From c3f4433a1ab181346413699f27bae0c5117e1e19 Mon Sep 17 00:00:00 2001 From: Khue Doan Date: Mon, 18 Jul 2022 03:48:15 +0700 Subject: [PATCH] feat: add script to setup Gitea tokens and OAuth apps --- scripts/hacks | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100755 scripts/hacks diff --git a/scripts/hacks b/scripts/hacks new file mode 100755 index 00000000..8ac1998a --- /dev/null +++ b/scripts/hacks @@ -0,0 +1,128 @@ +#!/bin/python + +""" +Quick and dirty script for things that I can't/don't have time to do properly yet +TODO: retire this script + +export DOMAIN=khuedoan.com +export GITEA_USER=gitea_admin +export GITEA_PASSWORD='xxx' +export GITEA_HOST='git.khuedoan.com' +export VAULT_HOST='https://vault.khuedoan.com' +export VAULT_TOKEN='s.xxx' +./scripts/hacks +""" + +import json +import os +import sys +import requests +import urllib.parse +from rich.console import Console + + +# https://git.khuedoan.com/user/settings/applications +# Doing this properly inside the cluster requires: +# - Kubernetes service account +# - Vault Kubernetes auth +domain = os.environ['DOMAIN'] +vault_host = os.environ['VAULT_HOST'] +vault_token = os.environ['VAULT_TOKEN'] + +gitea_host = os.getenv('GITEA_HOST', "gitea-http:3000") +gitea_user = os.environ['GITEA_USER'] +gitea_pass = urllib.parse.quote_plus(os.environ['GITEA_PASSWORD']) +gitea_url = f"http://{gitea_user}:{gitea_pass}@{gitea_host}" + + +def create_vault_secret(path: str, data) -> None: + requests.post( + url=f"{vault_host}/v1/secret/data/{path}", + headers={ + 'X-Vault-Token': vault_token + }, + data=json.dumps({ + 'data': data + }) + ) + + +def setup_gitea_access_token(name: str) -> None: + current_tokens = requests.get( + url=f"{gitea_url}/api/v1/users/{gitea_user}/tokens", + ).json() + + if not any(token['name'] == name for token in current_tokens): + resp = requests.post( + url=f"{gitea_url}/api/v1/users/{gitea_user}/tokens", + headers={ + 'Content-Type': 'application/json' + }, + data=json.dumps({ + 'name': name + }) + ) + + if resp.status_code == 201: + create_vault_secret( + f"gitea/{name}", + { + 'token': resp.json()['sha1'] + } + ) + else: + print(f"Error creating access token {name} ({resp.status_code})") + print(resp.content) + sys.exit(1) + + +def setup_gitea_oauth_app(name: str, redirect_uri: str) -> None: + current_apps = requests.get( + url=f"{gitea_url}/api/v1/user/applications/oauth2", + ).json() + + if not any(app['name'] == name for app in current_apps): + resp = requests.post( + url=f"{gitea_url}/api/v1/user/applications/oauth2", + headers={ + 'Content-Type': 'application/json' + }, + data=json.dumps({ + 'name': name, + 'redirect_uris': [redirect_uri] + }) + ) + + if resp.status_code == 201: + create_vault_secret( + f"gitea/{name}", + { + 'client_id': resp.json()['client_id'], + 'client_secret': resp.json()['client_secret'] + } + ) + else: + print(f"Error creating OAuth application {name} ({resp.status_code})") + print(resp.content) + sys.exit(1) + + +def main() -> None: + with Console().status("Completing the remaining sorcery"): + gitea_access_tokens = [ + 'renovate' + ] + + gitea_oauth_apps = [ + {'name': 'dex', 'redirect_uri': f"https://dex.{domain}/callback"} + ] + + for token_name in gitea_access_tokens: + setup_gitea_access_token(token_name) + + for app in gitea_oauth_apps: + setup_gitea_oauth_app(app['name'], app['redirect_uri']) + + +if __name__ == '__main__': + main()