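#!/bin/sh
# OAuth Client Secrets Generation Script
# Generates secure client secrets for OAuth/OIDC integration.
#
# Writes, relative to the workspace root:
#   secrets/oauth-secrets.env             all secrets as NAME=value lines
#   secrets/clients/<client>-secret.txt   one secret per client
#   secrets/VAULT_SECRETS.md              instructions for the CI/CD vault
# and makes sure "secrets/" is listed in the workspace .gitignore.
#
# Portability: POSIX sh plus `local`, which every common /bin/sh
# (dash, busybox ash, bash) supports.
set -e

# Secrets must never be group- or world-readable. Every file and directory
# this script creates inherits 0600 / 0700 from this umask; pre-existing
# entries are tightened explicitly with chmod where they are touched.
umask 077

# Terminal colours. printf(1) interprets the octal escape portably, so the
# variables hold the real ESC byte and can be printed with a plain '%s'
# (echo's handling of backslash escapes differs between shells).
ESC=$(printf '\033')
RED="${ESC}[0;31m"
GREEN="${ESC}[0;32m"
YELLOW="${ESC}[1;33m"
BLUE="${ESC}[0;34m"
NC="${ESC}[0m" # No Color

# Script directory and workspace root
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
SECRETS_DIR="$WORKSPACE_ROOT/secrets"
CLIENTS_DIR="$SECRETS_DIR/clients"
ENV_FILE="$SECRETS_DIR/oauth-secrets.env"

# A generated secret is 48 random bytes, i.e. 64 base64 characters. Anything
# shorter means the random source misbehaved and must not be written out.
SECRET_MIN_LEN=64

# say [TEXT...] - print the arguments (joined by spaces) followed by a
# newline. Used instead of echo so text is printed verbatim.
say() {
  printf '%s\n' "$*"
}

# die MESSAGE... - print an error to stderr and exit non-zero.
die() {
  printf '%sERROR: %s%s\n' "$RED" "$*" "$NC" >&2
  exit 1
}

print_header() {
  say "${BLUE}================================${NC}"
  say "${BLUE} OAuth Client Secrets Generator${NC}"
  say "${BLUE}================================${NC}"
  say
}

print_warning() {
  say "${YELLOW}⚠️  WARNING: This will generate new OAuth client secrets!${NC}"
  say "${YELLOW}   - Any existing client secrets will be replaced${NC}"
  say "${YELLOW}   - You must update your CI/CD vault with new secrets${NC}"
  say "${YELLOW}   - Services using old secrets will fail authentication${NC}"
  say
}

# ensure_directories - create the secrets tree with owner-only permissions.
ensure_directories() {
  say "${BLUE}Creating directories...${NC}"
  mkdir -p "$SECRETS_DIR" "$CLIENTS_DIR"
  # umask only governs newly created entries; tighten pre-existing ones too.
  chmod 700 "$SECRETS_DIR" "$CLIENTS_DIR"
}

# ensure_gitignore - make sure "secrets/" is excluded from version control.
# Accepts an existing "secrets/" or "/secrets/" entry; appends one otherwise.
ensure_gitignore() {
  local gitignore="$WORKSPACE_ROOT/.gitignore"

  say "${BLUE}Ensuring secrets are gitignored...${NC}"

  # Create .gitignore if it doesn't exist
  touch "$gitignore"

  if grep -q -E '^/?secrets/' "$gitignore" 2>/dev/null; then
    say "${GREEN}✅ secrets/ already in .gitignore${NC}"
  else
    {
      printf '\n'
      printf '%s\n' "# OAuth and other secrets - never commit!"
      printf '%s\n' "secrets/"
    } >> "$gitignore"
    say "${GREEN}✅ Added secrets/ to .gitignore${NC}"
  fi
}

# generate_secret - print 64 base64 characters (48 bytes) from a CSPRNG
# without a trailing newline. Returns non-zero when no cryptographic source
# is available: there is deliberately no clock-based fallback, because a
# client secret derived from the current time is guessable.
generate_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 48 | tr -d '\n'
  elif [ -r /dev/urandom ]; then
    dd if=/dev/urandom bs=48 count=1 2>/dev/null | base64 | tr -d '\n'
  else
    return 1
  fi
}

# generate_client_secret CLIENT_NAME FILE_NAME
# Generates one secret, writes it to secrets/clients/FILE_NAME (mode 0600)
# and appends CLIENT_SECRET_<CLIENT_NAME uppercased, '-' -> '_'>=<secret>
# to the env file. Aborts the script if the secret could not be generated
# or is shorter than SECRET_MIN_LEN (a failed stage inside the generator's
# pipeline would otherwise yield an empty or truncated value, since the
# pipeline's exit status is that of its last command only).
generate_client_secret() {
  local client_name="$1"
  local file_name="$2"
  local secret env_var_name secret_file

  say "${BLUE}Generating secret for $client_name...${NC}"

  secret=$(generate_secret) || die "no cryptographic random source (openssl or /dev/urandom) available"
  if [ "${#secret}" -lt "$SECRET_MIN_LEN" ]; then
    die "generated secret for $client_name is only ${#secret} characters; refusing to write it"
  fi

  # Write to individual file (owner-only, even if the file already existed)
  secret_file="$CLIENTS_DIR/$file_name"
  printf '%s\n' "$secret" > "$secret_file"
  chmod 600 "$secret_file"

  # Add to environment file
  env_var_name="CLIENT_SECRET_$(printf '%s' "$client_name" | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
  printf '%s=%s\n' "$env_var_name" "$secret" >> "$ENV_FILE"

  say "${GREEN}✅ Generated secret for $client_name${NC}"
  say "   File: secrets/clients/$file_name"
  say "   Env:  $env_var_name"
  say
}

# create_vault_instructions - write secrets/VAULT_SECRETS.md. The file
# references the secret files by path and contains no secret values.
create_vault_instructions() {
  say "${BLUE}Creating CI/CD vault instructions...${NC}"

  cat > "$SECRETS_DIR/VAULT_SECRETS.md" << 'EOF'
# CI/CD Vault Secrets

Add these secrets to your Woodpecker CI vault:

## OAuth Client Secrets

### Portainer OAuth
- **Variable Name**: `CLIENT_SECRET_PORTAINER`
- **Secret File**: `secrets/clients/portainer-secret.txt`
- **Value**: (copy content from the file above)

### Gitea OAuth
- **Variable Name**: `CLIENT_SECRET_GITEA`
- **Secret File**: `secrets/clients/gitea-secret.txt`
- **Value**: (copy content from the file above)

## Important Notes

1. **Never commit these files** - they are automatically gitignored
2. **Copy the exact content** from each secret file to the CI vault
3. **Update vault immediately** after generating new secrets
4. **Services will fail** until vault is updated with new secrets
5. **Keep the files owner-only** (mode 0600) - the generator creates them that way
6. **Do not paste secret values into chat, tickets or logs** - reference the file paths instead

## Vault Update Commands

If using Woodpecker CLI:

```bash
# Update Portainer secret
woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)"

# Update Gitea secret
woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)"
```

Note: passing `--value` puts the secret on the command line, where other
local users can read it from the process list and it may land in shell
history. Run these on a single-user machine, and prefer a stdin- or
file-based option if your CLI version offers one.

## Verification

After updating the vault, check that services can access secrets (search
for the word "secret", never for the secret value itself):

```bash
# Check deployment logs for secret access
ssh macmini7 'docker service logs authelia_authelia | grep -i "secret"'
```
EOF

  say "${GREEN}✅ Created vault instructions: secrets/VAULT_SECRETS.md${NC}"
}

print_summary() {
  say "${GREEN}================================${NC}"
  say "${GREEN} 🎉 OAuth Secrets Generated! ${NC}"
  say "${GREEN}================================${NC}"
  say
  say "${YELLOW}📁 Generated Files:${NC}"
  say "   • secrets/oauth-secrets.env"
  say "   • secrets/clients/portainer-secret.txt"
  say "   • secrets/clients/gitea-secret.txt"
  say "   • secrets/VAULT_SECRETS.md"
  say
  say "${YELLOW}🔑 Required CI/CD Vault Updates:${NC}"
  say "   • CLIENT_SECRET_PORTAINER"
  say "   • CLIENT_SECRET_GITEA"
  say
  say "${RED}⚠️  NEXT STEPS:${NC}"
  say "   1. Update your CI/CD vault with new secrets"
  say "   2. Deploy Authelia to use new client configurations"
  say "   3. Configure OAuth in Portainer and Gitea admin panels"
  say "   4. Test authentication flows"
  say
  say "${BLUE}📖 Full setup guide: docs/OAUTH_SETUP.md${NC}"
}

# main - confirm interactively, then (re)generate every client secret.
# Anything other than y/yes, including EOF on stdin (non-interactive run),
# cancels without touching the secrets directory.
main() {
  local confirm

  print_header
  print_warning

  # Prompt for confirmation. `read` returns non-zero at EOF; treat that as
  # "no" instead of letting set -e abort the script mid-prompt.
  printf '%s' "${YELLOW}Continue? (y/N): ${NC}"
  read -r confirm || confirm=""
  case "$confirm" in
    [yY]|[yY][eE][sS])
      say "${GREEN}Proceeding with secret generation...${NC}"
      say
      ;;
    *)
      say "${YELLOW}Cancelled by user.${NC}"
      exit 0
      ;;
  esac

  ensure_directories
  ensure_gitignore

  # Clear previous oauth-secrets.env and make sure it is owner-only even if
  # an older, more permissive copy already existed.
  : > "$ENV_FILE"
  chmod 600 "$ENV_FILE"
  {
    printf '%s\n' "# OAuth Client Secrets - Generated $(date)"
    printf '%s\n' "# NEVER COMMIT THIS FILE"
    printf '\n'
  } >> "$ENV_FILE"

  # Generate client secrets
  generate_client_secret "portainer" "portainer-secret.txt"
  generate_client_secret "gitea" "gitea-secret.txt"

  create_vault_instructions
  print_summary
}

# Run main function
main "$@"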