[chore] update installer scripts (#7197)

* [chore] update installer scripts

* fix shellcheck and windows test

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: jinja2

.github/workflows/installer-token-verification-test.yml

@@ -0,0 +1,124 @@
+name: installer-token-verification-test
+
+# Regression test for the v2/event API token validation.
+# Verifies that install.sh and install.ps1 check the HTTP status code (200)
+# rather than the response body.
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/installer-token-verification-test.yml'
+      - 'packaging/installer/install.sh'
+      - 'packaging/installer/install.ps1'
+      - '.github/workflows/scripts/mock-http-server.py'
+
+concurrency:
+  group: installer-token-verification-test-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+env:
+  MOCK_SERVER: .github/workflows/scripts/mock-http-server.py
+
+jobs:
+  linux-curl:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Start mock servers
+        run: |
+          python3 "$MOCK_SERVER" 200 8199 &
+          python3 "$MOCK_SERVER" 401 8200 &
+          sleep 1
+
+      - name: "curl: 200 with non-OK body passes"
+        run: |
+          eval "$(sed -n '/^verify_access_token()/,/^}/p' packaging/installer/install.sh)"
+          verify_access_token "test-token" "http://127.0.0.1:8199" "false"
+
+      - name: "curl: 401 fails validation"
+        run: |
+          eval "$(sed -n '/^verify_access_token()/,/^}/p' packaging/installer/install.sh)"
+          if verify_access_token "bad-token" "http://127.0.0.1:8200" "false"; then
+            echo "FAIL: should have rejected 401" >&2; exit 1
+          fi
+
+  linux-wget:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Remove curl to force wget code path
+        run: |
+          sudo apt-get remove -y curl
+          if command -v curl; then
+            echo "curl still installed" >&2
+            exit 1
+          fi
+          command -v wget
+
+      - name: Start mock servers
+        run: |
+          python3 "$MOCK_SERVER" 200 8199 &
+          python3 "$MOCK_SERVER" 401 8200 &
+          sleep 1
+
+      - name: "wget: 200 with non-OK body passes"
+        run: |
+          eval "$(sed -n '/^verify_access_token()/,/^}/p' packaging/installer/install.sh)"
+          verify_access_token "test-token" "http://127.0.0.1:8199" "false"
+
+      - name: "wget: 401 fails validation"
+        run: |
+          eval "$(sed -n '/^verify_access_token()/,/^}/p' packaging/installer/install.sh)"
+          if verify_access_token "bad-token" "http://127.0.0.1:8200" "false"; then
+            echo "FAIL: should have rejected 401" >&2; exit 1
+          fi
+
+  windows:
+    runs-on: windows-2022
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: "PowerShell: test verify_access_token"
+        shell: pwsh
+        run: |
+          # Start mock servers (must be in same step — Start-Job doesn't survive across steps)
+          $mockServer = "$env:MOCK_SERVER"
+          $job200 = Start-Job -ScriptBlock { python3 $using:mockServer 200 8199 }
+          $job401 = Start-Job -ScriptBlock { python3 $using:mockServer 401 8200 }
+          Start-Sleep -Seconds 2
+
+          # Extract verify_access_token function from install.ps1
+          $scriptContent = Get-Content -Raw .\packaging\installer\install.ps1
+          if ($scriptContent -match '(?s)(function verify_access_token\(.+?\n\})') {
+            Invoke-Expression $matches[1]
+          } else {
+            throw "Could not extract verify_access_token function from install.ps1"
+          }
+
+          # Test 1: 200 with non-OK body should pass
+          $result = verify_access_token -access_token "test-token" -ingest_url "http://127.0.0.1:8199" -insecure $false
+          if (-not $result) {
+            throw "FAIL: should have accepted 200 with non-OK body"
+          }
+          echo "PASS: 200 with non-OK body accepted"
+
+          # Test 2: 401 should fail
+          $failed = $false
+          try {
+            $result = verify_access_token -access_token "bad-token" -ingest_url "http://127.0.0.1:8200" -insecure $false
+            if (-not $result) { $failed = $true }
+          } catch {
+            $failed = $true
+          }
+          if (-not $failed) {
+            throw "FAIL: should have rejected 401"
+          }
+          echo "PASS: 401 correctly rejected"
+
+          Stop-Job $job200, $job401
+          Remove-Job $job200, $job401

.github/workflows/scripts/mock-http-server.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+"""Minimal HTTP server that responds with a fixed status code and empty JSON body.
+
+Usage: python3 mock-http-server.py <status_code> <port>
+"""
+import http.server
+import sys
+
+if len(sys.argv) != 3:
+    print(f"Usage: {sys.argv[0]} <status_code> <port>", file=sys.stderr)
+    sys.exit(1)
+
+try:
+    status = int(sys.argv[1])
+    port = int(sys.argv[2])
+except (ValueError, TypeError):
+    print("Error: <status_code> and <port> must be integers.", file=sys.stderr)
+    sys.exit(1)
+class Handler(http.server.BaseHTTPRequestHandler):
+    def do_POST(self):
+        self.send_response(status)
+        self.send_header("Content-Type", "application/json")
+        self.end_headers()
+        self.wfile.write(b"{}")
+
+    def log_message(self, *a):
+        pass
+
+http.server.HTTPServer(("127.0.0.1", port), Handler).serve_forever()

packaging/installer/install.ps1

@@ -559,7 +559,7 @@ if ($force_skip_verify_access_token) {
         # verify access token
         echo 'Verifying Access Token...'
         if (!(verify_access_token -access_token $access_token -ingest_url $ingest_url -insecure $insecure)) {
-            throw "Access token authentication failed. Verify that your access token is correct."
+            throw "Access token authentication failed. Verify that your access token is correct. If your access token is valid, you can skip validation by rerunning with -force_skip_verify_access_token `$true or setting the VERIFY_ACCESS_TOKEN=false environment variable."
         }
         else {
             echo '- Verified Access Token'

packaging/installer/install.sh

@@ -141,38 +141,56 @@ verify_access_token() {
   local access_token="$1"
   local ingest_url="$2"
   local insecure="$3"
+  local http_code
 
   if command -v curl > /dev/null; then
-    api_output=$(curl \
+    http_code=$(curl \
       -d '[]' \
       -H "X-Sf-Token: $access_token" \
       -H "Content-Type:application/json" \
       -X POST \
+      -w "%{http_code}" \
+      -o /dev/null \
+      -s \
       $([ "$insecure" = "true" ] && echo -n "--insecure") \
-      "$ingest_url"/v2/event 2>/dev/null)
+      "$ingest_url"/v2/event)
+    if [ $? -ne 0 ]; then
+      echo "Failed to verify access token: curl request failed" >&2
+      return 1
+    fi
   elif command -v wget > /dev/null; then
-    api_output=$(wget \
+    # --server-response prints HTTP headers to stderr
+    local wget_output
+    wget_output=$(wget \
       --header="Content-Type: application/json" \
       --header="X-Sf-Token: $access_token" \
       --post-data='[]' \
       $([ "$insecure" = "true" ] && echo -n "--no-check-certificate") \
-      -O - \
-      -o /dev/null \
-      "$ingest_url"/v2/event)
-    if [ $? -eq 5 ]; then
+      --server-response \
+      -O /dev/null \
+      "$ingest_url"/v2/event 2>&1)
+    local wget_exit=$?
+    if [ $wget_exit -eq 5 ]; then
       echo "TLS cert for Splunk ingest could not be verified, does your system have TLS certs installed?" >&2
-      exit 1
+      return 1
+    fi
+    # Extract HTTP status code from response headers (format: "  HTTP/1.1 200 OK")
+    http_code=$(echo "$wget_output" | grep -i "^[[:space:]]*HTTP/" | tail -1 | awk '{print $2}')
+    if [ -z "$http_code" ]; then
+      echo "Failed to verify access token: wget request failed" >&2
+      return 1
     fi
   else
     echo "Either curl or wget is required to verify the access token" >&2
-    exit 1
+    return 1
   fi
 
-  if [ "$api_output" = "\"OK\"" ]; then
-    true
+  # Check if status code is 200
+  if [ "$http_code" -eq 200 ]; then
+    return 0
   else
-    echo "$api_output"
-    false
+    echo "Access token verification failed with HTTP status code: $http_code" >&2
+    return 1
   fi
 }
 
@@ -1405,6 +1423,7 @@ parse_args_and_install() {
 
   if [ "${VERIFY_ACCESS_TOKEN:-true}" = "true" ] && ! verify_access_token "$access_token" "$ingest_url" "$insecure"; then
     echo "Your access token could not be verified. This may be due to a network connectivity issue or an invalid access token." >&2
+    echo "If your access token is valid, you can skip validation by setting VERIFY_ACCESS_TOKEN=false and rerunning the installer." >&2
     exit 1
   fi