gendesign/scripts/auth/add_user.sh
Light1YT 7aced2a5e0 fix(auth): scripts/auth/*.sh — правильный SNIPPET path
Bug: `dirname` x2 от $0 даёт `<repo>/scripts`, не `<repo>` →
скрипт ищет snippet в `<repo>/scripts/caddy/...` (не существует)
вместо `<repo>/caddy/users.caddy.snippet`.

Discovered 2026-05-26 QA RBAC сессия:
> grep: /opt/gendesign/scripts/caddy/users.caddy.snippet: No such file
> ERROR: cannot find closing brace in /opt/gendesign/scripts/caddy/...

Все 3 скрипта (add_user.sh, list_users.sh, remove_user.sh) имели
одинаковый баг — теперь все используют explicit REPO_ROOT:

```bash
SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
SNIPPET="$REPO_ROOT/caddy/users.caddy.snippet"
```

Так понятнее (explicit `../..` от script-dir) и устойчиво к любой
глубине перемещения файла.

PR #426 (2026-05-23) изначально создавал 11 юзеров через add_user.sh
— скрипт работал в той worktree-сессии (видимо запускался из dir
где realpath давал нужный depth, e.g. через `cd scripts/auth && bash add_user.sh`),
но после compaction worktree удалён, реальный run-context утерян.

Production runs 2026-05-23 → user1..user10 + admin + kopylov были добавлены.
После 2026-05-26 manual workflow (`awk ... > tmp && mv tmp; docker restart caddy`)
заменил bash скрипт; теперь скрипт снова работает.

Detail: vault [[Bug_AddUser_Sh_Snippet_Path_Fixed]].

Verified locally: `realpath` resolves к `/Users/anton/Птица/gendesign/caddy/users.caddy.snippet` (correct).
2026-05-26 13:39:01 +05:00

107 lines
4.3 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env bash
# add_user.sh — добавить пользователя в caddy/users.caddy.snippet
# Usage: ./scripts/auth/add_user.sh <username> "<comment>"
#
# - Читает пароль из stdin (pipe) или генерирует 16-char random если интерактивен.
# - Bcrypt через `docker run --rm caddy:2 caddy hash-password`.
# - Печатает plain password на stdout ОДИН РАЗ.
# - НЕ коммитит изменения — это задача разработчика.
set -euo pipefail
# Скрипт лежит в `<repo>/scripts/auth/`; snippet — в `<repo>/caddy/`.
# Нужно 3× `dirname`: $0 (.../scripts/auth/add_user.sh) → .../scripts/auth → .../scripts → .../<repo>.
# Bug fix 2026-05-26 — было 2× dirname (см. [[Bug_AddUser_Sh_Snippet_Path_Fixed]]).
SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
SNIPPET="$REPO_ROOT/caddy/users.caddy.snippet"
usage() {
echo "Usage: $0 <username> \"<comment>\"" >&2
exit 1
}
# ─── args ────────────────────────────────────────────────────────────────────
[[ $# -lt 2 ]] && usage
USERNAME="$1"
COMMENT="$2"
DATE="$(date -u +%Y-%m-%d)"
# Validate username: ^[a-z][a-z0-9-]{2,30}$
if ! [[ "$USERNAME" =~ ^[a-z][a-z0-9-]{2,30}$ ]]; then
echo "ERROR: invalid username '$USERNAME'. Must match ^[a-z][a-z0-9-]{2,30}$" >&2
exit 1
fi
# ─── idempotency guard ────────────────────────────────────────────────────────
if grep -qP "^\s+${USERNAME}\s" "$SNIPPET" 2>/dev/null; then
echo "ERROR: user '$USERNAME' already exists in $SNIPPET. Remove first with remove_user.sh." >&2
exit 1
fi
# ─── password ─────────────────────────────────────────────────────────────────
if [ -t 0 ]; then
# Interactive — generate random password
PLAIN_PASS="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)"
else
# Piped input
read -r PLAIN_PASS
fi
if [[ -z "$PLAIN_PASS" ]]; then
echo "ERROR: empty password" >&2
exit 1
fi
# ─── bcrypt via caddy container ───────────────────────────────────────────────
# Caddy 2.11+ requires base64-encoded bcrypt in Caddyfile basic_auth.
# Password passed via stdin to avoid exposure in process list.
HASH="$(printf '%s' "$PLAIN_PASS" | docker run --rm -i caddy:2 sh -c '
pass=$(cat)
raw=$(caddy hash-password --algorithm bcrypt --plaintext "$pass")
printf "%s" "$raw" | base64 | tr -d "\n"
')"
if [[ -z "$HASH" ]]; then
echo "ERROR: caddy hash-password returned empty hash" >&2
exit 1
fi
# ─── insert into snippet ─────────────────────────────────────────────────────
# Insert before the closing brace of basic_auth block
if ! grep -q '^}' "$SNIPPET"; then
echo "ERROR: cannot find closing brace in $SNIPPET" >&2
exit 1
fi
# Use a temp file for safe in-place edit
TMP="$(mktemp)"
trap 'rm -f "$TMP"' EXIT
# Insert new user line before the last closing `}` of the basic_auth block
awk -v user="$USERNAME" -v hash="$HASH" -v comment="$COMMENT" -v date="$DATE" '
/^}/ && !done {
printf " %-7s %s # %s (%s)\n", user, hash, comment, date
done=1
}
{ print }
' "$SNIPPET" > "$TMP"
mv "$TMP" "$SNIPPET"
# ─── output ───────────────────────────────────────────────────────────────────
echo "Added user '$USERNAME' to $SNIPPET"
echo ""
echo "Plain password (save now — not stored anywhere):"
echo "$PLAIN_PASS"
echo ""
echo "Next steps:"
echo " 1. Commit caddy/users.caddy.snippet → PR → merge → GHA deploy"
echo " 2. After deploy, Caddy auto-reloads (deploy.yml does caddy reload)"
echo " 3. Send username + password to stakeholder via secure channel"