92 lines
2.8 KiB
Bash
Executable File
92 lines
2.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
# shellcheck disable=SC2329
|
|
|
|
# =============================================================================
|
|
# phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded
|
|
# Checks:
|
|
# 1. HTTPS works with valid cert
|
|
# 2. HTTP redirects to HTTPS
|
|
# 3. All repos accessible via HTTPS
|
|
# 4. GitHub repos are marked as offsite backup
|
|
# Exits 0 only if ALL checks pass.
|
|
# =============================================================================
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
source "${SCRIPT_DIR}/lib/common.sh"
|
|
|
|
load_env
|
|
require_vars GITEA_DOMAIN GITEA_ADMIN_TOKEN GITEA_ORG_NAME \
|
|
GITHUB_USERNAME GITHUB_TOKEN \
|
|
REPO_1_NAME REPO_2_NAME REPO_3_NAME
|
|
|
|
log_info "=== Phase 8 Post-Check ==="
|
|
|
|
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
|
|
PASS=0
|
|
FAIL=0
|
|
|
|
run_check() {
|
|
local description="$1"; shift
|
|
if "$@" 2>/dev/null; then
|
|
log_success "$description"
|
|
PASS=$((PASS + 1))
|
|
else
|
|
log_error "FAIL: $description"
|
|
FAIL=$((FAIL + 1))
|
|
fi
|
|
}
|
|
|
|
# Check 1: HTTPS works
|
|
run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" \
|
|
curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"
|
|
|
|
# Check 2: HTTP redirects to HTTPS (returns 301)
|
|
# shellcheck disable=SC2329
|
|
check_redirect() {
|
|
local http_code
|
|
http_code=$(curl -sI -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/")
|
|
[[ "$http_code" == "301" ]]
|
|
}
|
|
run_check "HTTP → HTTPS redirect (301)" check_redirect
|
|
|
|
# Check 3: SSL certificate is valid (not self-signed)
|
|
# shellcheck disable=SC2329
|
|
check_ssl_cert() {
|
|
# Verify openssl can connect and the cert is issued by a recognized CA
|
|
local issuer
|
|
issuer=$(echo | openssl s_client -connect "${GITEA_DOMAIN}:443" -servername "${GITEA_DOMAIN}" 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "")
|
|
# Check that the issuer is not empty (meaning cert is valid)
|
|
[[ -n "$issuer" ]]
|
|
}
|
|
run_check "SSL certificate is valid" check_ssl_cert
|
|
|
|
# Check 4: All repos accessible via HTTPS
|
|
for repo in "${REPOS[@]}"; do
|
|
run_check "Repo ${repo} accessible at https://${GITEA_DOMAIN}/${GITEA_ORG_NAME}/${repo}" \
|
|
curl -sf -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "https://${GITEA_DOMAIN}/api/v1/repos/${GITEA_ORG_NAME}/${repo}"
|
|
done
|
|
|
|
# Check 5: GitHub repos are marked as offsite backup
|
|
for repo in "${REPOS[@]}"; do
|
|
# shellcheck disable=SC2329
|
|
check_mirror_marked() {
|
|
local desc
|
|
desc=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.description // ""')
|
|
[[ "$desc" == "[MIRROR]"* ]]
|
|
}
|
|
run_check "GitHub repo ${repo} marked as mirror" check_mirror_marked "$repo"
|
|
done
|
|
|
|
# Summary
|
|
printf '\n'
|
|
log_info "Results: ${PASS} passed, ${FAIL} failed"
|
|
|
|
if [[ $FAIL -gt 0 ]]; then
|
|
log_error "Phase 8 post-check FAILED"
|
|
exit 1
|
|
else
|
|
log_success "Phase 8 post-check PASSED — Gitea is live with HTTPS"
|
|
exit 0
|
|
fi
|