Add code to save client secret

equinor · Dec 11, 2023 · 8631199 · 8631199
1 parent e30b415
commit 8631199
Show file tree

Hide file tree

Showing 5 changed files with 103 additions and 2 deletions.
diff --git a/ex-01/authCode.http b/ex-01/authCode.http
@@ -15,14 +15,15 @@ GET https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/authorize
     &state={{state}}
 
 ### The Second Leg, assuming client_secret to be available in env variable prior to starting vs code
-# @prompt client_secret The Client Secret of the app registration
+### We could use a promt to ask for the client secret
+## @prompt client_secret The Client Secret of the app registration
 POST https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token
 content-type: application/x-www-form-urlencoded
 
 client_id={{client_id}}
 &scope={{scope}}
 &redirect_uri={{redirect_uri}}
 &grant_type=authorization_code
-&client_secret={{client_secret}}
+&client_secret={{$processEnv APPSEC_AA_CLIENT_SECRET}}
 &code=
 &state={{state}}
diff --git a/src/aa-delete-client-secret.sh b/src/aa-delete-client-secret.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -e
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+if [ -z "$PIPELINE" ]
+then
+  printf "Missing PIPELINE environment variable.\nValue must match a file in the ./config folder\n"
+  exit 1
+fi
+
+CONFIG_FILE="$SCRIPTDIR/config/$PIPELINE.cfg"
+
+if [ ! -f  "$CONFIG_FILE" ]
+then
+  printf "Unable to find config file %s\n" "$CONFIG_FILE"
+  exit 1
+fi
+
+source "$CONFIG_FILE" 2> /dev/null
+
+printf "Successfully read config file (%s)\n" "$CONFIG_FILE"
+
+gh secret delete "$GH_CLIENT_SECRET_NAME" --user 
+
+# Check if the curl command was successful
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to delete the secret (%s)" "$GH_CLIENT_SECRET_NAME"
+  exit 1
+fi
+
+printf "Successfully deleted the secret (%s)\n" "$GH_CLIENT_SECRET_NAME"
diff --git a/src/aa-save-client-secret.sh b/src/aa-save-client-secret.sh
@@ -0,0 +1,61 @@
+#!/bin/bash -e
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+if [ -z "$PIPELINE" ]
+then
+  printf "Missing PIPELINE environment variable.\nValue must match a file in the ./config folder\n"
+  exit 1
+fi
+
+CONFIG_FILE="$SCRIPTDIR/config/$PIPELINE.cfg"
+
+if [ ! -f  "$CONFIG_FILE" ]
+then
+  printf "Unable to find config file %s\n" "$CONFIG_FILE"
+  exit 1
+fi
+
+source "$CONFIG_FILE" 2> /dev/null
+
+printf "Successfully read config file (%s)\n" "$CONFIG_FILE"
+
+# Ask the user for the content Client client_secret
+printf "Enter the content of client_secret for the Client App Registration: "
+read -r AAD_CLIENT_CLIENT_SECRET
+
+echo "$AAD_CLIENT_CLIENT_SECRET" | gh secret set "$GH_CLIENT_SECRET_NAME" --user 
+
+# Grant access to the secret for the Codespace
+
+REPO_INFO=$(curl --silent -H "Authorization: token $GITHUB_TOKEN" \
+  -H "Accept: application/vnd.github.v3+json" \
+  https://api.github.com/repos/$GITHUB_REPOSITORY)
+
+# Check if the curl command was successful
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to fetch repository information"
+  exit 1
+fi
+
+REPO_ID=$(echo $REPO_INFO | jq .id)
+
+# Check if the jq command was successful
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to parse repository information"
+  exit 1
+fi
+
+
+curl -X PUT \
+  -H "Authorization: token $GITHUB_TOKEN" \
+  -H "Accept: application/vnd.github.v3+json" \
+  https://api.github.com/user/codespaces/secrets/$GH_CLIENT_SECRET_NAME/repositories/$REPO_ID
+
+# Check if the curl command was successful
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to give repository access to the secret"
+  exit 1
+fi
+
+printf "Sucessfully granted the repo %s (%s) access to %s\'s user secret %s containing the Client appreg client_secret\n" "$GITHUB_REPOSITORY" "$REPO_ID" "$GITHUB_USER" "$GH_CLIENT_SECRET_NAME"
diff --git a/src/config/development.cfg b/src/config/development.cfg
@@ -3,6 +3,7 @@
 #
 
 GH_SECRET_NAME="APPSEC_AA_ENVFILES"
+GH_CLIENT_SECRET_NAME="APPSEC_AA_CLIENT_SECRET"
 
 # Environment files created from scripts
 CFG_ENV_FILE_DIRECTORY="$HOME/envs/"

diff --git a/src/readme.md b/src/readme.md
@@ -22,3 +22,10 @@ This script will store all .env files in **CFG_ENV_FILE_DIRECTORY** into a user
 
 This script will read the local environment variable named **GH_SECRET_NAME** and extract .env files which are then stored into the **CFG_ENV_FILE_DIRECTORY** 
 
+### `aa-save-client-secret.sh`
+
+This script will ask the user for the value of the Client client_secret and store the value as a codespace user secret named by the value of **GH_CLIENT_SECRET_NAME**
+
+### `aa-delete-client-secret.sh`
+
+This script will try to delete the codespace user secret named in the value of **GH_CLIENT_SECRET_NAME**