Add actions support to package auth verification (go-gitea#23729)
Partly fixes go-gitea#23642

Error info:

![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png)
ActionsUser (userID -2) is used to log in to docker in action jobs.

Because there are no permission policy settings for ActionsUser yet,
ActionsUser can only access public registries with this quick fix.
yp05327 authored and Linux User committed Apr 10, 2023
1 parent abf0386 commit 7f4d60d
Showing 2 changed files with 22 additions and 37 deletions.
52 changes: 20 additions & 32 deletions routers/api/packages/api.go
@@ -43,35 +43,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
}
}

// CommonRoutes provide endpoints for most package managers (except containers - see below)
// These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route {
r := web.NewRoute()

r.Use(context.PackageContexter(ctx))

authMethods := []auth.Method{
&auth.OAuth2{},
&auth.Basic{},
&nuget.Auth{},
&conan.Auth{},
&chef.Auth{},
}
func verifyAuth(r *web.Route, authMethods []auth.Method) {
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}

authGroup := auth.NewGroup(authMethods...)

r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Verify: %v", err)
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})
}

// CommonRoutes provide endpoints for most package managers (except containers - see below)
// These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route {
r := web.NewRoute()

r.Use(context.PackageContexter(ctx))

verifyAuth(r, []auth.Method{
&auth.OAuth2{},
&auth.Basic{},
&nuget.Auth{},
&conan.Auth{},
&chef.Auth{},
})

r.Group("/{username}", func() {
r.Group("/cargo", func() {
@@ -401,24 +404,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {

r.Use(context.PackageContexter(ctx))

authMethods := []auth.Method{
verifyAuth(r, []auth.Method{
&auth.Basic{},
&container.Auth{},
}
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}

authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})

r.Get("", container.ReqContainerAccess, container.DetermineSupport)
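Review bot: `verifyAuth` is now the one place where the authentication middleware for both the common package routes and the container routes is built, and it carries no doc comment stating what it sets. I would add `// verifyAuth registers a middleware that sets ctx.Doer and ctx.IsSigned from authGroup.Verify (ReverseProxy is appended when enabled) and answers 401 when Verify returns an error.` above the function. The comment should also say that `ctx.IsSigned = ctx.Doer != nil` is true for any non-nil Doer, which after the container/auth.go change in this commit presumably includes the Actions pseudo-user as well as Ghost, so handlers must decide access from package permissions rather than from IsSigned alone; which handlers read IsSigned is not visible in this section. Separately, `log.Error` runs on every failed verification, so unauthenticated clients can write to the error log at will; a lower level may be more appropriate for this path.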
7 changes: 2 additions & 5 deletions routers/api/packages/container/auth.go
@@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
if uid == 0 {
return nil, nil
}
if uid == -1 {
return user_model.NewGhostUser(), nil
}

u, err := user_model.GetUserByID(req.Context(), uid)
u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil {
log.Error("GetUserByID: %v", err)
log.Error("GetPossibleUserByID: %v", err)
return nil, err
}

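Review bot: The uid read from the token is passed straight to `GetPossibleUserByID`, so the set of pseudo-user IDs this method accepts is now whatever that helper resolves rather than the single `-1` case that used to be spelled out, and nothing in the hunk states or enforces what such a user may access. The commit message says the Actions user (userID -2) is meant to reach public registries only, but that restriction depends on permission checks outside this file. I would record the expectation at the call, e.g. `// uid may be a pseudo-user ID (Ghost -1, Actions -2); these users must only ever be granted access to public packages.`, and add a test that a token carrying the Actions user ID is refused on a non-public package. `Verify` begins above the hunk and continues below it.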
