Add actions support to package auth verification (#23729) (#24028)
Backport #23729 by @yp05327

Partly fixes #23642

Error info:

![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png)
ActionsUser (userID -2) is used to log in to docker in action jobs.

Because there are no permission policy settings for ActionsUser yet,
with this quick fix ActionsUser can only access public registries.

Co-authored-by: yp05327 <[email protected]>
GiteaBot and yp05327 authored Apr 10, 2023
1 parent abf0386 commit 27dbe97
Showing 2 changed files with 22 additions and 37 deletions.
52 changes: 20 additions & 32 deletions routers/api/packages/api.go
Expand Up @@ -43,35 +43,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
}
}

// CommonRoutes provide endpoints for most package managers (except containers - see below)
// These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route {
r := web.NewRoute()

r.Use(context.PackageContexter(ctx))

authMethods := []auth.Method{
&auth.OAuth2{},
&auth.Basic{},
&nuget.Auth{},
&conan.Auth{},
&chef.Auth{},
}
func verifyAuth(r *web.Route, authMethods []auth.Method) {
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}

authGroup := auth.NewGroup(authMethods...)

r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Verify: %v", err)
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})
}

// CommonRoutes provide endpoints for most package managers (except containers - see below)
// These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route {
r := web.NewRoute()

r.Use(context.PackageContexter(ctx))

verifyAuth(r, []auth.Method{
&auth.OAuth2{},
&auth.Basic{},
&nuget.Auth{},
&conan.Auth{},
&chef.Auth{},
})

r.Group("/{username}", func() {
r.Group("/cargo", func() {
Expand Down Expand Up @@ -401,24 +404,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {

r.Use(context.PackageContexter(ctx))

authMethods := []auth.Method{
verifyAuth(r, []auth.Method{
&auth.Basic{},
&container.Auth{},
}
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}

authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})

r.Get("", container.ReqContainerAccess, container.DetermineSupport)
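Review bot: The new `verifyAuth` helper in the first hunk has no doc comment, although it now decides `ctx.Doer` and `ctx.IsSigned` for both the common and the container routes. I would add `// verifyAuth installs middleware that tries authMethods (plus auth.ReverseProxy when EnableReverseProxyAuth is set), stores the result in ctx.Doer and answers 401 on any Verify error.` above it. Sharing the helper also changes the string the container routes pass to `ctx.Error` from `"Verify"` to `"authGroup.Verify"`; if that text reaches registry clients, mention it in the description or make it a parameter. `ctx.IsSigned` is true for any non-nil `Doer`, which after this commit appears to include the Actions user, so handlers mounted below should rely on the package access check rather than on `IsSigned` alone.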
7 changes: 2 additions & 5 deletions routers/api/packages/container/auth.go
Expand Up @@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
if uid == 0 {
return nil, nil
}
if uid == -1 {
return user_model.NewGhostUser(), nil
}

u, err := user_model.GetUserByID(req.Context(), uid)
u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil {
log.Error("GetUserByID: %v", err)
log.Error("GetPossibleUserByID: %v", err)
return nil, err
}

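Review bot: With the `uid == -1` branch removed, `Verify` depends entirely on `user_model.GetPossibleUserByID` to decide which non-positive IDs from a token map to a user, and that helper is not visible here. The description says ActionsUser (userID -2) should reach public registries only, but nothing in this hunk enforces that; the limit presumably comes from the access check on the routes. A short comment on the call, e.g. `// uid may be a special user (ghost -1, actions -2); their access is limited by the package access check, not here`, plus a test that an Actions-user token is refused for a private package and for a push, would keep the restriction from regressing. The body of `Verify` starts and ends outside the hunk.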
