289 lines
9.4 KiB
Bash
289 lines
9.4 KiB
Bash
#!/usr/bin/env zsh
|
|
|
|
if [[ -n "${CODEX_AUTH_COMMON_LOADED:-}" ]]; then
|
|
return 0
|
|
fi
|
|
CODEX_AUTH_COMMON_LOADED=1
|
|
|
|
CODEX_MCP_ENV_FILE="${CODEX_MCP_ENV_FILE:-${HOME}/.codex/mcp.env}"
|
|
MCPGW_SELECTED_SERVERS_FILE="${MCPGW_SELECTED_SERVERS_FILE:-${HOME}/.ora-gateway/selected-servers.json}"
|
|
MCPGW_OP_TOKEN_FILE="${MCPGW_OP_TOKEN_FILE:-${HOME}/.ora-gateway/op-token}"
|
|
CODEX_DEVOPS_AUTH_SCRIPT="${CODEX_DEVOPS_AUTH_SCRIPT:-${HOME}/bin/codex-devops-auth.sh}"
|
|
OCI_AUTH_CALLBACK_PORT="${OCI_AUTH_CALLBACK_PORT:-8181}"
|
|
CODEX_AUTH_COMMON_AUTH_ENV_FILE=""
|
|
CODEX_AUTH_COMMON_DEDICATED_AGENT_PID=""
|
|
CODEX_AUTH_COMMON_DEDICATED_AGENT_SOCK=""
|
|
|
|
codex_auth_log() {
|
|
print -u2 -- "$@"
|
|
}
|
|
|
|
codex_auth_cleanup() {
|
|
if [[ -n "${CODEX_AUTH_COMMON_DEDICATED_AGENT_PID}" && -n "${CODEX_AUTH_COMMON_DEDICATED_AGENT_SOCK}" ]]; then
|
|
SSH_AGENT_PID="${CODEX_AUTH_COMMON_DEDICATED_AGENT_PID}" SSH_AUTH_SOCK="${CODEX_AUTH_COMMON_DEDICATED_AGENT_SOCK}" ssh-agent -k >/dev/null 2>&1 || true
|
|
fi
|
|
|
|
if [[ -n "${CODEX_AUTH_COMMON_AUTH_ENV_FILE}" ]]; then
|
|
rm -f "${CODEX_AUTH_COMMON_AUTH_ENV_FILE}" >/dev/null 2>&1 || true
|
|
fi
|
|
}
|
|
|
|
codex_auth_sanitize_mcpgw_output() {
|
|
local line clean redacted
|
|
|
|
while IFS= read -r line || [[ -n "${line}" ]]; do
|
|
clean="$(printf '%s\n' "${line}" | perl -pe 's/\e\]8;;.*?\a//g; s/\e\[[0-?]*[ -\/]*[@-~]//g')"
|
|
redacted="$(printf '%s\n' "${clean}" | sed -E \
|
|
-e 's#https?://[^[:space:]]+#[redacted URL]#g' \
|
|
-e 's#([Aa][Cc][Cc][Ee][Ss][Ss]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
|
|
-e 's#([Ii][Dd]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
|
|
-e 's#([Rr][Ee][Ff][Rr][Ee][Ss][Hh]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
|
|
-e 's#([Ss][Ee][Cc][Uu][Rr][Ii][Tt][Yy]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
|
|
-e 's#([Cc][Ll][Ii][Ee][Nn][Tt]_[Ss][Ee][Cc][Rr][Ee][Tt]=)[^[:space:]]+#\1[redacted]#g' \
|
|
-e 's#([Pp][Uu][Bb][Ll][Ii][Cc]_[Kk][Ee][Yy]=)[^[:space:]]+#\1[redacted]#g' \
|
|
-e 's#([Aa][Uu][Tt][Hh][Oo][Rr][Ii][Zz][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*).*#\1[redacted]#g' \
|
|
-e 's#([Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*).*#\1[redacted]#g' \
|
|
-e 's#([Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*).*#\1[redacted]#g' \
|
|
-e 's#([^[:space:]]*/)?[.]oci/config#[redacted OCI config path]#g' \
|
|
-e 's#(Config written to: ).*#\1[redacted config path]#')"
|
|
|
|
codex_auth_log "${redacted}"
|
|
done
|
|
}
|
|
|
|
codex_auth_is_truthy() {
|
|
case "${1:-}" in
|
|
1|true|TRUE|yes|YES|on|ON)
|
|
return 0
|
|
;;
|
|
*)
|
|
return 1
|
|
;;
|
|
esac
|
|
}
|
|
|
|
codex_auth_confluence_selected() {
|
|
local selected_servers_file="${MCPGW_SELECTED_SERVERS_FILE}"
|
|
|
|
if [[ -r "${selected_servers_file}" ]] && LC_ALL=C grep -Eiq '"(Confluence|CentralConfluence|central_confluence|central-confluence)"' "${selected_servers_file}"; then
|
|
return 0
|
|
fi
|
|
|
|
case ",${CODEX_MCP_SERVERS:-}," in
|
|
*,Confluence,*|*,confluence,*|*,CentralConfluence,*|*,central_confluence,*|*,central-confluence,*)
|
|
return 0
|
|
;;
|
|
esac
|
|
|
|
return 1
|
|
}
|
|
|
|
codex_auth_should_refresh_confluence_cookies() {
|
|
if codex_auth_is_truthy "${CODEX_MCP_REFRESH_COOKIES:-}" || \
|
|
codex_auth_is_truthy "${CODEX_MCP_REFRESH_CONFLUENCE_COOKIES:-}" || \
|
|
codex_auth_is_truthy "${MCPGW_REFRESH_COOKIES:-}" || \
|
|
codex_auth_is_truthy "${CODEX_MCP_CONFLUENCE_COOKIES_STALE:-}" || \
|
|
codex_auth_is_truthy "${MCPGW_CONFLUENCE_COOKIES_STALE:-}"; then
|
|
return 0
|
|
fi
|
|
|
|
codex_auth_confluence_selected
|
|
}
|
|
|
|
codex_auth_terminate_stale_oci_auth_listener() {
|
|
local port="${1:-${OCI_AUTH_CALLBACK_PORT}}" pid cmd attempt
|
|
local -a terminated_pids=()
|
|
|
|
if ! command -v lsof >/dev/null 2>&1 || ! command -v ps >/dev/null 2>&1; then
|
|
return 1
|
|
fi
|
|
|
|
while IFS= read -r pid || [[ -n "${pid}" ]]; do
|
|
[[ -n "${pid}" ]] || continue
|
|
|
|
cmd="$(ps -p "${pid}" -o command= 2>/dev/null || true)"
|
|
if [[ "${cmd}" == *"oci session authenticate"* ]]; then
|
|
codex_auth_log "MCP Gateway auth preflight: terminating stale OCI session authenticate listener on port ${port} (pid ${pid})."
|
|
kill "${pid}" >/dev/null 2>&1 || true
|
|
terminated_pids+=("${pid}")
|
|
fi
|
|
done < <(lsof -nP -t -iTCP:"${port}" -sTCP:LISTEN 2>/dev/null || true)
|
|
|
|
if [[ ${#terminated_pids[@]} -eq 0 ]]; then
|
|
return 1
|
|
fi
|
|
|
|
for pid in "${terminated_pids[@]}"; do
|
|
for attempt in {1..10}; do
|
|
if ! kill -0 "${pid}" >/dev/null 2>&1; then
|
|
break
|
|
fi
|
|
sleep 0.2
|
|
done
|
|
|
|
if kill -0 "${pid}" >/dev/null 2>&1; then
|
|
codex_auth_log "MCP Gateway auth preflight: OCI auth listener pid ${pid} did not exit; sending SIGKILL."
|
|
kill -KILL "${pid}" >/dev/null 2>&1 || true
|
|
fi
|
|
done
|
|
|
|
return 0
|
|
}
|
|
|
|
codex_auth_run_mcpgw_required() {
|
|
local mcpgw_bin="$1"
|
|
shift
|
|
local output rc
|
|
|
|
codex_auth_log "MCP Gateway auth preflight: mcpgw $*"
|
|
|
|
set +e
|
|
output="$("${mcpgw_bin}" "$@" 2>&1)"
|
|
rc=$?
|
|
set -e
|
|
printf '%s\n' "${output}" | codex_auth_sanitize_mcpgw_output
|
|
|
|
if [[ ${rc} -ne 0 && "$*" == "refresh" && "${output}" == *"port ${OCI_AUTH_CALLBACK_PORT} is already in use"* ]]; then
|
|
if codex_auth_terminate_stale_oci_auth_listener "${OCI_AUTH_CALLBACK_PORT}"; then
|
|
codex_auth_log "MCP Gateway auth preflight: retrying mcpgw refresh after clearing stale OCI auth listener."
|
|
|
|
set +e
|
|
output="$("${mcpgw_bin}" "$@" 2>&1)"
|
|
rc=$?
|
|
set -e
|
|
printf '%s\n' "${output}" | codex_auth_sanitize_mcpgw_output
|
|
fi
|
|
fi
|
|
|
|
if [[ ${rc} -ne 0 ]]; then
|
|
codex_auth_log "MCP Gateway auth preflight failed: mcpgw $* exited with ${rc}."
|
|
exit "${rc}"
|
|
fi
|
|
}
|
|
|
|
codex_auth_prepare_codex_auth() {
|
|
if [[ ! -x "${CODEX_DEVOPS_AUTH_SCRIPT}" ]]; then
|
|
codex_auth_log "Warning: Codex DevOps auth helper not found or not executable: ${CODEX_DEVOPS_AUTH_SCRIPT}"
|
|
return 1
|
|
fi
|
|
|
|
if ! CODEX_AUTH_COMMON_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")"; then
|
|
codex_auth_log "Warning: could not create temporary Codex auth environment file."
|
|
return 1
|
|
fi
|
|
|
|
set +e
|
|
CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_AUTH_COMMON_AUTH_ENV_FILE}" \
|
|
TOKEN_STRICT_HOST_KEY_CHECKING="${CODEX_AUTH_TOKEN_STRICT_HOST_KEY_CHECKING:-no}" \
|
|
TOKEN_USER_KNOWN_HOSTS_FILE="${CODEX_AUTH_TOKEN_USER_KNOWN_HOSTS_FILE:-/dev/null}" \
|
|
"${CODEX_DEVOPS_AUTH_SCRIPT}"
|
|
local auth_rc=$?
|
|
set -e
|
|
|
|
if [[ ${auth_rc} -ne 0 ]]; then
|
|
codex_auth_log "Warning: Codex DevOps auth helper failed with exit code ${auth_rc}; could not refresh OP token."
|
|
return 1
|
|
fi
|
|
|
|
if [[ ! -s "${CODEX_AUTH_COMMON_AUTH_ENV_FILE}" ]]; then
|
|
codex_auth_log "Warning: Codex DevOps auth helper did not write an auth environment; could not refresh OP token."
|
|
return 1
|
|
fi
|
|
|
|
set +e
|
|
source "${CODEX_AUTH_COMMON_AUTH_ENV_FILE}"
|
|
local source_rc=$?
|
|
set -e
|
|
|
|
if [[ ${source_rc} -ne 0 ]]; then
|
|
codex_auth_log "Warning: could not load Codex auth environment from ${CODEX_AUTH_COMMON_AUTH_ENV_FILE}; could not refresh OP token."
|
|
return 1
|
|
fi
|
|
|
|
CODEX_AUTH_COMMON_DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}"
|
|
CODEX_AUTH_COMMON_DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}"
|
|
}
|
|
|
|
codex_auth_write_gateway_op_token() {
|
|
local token_file="${MCPGW_OP_TOKEN_FILE}"
|
|
local token_dir tmp
|
|
|
|
if [[ -z "${OP_TOKEN:-}" ]]; then
|
|
codex_auth_log "Warning: cannot write MCP Gateway OP token: OP_TOKEN is empty."
|
|
return 1
|
|
fi
|
|
|
|
token_dir="$(dirname -- "${token_file}")"
|
|
if ! mkdir -p "${token_dir}"; then
|
|
codex_auth_log "Warning: could not create MCP Gateway token directory: ${token_dir}"
|
|
return 1
|
|
fi
|
|
|
|
if ! tmp="$(mktemp "${token_file}.XXXXXX")"; then
|
|
codex_auth_log "Warning: could not create temporary MCP Gateway OP token file for ${token_file}."
|
|
return 1
|
|
fi
|
|
|
|
if ! printf '%s\n' "${OP_TOKEN}" > "${tmp}"; then
|
|
codex_auth_log "Warning: could not write temporary MCP Gateway OP token file: ${tmp}"
|
|
rm -f "${tmp}" >/dev/null 2>&1 || true
|
|
return 1
|
|
fi
|
|
|
|
if ! chmod 600 "${tmp}"; then
|
|
codex_auth_log "Warning: could not set permissions on temporary MCP Gateway OP token file: ${tmp}"
|
|
rm -f "${tmp}" >/dev/null 2>&1 || true
|
|
return 1
|
|
fi
|
|
|
|
if ! mv -f "${tmp}" "${token_file}"; then
|
|
codex_auth_log "Warning: could not install MCP Gateway OP token file: ${token_file}"
|
|
rm -f "${tmp}" >/dev/null 2>&1 || true
|
|
return 1
|
|
fi
|
|
|
|
codex_auth_log "MCP Gateway auth preflight: wrote fresh operator token to ${token_file}."
|
|
}
|
|
|
|
codex_auth_refresh_gateway_auth() {
|
|
local mcpgw_bin op_token_refreshed=0
|
|
mcpgw_bin="$(command -v mcpgw 2>/dev/null || true)"
|
|
|
|
if [[ -n "${mcpgw_bin}" ]]; then
|
|
codex_auth_run_mcpgw_required "${mcpgw_bin}" refresh
|
|
else
|
|
codex_auth_log "Warning: mcpgw not found on PATH; skipping MCP Gateway auth refresh."
|
|
fi
|
|
|
|
if codex_auth_prepare_codex_auth && codex_auth_write_gateway_op_token; then
|
|
op_token_refreshed=1
|
|
else
|
|
codex_auth_log "Warning: could not refresh OP token; continuing with existing MCP Gateway token state."
|
|
fi
|
|
|
|
if [[ -z "${mcpgw_bin}" ]]; then
|
|
return 0
|
|
fi
|
|
|
|
if [[ "${op_token_refreshed}" != "1" ]]; then
|
|
codex_auth_log "MCP Gateway auth preflight: skipping token-dependent checks because OP token refresh failed."
|
|
return 0
|
|
fi
|
|
|
|
if codex_auth_should_refresh_confluence_cookies; then
|
|
codex_auth_run_mcpgw_required "${mcpgw_bin}" refresh-cookies
|
|
else
|
|
codex_auth_log "MCP Gateway auth preflight: skipping mcpgw refresh-cookies; Confluence auth was not requested."
|
|
fi
|
|
|
|
codex_auth_run_mcpgw_required "${mcpgw_bin}" status
|
|
}
|
|
|
|
codex_auth_preflight() {
|
|
if [[ -r "${CODEX_MCP_ENV_FILE}" ]]; then
|
|
source "${CODEX_MCP_ENV_FILE}"
|
|
fi
|
|
|
|
codex_auth_refresh_gateway_auth
|
|
}
|