d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
proxmox/scripts/archive/test/test-cloudflare-permissions.sh
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

333 lines
13 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# Test all Cloudflare API token permissions
# Comprehensive permission testing for API token
set -uo pipefail
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'
log_info() { echo -e "${BLUE}[TEST]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }
log_result() {
if [ "$1" = "0" ]; then
log_success "$2"
else
log_error "$2"
fi
}
# Script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# Source .env file if it exists
if [ -f "$PROJECT_ROOT/.env" ]; then
set +euo pipefail
source "$PROJECT_ROOT/.env" 2>/dev/null || true
set -euo pipefail
fi
# Cloudflare API Token
CLOUDFLARE_API_TOKEN="${CLOUDFLARE_API_TOKEN:-JSEO_sruWB6lf1id77gtI7HOLVdhkhaR2goPEJIk}"
# Zone IDs from .env
ZONE_SANKOFA_NEXUS="${CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS:-13e2c26acc5eda15eafa7c8735b00239}"
ZONE_D_BIS_ORG="${CLOUDFLARE_ZONE_ID_D_BIS_ORG:-43599eed5d83f1fa641f2aaa276d3c4d}"
ZONE_MIM4U_ORG="${CLOUDFLARE_ZONE_ID_MIM4U_ORG:-5dc79e6edf9b9cf353e3cca94f26f454}"
ZONE_DEFI_ORACLE_IO="${CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO:-62c1531bfb1b29d383277f8d16aab13b}"
# Function to make API request
cf_api_request() {
local method="$1"
local url="$2"
local data="${3:-}"
if [ -n "$data" ]; then
curl -s -X "$method" "$url" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data "$data"
else
curl -s -X "$method" "$url" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json"
fi
}
# Test counters (initialize to prevent errors)
TOTAL_TESTS=${TOTAL_TESTS:-0}
PASSED_TESTS=${PASSED_TESTS:-0}
FAILED_TESTS=${FAILED_TESTS:-0}
# Test function
test_permission() {
local test_name="$1"
local api_call="$2"
local expected_success="${3:-true}"
TOTAL_TESTS=$((TOTAL_TESTS + 1))
log_info "$test_name"
set +e
local response=$(eval "$api_call" 2>&1)
local api_exit_code=$?
set -e
# Handle case where response is empty or invalid JSON
if [ -z "$response" ]; then
log_error "$test_name (empty response)"
FAILED_TESTS=$((FAILED_TESTS + 1))
return 0 # Return 0 to continue script
fi
if [ $api_exit_code -ne 0 ]; then
log_error "$test_name (API call failed)"
log_error " Response: ${response:0:200}"
((FAILED_TESTS++))
return 1
fi
local success=$(echo "$response" | jq -r '.success // false' 2>/dev/null || echo "false")
local error_code=$(echo "$response" | jq -r '.errors[0].code // empty' 2>/dev/null || echo "")
local error_msg=$(echo "$response" | jq -r '.errors[0].message // empty' 2>/dev/null || echo "")
if [ "$success" = "true" ] && [ "$expected_success" = "true" ]; then
log_success "$test_name"
PASSED_TESTS=$((PASSED_TESTS + 1))
return 0
elif [ "$success" = "false" ] && [ "$expected_success" = "false" ]; then
log_success "$test_name (expected failure)"
PASSED_TESTS=$((PASSED_TESTS + 1))
return 0
else
log_error "$test_name"
if [ -n "$error_code" ] && [ "$error_code" != "null" ]; then
log_error " Error Code: $error_code"
fi
if [ -n "$error_msg" ] && [ "$error_msg" != "null" ]; then
log_error " Error: $error_msg"
fi
FAILED_TESTS=$((FAILED_TESTS + 1))
return 0 # Return 0 to continue script execution
fi
}
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🔐 Cloudflare API Token Permission Test"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
log_info "API Token: ${CLOUDFLARE_API_TOKEN:0:20}..."
echo ""
# Test 1: User Info
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "1. User & Account Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
set +e
test_permission "Get User Info" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/user'"
test_permission "List Accounts" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/accounts'"
test_permission "List Zones (All)" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones'"
set -e
echo ""
# Test 2: Zone Read Permissions
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "2. Zone Read Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
set +e
test_permission "Read sankofa.nexus Zone" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_SANKOFA_NEXUS'"
test_permission "Read d-bis.org Zone" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG'"
test_permission "Read mim4u.org Zone" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_MIM4U_ORG'"
test_permission "Read defi-oracle.io Zone" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_DEFI_ORACLE_IO'"
set -e
echo ""
# Test 3: DNS Record Read Permissions
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "3. DNS Record Read Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
set +e
test_permission "List DNS Records (d-bis.org)" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records'"
test_permission "Get Specific DNS Record (explorer.d-bis.org)" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records?name=explorer.d-bis.org'"
test_permission "List DNS Records (sankofa.nexus)" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_SANKOFA_NEXUS/dns_records'"
set -e
echo ""
# Test 4: DNS Record Write Permissions
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "4. DNS Record Write Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
# Test creating a DNS record
TEST_RECORD_DATA=$(jq -n \
--arg name "test-permission-check.d-bis.org" \
--arg content "76.53.10.36" \
'{
type: "A",
name: $name,
content: $content,
proxied: false,
ttl: 1
}')
set +e
test_permission "Create DNS A Record (test)" \
"cf_api_request 'POST' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records' '$TEST_RECORD_DATA'"
set -e
# Check if test record was created and try to delete it
TEST_RECORD_RESPONSE=$(cf_api_request "GET" "https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records?name=test-permission-check.d-bis.org")
TEST_RECORD_ID=$(echo "$TEST_RECORD_RESPONSE" | jq -r '.result[0].id // empty' 2>/dev/null || echo "")
if [ -n "$TEST_RECORD_ID" ] && [ "$TEST_RECORD_ID" != "null" ]; then
set +e
test_permission "Delete DNS Record (cleanup)" \
"cf_api_request 'DELETE' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records/$TEST_RECORD_ID'"
set -e
fi
# Test updating an existing record (if we can read them)
EXISTING_RECORD=$(cf_api_request "GET" "https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records?per_page=1")
EXISTING_RECORD_ID=$(echo "$EXISTING_RECORD" | jq -r '.result[0].id // empty' 2>/dev/null || echo "")
if [ -n "$EXISTING_RECORD_ID" ] && [ "$EXISTING_RECORD_ID" != "null" ]; then
EXISTING_RECORD_NAME=$(echo "$EXISTING_RECORD" | jq -r '.result[0].name // empty' 2>/dev/null || echo "")
EXISTING_RECORD_CONTENT=$(echo "$EXISTING_RECORD" | jq -r '.result[0].content // empty' 2>/dev/null || echo "")
UPDATE_RECORD_DATA=$(jq -n \
--arg name "$EXISTING_RECORD_NAME" \
--arg content "$EXISTING_RECORD_CONTENT" \
'{
type: "A",
name: $name,
content: $content,
proxied: false,
ttl: 1
}')
set +e
test_permission "Update DNS Record (existing)" \
"cf_api_request 'PUT' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records/$EXISTING_RECORD_ID' '$UPDATE_RECORD_DATA'"
set -e
fi
echo ""
# Test 5: Zone Settings Permissions
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "5. Zone Settings Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
set +e
test_permission "Read Zone Settings" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/settings'"
test_permission "Read Zone Analytics" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/analytics/dashboard'"
set -e
echo ""
# Test 6: SSL/TLS Permissions
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "6. SSL/TLS Certificate Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
set +e
test_permission "List SSL Certificates" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/ssl/certificate_packs'"
set -e
echo ""
# Test 7: Firewall Rules Permissions
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "7. Firewall Rules Permissions"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
set +e
test_permission "List Firewall Rules" \
"cf_api_request 'GET' 'https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/firewall/rules'"
set -e
echo ""
# Summary
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📊 Test Summary"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
log_info "Total Tests: $TOTAL_TESTS"
log_success "Passed: $PASSED_TESTS"
if [ $FAILED_TESTS -gt 0 ]; then
log_error "Failed: $FAILED_TESTS"
else
log_success "Failed: $FAILED_TESTS"
fi
echo ""
# Permission Analysis
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🔍 Permission Analysis"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Test DNS write permission specifically
DNS_WRITE_TEST=$(cf_api_request "POST" "https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records" "$TEST_RECORD_DATA")
DNS_WRITE_SUCCESS=$(echo "$DNS_WRITE_TEST" | jq -r '.success // false' 2>/dev/null || echo "false")
DNS_WRITE_ERROR=$(echo "$DNS_WRITE_TEST" | jq -r '.errors[0].message // empty' 2>/dev/null || echo "")
if [ "$DNS_WRITE_SUCCESS" = "true" ]; then
log_success "✅ DNS Write Permission: GRANTED"
# Clean up test record
TEST_RECORD_ID=$(echo "$DNS_WRITE_TEST" | jq -r '.result.id // empty' 2>/dev/null || echo "")
if [ -n "$TEST_RECORD_ID" ] && [ "$TEST_RECORD_ID" != "null" ]; then
cf_api_request "DELETE" "https://api.cloudflare.com/client/v4/zones/$ZONE_D_BIS_ORG/dns_records/$TEST_RECORD_ID" >/dev/null 2>&1
fi
else
log_error "❌ DNS Write Permission: DENIED"
if [ -n "$DNS_WRITE_ERROR" ]; then
log_error " Error: $DNS_WRITE_ERROR"
fi
echo ""
log_warn "💡 To fix DNS write permissions:"
log_info " 1. Go to: https://dash.cloudflare.com/profile/api-tokens"
log_info " 2. Edit your API token"
log_info " 3. Add permission: Zone → DNS → Edit"
log_info " 4. Include zones: sankofa.nexus, d-bis.org, mim4u.org, defi-oracle.io"
fi
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
Reference in New Issue View Git Blame Copy Permalink