From 4beb48eebcc6c0070df3ed15488b5e23d598f73e Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Mon, 24 Oct 2022 15:53:04 +0000 Subject: [PATCH 1/3] Fix package access. --- modules/context/package.go | 4 ++++ routers/api/packages/api.go | 2 ++ tests/integration/api_packages_test.go | 22 ++++++++++++++++++++++ 3 files changed, 28 insertions(+) diff --git a/modules/context/package.go b/modules/context/package.go index d12bdc4913854..72aeb40465682 100644 --- a/modules/context/package.go +++ b/modules/context/package.go @@ -91,6 +91,10 @@ func determineAccessMode(ctx *Context) (perm.AccessMode, error) { return accessMode, nil } + if ctx.Doer != nil && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) { + return accessMode, nil + } + if ctx.Package.Owner.IsOrganization() { org := organization.OrgFromUser(ctx.Package.Owner) diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go index f6ab961f5ec5d..41fdfc5796ce8 100644 --- a/routers/api/packages/api.go +++ b/routers/api/packages/api.go @@ -58,6 +58,7 @@ func Routes(ctx gocontext.Context) *web.Route { authGroup := auth.NewGroup(authMethods...) r.Use(func(ctx *context.Context) { ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) + ctx.IsSigned = ctx.Doer != nil }) r.Group("/{username}", func() { @@ -314,6 +315,7 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route { authGroup := auth.NewGroup(authMethods...) r.Use(func(ctx *context.Context) { ctx.Doer = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) + ctx.IsSigned = ctx.Doer != nil }) r.Get("", container.ReqContainerAccess, container.DetermineSupport) diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go index 86d81994d4d22..25f5b3f2a12da 100644 --- a/tests/integration/api_packages_test.go +++ b/tests/integration/api_packages_test.go @@ -25,6 +25,7 @@ import ( func TestPackageAPI(t *testing.T) { defer tests.PrepareTestEnv(t)() + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) session := loginUser(t, user.Name) token := getTokenForLoggedInUser(t, session) @@ -144,6 +145,27 @@ func TestPackageAPI(t *testing.T) { }) } +func TestPackageAccess(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}) + inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9}) + + uploadPackage := func(doer, owner *user_model.User, expectedStatus int) { + url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name) + req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1})) + AddBasicAuthHeader(req, doer.Name) + MakeRequest(t, req, expectedStatus) + } + + uploadPackage(user, inactive, http.StatusUnauthorized) + uploadPackage(inactive, inactive, http.StatusUnauthorized) + uploadPackage(inactive, user, http.StatusUnauthorized) + uploadPackage(admin, inactive, http.StatusCreated) + uploadPackage(admin, user, http.StatusCreated) +} + func TestPackageCleanup(t *testing.T) { defer tests.PrepareTestEnv(t)() From 0f6752c43b8c6a9966aa970043bbf1400f63bebe Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Mon, 24 Oct 2022 16:18:35 +0000 Subject: [PATCH 2/3] Fix container ghost user. --- modules/context/package.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/context/package.go b/modules/context/package.go index 72aeb40465682..ce0f9a511b382 100644 --- a/modules/context/package.go +++ b/modules/context/package.go @@ -85,16 +85,15 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) { } func determineAccessMode(ctx *Context) (perm.AccessMode, error) { - accessMode := perm.AccessModeNone - if setting.Service.RequireSignInView && ctx.Doer == nil { - return accessMode, nil + return perm.AccessModeNone, nil } - if ctx.Doer != nil && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) { - return accessMode, nil + if ctx.Doer != nil && !ctx.Doer.IsGhost() && (!ctx.Doer.IsActive || ctx.Doer.ProhibitLogin) { + return perm.AccessModeNone, nil } + accessMode := perm.AccessModeNone if ctx.Package.Owner.IsOrganization() { org := organization.OrgFromUser(ctx.Package.Owner) From 62dadbddf90f9d09b920a890cc949570e3714d99 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Mon, 24 Oct 2022 16:21:20 +0000 Subject: [PATCH 3/3] Add test. --- tests/integration/api_packages_container_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go index b8a3884371b20..ba76ee4baa7dd 100644 --- a/tests/integration/api_packages_container_test.go +++ b/tests/integration/api_packages_container_test.go @@ -471,6 +471,10 @@ func TestPackageContainer(t *testing.T) { assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length")) assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest")) + + req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest)) + addTokenAuthHeader(req, anonymousToken) + MakeRequest(t, req, http.StatusOK) }) t.Run("GetBlob", func(t *testing.T) {