- Systemd service and timer for deployment orchestration - Webhook listener for Git-triggered deployments - Forgejo Actions workflow for CI/CD pipeline - Deployment scripts with rollback capability - Deploy token validation for security
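#!/bin/bash
# Timing-safe token validation wrapper for deployment webhook
# Usage: validate-deploy-token.sh <token> <app> <version> <env>
# Exits 0 if the token is valid and deploy.sh succeeded, 1 otherwise
#
# Globals:   vault_deploy_token - rendered into EXPECTED_TOKEN by the template engine
# Arguments: $1 - deploy token presented by the caller
#            $2 - application name
#            $3 - version to deploy
#            $4 - target environment
# Outputs:   diagnostics on stderr, progress line and deploy.sh output on stdout
#
# NOTE(review): the token arrives in argv and is therefore visible to other
# local users (ps, /proc/<pid>/cmdline) while this script runs. Moving it to
# stdin or an environment variable needs a matching change in the caller.

# -u and pipefail matter for security here: without pipefail a failing
# sha256sum/awk stage would leave BOTH hashes empty and the equality test
# below would pass for any input.
set -euo pipefail

EXPECTED_TOKEN="{{ vault_deploy_token }}"
PROVIDED_TOKEN="${1:-}"
APP="${2:-}"
VERSION="${3:-}"
ENV="${4:-}"

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ -z "$PROVIDED_TOKEN" ] || [ -z "$APP" ] || [ -z "$VERSION" ] || [ -z "$ENV" ]; then
  echo "Usage: $0 <token> <app> <version> <env>" >&2
  exit 1
fi

# An empty rendered secret (unset vault variable) must never become a valid
# comparison target.
[ -n "$EXPECTED_TOKEN" ] || die "Deploy token is not configured"

# Only a conservative character set is forwarded to deploy.sh, so path
# separators, whitespace and shell metacharacters from the webhook payload
# never reach it.  Widen the class deliberately if a legitimate version
# format needs it.
SAFE_RE='^[A-Za-z0-9._-]+$'
for arg in "$APP" "$VERSION" "$ENV"; do
  [[ "$arg" =~ $SAFE_RE ]] || die "Invalid characters in app/version/env argument"
done

# Hash both values before comparing.  The string comparison itself is not
# constant time; what timing can leak is the position of the first differing
# SHA-256 byte, which an attacker cannot steer without already knowing the
# token.  printf rather than 'echo -n' so a token starting with '-' is not
# consumed as an echo option.
EXPECTED_HASH=$(printf '%s' "$EXPECTED_TOKEN" | sha256sum | awk '{print $1}')
PROVIDED_HASH=$(printf '%s' "$PROVIDED_TOKEN" | sha256sum | awk '{print $1}')

# sha256sum always yields 64 hex characters; anything else is a tool failure
# that must fail closed rather than compare two malformed strings.
if [ "${#EXPECTED_HASH}" -ne 64 ] || [ "${#PROVIDED_HASH}" -ne 64 ]; then
  die "Token hashing failed"
fi

if [ "$EXPECTED_HASH" != "$PROVIDED_HASH" ]; then
  echo "Invalid token" >&2
  exit 1
fi

# Token is valid - execute deploy (APP/VERSION/ENV were allowlisted above)
printf 'Token valid - deploying %s @ %s to %s\n' "$APP" "$VERSION" "$ENV"
sudo /opt/deploy/scripts/deploy.sh "$APP" "$VERSION" "$ENV"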