gitea-token-access/scripts/setup-reader.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONFIG="${1:-$SCRIPT_DIR/../config.ini}"

if [[ ! -f "$CONFIG" ]]; then
  echo "ERROR: config file not found: $CONFIG"
  echo "Usage: $0 [path/to/config.ini]"
  echo "Copy config.example.ini to config.ini and fill in your values."
  exit 1
fi

# --- Parse INI ---
parse_ini() {
  local file="$1" section="$2" key="$3"
  sed -n "/^\[$section\]/,/^\[/p" "$file" | grep "^${key}\s*=" | head -1 | sed 's/^[^=]*=\s*//' | sed 's/\s*$//'
}

GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
OWNER_USER=$(parse_ini "$CONFIG" owner username)
OWNER_PASS=$(parse_ini "$CONFIG" owner password)
READER_USER=$(parse_ini "$CONFIG" reader username)
READER_PASS=$(parse_ini "$CONFIG" reader password)
READER_EMAIL=$(parse_ini "$CONFIG" reader email)
TOKEN_NAME=$(parse_ini "$CONFIG" reader token_name)
TOKEN_SCOPE=$(parse_ini "$CONFIG" reader token_scope)

if [[ -z "$GITEA_API" || -z "$OWNER_USER" || -z "$OWNER_PASS" || -z "$READER_USER" || -z "$READER_PASS" ]]; then
  echo "ERROR: missing required fields in config.ini"
  exit 1
fi

READER_EMAIL="${READER_EMAIL:-${READER_USER}@noreply.local}"
TOKEN_NAME="${TOKEN_NAME:-installer-readonly}"
TOKEN_SCOPE="${TOKEN_SCOPE:-read:repository}"

echo "=== Gitea Reader Account Setup ==="
echo "Server:  $GITEA_API"
echo "Owner:   $OWNER_USER"
echo "Reader:  $READER_USER"
echo ""

# --- Step 1: Create reader account ---
echo "[1/4] Creating reader account '$READER_USER'..."
HTTP_CODE=$(curl -s -o /tmp/gitea_create_user.json -w "%{http_code}" \
  -X POST "$GITEA_API/admin/users" \
  -u "$OWNER_USER:$OWNER_PASS" \
  -H "Content-Type: application/json" \
  -d "{
    \"username\": \"$READER_USER\",
    \"password\": \"$READER_PASS\",
    \"email\": \"$READER_EMAIL\",
    \"must_change_password\": false,
    \"visibility\": \"public\"
  }")

if [[ "$HTTP_CODE" == "201" ]]; then
  echo "  -> Account created."
elif [[ "$HTTP_CODE" == "422" ]]; then
  echo "  -> Account already exists (422), continuing."
else
  echo "  -> ERROR: HTTP $HTTP_CODE"
  cat /tmp/gitea_create_user.json
  exit 1
fi

# --- Step 2: Activate account ---
echo "[2/4] Activating account and setting visibility..."
curl -s -o /dev/null -w "" \
  -X PATCH "$GITEA_API/admin/users/$READER_USER" \
  -u "$OWNER_USER:$OWNER_PASS" \
  -H "Content-Type: application/json" \
  -d '{"active": true, "visibility": "public", "login_name": "'"$READER_USER"'"}'
echo "  -> Done."

# --- Step 3: Delete existing token with same name (if any) ---
echo "[3/4] Cleaning up old tokens..."
curl -s -o /dev/null -w "" \
  -X DELETE "$GITEA_API/users/$READER_USER/tokens/$TOKEN_NAME" \
  -u "$READER_USER:$READER_PASS" 2>/dev/null || true
echo "  -> Done."

# --- Step 4: Create API token ---
echo "[4/4] Creating API token '$TOKEN_NAME' (scope: $TOKEN_SCOPE)..."
TOKEN_RESPONSE=$(curl -s \
  -X POST "$GITEA_API/users/$READER_USER/tokens" \
  -u "$READER_USER:$READER_PASS" \
  -H "Content-Type: application/json" \
  -d "{\"name\": \"$TOKEN_NAME\", \"scopes\": [\"$TOKEN_SCOPE\"]}")

TOKEN_VALUE=$(echo "$TOKEN_RESPONSE" | grep -o '"sha1":"[^"]*"' | sed 's/"sha1":"//;s/"//')

if [[ -z "$TOKEN_VALUE" ]]; then
  echo "  -> ERROR: Failed to extract token from response:"
  echo "$TOKEN_RESPONSE"
  exit 1
fi

echo "  -> Token created: ${TOKEN_VALUE:0:8}..."

# --- Write token back to config.ini ---
if grep -q "^token\s*=" "$CONFIG" 2>/dev/null; then
  sed -i "s|^token\s*=.*|token = $TOKEN_VALUE|" "$CONFIG"
else
  # Add token under [reader] section
  sed -i "/^\[reader\]/,/^\[/{
    /^token_scope/a token = $TOKEN_VALUE
  }" "$CONFIG"
fi

echo ""
echo "=== Setup Complete ==="
echo "Reader account: $READER_USER"
echo "Token (first 8): ${TOKEN_VALUE:0:8}..."
echo "Token written to: $CONFIG"
echo ""
echo "Next steps:"
echo "  bash scripts/grant-access.sh <repo-name>"
echo "  bash scripts/test-access.sh <repo-name>"