From e0bcf72a09ca8531a1613643eb955ebc32c5ae0c Mon Sep 17 00:00:00 2001
From: TronoSfera <119615520+TronoSfera@users.noreply.github.com>
Date: Mon, 2 Mar 2026 16:30:14 +0300
Subject: [PATCH] add security test 01

---
 scripts/ops/check_chat_health.sh   |  2 +-
 scripts/ops/prod_security_audit.sh | 75 +++++++++++++++++++++---------
 scripts/ops/security_smoke.sh      |  4 +-
 3 files changed, 57 insertions(+), 24 deletions(-)

diff --git a/scripts/ops/check_chat_health.sh b/scripts/ops/check_chat_health.sh
index 39e7d48..33a57ff 100755
--- a/scripts/ops/check_chat_health.sh
+++ b/scripts/ops/check_chat_health.sh
@@ -8,7 +8,7 @@ EMAIL_HEALTH_URL="${BASE_URL%/}/email-health"
 
 check_http_200() {
   url="$1"
-  code="$(curl -sS -o /dev/null -w "%{http_code}" "$url" || true)"
+  code="$(curl -L -sS -o /dev/null -w "%{http_code}" "$url" || true)"
   [ "$code" = "200" ]
 }
 
diff --git a/scripts/ops/prod_security_audit.sh b/scripts/ops/prod_security_audit.sh
index 241d050..12ea0c8 100755
--- a/scripts/ops/prod_security_audit.sh
+++ b/scripts/ops/prod_security_audit.sh
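Review bot: The added `-L` makes `check_http_200` report the status of wherever the redirect chain ends, so an `http://` URL that bounces to `https://` (or to another host entirely) still passes with 200 while the endpoint actually handed to the script is the one that is broken; `%{http_code}` is the last hop's code and nothing records the hops in between. If following redirects is intended, bound the chain and pin the schemes so the probe cannot wander off-host or off-TLS: `code="$(curl -L --max-redirs 5 --proto-redir =http,https -sS -o /dev/null -w "%{http_code}" "$url" || true)"`. Consider also emitting `%{url_effective}` on failure so a log reader can tell which hop answered.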
@@ -93,9 +93,60 @@ PY
 
 run_local_smoke() {
   log "Running local smoke checks via localhost"
-  ./scripts/ops/check_chat_health.sh http://localhost >/dev/null
-  ./scripts/ops/security_smoke.sh http://localhost >/dev/null
-  log "Local smoke checks passed"
+  local max_attempts="${LOCAL_SMOKE_MAX_ATTEMPTS:-24}"
+  local sleep_seconds="${LOCAL_SMOKE_SLEEP_SECONDS:-5}"
+  local attempt=1
+
+  while (( attempt <= max_attempts )); do
+    if ./scripts/ops/check_chat_health.sh http://localhost >/dev/null 2>&1 && \
+       ./scripts/ops/security_smoke.sh http://localhost >/dev/null 2>&1; then
+      log "Local smoke checks passed (attempt ${attempt}/${max_attempts})"
+      return 0
+    fi
+
+    warn "Local smoke not ready yet (attempt ${attempt}/${max_attempts}), retrying in ${sleep_seconds}s"
+    sleep "$sleep_seconds"
+    attempt=$((attempt + 1))
+  done
+
+  fail "Local smoke checks failed after ${max_attempts} attempts"
+}
+
+run_domain_quick_health_wait() {
+  local url="$1"
+  local max_attempts="${DOMAIN_HEALTH_MAX_ATTEMPTS:-24}"
+  local sleep_seconds="${DOMAIN_HEALTH_SLEEP_SECONDS:-5}"
+  local attempt=1
+
+  while (( attempt <= max_attempts )); do
+    if https_health_ok "$url"; then
+      return 0
+    fi
+    warn "HTTPS health not ready for ${url} (attempt ${attempt}/${max_attempts}), retrying in ${sleep_seconds}s"
+    sleep "$sleep_seconds"
+    attempt=$((attempt + 1))
+  done
+
+  return 1
+}
+
+run_domain_smoke() {
+  local domain="$1"
+  [[ -z "$domain" ]] && return 0
+  local url="https://${domain}"
+
+  if ! run_domain_quick_health_wait "$url"; then
+    if [[ "$AUTO_CERT_INIT" == "1" ]]; then
+      cert_bootstrap
+      run_domain_quick_health_wait "$url" || fail "HTTPS health still failing after cert bootstrap: ${url}/health"
+    else
+      fail "HTTPS health check failed: ${url}/health (set AUTO_CERT_INIT=1 to auto-bootstrap certs)"
+    fi
+  fi
+
+  log "Running security smoke for $url"
+  ./scripts/ops/security_smoke.sh "$url" >/dev/null
+  log "Domain security smoke passed: $url"
 }
 
 https_health_ok() {
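Review bot: The retry loop in `run_local_smoke` treats a failing `security_smoke.sh` exactly like a service that is not listening yet: a genuine regression (a missing security header, say) is retried `max_attempts` times — two minutes at the defaults — and then surfaces only as "failed after 24 attempts", because `>/dev/null 2>&1` on both scripts discards the stderr that would have said what failed; the original code failed immediately and loudly. Only the health probe is a readiness signal, so retry that alone and run the security smoke once afterwards with its diagnostics intact, assuming `fail` terminates the script as its use at the end of the new loop suggests. The same `>/dev/null` without an explicit `|| fail` on the `security_smoke.sh` call in the new `run_domain_smoke` relies on `set -e` being active, which this hunk does not show.
```shell
run_local_smoke() {
  log "Running local smoke checks via localhost"
  local max_attempts="${LOCAL_SMOKE_MAX_ATTEMPTS:-24}"
  local sleep_seconds="${LOCAL_SMOKE_SLEEP_SECONDS:-5}"
  local attempt=1

  # Readiness: only the health probe is retried; a closed port right after deploy is expected.
  while ! ./scripts/ops/check_chat_health.sh http://localhost >/dev/null 2>&1; do
    (( attempt < max_attempts )) || fail "Local health check failed after ${max_attempts} attempts"
    warn "Local health not ready yet (attempt ${attempt}/${max_attempts}), retrying in ${sleep_seconds}s"
    sleep "$sleep_seconds"
    attempt=$((attempt + 1))
  done

  # The security smoke is a pass/fail gate, not a readiness signal: run once, keep its stderr.
  ./scripts/ops/security_smoke.sh http://localhost >/dev/null \
    || fail "Local security smoke failed (see diagnostics above)"
  log "Local smoke checks passed (attempt ${attempt}/${max_attempts})"
}
# … unchanged: run_domain_quick_health_wait, run_domain_smoke …
```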
@@ -114,24 +165,6 @@ cert_bootstrap() {
   "${PROD_COMPOSE[@]}" up -d --build edge
 }
 
-run_domain_smoke() {
-  local domain="$1"
-  [[ -z "$domain" ]] && return 0
-  local url="https://${domain}"
-
-  if ! https_health_ok "$url"; then
-    if [[ "$AUTO_CERT_INIT" == "1" ]]; then
-      cert_bootstrap
-      https_health_ok "$url" || fail "HTTPS health still failing after cert bootstrap: ${url}/health"
-    else
-      fail "HTTPS health check failed: ${url}/health (set AUTO_CERT_INIT=1 to auto-bootstrap certs)"
-    fi
-  fi
-
-  log "Running security smoke for $url"
-  ./scripts/ops/security_smoke.sh "$url" >/dev/null
-}
-
 run_incident_report() {
   log "Generating incident checklist snapshot"
   ./scripts/ops/incident_checklist.sh \
diff --git a/scripts/ops/security_smoke.sh b/scripts/ops/security_smoke.sh
index 1500a12..8537187 100755
--- a/scripts/ops/security_smoke.sh
+++ b/scripts/ops/security_smoke.sh
@@ -42,14 +42,14 @@ is_truthy() {
 http_status_ok() {
   local url="$1"
   local code
-  code="$(curl -k -sS -o /dev/null -w "%{http_code}" "$url" || true)"
+  code="$(curl -k -L -sS -o /dev/null -w "%{http_code}" "$url" || true)"
   [[ "$code" == "200" ]]
 }
 
 check_required_headers() {
   local url="$1"
   local head
-  head="$(curl -k -sS -I "$url" || true)"
+  head="$(curl -k -L -sS -I "$url" || true)"
   local normalized
   normalized="$(echo "$head" | tr -d '\r' | tr '[:upper:]' '[:lower:]')"
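Review bot: Adding `-L` to the `-I` request in `check_required_headers` changes what is being audited: curl prints the header block of every response it follows, so `head` and `normalized` now hold all hops concatenated, and a grep over them (the rest of the function is outside this hunk) passes when a required header is present on any one hop — `strict-transport-security` on the 301 but absent from the final page, for instance. Because the pre-existing `-k` is kept, a redirect to a different host is also followed and audited without that host ever being authenticated. Either audit the URL exactly as given (no `-L` here, and treat a non-200 as a finding) or bound the chain and keep it on TLS: `head="$(curl -k -L --max-redirs 5 --proto-redir =https -sS -I "$url" || true)"`; the same `--max-redirs`/`--proto-redir` pair belongs on the `http_status_ok` call above.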