295afe9b2a
Three-layer access scheme: owner -> reader account -> scoped API token. Includes 6 automation scripts, config template, EN/RU docs, and manual curl guide. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
77 lines
2.3 KiB
Bash
Executable File
77 lines
2.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
CONFIG="${1:-$SCRIPT_DIR/../config.ini}"
|
|
|
|
if [[ ! -f "$CONFIG" ]]; then
|
|
echo "ERROR: config file not found: $CONFIG"
|
|
exit 1
|
|
fi
|
|
|
|
# --- Parse INI ---
|
|
parse_ini() {
|
|
local file="$1" section="$2" key="$3"
|
|
sed -n "/^\[$section\]/,/^\[/p" "$file" | grep "^${key}\s*=" | head -1 | sed 's/^[^=]*=\s*//' | sed 's/\s*$//'
|
|
}
|
|
|
|
GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
|
|
READER_USER=$(parse_ini "$CONFIG" reader username)
|
|
READER_PASS=$(parse_ini "$CONFIG" reader password)
|
|
TOKEN_NAME=$(parse_ini "$CONFIG" reader token_name)
|
|
TOKEN_SCOPE=$(parse_ini "$CONFIG" reader token_scope)
|
|
|
|
TOKEN_NAME="${TOKEN_NAME:-installer-readonly}"
|
|
TOKEN_SCOPE="${TOKEN_SCOPE:-read:repository}"
|
|
|
|
echo "=== Token Rotation for '$READER_USER' ==="
|
|
|
|
# --- Delete old token ---
|
|
echo "[1/2] Deleting old token '$TOKEN_NAME'..."
|
|
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
-X DELETE "$GITEA_API/users/$READER_USER/tokens/$TOKEN_NAME" \
|
|
-u "$READER_USER:$READER_PASS")
|
|
|
|
if [[ "$HTTP_CODE" == "204" || "$HTTP_CODE" == "200" ]]; then
|
|
echo " -> Old token deleted."
|
|
elif [[ "$HTTP_CODE" == "404" ]]; then
|
|
echo " -> No existing token found (404), creating fresh."
|
|
else
|
|
echo " -> WARNING: HTTP $HTTP_CODE while deleting old token."
|
|
fi
|
|
|
|
# --- Create new token ---
|
|
echo "[2/2] Creating new token '$TOKEN_NAME' (scope: $TOKEN_SCOPE)..."
|
|
TOKEN_RESPONSE=$(curl -s \
|
|
-X POST "$GITEA_API/users/$READER_USER/tokens" \
|
|
-u "$READER_USER:$READER_PASS" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"name\": \"$TOKEN_NAME\", \"scopes\": [\"$TOKEN_SCOPE\"]}")
|
|
|
|
TOKEN_VALUE=$(echo "$TOKEN_RESPONSE" | grep -o '"sha1":"[^"]*"' | sed 's/"sha1":"//;s/"//')
|
|
|
|
if [[ -z "$TOKEN_VALUE" ]]; then
|
|
echo " -> ERROR: Failed to create new token:"
|
|
echo "$TOKEN_RESPONSE"
|
|
exit 1
|
|
fi
|
|
|
|
echo " -> New token: ${TOKEN_VALUE:0:8}..."
|
|
|
|
# --- Update config.ini ---
|
|
if grep -q "^token\s*=" "$CONFIG" 2>/dev/null; then
|
|
sed -i "s|^token\s*=.*|token = $TOKEN_VALUE|" "$CONFIG"
|
|
echo " -> Token updated in $CONFIG"
|
|
else
|
|
sed -i "/^\[reader\]/,/^\[/{
|
|
/^token_scope/a token = $TOKEN_VALUE
|
|
}" "$CONFIG"
|
|
echo " -> Token added to $CONFIG"
|
|
fi
|
|
|
|
echo ""
|
|
echo "=== Rotation Complete ==="
|
|
echo "New token (first 8): ${TOKEN_VALUE:0:8}..."
|
|
echo ""
|
|
echo "IMPORTANT: Update any systems using the old token!"
|