Some checks failed
CI / changes (push) Successful in 7s
CI / backend-tests (push) Has been skipped
CI / frontend-tests (push) Has been skipped
CI / changes (pull_request) Successful in 6s
CI / backend-tests (pull_request) Has been skipped
CI / frontend-tests (pull_request) Has been skipped
Deploy / build-backend (push) Blocked by required conditions
Deploy / build-worker (push) Blocked by required conditions
Deploy / build-frontend (push) Blocked by required conditions
Deploy / deploy (push) Blocked by required conditions
Deploy / changes (push) Has been cancelled
#71 (CRITICAL): backup.sh committed 100644 → git reset --hard on deploy re-asserts non-exec mode → raw-path cron fails Permission denied (last good dump 2026-05-27, no S3). Commit 100755 + chmod ops/*.sh in deploy.yml + size sanity-check (never prune good dumps for a truncated one) + keep-N retention + optional S3 (redacted /etc/default template). Modeled on the working backup-tradein-db.sh. #427: widen basic_auth username regex ^[a-z][a-z0-9_.-]{1,62}$ + literal-escape dotted names in grep probes. #429: replace list_users.sh false-positive grep with anchored awk over basic_auth block. #428: PILOT_ACCESS.md support email → pilot@gendsgn.ru. Closes #71 Closes #427 Closes #429 Closes #428
49 lines
1.6 KiB
Bash
49 lines
1.6 KiB
Bash
#!/usr/bin/env bash
|
||
# remove_user.sh — удалить пользователя из caddy/users.caddy.snippet
|
||
# Usage: ./scripts/auth/remove_user.sh <username>
|
||
#
|
||
# НЕ коммитит изменения — это задача разработчика.
|
||
set -euo pipefail
|
||
|
||
# 3× dirname от $0 (.../scripts/auth/remove_user.sh) → repo root. Bug fix 2026-05-26.
|
||
SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
|
||
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
|
||
SNIPPET="$REPO_ROOT/caddy/users.caddy.snippet"
|
||
|
||
usage() {
|
||
echo "Usage: $0 <username>" >&2
|
||
exit 1
|
||
}
|
||
|
||
[[ $# -lt 1 ]] && usage
|
||
|
||
USERNAME="$1"
|
||
|
||
# Validate username format: ^[a-z][a-z0-9_.-]{1,62}$ (matches add_user.sh, #427)
|
||
if ! [[ "$USERNAME" =~ ^[a-z][a-z0-9_.-]{1,62}$ ]]; then
|
||
echo "ERROR: invalid username '$USERNAME'. Must match ^[a-z][a-z0-9_.-]{1,62}$" >&2
|
||
exit 1
|
||
fi
|
||
|
||
# Escape regex metachars (notably the now-allowed '.') so the username is matched
|
||
# literally — otherwise `john.doe` could match/remove an unintended line (#427).
|
||
USERNAME_RE=$(printf '%s' "$USERNAME" | sed -E 's/[.[\^$*+?(){}|]/\\&/g')
|
||
|
||
# Check user exists
|
||
if ! grep -qP "^\s+${USERNAME_RE}\s" "$SNIPPET" 2>/dev/null; then
|
||
echo "ERROR: user '$USERNAME' not found in $SNIPPET" >&2
|
||
exit 1
|
||
fi
|
||
|
||
# Remove the line with this username (safe in-place via temp file)
|
||
TMP="$(mktemp)"
|
||
trap 'rm -f "$TMP"' EXIT
|
||
|
||
grep -vP "^\s+${USERNAME_RE}\s" "$SNIPPET" > "$TMP"
|
||
mv "$TMP" "$SNIPPET"
|
||
|
||
echo "Removed user '$USERNAME' from $SNIPPET"
|
||
echo ""
|
||
echo "Next steps:"
|
||
echo " 1. Commit caddy/users.caddy.snippet → PR → merge → GHA deploy"
|
||
echo " 2. After deploy, Caddy auto-reloads — user access revoked"
|