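#!/usr/bin/env bash
#
# Access test for the read-only ("reader") Gitea account described in config.ini.
#
# Usage: access-test [repo] [config-file]
#   repo         optional repository name under [owner] username to probe
#   config-file  optional INI path (default: ../config.ini relative to this script)
#
# Environment:
#   SHOW_TOKEN=1  print the real token in the clone-URL hint (default: redacted,
#                 because this output is often captured in CI or terminal logs)
#
# Exit status: 0 when every check passed, 1 on any failed check or setup error.
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
REPO="${1:-}"
CONFIG="${2:-${SCRIPT_DIR}/../config.ini}"

# Print an error on stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

[[ -f "$CONFIG" ]] || die "config file not found: $CONFIG"

#######################################
# Read one value from an INI file.
# Arguments: $1 - file, $2 - section name, $3 - key name
# Outputs:   the first matching value with surrounding whitespace (including a
#            trailing CR) removed; nothing when the section or key is absent
# Returns:   0 also when the key is missing, so the caller's own emptiness
#            checks run instead of `set -e` aborting inside the substitution.
#######################################
parse_ini() {
  local file="$1" section="$2" key="$3"
  # Section and key are compared as literal strings, never spliced into a regex.
  awk -v section="$section" -v key="$key" '
    /^\[/ { in_section = (index($0, "[" section "]") == 1); next }
    in_section {
      eq = index($0, "=")
      if (eq == 0) next
      name = substr($0, 1, eq - 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
      if (name != key) next
      value = substr($0, eq + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
      print value
      exit
    }
  ' "$file"
}

GITEA_URL=$(parse_ini "$CONFIG" gitea url)
GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
OWNER_USER=$(parse_ini "$CONFIG" owner username)
READER_USER=$(parse_ini "$CONFIG" reader username)
TOKEN=$(parse_ini "$CONFIG" reader token)

[[ -n "$TOKEN" ]] || die "No token found in config.ini. Run setup-reader.sh first."
[[ -n "$GITEA_API" ]] || die "No api_url found in [gitea] section of $CONFIG"

# The token travels in a request header; without TLS it is readable on the wire.
if [[ "$GITEA_API" != https://* ]]; then
  printf 'WARNING: api_url is not https; the token will be sent unencrypted.\n' >&2
fi

PASS=0
FAIL=0

#######################################
# Record and print the outcome of one check.
# Arguments: $1 - description, $2 - expected HTTP status, $3 - actual status
# Globals:   PASS, FAIL (incremented)
#######################################
check() {
  local desc="$1" expected="$2" actual="$3"
  if [[ "$actual" == "$expected" ]]; then
    echo "  PASS: $desc (HTTP $actual)"
    # Not ((PASS++)): that returns status 1 when the old value is 0 and would
    # terminate the script under `set -e` on the very first result.
    PASS=$((PASS + 1))
  else
    echo "  FAIL: $desc (expected $expected, got $actual)"
    FAIL=$((FAIL + 1))
  fi
}

#######################################
# Issue a GET request and print only the HTTP status code.
# Arguments: $1 - URL, $2 - "auth" to send the reader token, anything else for
#            an anonymous request
# Outputs:   status code; "000" when curl could not complete the request
#######################################
http_status() {
  local url="$1" mode="${2:-anon}" code=""
  local -a opts=(
    --silent --output /dev/null --write-out '%{http_code}'
    --connect-timeout 10 --max-time 30
  )
  if [[ "$mode" == "auth" ]]; then
    # The header is fed on stdin (`--header @-`, curl >= 7.55.0) so the token
    # never appears in curl's argument list, which other local users can read
    # through the process table. printf is a builtin, so it has no argv either.
    code=$(printf '%s\n' "Authorization: token ${TOKEN}" \
      | curl "${opts[@]}" --header @- "$url") || true
  else
    code=$(curl "${opts[@]}" "$url") || true
  fi
  # A transport failure is reported as a failed check rather than aborting.
  printf '%s\n' "${code:-000}"
}

echo "=== Access Test for '$READER_USER' ==="
echo "Server: $GITEA_API"
echo ""

# --- Test 1: Token is valid (list repos) ---
echo "[Test 1] Token validity — list repos..."
HTTP_CODE=$(http_status "$GITEA_API/user/repos" auth)
check "GET /user/repos with token" "200" "$HTTP_CODE"

# --- Test 2: Token scope limitation (should NOT access admin endpoints) ---
echo "[Test 2] Token scope — admin API should be denied..."
HTTP_CODE=$(http_status "$GITEA_API/admin/users" auth)
check "GET /admin/users with read-only token" "403" "$HTTP_CODE"

if [[ -n "$REPO" ]]; then
  # Conservative allow-list: both values must stay a single URL path segment,
  # otherwise the request below would target a different endpoint than the
  # check description claims.
  [[ "$REPO" =~ ^[A-Za-z0-9._-]+$ ]] || die "invalid repo name: $REPO"
  [[ "$OWNER_USER" =~ ^[A-Za-z0-9._-]+$ ]] \
    || die "missing or invalid [owner] username in $CONFIG"

  echo ""
  echo "[Test 3] Repo access — $OWNER_USER/$REPO..."

  # --- Test 3a: Access with token ---
  HTTP_CODE=$(http_status "$GITEA_API/repos/$OWNER_USER/$REPO" auth)
  check "GET /repos/$OWNER_USER/$REPO with token" "200" "$HTTP_CODE"

  # --- Test 3b: Access without token (private repo should be 404) ---
  HTTP_CODE=$(http_status "$GITEA_API/repos/$OWNER_USER/$REPO" anon)
  check "GET /repos/$OWNER_USER/$REPO without token (expect 404)" "404" "$HTTP_CODE"

  # --- Test 3c: Clone URL with token ---
  # A credential embedded in a clone URL is stored in .git/config and may land
  # in shell history, so the real value is shown only on explicit request.
  shown_token='<TOKEN>'
  if [[ "${SHOW_TOKEN:-0}" == "1" ]]; then
    shown_token=$TOKEN
  fi
  echo ""
  echo "[Info] Clone URL for scripts/installers:"
  echo "  git clone https://${READER_USER}:${shown_token}@${GITEA_URL#https://}/${OWNER_USER}/${REPO}.git"
  echo "  (or use: Authorization: token ${shown_token} header)"
  if [[ "${SHOW_TOKEN:-0}" != "1" ]]; then
    echo "  (token redacted; it is stored under [reader] token in $CONFIG, or re-run with SHOW_TOKEN=1)"
  fi
else
  echo ""
  echo "[Info] Pass a repo name to test specific repo access:"
  echo "  $0 <repo> [config-file]"
fi

echo ""
echo "=== Results: $PASS passed, $FAIL failed ==="
if ((FAIL > 0)); then
  exit 1
fi
exit 0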