Files
e-tib.com/scripts/registry-auth.sh
Marc Mintel 26d325df44
Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 38s
Build & Deploy / 🧪 QA (push) Successful in 1m22s
Build & Deploy / 🏗️ Build (push) Successful in 4m27s
Build & Deploy / 🚀 Deploy (push) Failing after 39s
Build & Deploy / 🧪 Post-Deploy Verification (push) Has been skipped
Build & Deploy / 🔔 Notify (push) Successful in 2s
fix(config): ensure analytics URL has protocol to prevent build crash
2026-05-12 13:01:18 +02:00

161 lines
5.7 KiB
Bash
Executable File

#!/bin/bash
set -e
# --- CONFIGURATION ---
# The registry domain and base path for @mintel packages
DOMAINS=("git.infra.mintel.me" "registry.infra.mintel.me" "npm.infra.mintel.me")
REGISTRY_PATH="/api/packages/mmintel/npm"
# Package used for functional connectivity test (URL encoded)
TEST_PACKAGE_ENCODED="%40mintel%2Fmail"
echo "🚀 Starting Hardened Registry Authentication Discovery..."
# --- TOKEN DISCOVERY ---
# We try various candidate secrets. Gitea environment might have different names.
CANDIDATES=(
"NPM_TOKEN"
"GITEA_PAT"
"MINTEL_PRIVATE_TOKEN"
"MINTEL_REGISTRY_TOKEN"
"GITHUB_TOKEN"
"GITEA_TOKEN"
)
WORKING_TOKEN=""
WORKING_DOMAIN=""
WORKING_PATH=""
# --- LOCAL DISCOVERY (for local dev) ---
if [ -z "${NPM_TOKEN}" ]; then
echo "🔍 Searching for tokens in local config files..."
LOCAL_CANDIDATES=(
"$HOME/.npmrc"
"$HOME/.pnpmrc"
"./.npmrc.local"
)
for FILE in "${LOCAL_CANDIDATES[@]}"; do
if [ -f "${FILE}" ]; then
echo " Checking ${FILE}..."
# Try to extract _authToken
EXTRACTED=$(grep "_authToken=" "${FILE}" | sed -e 's/.*_authToken=//' -e 's/^"//' -e 's/"$//' | head -n 1)
if [ -n "${EXTRACTED}" ]; then
echo " Found candidate in ${FILE}"
# Inject into the environment for the test loop below
export NPM_TOKEN="${EXTRACTED}"
break
fi
fi
done
fi
for DOMAIN in "${DOMAINS[@]}"; do
# Determine the test path for this domain
if [ "${DOMAIN}" == "npm.infra.mintel.me" ]; then
CURRENT_PATH=""
else
CURRENT_PATH="${REGISTRY_PATH}"
fi
echo "🔍 Testing connectivity to ${DOMAIN}${CURRENT_PATH}..."
for VAR_NAME in "${CANDIDATES[@]}"; do
TOKEN_VAL="${!VAR_NAME}"
[ -z "${TOKEN_VAL}" ] && continue
echo " Testing ${VAR_NAME} (len: ${#TOKEN_VAL})..."
# Method 1: Bearer
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${TOKEN_VAL}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
if [ "$STATUS" == "200" ]; then
echo "${VAR_NAME} verified via Bearer on ${DOMAIN}"
WORKING_TOKEN="${TOKEN_VAL}"
WORKING_DOMAIN="${DOMAIN}"
WORKING_PATH="${CURRENT_PATH}"
break 2
fi
# Method 2: Basic (Token as user, empty password)
AUTH_BASIC=$(echo -n "${TOKEN_VAL}:" | base64)
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic ${AUTH_BASIC}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
if [ "$STATUS" == "200" ]; then
echo "${VAR_NAME} verified via Basic on ${DOMAIN}"
WORKING_TOKEN="${TOKEN_VAL}"
WORKING_DOMAIN="${DOMAIN}"
WORKING_PATH="${CURRENT_PATH}"
break 2
fi
# Method 3: Basic RAW (If already base64 encoded user:pass)
if [[ "${TOKEN_VAL}" =~ ^[A-Za-z0-9+/=]+$ ]] && [ ${#TOKEN_VAL} -gt 20 ]; then
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic ${TOKEN_VAL}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
if [ "$STATUS" == "200" ]; then
echo "${VAR_NAME} verified via Basic RAW on ${DOMAIN}"
WORKING_TOKEN="${TOKEN_VAL}"
WORKING_DOMAIN="${DOMAIN}"
WORKING_PATH="${CURRENT_PATH}"
break 2
fi
fi
# Method 4: Basic (User 'token', Token as password - Gitea standard)
AUTH_GITEA=$(echo -n "token:${TOKEN_VAL}" | base64)
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Basic ${AUTH_GITEA}" "https://${DOMAIN}${CURRENT_PATH}/${TEST_PACKAGE_ENCODED}" || echo "000")
if [ "$STATUS" == "200" ]; then
echo "${VAR_NAME} verified via Gitea-Token-Basic on ${DOMAIN}"
WORKING_TOKEN="${TOKEN_VAL}"
WORKING_DOMAIN="${DOMAIN}"
WORKING_PATH="${CURRENT_PATH}"
break 2
fi
done
done
if [ -z "${WORKING_TOKEN}" ]; then
echo "⚠️ ALL functional tests failed for all domains."
if [ -n "${NPM_TOKEN}" ]; then
echo "Falling back to NPM_TOKEN (unverified) and git.infra.mintel.me"
WORKING_TOKEN="${NPM_TOKEN}"
WORKING_DOMAIN="git.infra.mintel.me"
WORKING_PATH="${REGISTRY_PATH}"
else
echo "❌ CRITICAL: No usable token found and NPM_TOKEN is empty."
exit 1
fi
fi
# --- .npmrc GENERATION ---
# We generate a .npmrc that matches the local pattern exactly to avoid resolution drift.
cat > .npmrc << EOF
@mintel:registry=https://${WORKING_DOMAIN}${WORKING_PATH}
//${WORKING_DOMAIN}${WORKING_PATH}/:_authToken=${WORKING_TOKEN}
//${WORKING_DOMAIN}${WORKING_PATH}/:always-auth=true
EOF
# Add secondary domain if we found one working
for DOMAIN in "${DOMAINS[@]}"; do
if [ "${DOMAIN}" != "${WORKING_DOMAIN}" ]; then
# Use REGISTRY_PATH for git/registry, empty for npm
if [ "${DOMAIN}" == "npm.infra.mintel.me" ]; then
DPATH=""
else
DPATH="${REGISTRY_PATH}"
fi
cat >> .npmrc << EOF
//${DOMAIN}${DPATH}/:_authToken=${WORKING_TOKEN}
//${DOMAIN}${DPATH}/:always-auth=true
EOF
fi
done
echo "✅ .npmrc hardened with verified token on ${WORKING_DOMAIN}."
echo "--- Generated .npmrc (masked) ---"
sed 's/_authToken=.*/_authToken=********/' .npmrc
echo "--------------------------------"
# --- OUTPUT FOR CI ---
if [ -n "$GITHUB_OUTPUT" ]; then
echo "working_token=${WORKING_TOKEN}" >> "$GITHUB_OUTPUT"
echo "working_domain=${WORKING_DOMAIN}" >> "$GITHUB_OUTPUT"
fi