ROOH/openclaw_oauth_sync
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
feature/webhook-security-integration
openclaw_oauth_sync/scripts/uninstall.sh
sol 2db7d7d90a feat: merge Gitea webhook security into setup wizard (issue #2) 
Integrates the 5-layer Gitea webhook security system from
sol/clawgravity-hook-security (v2.0) into the setup wizard.

## What's added

### New files (from clawgravity-hook-security v2.0)
- scripts/webhook-security/gitea-hmac-verify.js    -- njs HMAC-SHA256 module
- scripts/webhook-security/gitea-approve-repo       -- allowlist helper
- scripts/webhook-security/rotate-webhook-secret.sh -- monthly secret rotation (templated)
- scripts/webhook-security/webhook-audit-alert.sh   -- daily audit summaries (templated)
- scripts/webhook-security/ntfy-blocked-pickup.sh   -- blocked webhook alerts (templated)
- templates/webhook-security/nginx-site.conf.example
- templates/webhook-security/nginx.conf.example
- templates/webhook-security/gitea-repo-allowlist.json.example
- docs/WEBHOOK-SECURITY.md   -- full documentation
- docs/SECURITY-AUDIT.md     -- 35-case test matrix
- tests/test-webhook-security.sh  -- 48 offline tests

### Modified files
- setup.sh: Step 11 (webhook security wizard with 6 sub-sections)
- scripts/uninstall.sh: webhook security cleanup section
- README.md: Webhook Security section after Quick Start
- Makefile: test target now runs test-webhook-security.sh
- .secret-scan-allowlist: allowlist docs/SECURITY-AUDIT.md (test fixture)

## Security layers
1. IP allowlisting (nginx)
2. Rate limiting 10 req/s burst 20 (nginx)
3. Payload size 1MB (nginx)
4. HMAC-SHA256 signature verification (njs)
5. Per-repository allowlist (njs)

## make check
- prettier: PASS
- secret-scan: PASS
- tests: 48/48 PASS

Closes #2
2026-03-01 08:43:02 +00:00

115 lines
4.1 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# uninstall.sh — Remove the OAuth token sync service
set -uo pipefail
LOG_PREFIX="[uninstall]"
log() { echo "$LOG_PREFIX $*"; }
echo ""
echo "Removing OAuth Token Sync for OpenClaw"
echo "======================================="
echo ""
# Stop and disable systemd services
for svc in sync-oauth-token.service refresh-claude-token.service refresh-claude-token.timer trigger-claude-refresh.service trigger-claude-refresh.timer; do
if systemctl is-active --quiet "$svc" 2>/dev/null; then
log "Stopping $svc..."
systemctl stop "$svc"
fi
if systemctl is-enabled --quiet "$svc" 2>/dev/null; then
log "Disabling $svc..."
systemctl disable "$svc"
fi
if [ -f "/etc/systemd/system/$svc" ]; then
log "Removing /etc/systemd/system/$svc"
rm -f "/etc/systemd/system/$svc"
fi
done
systemctl daemon-reload 2>/dev/null
# Remove installed scripts
for script in /usr/local/bin/sync-oauth-token.sh /usr/local/bin/refresh-claude-token.sh /usr/local/bin/trigger-claude-refresh.sh; do
if [ -f "$script" ]; then
log "Removing $script"
rm -f "$script"
fi
done
# ============================================================================
# Webhook Security Cleanup (if installed)
# ============================================================================
WH_INSTALLED=false
for wh_file in /etc/nginx/njs/gitea-hmac-verify.js /etc/nginx/gitea-webhook-secret /etc/nginx/gitea-repo-allowlist.json /opt/webhook-security /usr/local/bin/gitea-approve-repo; do
if [ -e "$wh_file" ]; then
WH_INSTALLED=true
break
fi
done
if $WH_INSTALLED; then
echo ""
echo "Webhook security files detected."
read -rp "[uninstall] Remove webhook security files? [y/N]: " WH_CONFIRM
WH_CONFIRM="${WH_CONFIRM:-N}"
if [[ "$WH_CONFIRM" =~ ^[Yy] ]]; then
# Remove njs module
if [ -f /etc/nginx/njs/gitea-hmac-verify.js ]; then
log "Removing /etc/nginx/njs/gitea-hmac-verify.js"
rm -f /etc/nginx/njs/gitea-hmac-verify.js
fi
# Remove secret file
if [ -f /etc/nginx/gitea-webhook-secret ]; then
log "Removing /etc/nginx/gitea-webhook-secret"
rm -f /etc/nginx/gitea-webhook-secret
fi
# Remove allowlist
if [ -f /etc/nginx/gitea-repo-allowlist.json ]; then
log "Removing /etc/nginx/gitea-repo-allowlist.json"
rm -f /etc/nginx/gitea-repo-allowlist.json
fi
# Remove scripts directory
if [ -d /opt/webhook-security ]; then
log "Removing /opt/webhook-security/"
rm -rf /opt/webhook-security
fi
# Remove gitea-approve-repo helper
if [ -f /usr/local/bin/gitea-approve-repo ]; then
log "Removing /usr/local/bin/gitea-approve-repo"
rm -f /usr/local/bin/gitea-approve-repo
fi
# Remove webhook-security cron entries
if crontab -l 2>/dev/null | grep -q 'webhook-security\|ntfy-blocked-pickup\|rotate-webhook-secret\|webhook-audit-alert'; then
log "Removing webhook-security cron entries..."
crontab -l 2>/dev/null | grep -v 'webhook-security\|ntfy-blocked-pickup\|rotate-webhook-secret\|webhook-audit-alert' | crontab -
log "Cron entries removed"
fi
log "Webhook security files removed."
echo ""
log "IMPORTANT: You must also remove the webhook security configuration"
log "from your nginx config manually:"
log " - Remove js_path, js_import, and limit_req_zone from nginx.conf http block"
log " - Remove the 'location = /hooks/gitea' block from your site config"
log " - Remove the 'location /hooks/gitea-upstream' block from your site config"
log " - Run: nginx -t && nginx -s reload"
else
log "Skipping webhook security cleanup."
fi
fi
echo ""
log "Done. The following files were NOT removed (contain your credentials):"
log " - /root/.openclaw/credentials/oauth.json"
log " - /root/openclaw/.env (ANTHROPIC_OAUTH_TOKEN)"
log " - /root/.openclaw/agents/*/agent/auth-profiles.json"
echo ""
log "To fully clean up, remove those manually if needed."
Reference in New Issue View Git Blame Copy Permalink