#!/bin/sh
# OAuth Client Secrets Generation Script
# Generates secure client secrets for OAuth/OIDC integration
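set -e
# Color codes for output. The variables hold the actual escape bytes (produced
# by printf) rather than the literal text "\033[...", so they render correctly
# whether a message is later printed with echo or printf and regardless of
# which /bin/sh is in use (bash's echo does not interpret "\033" by default).
RED="$(printf '\033[0;31m')"
GREEN="$(printf '\033[0;32m')"
YELLOW="$(printf '\033[1;33m')"
BLUE="$(printf '\033[0;34m')"
NC="$(printf '\033[0m')" # No Color
# Script directory and workspace root, resolved to absolute paths
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# All generated material lives under secrets/, per-client files under secrets/clients/
SECRETS_DIR="$WORKSPACE_ROOT/secrets"
CLIENTS_DIR="$SECRETS_DIR/clients"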
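print_header() {
  # Banner printed before anything else. %b expands the "\033[..." escapes in
  # the colour variables, which plain echo only does on some /bin/sh
  # implementations (dash yes, bash no).
  printf '%b\n' "${BLUE}================================${NC}"
  printf '%b\n' "${BLUE} OAuth Client Secrets Generator${NC}"
  printf '%b\n' "${BLUE}================================${NC}"
  printf '\n'
}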
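print_warning() {
  # Explain the consequences of regenerating secrets before asking for
  # confirmation. %b expands the colour escapes portably (echo does not).
  printf '%b\n' "${YELLOW}⚠️ WARNING: This will generate new OAuth client secrets!${NC}"
  printf '%b\n' "${YELLOW} - Any existing client secrets will be replaced${NC}"
  printf '%b\n' "${YELLOW} - You must update your CI/CD vault with new secrets${NC}"
  printf '%b\n' "${YELLOW} - Services using old secrets will fail authentication${NC}"
  printf '\n'
}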
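ensure_directories() {
  # Create the secrets tree. The umask is set in a subshell so that any
  # directory created here is owner-only (0700) without changing the caller's
  # umask; directories that already exist keep their current mode.
  printf '%b\n' "${BLUE}Creating directories...${NC}"
  (umask 077 && mkdir -p "$SECRETS_DIR" "$CLIENTS_DIR")
}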
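ensure_gitignore() {
  # Make sure the secrets directory can never be committed: add a "secrets/"
  # rule to the workspace .gitignore unless one is already present.
  local gitignore="$WORKSPACE_ROOT/.gitignore"
  printf '%b\n' "${BLUE}Ensuring secrets are gitignored...${NC}"
  # Create .gitignore if it doesn't exist so the grep below has a file to read
  touch "$gitignore"
  if grep -q '^secrets/' "$gitignore"; then
    printf '%b\n' "${GREEN}✅ secrets/ already in .gitignore${NC}"
  else
    # Leading blank line keeps the new entry separated from existing content
    printf '\n%s\n%s\n' '# OAuth and other secrets - never commit!' 'secrets/' >> "$gitignore"
    printf '%b\n' "${GREEN}✅ Added secrets/ to .gitignore${NC}"
  fi
}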
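generate_secret() {
  # Print a 64-character base64 secret (48 random bytes) on stdout with no
  # trailing newline.
  # Only CSPRNG-backed sources are accepted. The previous clock-seeded
  # fallback (date | sha256sum) produced a guessable value, so instead of
  # silently degrading we fail; the caller runs under `set -e`, which aborts
  # the run when the assignment from this function fails.
  local secret=''
  if command -v openssl >/dev/null 2>&1; then
    secret="$(openssl rand -base64 48 | tr -d '\n')"
  elif [ -r /dev/urandom ]; then
    secret="$(dd if=/dev/urandom bs=48 count=1 2>/dev/null | base64 | tr -d '\n')"
  fi
  # A pipeline's status is that of its last stage, so a failed openssl/dd
  # would otherwise go unnoticed; 48 bytes always encode to exactly 64 chars.
  if [ "${#secret}" -ne 64 ]; then
    printf '%s\n' 'ERROR: could not obtain 48 random bytes from openssl or /dev/urandom; refusing to generate a weak secret' >&2
    return 1
  fi
  printf '%s' "$secret"
}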
generate_client_secret() {
local client_name="$1"
local file_name="$2"
echo "${BLUE}Generating secret for $client_name...${NC}"
local secret
secret=$(generate_secret)
# Write to individual file
echo "$secret" > "$CLIENTS_DIR/$file_name"
# Add to environment file
local env_var_name
env_var_name=$(echo "CLIENT_SECRET_$(echo "$client_name" | tr '[:lower:]' '[:upper:]')" | tr '-' '_')
echo "${env_var_name}=$secret" >> "$SECRETS_DIR/oauth-secrets.env"
echo "${GREEN}✅ Generated secret for $client_name${NC}"
echo " File: secrets/clients/$file_name"
echo " Env: $env_var_name"
echo
}
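create_vault_instructions() {
  # Write secrets/VAULT_SECRETS.md, a static operator checklist for copying
  # the generated secrets into the CI vault. The quoted heredoc delimiter keeps
  # the $(...) examples literal; the file itself contains no secret values.
  printf '%b\n' "${BLUE}Creating CI/CD vault instructions...${NC}"
  cat > "$SECRETS_DIR/VAULT_SECRETS.md" << 'EOF'
# CI/CD Vault Secrets
Add these secrets to your Woodpecker CI vault:
## OAuth Client Secrets
### Portainer OAuth
- **Variable Name**: `CLIENT_SECRET_PORTAINER`
- **Secret File**: `secrets/clients/portainer-secret.txt`
- **Value**: (copy content from the file above)
### Gitea OAuth
- **Variable Name**: `CLIENT_SECRET_GITEA`
- **Secret File**: `secrets/clients/gitea-secret.txt`
- **Value**: (copy content from the file above)
## Important Notes
1. **Never commit these files** - they are automatically gitignored
2. **Copy the exact content** from each secret file to the CI vault
3. **Update vault immediately** after generating new secrets
4. **Services will fail** until vault is updated with new secrets
## Vault Update Commands
If using Woodpecker CLI:
```bash
# Update Portainer secret
woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)"
# Update Gitea secret
woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)"
```
## Verification
After updating the vault, check that services can access secrets:
```bash
# Check deployment logs for secret access
ssh macmini7 'docker service logs authelia_authelia | grep -i "secret"'
```
EOF
  printf '%b\n' "${GREEN}✅ Created vault instructions: secrets/VAULT_SECRETS.md${NC}"
}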
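print_summary() {
  # Final report: what was written and what the operator must do next.
  # Coloured lines go through %b so the escapes expand on any /bin/sh;
  # plain lines use %s.
  printf '%b\n' "${GREEN}================================${NC}"
  printf '%b\n' "${GREEN} 🎉 OAuth Secrets Generated! ${NC}"
  printf '%b\n' "${GREEN}================================${NC}"
  printf '\n'
  printf '%b\n' "${YELLOW}📁 Generated Files:${NC}"
  printf '%s\n' " • secrets/oauth-secrets.env"
  printf '%s\n' " • secrets/clients/portainer-secret.txt"
  printf '%s\n' " • secrets/clients/gitea-secret.txt"
  printf '%s\n' " • secrets/VAULT_SECRETS.md"
  printf '\n'
  printf '%b\n' "${YELLOW}🔑 Required CI/CD Vault Updates:${NC}"
  printf '%s\n' " • CLIENT_SECRET_PORTAINER"
  printf '%s\n' " • CLIENT_SECRET_GITEA"
  printf '\n'
  printf '%b\n' "${RED}⚠️ NEXT STEPS:${NC}"
  printf '%s\n' " 1. Update your CI/CD vault with new secrets"
  printf '%s\n' " 2. Deploy Authelia to use new client configurations"
  printf '%s\n' " 3. Configure OAuth in Portainer and Gitea admin panels"
  printf '%s\n' " 4. Test authentication flows"
  printf '\n'
  printf '%b\n' "${BLUE}📖 Full setup guide: docs/OAUTH_SETUP.md${NC}"
}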
# Main execution
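main() {
  # Entry point: confirm with the operator, then regenerate every client
  # secret plus the env file, .gitignore rule and vault instructions.
  # Positional arguments are accepted but not used.
  local env_file="$SECRETS_DIR/oauth-secrets.env"
  local confirm
  print_header
  print_warning
  # Prompt for confirmation. The text is passed as an argument and expanded
  # with %b, never used as the printf format string itself.
  printf '%b' "${YELLOW}Continue? (y/N): ${NC}"
  read -r confirm
  case "$confirm" in
    [yY]|[yY][eE][sS])
      printf '%b\n\n' "${GREEN}Proceeding with secret generation...${NC}"
      ;;
    *)
      printf '%b\n' "${YELLOW}Cancelled by user.${NC}"
      exit 0
      ;;
  esac
  ensure_directories
  ensure_gitignore
  # Start a fresh env file. It will hold every client secret, so create it
  # owner-only (umask in a subshell leaves the caller's umask alone) and
  # tighten a pre-existing one before any secret is appended.
  (umask 077 && : > "$env_file")
  chmod 600 "$env_file"
  {
    printf '# OAuth Client Secrets - Generated %s\n' "$(date)"
    printf '# NEVER COMMIT THIS FILE\n\n'
  } >> "$env_file"
  # Generate client secrets
  generate_client_secret "portainer" "portainer-secret.txt"
  generate_client_secret "gitea" "gitea-secret.txt"
  create_vault_instructions
  print_summary
}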
# Run main function, forwarding any command-line arguments (main does not read them)
main "$@"