From 024024b1983cf9eac44f82c3f78fba3537779850 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Mon, 4 May 2020 21:44:34 +0300
Subject: [PATCH] ref(relay): More robust Relay credentials setting (#470)

This patch does two things: 1. Separate creating of Relay credentials from syncing them to Sentry config 2. Has a more flexible Relay credentials check and sync: look for the quoted public key in the config file, if it is there, assume this must be correctly set as it is very unlikely to have that random key in a different context with quotes around. The second one is to allow having other whitelisted relay keys by using an append method when adding the new key.
---
install.sh | 49 ++++++++++++++++++++-----------------------------
1 file changed, 20 insertions(+), 29 deletions(-)

diff --git a/install.sh b/install.sh
index e944da3..eee2209 100755
--- a/install.sh
+++ b/install.sh
@@ -175,38 +175,29 @@ fi if [ ! -f "$RELAY_CREDENTIALS_JSON" ]; then - echo "" - echo "Generating Relay credentials..." + echo "" + echo "Generating Relay credentials..." - # We need the ugly hack below as `relay generate credentials` tries to read the config and the credentials - # even with the `--stdout` and `--overwrite` flags and then errors out when the credentials file exists but - # not valid JSON. We hit this case as we redirect output to the same config folder, creating an empty - # credentials file before relay runs. - $dcr --no-deps -v $(pwd)/$RELAY_CONFIG_YML:/tmp/config.yml relay --config /tmp credentials generate --stdout > "$RELAY_CREDENTIALS_JSON" - CREDENTIALS=$(sed -n 's/^.*"public_key"[[:space:]]*:[[:space:]]*"\([a-zA-Z0-9_-]\{1,\}\)".*$/\1/p' "$RELAY_CREDENTIALS_JSON") - if [ -z "$CREDENTIALS" ]; then - >&2 echo "FAIL: Cannot read credentials back from $RELAY_CREDENTIALS_JSON." - >&2 echo " Please ensure this file is readable and contains valid credentials." - >&2 echo "" - exit 1 - else - echo "Relay credentials written to $RELAY_CREDENTIALS_JSON" - fi + # We need the ugly hack below as `relay generate credentials` tries to read the config and the credentials + # even with the `--stdout` and `--overwrite` flags and then errors out when the credentials file exists but + # not valid JSON. We hit this case as we redirect output to the same config folder, creating an empty + # credentials file before relay runs. + $dcr --no-deps -v $(pwd)/$RELAY_CONFIG_YML:/tmp/config.yml relay --config /tmp credentials generate --stdout > "$RELAY_CREDENTIALS_JSON" + echo "Relay credentials written to $RELAY_CREDENTIALS_JSON" +fi - CREDENTIALS="SENTRY_RELAY_WHITELIST_PK = [\"$CREDENTIALS\"]" +RELAY_CREDENTIALS=$(sed -n 's/^.*"public_key"[[:space:]]*:[[:space:]]*"\([a-zA-Z0-9_-]\{1,\}\)".*$/\1/p' "$RELAY_CREDENTIALS_JSON") +if [ -z "$RELAY_CREDENTIALS" ]; then + >&2 echo "FAIL: Cannot read credentials back from $RELAY_CREDENTIALS_JSON." 
+ >&2 echo " Please ensure this file is readable and contains valid credentials." + >&2 echo "" + exit 1 +fi - if grep -xq SENTRY_RELAY_WHITELIST_PK "$SENTRY_CONFIG_PY"; then - >&2 echo "FAIL: SENTRY_RELAY_WHITELIST_PK already exists in $SENTRY_CONFIG_PY, please replace with:" - >&2 echo "" - >&2 echo " $CREDENTIALS" - >&2 echo "" - exit 1 - fi - - echo "" >> "$SENTRY_CONFIG_PY" - echo "$CREDENTIALS" >> "$SENTRY_CONFIG_PY" - echo "Relay public key written to $SENTRY_CONFIG_PY" - echo "" +if ! grep -q "\"$RELAY_CREDENTIALS\"" "$SENTRY_CONFIG_PY"; then + echo "SENTRY_RELAY_WHITELIST_PK = (SENTRY_RELAY_WHITELIST_PK or []) + ([\"$RELAY_CREDENTIALS\"])" >> "$SENTRY_CONFIG_PY" + echo "Relay public key written to $SENTRY_CONFIG_PY" + echo "" fi cleanup
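Review bot: The `> "$RELAY_CREDENTIALS_JSON"` redirect on the generate line creates the file before relay runs, so a failed `credentials generate` leaves an empty file behind and the `[ ! -f "$RELAY_CREDENTIALS_JSON" ]` guard then skips generation on every later run. The read-back check that now sits outside that block does stop the installer with the FAIL message, but it cannot recover until the file is removed by hand, and the "Relay credentials written" line is echoed before anything has verified the output. Consider generating into a temporary file and moving it into place only on success, for example ending the generate line with `> "$RELAY_CREDENTIALS_JSON.tmp" && mv "$RELAY_CREDENTIALS_JSON.tmp" "$RELAY_CREDENTIALS_JSON"`, and printing the success line after the `-z "$RELAY_CREDENTIALS"` check. Whether the script runs under `set -e` is not visible in this hunk, so the behaviour right after a failed generate should be confirmed against the top of install.sh. The file presumably also holds the relay's secret key, so it is worth checking that the redirect does not leave it readable by other local users.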