Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-01-25 04:11:05 +01:00
Code Issues Activity

Add cross repo package access test

Browse Source
This commit is contained in:
Excellencedev 2025-12-24 05:29:27 +01:00
parent 9bd8b8109d
commit 9ada493d72
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
tests/integration/actions_job_token_test.go
View File

@ -4,6 +4,7 @@
package integration
import (
"bytes"
"encoding/base64"
"fmt"
"net/http"
@ -362,5 +363,32 @@ func TestActionsCrossRepoAccess(t *testing.T) {
t.Run("Cross-Repo Access Allowed", doAPIGetRepository(testCtx, func(t *testing.T, r structs.Repository) {
assert.Equal(t, "repo-B", r.Name)
}))
// 6. Test Cross-Repo Package Access
t.Run("Cross-Repo Package Access", func(t *testing.T) {
packageName := "cross-test-pkg"
packageVersion := "1.0.0"
fileName := "test-file.bin"
content := []byte{1, 2, 3, 4, 5}
// First, upload a package to repo-B using the org owner's token
packageURL := fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", orgName, packageName, packageVersion, fileName)
uploadReq := NewRequestWithBody(t, "PUT", packageURL, bytes.NewReader(content)).AddTokenAuth(token)
MakeRequest(t, uploadReq, http.StatusCreated)
// Try to download the package with task token from repo-A (cross-repo read)
// Cross-repo access should allow read
downloadReq := NewRequest(t, "GET", packageURL)
downloadReq.Header.Set("Authorization", "Bearer "+task.Token)
resp := MakeRequest(t, downloadReq, http.StatusOK)
assert.Equal(t, content, resp.Body.Bytes(), "Should be able to read package from other repo in same org")
// Try to upload a package to org with task token from repo-A (cross-repo write)
// Cross-repo access should be read-only, so this should fail
writePackageURL := fmt.Sprintf("/api/packages/%s/generic/%s/%s/write-test.bin", orgName, packageName, packageVersion)
writeReq := NewRequestWithBody(t, "PUT", writePackageURL, bytes.NewReader(content))
writeReq.Header.Set("Authorization", "Bearer "+task.Token)
MakeRequest(t, writeReq, http.StatusForbidden)
})
})
}