Files
explorer-monorepo/EXECUTE_DEPLOYMENT.sh

145 lines
4.6 KiB
Bash
Raw Normal View History

#!/bin/bash
# Complete deployment execution script
# Run this to complete all deployment steps
set -e
echo "=========================================="
echo " SolaceScan Deployment"
echo "=========================================="
echo ""
fix(security): fail-fast on missing JWT_SECRET, harden CSP, strip hardcoded passwords backend/api/rest/server.go: - NewServer() now delegates to loadJWTSecret(), which: - Rejects JWT_SECRET < 32 bytes (log.Fatal). - Requires JWT_SECRET when APP_ENV=production or GO_ENV=production. - Generates a 32-byte crypto/rand ephemeral secret in dev only. - Treats rand.Read failure as fatal (removes the prior time-based fallback that was deterministic and forgeable). - Default Content-Security-Policy rewritten: - Drops 'unsafe-inline' and 'unsafe-eval'. - Drops private CIDRs (192.168.11.221:854[5|6]). - Adds frame-ancestors 'none', base-uri 'self', form-action 'self'. - CSP_HEADER is required in production; fatal if unset there. backend/api/rest/server_security_test.go (new): - Covers the three loadJWTSecret() paths (valid, whitespace-trimmed, ephemeral in dev). - Covers isProductionEnv() across APP_ENV / GO_ENV combinations. - Asserts defaultDevCSP contains no unsafe directives or private CIDRs and includes the frame-ancestors / base-uri / form-action directives. scripts/*.sh: - Removed '***REDACTED-LEGACY-PW***' default value from SSH_PASSWORD / NEW_PASSWORD in 7 helper scripts. Each script now fails with exit 2 and points to docs/SECURITY.md if the password isn't supplied via env or argv. EXECUTE_DEPLOYMENT.sh, EXECUTE_NOW.sh: - Replaced hardcoded DB_PASSWORD='***REDACTED-LEGACY-PW***' with a ':?' guard that aborts with a clear error if DB_PASSWORD (and, for EXECUTE_DEPLOYMENT, RPC_URL) is not exported. Other env vars keep sensible non-secret defaults via ${VAR:-default}. README.md: - Removed the hardcoded Database Password / RPC URL lines. Replaced with an env-variable reference table pointing at docs/SECURITY.md and docs/DATABASE_CONNECTION_GUIDE.md. docs/DEPLOYMENT.md: - Replaced 'PASSWORD: SSH password (default: ***REDACTED-LEGACY-PW***)' with a required-no-default contract and a link to docs/SECURITY.md. docs/SECURITY.md (new): - Full secret inventory keyed to the env variable name and the file that consumes it. - Five-step rotation checklist covering the Postgres role, the Proxmox VM SSH password, JWT_SECRET, vendor API keys, and a gitleaks-based history audit. - Explicit note that merging secret-scrub PRs does NOT invalidate already-leaked credentials; rotation is the operator's responsibility. Verification: - go build ./... + go vet ./... pass clean. - Targeted tests (LoadJWTSecret*, IsProduction*, DefaultDevCSP*) pass. Advances completion criterion 2 (Secrets & config hardened). Residual leakage from START_HERE.md / LETSENCRYPT_CONFIGURATION_GUIDE.md is handled by PR #2 (doc consolidation), which deletes those files.
2026-04-18 19:02:27 +00:00
# Configuration. All secrets MUST be provided via environment variables; no
# credentials are committed to this repo. See docs/SECURITY.md for the
# rotation checklist.
: "${DB_PASSWORD:?DB_PASSWORD is required (export it or source your secrets file)}"
DB_HOST="${DB_HOST:-localhost}"
DB_USER="${DB_USER:-explorer}"
DB_NAME="${DB_NAME:-explorer}"
RPC_URL="${RPC_URL:?RPC_URL is required}"
CHAIN_ID="${CHAIN_ID:-138}"
PORT="${PORT:-8080}"
# Step 1: Test database connection
echo "[1/6] Testing database connection..."
export PGPASSWORD="$DB_PASSWORD"
if psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -c "SELECT 1;" > /dev/null 2>&1; then
echo " ✅ Database connected"
else
echo " ❌ Database connection failed"
echo ""
echo " Troubleshooting:"
echo " 1. Check PostgreSQL is running: systemctl status postgresql"
echo " 2. Setup database: sudo bash scripts/setup-database.sh"
echo " 3. Or manually create user/database (see DATABASE_SETUP_NEEDED.md)"
echo ""
echo " Quick fix: sudo bash scripts/setup-database.sh"
exit 1
fi
# Step 2: Check existing tables
echo "[2/6] Checking for existing tables..."
TABLE_COUNT=$(psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = 'public' AND table_name IN ('wallet_nonces', 'operator_roles', 'addresses', 'token_transfers');" -t 2>/dev/null | tr -d ' ')
echo " Found $TABLE_COUNT/4 track schema tables"
# Step 3: Run migration if needed
if [ "$TABLE_COUNT" -lt "4" ]; then
echo "[3/6] Running database migration..."
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
MIGRATION_FILE="$SCRIPT_DIR/backend/database/migrations/0010_track_schema.up.sql"
if psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -f "$MIGRATION_FILE" > /dev/null 2>&1; then
echo " ✅ Migration completed"
else
echo " ⚠️ Migration may have partially completed (some tables may already exist)"
fi
else
echo "[3/6] Migration already complete (tables exist)"
fi
# Step 4: Stop existing server
echo "[4/6] Stopping existing server..."
pkill -f api-server 2>/dev/null || true
sleep 2
echo " ✅ Server stopped"
# Step 5: Start server
echo "[5/6] Starting API server..."
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR/backend"
export DB_PASSWORD
export JWT_SECRET="deployment-secret-$(date +%s)"
export RPC_URL
export CHAIN_ID
export PORT
export DB_HOST
export DB_USER
export DB_NAME
mkdir -p logs
nohup ./bin/api-server > logs/api-server.log 2>&1 &
SERVER_PID=$!
echo $SERVER_PID > logs/api-server.pid
# Wait for server to start
echo " Waiting for server to start..."
for i in {1..10}; do
if curl -s http://localhost:8080/health > /dev/null 2>&1; then
echo " ✅ Server started (PID: $SERVER_PID)"
break
fi
if [ $i -eq 10 ]; then
echo " ❌ Server failed to start"
echo " Check logs: tail -20 logs/api-server.log"
exit 1
fi
sleep 1
done
# Step 6: Test endpoints
echo "[6/6] Testing endpoints..."
echo -n " Health endpoint... "
if curl -s http://localhost:8080/health | grep -q "healthy\|degraded"; then
echo "✅"
else
echo "⚠️"
fi
echo -n " Feature flags... "
if curl -s http://localhost:8080/api/v1/features | grep -q "track"; then
echo "✅"
else
echo "⚠️"
fi
echo -n " Track 1 blocks... "
HTTP_CODE=$(curl -s -w "%{http_code}" -o /dev/null "http://localhost:8080/api/v1/track1/blocks/latest?limit=1")
if [ "$HTTP_CODE" = "200" ]; then
echo "✅"
else
echo "⚠️ (HTTP $HTTP_CODE)"
fi
echo ""
echo "=========================================="
echo " ✅ Deployment Complete!"
echo "=========================================="
echo ""
echo "Server Information:"
echo " PID: $SERVER_PID"
echo " Port: $PORT"
echo " Logs: $SCRIPT_DIR/backend/logs/api-server.log"
echo ""
echo "Test Commands:"
echo " curl http://localhost:8080/health"
echo " curl http://localhost:8080/api/v1/features"
echo " curl http://localhost:8080/api/v1/track1/blocks/latest?limit=5"
echo ""
echo "Next Steps:"
echo " 1. Test authentication: curl -X POST http://localhost:8080/api/v1/auth/nonce -H 'Content-Type: application/json' -d '{\"address\":\"0xYourAddress\"}'"
echo " 2. Approve users: bash scripts/approve-user.sh <address> <track_level>"
echo " 3. Monitor: tail -f backend/logs/api-server.log"
echo ""
unset PGPASSWORD