Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-19 22:40:30 +02:00
Code Issues Activity

Refactor merge conan and container auth preserve actions taskID (#36560)

Browse Source 
* Remove duplicated code
* Allow further ActionsUser package permission checks

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
ChristopherHX 2026-02-09 04:04:56 +01:00 committed by GitHub
parent c401cda108
commit 34b34d2328
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 32 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
routers/api/packages/api.go
View File

@ -117,7 +117,7 @@ func CommonRoutes() *web.Router {
&auth.OAuth2{}, &auth.OAuth2{},
&auth.Basic{}, &auth.Basic{},
&nuget.Auth{}, &nuget.Auth{},
&conan.Auth{}, &Auth{},
&chef.Auth{}, &chef.Auth{},
}) })
@ -537,7 +537,8 @@ func ContainerRoutes() *web.Router {
verifyAuth(r, []auth.Method{ verifyAuth(r, []auth.Method{
&auth.Basic{}, &auth.Basic{},
&container.Auth{}, // container auth requires an token, so container.Authenticate issues a Ghost user token for anonymous access
&Auth{AllowGhostUser: true},
}) })
// TODO: Content Discovery / References (not implemented yet) // TODO: Content Discovery / References (not implemented yet)

29
routers/api/packages/conan/auth.go → routers/api/packages/auth.go
View File

@ -1,7 +1,7 @@
// Copyright 2022 The Gitea Authors. All rights reserved. // Copyright 2026 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT // SPDX-License-Identifier: MIT
package conan package packages
import ( import (
"net/http" "net/http"
@ -14,10 +14,13 @@ import (
var _ auth.Method = &Auth{} var _ auth.Method = &Auth{}
type Auth struct{} // Auth is for conan and container
type Auth struct {
AllowGhostUser bool
}
func (a *Auth) Name() string { func (a *Auth) Name() string {
return "conan" return "packages"
} }
// Verify extracts the user from the Bearer token // Verify extracts the user from the Bearer token
@ -32,10 +35,22 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
return nil, nil return nil, nil
} }
u, err := user_model.GetUserByID(req.Context(), packageMeta.UserID) var u *user_model.User
if err != nil { switch packageMeta.UserID {
return nil, err case user_model.GhostUserID:
if !a.AllowGhostUser {
return nil, nil
}
u = user_model.NewGhostUser()
case user_model.ActionsUserID:
u = user_model.NewActionsUserWithTaskID(packageMeta.ActionsUserTaskID)
default:
u, err = user_model.GetUserByID(req.Context(), packageMeta.UserID)
if err != nil {
return nil, err
}
} }
if packageMeta.Scope != "" { if packageMeta.Scope != "" {
store.GetData()["IsApiToken"] = true store.GetData()["IsApiToken"] = true
store.GetData()["ApiTokenScope"] = packageMeta.Scope store.GetData()["ApiTokenScope"] = packageMeta.Scope

47
routers/api/packages/container/auth.go
View File

@ -1,47 +0,0 @@
// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package container
import (
"net/http"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/packages"
)
var _ auth.Method = &Auth{}
type Auth struct{}
func (a *Auth) Name() string {
return "container"
}
// Verify extracts the user from the Bearer token
// If it's an anonymous session, a ghost user is returned
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
packageMeta, err := packages.ParseAuthorizationRequest(req)
if err != nil {
log.Trace("ParseAuthorizationToken: %v", err)
return nil, err
}
if packageMeta == nil || packageMeta.UserID == 0 {
return nil, nil
}
u, err := user_model.GetPossibleUserByID(req.Context(), packageMeta.UserID)
if err != nil {
return nil, err
}
if packageMeta.Scope != "" {
store.GetData()["IsApiToken"] = true
store.GetData()["ApiTokenScope"] = packageMeta.Scope
}
return u, nil
}

11
services/packages/auth.go
View File

@ -23,21 +23,24 @@ type packageClaims struct {
PackageMeta PackageMeta
} }
type PackageMeta struct { type PackageMeta struct {
UserID int64 UserID int64
Scope auth_model.AccessTokenScope Scope auth_model.AccessTokenScope
ActionsUserTaskID int64
} }
func CreateAuthorizationToken(u *user_model.User, packageScope auth_model.AccessTokenScope) (string, error) { func CreateAuthorizationToken(u *user_model.User, packageScope auth_model.AccessTokenScope) (string, error) {
now := time.Now() now := time.Now()
actionsUserTaskID, _ := user_model.GetActionsUserTaskID(u)
claims := packageClaims{ claims := packageClaims{
RegisteredClaims: jwt.RegisteredClaims{ RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)), ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
NotBefore: jwt.NewNumericDate(now), NotBefore: jwt.NewNumericDate(now),
}, },
PackageMeta: PackageMeta{ PackageMeta: PackageMeta{
UserID: u.ID, UserID: u.ID,
Scope: packageScope, Scope: packageScope,
ActionsUserTaskID: actionsUserTaskID,
}, },
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)