fix(setup): Ensure built-in users exist before proceeding

Fixes #786
deviantony · Nov 17, 2022 · 54d3f71 · 54d3f71
1 parent 384e50b
commit 54d3f71
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 5 deletions.
diff --git a/setup/entrypoint.sh b/setup/entrypoint.sh
@@ -3,7 +3,7 @@
 set -eu
 set -o pipefail
 
-source "$(dirname "${BASH_SOURCE[0]}")/helpers.sh"
+source "${BASH_SOURCE[0]%/*}"/helpers.sh
 
 
 # --------------------------------------------------------
@@ -33,7 +33,7 @@ roles_files=(
 
 echo "-------- $(date) --------"
 
-state_file="$(dirname "${BASH_SOURCE[0]}")/state/.done"
+state_file="${BASH_SOURCE[0]%/*}"/state/.done
 if [[ -e "$state_file" ]]; then
  log "State file exists at '${state_file}', skipping setup"
  exit 0
@@ -65,11 +65,22 @@ fi
 
 sublog 'Elasticsearch is running'
 
+log 'Waiting for initialization of built-in users'
+
+wait_for_builtin_users || exit_code=$?
+
+if ((exit_code)); then
+ suberr 'Timed out waiting for condition'
+ exit $exit_code
+fi
+
+sublog 'Built-in users were initialized'
+
 for role in "${!roles_files[@]}"; do
  log "Role '$role'"
 
  declare body_file
- body_file="$(dirname "${BASH_SOURCE[0]}")/roles/${roles_files[$role]:-}"
+ body_file="${BASH_SOURCE[0]%/*}/roles/${roles_files[$role]:-}"
  if [[ ! -f "${body_file:-}" ]]; then
  sublog "No role body found at '${body_file}', skipping"
  continue
@@ -94,7 +105,7 @@ for user in "${!users_passwords[@]}"; do
  set_user_password "$user" "${users_passwords[$user]}"
  else
  if [[ -z "${users_roles[$user]:-}" ]]; then
- err ' No role defined, skipping creation'
+ suberr ' No role defined, skipping creation'
  continue
  fi
 
@@ -103,5 +114,5 @@ for user in "${!users_passwords[@]}"; do
  fi
 done
 
-mkdir -p "$(dirname "${state_file}")"
+mkdir -p "${state_file%/*}"
 touch "$state_file"
diff --git a/setup/helpers.sh b/setup/helpers.sh
@@ -57,6 +57,53 @@ function wait_for_elasticsearch {
  return $result
 }
 
+# Poll the Elasticsearch users API until it returns users.
+function wait_for_builtin_users {
+ local elasticsearch_host="${ELASTICSEARCH_HOST:-elasticsearch}"
+
+ local -a args=( '-s' '-D-' '-m15' "http://${elasticsearch_host}:9200/_security/user?pretty" )
+
+ if [[ -n "${ELASTIC_PASSWORD:-}" ]]; then
+ args+=( '-u' "elastic:${ELASTIC_PASSWORD}" )
+ fi
+
+ local -i result=1
+
+ local line
+ local -i exit_code
+ local -i num_users
+
+ # retry for max 30s (30*1s)
+ for _ in $(seq 1 30); do
+ num_users=0
+
+ # read exits with a non-zero code if the last read input doesn't end
+ # with a newline character. The printf without newline that follows the
+ # curl command ensures that the final input not only contains curl's
+ # exit code, but causes read to fail so we can capture the return value.
+ # Ref. https://unix.stackexchange.com/a/176703/152409
+ while IFS= read -r line || ! exit_code="$line"; do
+ if [[ "$line" =~ _reserved.+true ]]; then
+ (( num_users++ ))
+ fi
+ done < <(curl "${args[@]}"; printf '%s' "$?")
+
+ if ((exit_code)); then
+ result=$exit_code
+ fi
+
+ # we expect more than just the 'elastic' user in the result
+ if (( num_users > 1 )); then
+ result=0
+ break
+ fi
+
+ sleep 1
+ done
+
+ return $result
+}
+
 # Verify that the given Elasticsearch user exists.
 function check_user_exists {
  local username=$1