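#!/usr/bin/env bash
#
# Smoke test for the deployment behind $BASE: health endpoints, CORS origin
# handling, and the public JSON data endpoints.
#
# Environment (all optional):
#   BASE           base URL under test (default: https://dev1.aptivaai.com)
#   GOOD_ORIGIN    Origin the API is expected to accept (default: $BASE)
#   BAD_ORIGIN     Origin the API is expected to reject
#                  (default: https://evil.example.com)
#   CURL_MAX_TIME  per-request time limit in seconds (default: 30)
#
# Requires: curl, jq.
# Exit status: 0 when every mandatory check passes, 1 on the first failure.
set -euo pipefail

BASE="${BASE:-https://dev1.aptivaai.com}"
GOOD_ORIGIN="${GOOD_ORIGIN:-$BASE}"
BAD_ORIGIN="${BAD_ORIGIN:-https://evil.example.com}"
CURL_MAX_TIME="${CURL_MAX_TIME:-30}"

pass() { echo "✅ $*"; }
fail() { echo "❌ $*" >&2; exit 1; }

# Without this check a missing jq would be reported by json_check as
# "invalid JSON", which points the reader at the server instead of the runner.
for tool in curl jq; do
  command -v "$tool" >/dev/null 2>&1 || fail "required tool not found: $tool"
done

# All scratch files live in one private directory that is removed on every
# exit path, including the early exits taken by fail().
SMOKE_TMP="$(mktemp -d)" || fail "mktemp failed"
trap 'rm -rf -- "${SMOKE_TMP:?}"' EXIT

#######################################
# Print the first 400 bytes of a response body for diagnosis.
# Non-printable bytes are replaced with '.' so a response cannot inject
# terminal escape sequences into the console or CI log.
# Arguments: $1 - label, $2 - path of the saved body
# Outputs:   snippet on stderr
#######################################
show_snippet() {
  local label="$1" file="$2"
  {
    echo "--- $label body (first 400 bytes) ---"
    head -c 400 "$file" | sed 's/[^[:print:]\t]/./g'
    echo
  } >&2
}

#######################################
# curl JSON helper: capture status, validate JSON, show snippet on fail.
# Follows at most 5 redirects. `jq -e .` also rejects an empty body and a
# bare null/false document, not only malformed JSON.
# Arguments: $1 - URL to fetch, $2 - short label used in messages
# Returns:   0 on HTTP 200 with a JSON body; otherwise exits via fail()
#######################################
json_check() {
  local url="$1" label="$2"
  local body code

  # A fresh file per call: curl may leave the file untouched on an empty
  # response, so reusing one path could validate a previous response.
  body="$(mktemp "$SMOKE_TMP/body.XXXXXX")" || fail "mktemp failed"

  if ! code="$(curl -sSL --max-redirs 5 --max-time "$CURL_MAX_TIME" \
    -H 'Accept: application/json' -o "$body" -w '%{http_code}' "$url")"; then
    echo "⚠️ curl transport error for $label" >&2
    fail "$label"
  fi

  if [[ "$code" != "200" ]]; then
    echo "⚠️ $label HTTP $code" >&2
    show_snippet "$label" "$body"
    fail "$label"
  fi

  if ! jq -e . <"$body" >/dev/null 2>&1; then
    echo "⚠️ $label returned non-JSON or invalid JSON" >&2
    show_snippet "$label" "$body"
    fail "$label"
  fi
}

# --- Health checks (server1/2/3) ---
for p in /livez /readyz /healthz; do
  curl -fsS --max-time "$CURL_MAX_TIME" "$BASE$p" >/dev/null || fail "server2 $p"
done
pass "server2 health endpoints up"

# try server1 + server3 via Nginx locations if you expose them (adjust paths if prefixed)
for SVC in server1 server3; do
  # Explicit if/else: with `a && b || c` the fallback would also run if `b` failed.
  if curl -fsS --max-time "$CURL_MAX_TIME" "$BASE/$SVC/healthz" >/dev/null; then
    pass "$SVC healthz OK"
  else
    echo "ℹ️ $SVC /healthz not routed publicly (ok if intentional)"
  fi
done

# NOTE: these CORS checks send a simple GET with an Origin header. They do not
# exercise a preflight (OPTIONS) request, and they verify browser-facing origin
# filtering only: a non-browser client can send any Origin it likes, so this is
# not evidence of authentication or authorization on the endpoint.

# --- CORS: allowed origin (expect 200 for a safe GET) ---
# curl -s hides transport errors, so report them instead of letting set -e
# abort the script without a message.
code="$(curl -s --max-time "$CURL_MAX_TIME" -o /dev/null -w '%{http_code}' \
  -H "Origin: $GOOD_ORIGIN" "$BASE/api/data/career-clusters")" \
  || fail "CORS allowed origin request failed (curl transport error)"
[[ "$code" == "200" ]] || fail "CORS allowed origin should be 200, got $code"
pass "CORS allowed origin OK"

# --- CORS: bad origin (expect 403) ---
cors_headers="$(mktemp "$SMOKE_TMP/headers.XXXXXX")" || fail "mktemp failed"
code="$(curl -s --max-time "$CURL_MAX_TIME" -o /dev/null -D "$cors_headers" \
  -w '%{http_code}' -H "Origin: $BAD_ORIGIN" "$BASE/api/data/career-clusters")" \
  || fail "CORS bad origin request failed (curl transport error)"
[[ "$code" == "403" ]] || fail "CORS bad origin should be 403, got $code"
# The status alone is not the whole story: if the response still names the
# rejected origin in Access-Control-Allow-Origin, a browser would let that
# origin read the response.
if grep -i '^access-control-allow-origin:' "$cors_headers" \
  | grep -qF -- "$BAD_ORIGIN"; then
  fail "CORS bad origin is reflected in Access-Control-Allow-Origin"
fi
pass "CORS bad origin blocked"

# --- Public data flows (server2) ---
json_check "$BASE/api/projections/15-1252?state=GA" "projections"
json_check "$BASE/api/salary?socCode=15-1252&area=Atlanta-Sandy%20Springs-Roswell%2C%20GA" "salary"
json_check "$BASE/api/tuition?cipCodes=1101,1103&state=GA" "tuition"
pass "public data endpoints OK (JSON + 200 verified)"

echo "✓ SMOKE PASSED"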