mirror of
https://github.com/go-gitea/gitea.git
synced 2026-04-26 21:53:25 +02:00
45809c8f54
## Overview This PR introduces granular permission controls for Gitea Actions tokens (`GITEA_TOKEN`), aligning Gitea's security model with GitHub Actions standards while maintaining compatibility with Gitea's unique repository unit system. It addresses the need for finer access control by allowing administrators and repository owners to define default token permissions, set maximum permission ceilings, and control cross-repository access within organizations. ## Key Features ### 1. Granular Token Permissions - **Standard Keyword Support**: Implements support for the `permissions:` keyword in workflow and job YAML files (e.g., `contents: read`, `issues: write`). - **Permission Modes**: - **Permissive**: Default write access for most units (backwards compatible). - **Restricted**: Default read-only access for `contents` and `packages`, with no access to other units. - ~~**Custom**: Allows defining specific default levels for each unit type (Code, Issues, PRs, Packages, etc.).~~**EDIT removed UI was confusing** - **Clamping Logic**: Workflow-defined permissions are automatically "clamped" by repository or organization-level maximum settings. Workflows cannot escalate their own permissions beyond these limits. ### 2. Organization & Repository Settings - **Settings UI**: Added new settings pages at both Organization and Repository levels to manage Actions token defaults and maximums. - **Inheritance**: Repositories can be configured to "Follow organization-level configuration," simplifying management across large organizations. - **Cross-Repository Access**: Added a policy to control whether Actions workflows can access other repositories or packages within the same organization. This can be set to "None," "All," or restricted to a "Selected" list of repositories. ### 3. Security Hardening - **Fork Pull Request Protection**: Tokens for workflows triggered by pull requests from forks are strictly enforced as read-only, regardless of repository settings. - ~~**Package Access**: Actions tokens can now only access packages explicitly linked to a repository, with cross-repo access governed by the organization's security policy.~~ **EDIT removed https://github.com/go-gitea/gitea/pull/36173#issuecomment-3873675346** - **Git Hook Integration**: Propagates Actions Task IDs to git hooks to ensure that pushes performed by Actions tokens respect the specific permissions granted at runtime. ### 4. Technical Implementation - **Permission Persistence**: Parsed permissions are calculated at job creation and stored in the `action_run_job` table. This ensures the token's authority is deterministic throughout the job's lifecycle. - **Parsing Priority**: Implemented a priority system in the YAML parser where the broad `contents` scope is applied first, allowing granular scopes like `code` or `releases` to override it for precise control. - **Re-runs**: Permissions are re-evaluated during a job re-run to incorporate any changes made to repository settings in the interim. ### How to Test 1. **Unit Tests**: Run `go test ./services/actions/...` and `go test ./models/repo/...` to verify parsing logic and permission clamping. 2. **Integration Tests**: Comprehensive tests have been added to `tests/integration/actions_job_token_test.go` covering: - Permissive vs. Restricted mode behavior. - YAML `permissions:` keyword evaluation. - Organization cross-repo access policies. - Resource access (Git, API, and Packages) under various permission configs. 3. **Manual Verification**: - Navigate to **Site/Org/Repo Settings -> Actions -> General**. - Change "Default Token Permissions" and verify that newly triggered workflows reflect these changes in their `GITEA_TOKEN` capabilities. - Attempt a cross-repo API call from an Action and verify the Org policy is enforced. ## Documentation Added a PR in gitea's docs for this : https://gitea.com/gitea/docs/pulls/318 ## UI: <img width="1366" height="619" alt="Screenshot 2026-01-24 174112" src="https://github.com/user-attachments/assets/bfa29c9a-4ea5-4346-9410-16d491ef3d44" /> <img width="1360" height="621" alt="Screenshot 2026-01-24 174048" src="https://github.com/user-attachments/assets/d5ec46c8-9a13-4874-a6a4-fb379936cef5" /> /fixes #24635 /claim #24635 --------- Signed-off-by: Excellencedev <ademiluyisuccessandexcellence@gmail.com> Signed-off-by: ChristopherHX <christopher.homberger@web.de> Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: ChristopherHX <christopher.homberger@web.de> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
329 lines
8.0 KiB
Go
329 lines
8.0 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package doctor
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"code.gitea.io/gitea/models/db"
|
|
repo_model "code.gitea.io/gitea/models/repo"
|
|
"code.gitea.io/gitea/models/unit"
|
|
"code.gitea.io/gitea/modules/json"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/timeutil"
|
|
|
|
"xorm.io/builder"
|
|
)
|
|
|
|
// #16831 revealed that the dump command that was broken in 1.14.3-1.14.6 and 1.15.0 (#15885).
|
|
// This led to repo_unit and login_source cfg not being converted to JSON in the dump
|
|
// Unfortunately although it was hoped that there were only a few users affected it
|
|
// appears that many users are affected.
|
|
|
|
// We therefore need to provide a doctor command to fix this repeated issue #16961
|
|
|
|
func parseBool16961(bs []byte) (bool, error) {
|
|
if bytes.EqualFold(bs, []byte("%!s(bool=false)")) {
|
|
return false, nil
|
|
}
|
|
|
|
if bytes.EqualFold(bs, []byte("%!s(bool=true)")) {
|
|
return true, nil
|
|
}
|
|
|
|
return false, fmt.Errorf("unexpected bool format: %s", string(bs))
|
|
}
|
|
|
|
func fixUnitConfig16961(bs []byte, cfg *repo_model.UnitConfig) (fixed bool, err error) {
|
|
err = json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
|
|
// Handle #16961
|
|
if string(bs) != "&{}" && len(bs) != 0 {
|
|
return false, err
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
func fixExternalWikiConfig16961(bs []byte, cfg *repo_model.ExternalWikiConfig) (fixed bool, err error) {
|
|
err = json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
|
|
if len(bs) < 3 {
|
|
return false, err
|
|
}
|
|
if bs[0] != '&' || bs[1] != '{' || bs[len(bs)-1] != '}' {
|
|
return false, err
|
|
}
|
|
cfg.ExternalWikiURL = string(bs[2 : len(bs)-1])
|
|
return true, nil
|
|
}
|
|
|
|
func fixExternalTrackerConfig16961(bs []byte, cfg *repo_model.ExternalTrackerConfig) (fixed bool, err error) {
|
|
err = json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
// Handle #16961
|
|
if len(bs) < 3 {
|
|
return false, err
|
|
}
|
|
|
|
if bs[0] != '&' || bs[1] != '{' || bs[len(bs)-1] != '}' {
|
|
return false, err
|
|
}
|
|
|
|
parts := bytes.Split(bs[2:len(bs)-1], []byte{' '})
|
|
if len(parts) != 3 {
|
|
return false, err
|
|
}
|
|
|
|
cfg.ExternalTrackerURL = string(bytes.Join(parts[:len(parts)-2], []byte{' '}))
|
|
cfg.ExternalTrackerFormat = string(parts[len(parts)-2])
|
|
cfg.ExternalTrackerStyle = string(parts[len(parts)-1])
|
|
return true, nil
|
|
}
|
|
|
|
func fixPullRequestsConfig16961(bs []byte, cfg *repo_model.PullRequestsConfig) (fixed bool, err error) {
|
|
err = json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
|
|
// Handle #16961
|
|
if len(bs) < 3 {
|
|
return false, err
|
|
}
|
|
|
|
if bs[0] != '&' || bs[1] != '{' || bs[len(bs)-1] != '}' {
|
|
return false, err
|
|
}
|
|
|
|
// PullRequestsConfig was the following in 1.14
|
|
// type PullRequestsConfig struct {
|
|
// IgnoreWhitespaceConflicts bool
|
|
// AllowMerge bool
|
|
// AllowRebase bool
|
|
// AllowRebaseMerge bool
|
|
// AllowSquash bool
|
|
// AllowManualMerge bool
|
|
// AutodetectManualMerge bool
|
|
// }
|
|
//
|
|
// 1.15 added in addition:
|
|
// DefaultDeleteBranchAfterMerge bool
|
|
// DefaultMergeStyle MergeStyle
|
|
parts := bytes.Split(bs[2:len(bs)-1], []byte{' '})
|
|
if len(parts) < 7 {
|
|
return false, err
|
|
}
|
|
|
|
var parseErr error
|
|
cfg.IgnoreWhitespaceConflicts, parseErr = parseBool16961(parts[0])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AllowMerge, parseErr = parseBool16961(parts[1])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AllowRebase, parseErr = parseBool16961(parts[2])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AllowRebaseMerge, parseErr = parseBool16961(parts[3])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AllowSquash, parseErr = parseBool16961(parts[4])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AllowManualMerge, parseErr = parseBool16961(parts[5])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AutodetectManualMerge, parseErr = parseBool16961(parts[6])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
|
|
// 1.14 unit
|
|
if len(parts) == 7 {
|
|
return true, nil
|
|
}
|
|
|
|
if len(parts) < 9 {
|
|
return false, err
|
|
}
|
|
|
|
cfg.DefaultDeleteBranchAfterMerge, parseErr = parseBool16961(parts[7])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
|
|
cfg.DefaultMergeStyle = repo_model.MergeStyle(string(bytes.Join(parts[8:], []byte{' '})))
|
|
return true, nil
|
|
}
|
|
|
|
func fixIssuesConfig16961(bs []byte, cfg *repo_model.IssuesConfig) (fixed bool, err error) {
|
|
err = json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
|
|
// Handle #16961
|
|
if len(bs) < 3 {
|
|
return false, err
|
|
}
|
|
|
|
if bs[0] != '&' || bs[1] != '{' || bs[len(bs)-1] != '}' {
|
|
return false, err
|
|
}
|
|
|
|
parts := bytes.Split(bs[2:len(bs)-1], []byte{' '})
|
|
if len(parts) != 3 {
|
|
return false, err
|
|
}
|
|
var parseErr error
|
|
cfg.EnableTimetracker, parseErr = parseBool16961(parts[0])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.AllowOnlyContributorsToTrackTime, parseErr = parseBool16961(parts[1])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
cfg.EnableDependencies, parseErr = parseBool16961(parts[2])
|
|
if parseErr != nil {
|
|
return false, errors.Join(err, parseErr)
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
func fixBrokenRepoUnit16961(repoUnit *repo_model.RepoUnit, bs []byte) (fixed bool, err error) {
|
|
// Shortcut empty or null values
|
|
if len(bs) == 0 {
|
|
return false, nil
|
|
}
|
|
|
|
var cfg any
|
|
err = json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
if err == nil {
|
|
return false, nil
|
|
}
|
|
|
|
switch repoUnit.Type {
|
|
case unit.TypeCode, unit.TypeReleases, unit.TypeWiki, unit.TypeProjects:
|
|
cfg := &repo_model.UnitConfig{}
|
|
repoUnit.Config = cfg
|
|
if fixed, err := fixUnitConfig16961(bs, cfg); !fixed {
|
|
return false, err
|
|
}
|
|
case unit.TypeExternalWiki:
|
|
cfg := &repo_model.ExternalWikiConfig{}
|
|
repoUnit.Config = cfg
|
|
|
|
if fixed, err := fixExternalWikiConfig16961(bs, cfg); !fixed {
|
|
return false, err
|
|
}
|
|
case unit.TypeExternalTracker:
|
|
cfg := &repo_model.ExternalTrackerConfig{}
|
|
repoUnit.Config = cfg
|
|
if fixed, err := fixExternalTrackerConfig16961(bs, cfg); !fixed {
|
|
return false, err
|
|
}
|
|
case unit.TypePullRequests:
|
|
cfg := &repo_model.PullRequestsConfig{}
|
|
repoUnit.Config = cfg
|
|
|
|
if fixed, err := fixPullRequestsConfig16961(bs, cfg); !fixed {
|
|
return false, err
|
|
}
|
|
case unit.TypeIssues:
|
|
cfg := &repo_model.IssuesConfig{}
|
|
repoUnit.Config = cfg
|
|
if fixed, err := fixIssuesConfig16961(bs, cfg); !fixed {
|
|
return false, err
|
|
}
|
|
default:
|
|
panic(fmt.Sprintf("unrecognized repo unit type: %v", repoUnit.Type))
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
func fixBrokenRepoUnits16961(ctx context.Context, logger log.Logger, autofix bool) error {
|
|
// RepoUnit describes all units of a repository
|
|
type RepoUnit struct {
|
|
ID int64
|
|
RepoID int64
|
|
Type unit.Type
|
|
Config []byte
|
|
CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
|
|
}
|
|
|
|
count := 0
|
|
|
|
err := db.Iterate(
|
|
ctx,
|
|
builder.Gt{
|
|
"id": 0,
|
|
},
|
|
func(ctx context.Context, unit *RepoUnit) error {
|
|
bs := unit.Config
|
|
repoUnit := &repo_model.RepoUnit{
|
|
ID: unit.ID,
|
|
RepoID: unit.RepoID,
|
|
Type: unit.Type,
|
|
CreatedUnix: unit.CreatedUnix,
|
|
}
|
|
|
|
if fixed, err := fixBrokenRepoUnit16961(repoUnit, bs); !fixed {
|
|
return err
|
|
}
|
|
|
|
count++
|
|
if !autofix {
|
|
return nil
|
|
}
|
|
|
|
return repo_model.UpdateRepoUnitConfig(ctx, repoUnit)
|
|
},
|
|
)
|
|
if err != nil {
|
|
logger.Critical("Unable to iterate across repounits to fix the broken units: Error %v", err)
|
|
return err
|
|
}
|
|
|
|
if !autofix {
|
|
if count == 0 {
|
|
logger.Info("Found no broken repo_units")
|
|
} else {
|
|
logger.Warn("Found %d broken repo_units", count)
|
|
}
|
|
return nil
|
|
}
|
|
logger.Info("Fixed %d broken repo_units", count)
|
|
|
|
return nil
|
|
}
|
|
|
|
func init() {
|
|
Register(&Check{
|
|
Title: "Check for incorrectly dumped repo_units (See #16961)",
|
|
Name: "fix-broken-repo-units",
|
|
IsDefault: false,
|
|
Run: fixBrokenRepoUnits16961,
|
|
Priority: 7,
|
|
})
|
|
}
|