gitea/cmd/admin_user_generate_access_...

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package cmd

import (
	"fmt"

	auth_model "code.gitea.io/gitea/models/auth"
	user_model "code.gitea.io/gitea/models/user"

	"github.com/urfave/cli/v2"
)

var microcmdUserGenerateAccessToken = &cli.Command{
	Name:  "generate-access-token",
	Usage: "Generate an access token for a specific user",
	Flags: []cli.Flag{
		&cli.StringFlag{
			Name:    "username",
			Aliases: []string{"u"},
			Usage:   "Username",
		},
		&cli.StringFlag{
			Name:    "token-name",
			Aliases: []string{"t"},
			Usage:   "Token name",
			Value:   "gitea-admin",
		},
		&cli.BoolFlag{
			Name:  "raw",
			Usage: "Display only the token value",
		},
		&cli.StringFlag{
			Name:  "scopes",
			Value: "",
			Usage: "Comma separated list of scopes to apply to access token",
		},
	},
	Action: runGenerateAccessToken,
}

func runGenerateAccessToken(c *cli.Context) error {
	if !c.IsSet("username") {
		return fmt.Errorf("You must provide a username to generate a token for")
	}

	ctx, cancel := installSignals()
	defer cancel()

	if err := initDB(ctx); err != nil {
		return err
	}

	user, err := user_model.GetUserByName(ctx, c.String("username"))
	if err != nil {
		return err
	}

	// construct token with name and user so we can make sure it is unique
	t := &auth_model.AccessToken{
		Name: c.String("token-name"),
		UID:  user.ID,
	}

	exist, err := auth_model.AccessTokenByNameExists(ctx, t)
	if err != nil {
		return err
	}
	if exist {
		return fmt.Errorf("access token name has been used already")
	}

	// make sure the scopes are valid
	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
	if err != nil {
		return fmt.Errorf("invalid access token scope provided: %w", err)
	}
	t.Scope = accessTokenScope

	// create the token
	if err := auth_model.NewAccessToken(ctx, t); err != nil {
		return err
	}

	if c.Bool("raw") {
		fmt.Printf("%s\n", t.Token)
	} else {
		fmt.Printf("Access token was successfully created: %s\n", t.Token)
	}

	return nil
}
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`// Copyright 2023 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package cmd`

			`import (`
			`"fmt"`

			`auth_model "code.gitea.io/gitea/models/auth"`
			`user_model "code.gitea.io/gitea/models/user"`

Refactor to use urfave/cli/v2 (#25959) Replace #10912 And there are many new tests to cover the CLI behavior There were some concerns about the "option order in hook scripts" (https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314), it's not a problem now. Because the hook script uses `/gitea hook --config=/app.ini pre-receive` format. The "config" is a global option, it can appear anywhere. ---- ## ⚠️ BREAKING ⚠️ This PR does it best to avoid breaking anything. The major changes are: * `gitea` itself won't accept web's options: `--install-port` / `--pid` / `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's options. * Use `./gitea web --pid ....` instead * `./gitea` can still run the `web` sub-command as shorthand, with default options * The sub-command's options must follow the sub-command * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd --sub-opt` (well, might not ...) * After: only `./gitea subcmd --sub-opt` could be used * The global options like `--config` are not affected 2023-07-21 03:28:19 -06:00			`"github.com/urfave/cli/v2"`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`)`

Refactor to use urfave/cli/v2 (#25959) Replace #10912 And there are many new tests to cover the CLI behavior There were some concerns about the "option order in hook scripts" (https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314), it's not a problem now. Because the hook script uses `/gitea hook --config=/app.ini pre-receive` format. The "config" is a global option, it can appear anywhere. ---- ## ⚠️ BREAKING ⚠️ This PR does it best to avoid breaking anything. The major changes are: * `gitea` itself won't accept web's options: `--install-port` / `--pid` / `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's options. * Use `./gitea web --pid ....` instead * `./gitea` can still run the `web` sub-command as shorthand, with default options * The sub-command's options must follow the sub-command * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd --sub-opt` (well, might not ...) * After: only `./gitea subcmd --sub-opt` could be used * The global options like `--config` are not affected 2023-07-21 03:28:19 -06:00			`var microcmdUserGenerateAccessToken = &cli.Command{`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`Name: "generate-access-token",`
			`Usage: "Generate an access token for a specific user",`
			`Flags: []cli.Flag{`
Refactor to use urfave/cli/v2 (#25959) Replace #10912 And there are many new tests to cover the CLI behavior There were some concerns about the "option order in hook scripts" (https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314), it's not a problem now. Because the hook script uses `/gitea hook --config=/app.ini pre-receive` format. The "config" is a global option, it can appear anywhere. ---- ## ⚠️ BREAKING ⚠️ This PR does it best to avoid breaking anything. The major changes are: * `gitea` itself won't accept web's options: `--install-port` / `--pid` / `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's options. * Use `./gitea web --pid ....` instead * `./gitea` can still run the `web` sub-command as shorthand, with default options * The sub-command's options must follow the sub-command * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd --sub-opt` (well, might not ...) * After: only `./gitea subcmd --sub-opt` could be used * The global options like `--config` are not affected 2023-07-21 03:28:19 -06:00			`&cli.StringFlag{`
			`Name: "username",`
			`Aliases: []string{"u"},`
			`Usage: "Username",`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`},`
Refactor to use urfave/cli/v2 (#25959) Replace #10912 And there are many new tests to cover the CLI behavior There were some concerns about the "option order in hook scripts" (https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314), it's not a problem now. Because the hook script uses `/gitea hook --config=/app.ini pre-receive` format. The "config" is a global option, it can appear anywhere. ---- ## ⚠️ BREAKING ⚠️ This PR does it best to avoid breaking anything. The major changes are: * `gitea` itself won't accept web's options: `--install-port` / `--pid` / `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's options. * Use `./gitea web --pid ....` instead * `./gitea` can still run the `web` sub-command as shorthand, with default options * The sub-command's options must follow the sub-command * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd --sub-opt` (well, might not ...) * After: only `./gitea subcmd --sub-opt` could be used * The global options like `--config` are not affected 2023-07-21 03:28:19 -06:00			`&cli.StringFlag{`
			`Name: "token-name",`
			`Aliases: []string{"t"},`
			`Usage: "Token name",`
			`Value: "gitea-admin",`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`},`
Refactor to use urfave/cli/v2 (#25959) Replace #10912 And there are many new tests to cover the CLI behavior There were some concerns about the "option order in hook scripts" (https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314), it's not a problem now. Because the hook script uses `/gitea hook --config=/app.ini pre-receive` format. The "config" is a global option, it can appear anywhere. ---- ## ⚠️ BREAKING ⚠️ This PR does it best to avoid breaking anything. The major changes are: * `gitea` itself won't accept web's options: `--install-port` / `--pid` / `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's options. * Use `./gitea web --pid ....` instead * `./gitea` can still run the `web` sub-command as shorthand, with default options * The sub-command's options must follow the sub-command * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd --sub-opt` (well, might not ...) * After: only `./gitea subcmd --sub-opt` could be used * The global options like `--config` are not affected 2023-07-21 03:28:19 -06:00			`&cli.BoolFlag{`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`Name: "raw",`
			`Usage: "Display only the token value",`
			`},`
Refactor to use urfave/cli/v2 (#25959) Replace #10912 And there are many new tests to cover the CLI behavior There were some concerns about the "option order in hook scripts" (https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314), it's not a problem now. Because the hook script uses `/gitea hook --config=/app.ini pre-receive` format. The "config" is a global option, it can appear anywhere. ---- ## ⚠️ BREAKING ⚠️ This PR does it best to avoid breaking anything. The major changes are: * `gitea` itself won't accept web's options: `--install-port` / `--pid` / `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's options. * Use `./gitea web --pid ....` instead * `./gitea` can still run the `web` sub-command as shorthand, with default options * The sub-command's options must follow the sub-command * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd --sub-opt` (well, might not ...) * After: only `./gitea subcmd --sub-opt` could be used * The global options like `--config` are not affected 2023-07-21 03:28:19 -06:00			`&cli.StringFlag{`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`Name: "scopes",`
			`Value: "",`
			`Usage: "Comma separated list of scopes to apply to access token",`
			`},`
			`},`
			`Action: runGenerateAccessToken,`
			`}`

			`func runGenerateAccessToken(c *cli.Context) error {`
			`if !c.IsSet("username") {`
			`return fmt.Errorf("You must provide a username to generate a token for")`
			`}`

			`ctx, cancel := installSignals()`
			`defer cancel()`

			`if err := initDB(ctx); err != nil {`
			`return err`
			`}`

			`user, err := user_model.GetUserByName(ctx, c.String("username"))`
			`if err != nil {`
			`return err`
			`}`

Fix CLI allowing creation of access tokens with existing name (#26071) We are now: - Making sure there is no existing access token with the same name - Making sure the given scopes are valid (we already did this before but now we have a message) The logic is mostly taken from https://github.com/go-gitea/gitea/blob/a12a5f3652c339b17b187ff424a480631a3c1e1e/routers/api/v1/user/app.go#L101-L123 Closes #26044 Signed-off-by: Yarden Shoham <git@yardenshoham.com> 2023-07-25 17:06:11 -06:00			`// construct token with name and user so we can make sure it is unique`
			`t := &auth_model.AccessToken{`
			`Name: c.String("token-name"),`
			`UID: user.ID,`
			`}`

More refactoring of `db.DefaultContext` (#27083) Next step of #27065 2023-09-15 00:13:19 -06:00			`exist, err := auth_model.AccessTokenByNameExists(ctx, t)`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`if err != nil {`
			`return err`
			`}`
Fix CLI allowing creation of access tokens with existing name (#26071) We are now: - Making sure there is no existing access token with the same name - Making sure the given scopes are valid (we already did this before but now we have a message) The logic is mostly taken from https://github.com/go-gitea/gitea/blob/a12a5f3652c339b17b187ff424a480631a3c1e1e/routers/api/v1/user/app.go#L101-L123 Closes #26044 Signed-off-by: Yarden Shoham <git@yardenshoham.com> 2023-07-25 17:06:11 -06:00			`if exist {`
			`return fmt.Errorf("access token name has been used already")`
			`}`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00
Fix CLI allowing creation of access tokens with existing name (#26071) We are now: - Making sure there is no existing access token with the same name - Making sure the given scopes are valid (we already did this before but now we have a message) The logic is mostly taken from https://github.com/go-gitea/gitea/blob/a12a5f3652c339b17b187ff424a480631a3c1e1e/routers/api/v1/user/app.go#L101-L123 Closes #26044 Signed-off-by: Yarden Shoham <git@yardenshoham.com> 2023-07-25 17:06:11 -06:00			`// make sure the scopes are valid`
			`accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()`
			`if err != nil {`
			`return fmt.Errorf("invalid access token scope provided: %w", err)`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`}`
Fix CLI allowing creation of access tokens with existing name (#26071) We are now: - Making sure there is no existing access token with the same name - Making sure the given scopes are valid (we already did this before but now we have a message) The logic is mostly taken from https://github.com/go-gitea/gitea/blob/a12a5f3652c339b17b187ff424a480631a3c1e1e/routers/api/v1/user/app.go#L101-L123 Closes #26044 Signed-off-by: Yarden Shoham <git@yardenshoham.com> 2023-07-25 17:06:11 -06:00			`t.Scope = accessTokenScope`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00
Fix CLI allowing creation of access tokens with existing name (#26071) We are now: - Making sure there is no existing access token with the same name - Making sure the given scopes are valid (we already did this before but now we have a message) The logic is mostly taken from https://github.com/go-gitea/gitea/blob/a12a5f3652c339b17b187ff424a480631a3c1e1e/routers/api/v1/user/app.go#L101-L123 Closes #26044 Signed-off-by: Yarden Shoham <git@yardenshoham.com> 2023-07-25 17:06:11 -06:00			`// create the token`
More refactoring of `db.DefaultContext` (#27083) Next step of #27065 2023-09-15 00:13:19 -06:00			`if err := auth_model.NewAccessToken(ctx, t); err != nil {`
Add command to bulk set must-change-password (#22823) As part of administration sometimes it is appropriate to forcibly tell users to update their passwords. This PR creates a new command `gitea admin user must-change-password` which will set the `MustChangePassword` flag on the provided users. Signed-off-by: Andrew Thornton <art27@cantab.net> 2023-02-14 15:12:19 -07:00			`return err`
			`}`

			`if c.Bool("raw") {`
			`fmt.Printf("%s\n", t.Token)`
			`} else {`
			`fmt.Printf("Access token was successfully created: %s\n", t.Token)`
			`}`

			`return nil`
			`}`