Better VPN detection in smile-exec.

- Fetch the DNS record only once. - Check that the VPN connection and the requested environment match.

Better VPN detection in smile-exec.
5b9343f5 · nimrod · 973c7eeb · 5b9343f5
Commit 5b9343f5 authored 3 years ago by nimrod
--- a/Documents/bin/smile-exec
+++ b/Documents/bin/smile-exec
@@ -19,10 +19,6 @@ vault_addr() {
    esac
 }

-connected_to_vpn() {
-    [ "$(dig env.smile.config TXT)" = "$SMILE_ENV" ]
-}
-
 aws_account() {
    case "$1" in
        sandbox-1) echo "696774765305";;
@@ -64,8 +60,8 @@ fi

 if ! echo "$envs" | grep --quiet --fixed-strings --word-regex "$SMILE_ENV"
 then
-    echo "Environment $SMILE_ENV is not a valid one." >&2;
-    echo "Valid environments are: $envs"
+    echo "Environment $SMILE_ENV is not a valid one." >&2
+    echo "Valid environments are: $envs" >&2
    exit 1
 fi

@@ -83,9 +79,19 @@ export VAULT_ADDR="$(vault_addr "$SMILE_ENV")"
 VAULT_CAPATH="$(bundle show smile-cli)/lib/vault_ca"
 export VAULT_CAPATH

-if [ -n "$VAULT_ADDR" ] && connected_to_vpn
+connected_vpn="$(dig env.smile.config TXT | xargs)"
+if [ -n "$connected_vpn" ]
+then
+    if [ "$connected_vpn" != "$SMILE_ENV" ]
+    then
+        echo 'Connected to a different VPN than the requested environment.' >&2
+        exit 1
+    fi
+    if [ -n "$VAULT_ADDR" ]
    then
        aws-vault exec "smile-$SMILE_ENV-admin" -- \
                vault login -method aws -no-print role=smile-ops
    fi
+fi
+
 eval exec aws-vault exec "smile-$SMILE_ENV-admin" -- "$@"