recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

1c/E2E-TESTME: bootstrap-drone-oauth.sh handles OAuth auto-approve (re-auth: no consent form -> follow 302 callback)
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
Found during the e2e: when the bot already granted the shared Drone OAuth app, Gitea 302s straight to
the code callback (no consent form), so the consent-form parse yielded empty _csrf/state and set -e
aborted. Now: if authorize returns a Location, use it directly; else POST the consent form.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 19:21:47 +01:00
parent b74a59ea08
commit ee585ef6b4
1 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
scripts/bootstrap-drone-oauth.sh
View File

@ -33,16 +33,22 @@ curl -s -b "$cj" -c "$cj" -o /dev/null \
# 2) Drone /login -> Gitea authorize URL.
loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" \
| awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
curl -sk -b "$cj" -c "$cj" -o "$az" "$loc"
azh=$(mktemp); trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT
curl -sk -b "$cj" -c "$cj" -o "$az" -D "$azh" "$loc"
# 3) Grant consent -> code callback -> complete Drone login (sets Drone session).
acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \
--data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \
--data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \
"$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
# 3) Either the OAuth app auto-approves (bot already granted it earlier => Gitea 302s straight to the
# code callback, no consent form) or it shows a consent form we must POST. Handle both.
cb=$(awk 'tolower($1)=="location:"{print $2}' "$azh" | tr -d '\r')
if [ -z "$cb" ]; then
acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \
--data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \
--data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \
--data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \
"$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
fi
# code callback -> complete Drone login (sets Drone session + persists the token in Drone's volume).
curl -sk -b "$dj" -c "$dj" -o /dev/null -L "${RES[@]}" "$cb"
# 4) Verify + sync + activate the repo.