Merge pull request #72 from bcgov-nr/feat/addCheckToken

feat: add broker JWT expiration check
bcgov-nr · Nov 14, 2024 · 96f8d71 · 96f8d71
2 parents 4201f04 + 4f1d08f
commit 96f8d71
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 1 deletion.
diff --git a/generators/gh-maven-build/index.js b/generators/gh-maven-build/index.js
@@ -280,6 +280,10 @@ export default class extends Generator {
       this.templatePath('build-intention.sh'),
       this.destinationPath('.github/workflows/build-intention.sh'),
     );
+    this.fs.copyTpl(
+      this.templatePath('check-token.yaml'),
+      this.destinationPath('.github/workflows/check-token.yaml'),
+    );
     if (this.answers.deployOnPrem) {
       this.fs.copyTpl(
         this.templatePath('deploy.yaml'),

diff --git a/generators/gh-maven-build/templates/build-release.yaml b/generators/gh-maven-build/templates/build-release.yaml
@@ -20,6 +20,10 @@ env:
   SERVICE_NAME: <%= serviceName %>
 
 jobs:
+  check_token_expiration:
+    uses: ./.github/workflows/check-token.yaml
+    secrets:
+      token: ${{ secrets.<%= brokerJwt %> }}
 <% if (unitTestsPath) { -%>
   test:
     name: Test
@@ -30,7 +34,9 @@ jobs:
     name: Build and release
     runs-on: ubuntu-latest
 <% if (unitTestsPath) { -%>
-    needs: test
+    needs: [check_token_expiration, test]
+<% } else { -%>
+    needs: check_token_expiration
 <% } -%>
     permissions:
       contents: read

diff --git a/generators/gh-maven-build/templates/check-token.yaml b/generators/gh-maven-build/templates/check-token.yaml
@@ -0,0 +1,37 @@
+name: Check token expiration
+
+on:
+  workflow_call:
+    inputs:
+      url:
+        description: "The Broker URL"
+        default: https://broker.io.nrs.gov.bc.ca
+        type: string
+    secrets:
+      token:
+        description: "The Broker token"
+        required: true
+
+jobs:
+  check-jwt:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check token expiration
+        shell: bash
+        run: |
+          RESPONSE_CODE=$(curl -o /dev/null -s -w "%{http_code}" -X 'GET' \
+            ${{ inputs.url }}/v1/health/token-check \
+            -H 'accept: */*' \
+            -H 'Authorization: Bearer '"${{ secrets.token }}"'' \
+            )
+
+          if [ "$RESPONSE_CODE" -eq 401 ]; then
+            echo "Unauthorized (401)"
+            exit 1
+          elif [ "$RESPONSE_CODE" -eq 403 ]; then
+            echo "Invalid JWT: Block list has match"
+            exit 1
+          else
+            echo "Response code: $RESPONSE_CODE"
+          fi
diff --git a/generators/gh-maven-build/templates/deploy.yaml b/generators/gh-maven-build/templates/deploy.yaml
@@ -24,10 +24,15 @@ env:
 <% } -%>
 
 jobs:
+  check_token_expiration:
+    uses: ./.github/workflows/check-token.yaml
+    secrets:
+      token: ${{ secrets.<%= brokerJwt %> }}
   deploy-build:
     name: Deploy development version
     if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
     runs-on: ubuntu-latest
+    needs: check_token_expiration
     outputs:
       project_version: ${{ steps.set-build-output.outputs.project_version }}
       build_guid: ${{ steps.set-build-output.outputs.build_guid }}
@@ -111,6 +116,7 @@ jobs:
     name: Deploy release version
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
     runs-on: ubuntu-latest
+    needs: check_token_expiration
     outputs:
       project_version: ${{ steps.set-tag-output.outputs.project_version }}
       build_guid: ${{ steps.set-tag-output.outputs.build_guid }}