
|
||||
"$CTID" "$REPO_DIR/deploy/nginx/omnl-portal-auth-${CTID}.conf.inc" "$AUTH_SRC" || true
|
||||
done
|
||||
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" 5827 "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" || true
|
||||
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" \
|
||||
5827 "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" 5827 || true
|
||||
if [[ -f "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" ]]; then
|
||||
sudo cp "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" /etc/nginx/omnl-portal-auth-current.conf.inc 2>/dev/null || \
|
||||
cp "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" 2>/dev/null || true
|
||||
|
||||
@@ -6,6 +6,7 @@ REPO_DIR="${OMNL_BANK_ROOT:-$HOME/smom-dbis-138}"
|
||||
ENV_FILE="${OMNL_BANK_ENV:-$REPO_DIR/.env}"
|
||||
CTID="${1:-5827}"
|
||||
OUT="${2:-$REPO_DIR/deploy/nginx/omnl-portal-auth-${CTID}.conf.inc}"
|
||||
AUTH_SOURCE_CTID="${3:-$CTID}"
|
||||
|
||||
CONFIG="$REPO_DIR/config/omnl-super-admins.v1.json"
|
||||
|
||||
@@ -24,7 +25,7 @@ set +a
|
||||
ENV_KEY="$(node -e "
|
||||
const fs = require('fs');
|
||||
const cfg = JSON.parse(fs.readFileSync('$CONFIG', 'utf8'));
|
||||
const ct = Number('$CTID');
|
||||
const ct = Number('$AUTH_SOURCE_CTID');
|
||||
const admin = cfg.superAdmins.find(a => a.portalCtid === ct);
|
||||
if (!admin) process.exit(2);
|
||||
console.log(admin.envKey);
|
||||
@@ -34,13 +35,18 @@ API_KEY="${!ENV_KEY:-${OMNL_API_KEY:-}}"
|
||||
INTERNAL="${OMNL_PORTAL_INTERNAL_SECRET:-}"
|
||||
|
||||
if [[ -z "$API_KEY" ]]; then
|
||||
echo "No API key for CT $CTID ($ENV_KEY unset)" >&2
|
||||
echo "No API key for CT $CTID (auth source $AUTH_SOURCE_CTID, $ENV_KEY unset)" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
AUTH_NOTE="CT $CTID portal upstream auth"
|
||||
if [[ "$AUTH_SOURCE_CTID" != "$CTID" ]]; then
|
||||
AUTH_NOTE="CT $CTID portal upstream auth (key from CT $AUTH_SOURCE_CTID)"
|
||||
fi
|
||||
|
||||
mkdir -p "$(dirname "$OUT")"
|
||||
cat >"$OUT" <<EOF
|
||||
# Auto-generated — do not commit. CT $CTID portal upstream auth.
|
||||
# Auto-generated — do not commit. ${AUTH_NOTE}.
|
||||
proxy_set_header Authorization "Bearer ${API_KEY}";
|
||||
proxy_set_header X-OMNL-Portal-Auth "${INTERNAL}";
|
||||
EOF
|
||||
|
||||
Reference in New Issue
Block a user