feat: Implement provisioning pipelines for subscription management
- Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes. - Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging. - Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR. - Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes. - Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots. - Introduce XiboFeatureManifests for hardcoded feature ACLs per role. - Add docker-compose.dev.yml for local development with PostgreSQL setup.
This commit is contained in:
Matt Batchelder
@@ -0,0 +1,59 @@
|
||||
using OTSSignsOrchestrator.Server.Clients;
|
||||
using OTSSignsOrchestrator.Server.Data.Entities;
|
||||
|
||||
namespace OTSSignsOrchestrator.Server.Health.Checks;
|
||||
|
||||
/// <summary>
|
||||
/// Verifies the OAuth2 app in <see cref="OauthAppRegistry"/> can still authenticate
|
||||
/// by testing a <c>client_credentials</c> flow against the Xibo CMS instance.
|
||||
/// AutoRemediate=false — credential rotation requires a separate job.
|
||||
/// </summary>
|
||||
public sealed class OauthAppHealthCheck : IHealthCheck
|
||||
{
|
||||
private readonly XiboClientFactory _clientFactory;
|
||||
private readonly IServiceProvider _services;
|
||||
private readonly ILogger<OauthAppHealthCheck> _logger;
|
||||
|
||||
public string CheckName => "OauthApp";
|
||||
public bool AutoRemediate => false;
|
||||
|
||||
public OauthAppHealthCheck(
|
||||
XiboClientFactory clientFactory,
|
||||
IServiceProvider services,
|
||||
ILogger<OauthAppHealthCheck> logger)
|
||||
{
|
||||
_clientFactory = clientFactory;
|
||||
_services = services;
|
||||
_logger = logger;
|
||||
}
|
||||
|
||||
public async Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
|
||||
{
|
||||
var oauthApp = instance.OauthAppRegistries.FirstOrDefault();
|
||||
if (oauthApp is null)
|
||||
return new HealthCheckResult(HealthStatus.Critical, "No OAuth app registered");
|
||||
|
||||
var abbrev = instance.Customer.Abbreviation;
|
||||
var settings = _services.GetRequiredService<Core.Services.SettingsService>();
|
||||
var secret = await settings.GetAsync(Core.Services.SettingsService.InstanceOAuthSecretId(abbrev));
|
||||
|
||||
if (string.IsNullOrEmpty(secret))
|
||||
return new HealthCheckResult(HealthStatus.Critical,
|
||||
"OAuth client secret not found in Bitwarden — cannot authenticate");
|
||||
|
||||
try
|
||||
{
|
||||
// Attempt to create a client (which fetches a token via client_credentials)
|
||||
var client = await _clientFactory.CreateAsync(instance.XiboUrl, oauthApp.ClientId, secret);
|
||||
|
||||
// If we got here, the token was obtained successfully
|
||||
return new HealthCheckResult(HealthStatus.Healthy, "OAuth2 client_credentials flow successful");
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
return new HealthCheckResult(HealthStatus.Critical,
|
||||
$"OAuth2 authentication failed: {ex.Message}",
|
||||
"Credential rotation job may be required");
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user