295afe9b2a
Three-layer access scheme: owner -> reader account -> scoped API token. Includes 6 automation scripts, config template, EN/RU docs, and manual curl guide. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
94 lines
2.7 KiB
Bash
Executable File
94 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
CONFIG="${SCRIPT_DIR}/../config.ini"
|
|
|
|
REPO="${1:-}"
|
|
[[ -n "${2:-}" ]] && CONFIG="$2"
|
|
|
|
if [[ ! -f "$CONFIG" ]]; then
|
|
echo "ERROR: config file not found: $CONFIG"
|
|
exit 1
|
|
fi
|
|
|
|
# --- Parse INI ---
|
|
parse_ini() {
|
|
local file="$1" section="$2" key="$3"
|
|
sed -n "/^\[$section\]/,/^\[/p" "$file" | grep "^${key}\s*=" | head -1 | sed 's/^[^=]*=\s*//' | sed 's/\s*$//'
|
|
}
|
|
|
|
GITEA_URL=$(parse_ini "$CONFIG" gitea url)
|
|
GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
|
|
OWNER_USER=$(parse_ini "$CONFIG" owner username)
|
|
READER_USER=$(parse_ini "$CONFIG" reader username)
|
|
TOKEN=$(parse_ini "$CONFIG" reader token)
|
|
|
|
if [[ -z "$TOKEN" ]]; then
|
|
echo "ERROR: No token found in config.ini. Run setup-reader.sh first."
|
|
exit 1
|
|
fi
|
|
|
|
PASS=0
|
|
FAIL=0
|
|
|
|
check() {
|
|
local desc="$1" expected="$2" actual="$3"
|
|
if [[ "$actual" == "$expected" ]]; then
|
|
echo " PASS: $desc (HTTP $actual)"
|
|
((PASS++))
|
|
else
|
|
echo " FAIL: $desc (expected $expected, got $actual)"
|
|
((FAIL++))
|
|
fi
|
|
}
|
|
|
|
echo "=== Access Test for '$READER_USER' ==="
|
|
echo "Server: $GITEA_API"
|
|
echo ""
|
|
|
|
# --- Test 1: Token is valid (list repos) ---
|
|
echo "[Test 1] Token validity — list repos..."
|
|
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
-H "Authorization: token $TOKEN" \
|
|
"$GITEA_API/user/repos")
|
|
check "GET /user/repos with token" "200" "$HTTP_CODE"
|
|
|
|
# --- Test 2: Token scope limitation (should NOT access admin endpoints) ---
|
|
echo "[Test 2] Token scope — admin API should be denied..."
|
|
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
-H "Authorization: token $TOKEN" \
|
|
"$GITEA_API/admin/users")
|
|
check "GET /admin/users with read-only token" "403" "$HTTP_CODE"
|
|
|
|
if [[ -n "$REPO" ]]; then
|
|
echo ""
|
|
echo "[Test 3] Repo access — $OWNER_USER/$REPO..."
|
|
|
|
# --- Test 3a: Access with token ---
|
|
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
-H "Authorization: token $TOKEN" \
|
|
"$GITEA_API/repos/$OWNER_USER/$REPO")
|
|
check "GET /repos/$OWNER_USER/$REPO with token" "200" "$HTTP_CODE"
|
|
|
|
# --- Test 3b: Access without token (private repo should be 404) ---
|
|
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
"$GITEA_API/repos/$OWNER_USER/$REPO")
|
|
check "GET /repos/$OWNER_USER/$REPO without token (expect 404)" "404" "$HTTP_CODE"
|
|
|
|
# --- Test 3c: Clone URL with token ---
|
|
echo ""
|
|
echo "[Info] Clone URL for scripts/installers:"
|
|
echo " git clone https://${READER_USER}:${TOKEN}@${GITEA_URL#https://}/${OWNER_USER}/${REPO}.git"
|
|
echo " (or use: Authorization: token $TOKEN header)"
|
|
else
|
|
echo ""
|
|
echo "[Info] Pass a repo name to test specific repo access:"
|
|
echo " $0 <repo-name>"
|
|
fi
|
|
|
|
echo ""
|
|
echo "=== Results: $PASS passed, $FAIL failed ==="
|
|
[[ "$FAIL" -gt 0 ]] && exit 1
|
|
exit 0
|