gitea-token-access/scripts/grant-access.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONFIG="${SCRIPT_DIR}/../config.ini"

if [[ $# -lt 1 ]]; then
  echo "Usage: $0 <repo-name> [config.ini]"
  echo "Grant read access to a repository for the reader account."
  exit 1
fi

REPO="$1"
[[ -n "${2:-}" ]] && CONFIG="$2"

if [[ ! -f "$CONFIG" ]]; then
  echo "ERROR: config file not found: $CONFIG"
  exit 1
fi

# --- Parse INI ---
parse_ini() {
  local file="$1" section="$2" key="$3"
  sed -n "/^\[$section\]/,/^\[/p" "$file" | grep "^${key}\s*=" | head -1 | sed 's/^[^=]*=\s*//' | sed 's/\s*$//'
}

GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
OWNER_USER=$(parse_ini "$CONFIG" owner username)
OWNER_PASS=$(parse_ini "$CONFIG" owner password)
READER_USER=$(parse_ini "$CONFIG" reader username)
READER_PASS=$(parse_ini "$CONFIG" reader password)
TOKEN=$(parse_ini "$CONFIG" reader token)

echo "=== Grant Access: $OWNER_USER/$REPO -> $READER_USER ==="

# --- Add as collaborator (read permission) ---
echo "[1/3] Adding '$READER_USER' as collaborator (read)..."
HTTP_CODE=$(curl -s -o /tmp/gitea_grant.json -w "%{http_code}" \
  -X PUT "$GITEA_API/repos/$OWNER_USER/$REPO/collaborators/$READER_USER" \
  -u "$OWNER_USER:$OWNER_PASS" \
  -H "Content-Type: application/json" \
  -d '{"permission": "read"}')

if [[ "$HTTP_CODE" == "204" || "$HTTP_CODE" == "200" ]]; then
  echo "  -> Collaborator added."
else
  echo "  -> ERROR: HTTP $HTTP_CODE"
  cat /tmp/gitea_grant.json
  exit 1
fi

# --- Accept invitation (if required by Gitea) ---
echo "[2/3] Accepting collaboration invite (if any)..."
# List pending notifications/invitations and accept
PENDING=$(curl -s \
  -u "$READER_USER:$READER_PASS" \
  "$GITEA_API/user/repos" | grep -c "\"name\":\"$REPO\"" 2>/dev/null || echo "0")

if [[ "$PENDING" == "0" ]]; then
  # Try to accept via notifications — some Gitea versions auto-accept
  echo "  -> Auto-accepted or no invite needed."
else
  echo "  -> Already accessible."
fi

# --- Verify access with token ---
echo "[3/3] Verifying access with token..."
if [[ -z "$TOKEN" ]]; then
  echo "  -> WARNING: No token in config.ini, skipping verification."
  echo "  -> Run setup-reader.sh first to create a token."
else
  HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
    -H "Authorization: token $TOKEN" \
    "$GITEA_API/repos/$OWNER_USER/$REPO")

  if [[ "$HTTP_CODE" == "200" ]]; then
    echo "  -> Access confirmed (HTTP 200)."
  else
    echo "  -> WARNING: HTTP $HTTP_CODE — access may not be working yet."
  fi
fi

echo ""
echo "=== Done ==="
echo "Repo '$OWNER_USER/$REPO' is now readable by '$READER_USER'."