def check_database(project, service, secrets):
header("Database checks")
database_name = service["spec"]["template"]["metadata"]["annotations"][
"run.googleapis.com/cloudsql-instances"]
echo(f"Associated database: {database_name}")
_, dbregion, dbinstance = database_name.split(":")
result(
f"Associated database instance matches secret connection URL instance",
success=(secrets["dbinstance"] == database_name),
)
dbapi = build("sqladmin", "v1beta4")
instance = dbapi.instances().get(project=project,
instance=dbinstance).execute()
result(
f"Instance exists: {instance['name']}, running {instance['databaseVersion']}"
)
database = (dbapi.databases().get(project=project,
instance=dbinstance,
database=secrets["dbname"]).execute())
result(
f"Database exists: {database['name']}, collation {database['collation']}"
)
users = dbapi.users().list(project=project, instance=dbinstance).execute()
result(
f"User exists: {secrets['dbuser']}",
details=users["items"],
success=(secrets["dbuser"]
in [user["name"] for user in users["items"]]),
)
def check_bucket(media_bucket):
header("Object storage checks")
sapi = build("storage", "v1")
try:
bucket = sapi.buckets().get(bucket=media_bucket).execute()
result(
f"Storage bucket {bucket['name']} exists in {bucket['location']}")
except googleapiclient.errors.HttpError as e:
result(f"Storage bucket error {e}", success=False)
def check_run(service):
header(f"Service configuration checks")
sn = service["metadata"]["name"]
result(f"Service {sn} exists")
def check_secrets(values):
header("Settings checks")
for key in ["DATABASE_URL", "GS_BUCKET_NAME", "SECRET_KEY"]:
result(f"{key} is defined", success=(key in values.keys()))
def check_unicodex(project, service):
header("Deployed service checks")
fixture_code = "1F44B"
fixture_slug = f"/u/{fixture_code}"
login_slug = "/admin/login/?next=/admin/"
model_admin_slug = "/admin/unicodex/codepoint/"
if "url" not in service["status"].keys():
message = service["status"]["conditions"][0]["message"]
result(f"Service does not have a deployed URL: {message}",
success=False)
else:
url = service["status"]["url"]
echo(f"Service deployment URL: {url}")
try:
response = httpx.get(url, timeout=30)
except httpx.ReadTimeout as e:
result(e, success=False)
return
print(cleanhtml(response.text))
if response.status_code == 200:
result("Index page loaded successfully")
else:
result(f"Index page returns an error: {response.status_code}",
success=False)
if "Unicodex" in response.text:
result("Index page contains 'Unicodex'")
else:
result("Index page does not contain the string 'Unicodex'",
success=False)
fixture = httpx.get(url + fixture_slug)
print(cleanhtml(fixture.text))
admin = httpx.get(url + login_slug)
if not admin.is_error:
result(f"Django admin returns status okay ({admin.status_code})")
else:
result(f"Django admin returns an error: {admin.status_code}",
success=False)
if "Log in" in admin.text and "Django administration" in admin.text:
result("Django admin login screen successfully loaded")
else:
result("Django admin login not found",
success=False,
details=admin.text)
headers = {"Referer": url}
with httpx.Client(headers=headers, follow_redirects=True,
timeout=30) as client:
# Login
admin_username = get_secret(project, "SUPERUSER")
admin_password = get_secret(project, "SUPERPASS")
header("Test Django Admin")
client.get(url + login_slug)
response = client.post(
url + login_slug,
data={
"username": admin_username,
"password": admin_password,
"csrfmiddlewaretoken": client.cookies["csrftoken"],
},
)
assert not response.is_error
assert "Site administration" in response.text
assert "Codepoints" in response.text
result(f"Django Admin logged in")
# Try admin action
response = client.post(
url + model_admin_slug,
data={
"action": "generate_designs",
"_selected_action": 1,
"csrfmiddlewaretoken": client.cookies["csrftoken"],
},
)
assert not response.is_error
assert "Imported vendor versions" in response.text
result(f"Django Admin action completed")
# check updated feature
response = client.get(url + f"/u/{fixture_code}")
assert fixture_code in response.text
assert "Android" in response.text
result(f"Django Admin action verified")
print(cleanhtml(response.text))
def check_deploy(project, service_name, region, secret_name):
click.secho(f"🛠Checking {service_name} in {region} in {project}", bold=True)
header(f"Service configuration checks")
api = build("run", "v1")
fqname = f"projects/{project}/locations/{region}/services/{service_name}"
service = api.projects().locations().services().get(name=fqname).execute()
sn = service["metadata"]["name"]
result(f"Service {sn} exists")
sa = service["spec"]["template"]["spec"]["serviceAccountName"]
echo(f"Associated service account: {sa}")
###
result(
f"Associated service account is not default",
details="Ensure a custom service account is associated to the service",
success=("compute-" not in sa),
)
###
success = True
crm = build("cloudresourcemanager", "v1")
iam = crm.projects().getIamPolicy(resource=f"{project}").execute()
for binding in iam["bindings"]:
if binding["role"] == "roles/owner":
echo("Checking roles/owner bindings")
for member in binding["members"]:
echo(member, indent="> ")
if member == sa:
success = True
result(
"Associated service account permissions aren't owner",
details="Ensure the service account isn't using owner permissions",
success=success,
)
###
header("Deployed service checks")
url = service["status"]["url"]
echo(f"Service deployment URL: {url}")
page = httpx.get(url)
if page.status_code == 200:
result("Index page loaded successfully")
else:
result(f"Index page returns an error: {page.status_code}", success=False)
if "Unicodex" in page.text:
result("Index page contains 'Unicodex'")
else:
result("Index page does not contain the string 'Unicodex'", success=False)
admin = httpx.get(url + "/admin")
if admin.status_code == 200:
result("Django admin returns status 200")
else:
result(f"Django admin returns an error: {page.status_code}", success=False)
if "Log in" in admin.text and "Django administration" in admin.text:
result("Django admin login screen successfully loaded")
else:
result("Django admin login not found", success=False, details=admin.text)
###
header("Secret checks")
sm = sml.SecretManagerServiceClient() # using static library
secret_path = f"projects/{project}/secrets/{secret_name}/versions/latest"
payload = sm.access_secret_version(name=secret_path).payload.data.decode("UTF-8")
result(f"Secret {secret_path} exist")
# https://github.com/theskumar/python-dotenv#in-memory-filelikes
values = dotenv_values(stream=StringIO(payload))
for key in ["DATABASE_URL", "GS_BUCKET_NAME", "SECRET_KEY"]:
result(f"{key} is defined", success=(key in values.keys()))
secret_dburl = urlparse(values["DATABASE_URL"])
secret_dbuser = secret_dburl.netloc.split(":")[0]
secret_dbinstance, secret_dbname = secret_dburl.path.split("/")[3:]
media_bucket = values["GS_BUCKET_NAME"]
###
header("Object storage checks")
sapi = build("storage", "v1")
bucket = sapi.buckets().get(bucket=media_bucket).execute()
result(f"Storage bucket {bucket['name']} exists in {bucket['location']}")
# TODO check bucket permissions.
###
header("Database checks")
database_name = service["spec"]["template"]["metadata"]["annotations"][
"run.googleapis.com/cloudsql-instances"
]
echo(f"Associated database: {database_name}")
_, dbregion, dbinstance = database_name.split(":")
result(
f"Associated database instance matches secret connection URL instance",
success=(secret_dbinstance == database_name),
)
dbapi = build("sqladmin", "v1beta4")
instance = dbapi.instances().get(project=project, instance=dbinstance).execute()
result(
f"Instance exists: {instance['name']}, running {instance['databaseVersion']}"
)
database = (
dbapi.databases()
.get(project=project, instance=dbinstance, database=secret_dbname)
.execute()
)
result(f"Database exists: {database['name']}, collation {database['collation']}")
users = dbapi.users().list(project=project, instance=dbinstance).execute()
result(
f"User exists: {secret_dbuser}",
details=users["items"],
success=(secret_dbuser in [user["name"] for user in users["items"]]),
)
# All checks complete; show results.
summary()