Allow Token/Basic auth on raw paths (#15987)
authorzeripath <art27@cantab.net>
Thu, 27 May 2021 18:46:11 +0000 (19:46 +0100)
committerGitHub <noreply@github.com>
Thu, 27 May 2021 18:46:11 +0000 (19:46 +0100)
It appears that people have been using token authentication to navigate to raw paths,
and recent changes have broken this. Whilst ideally these paths would not be used
like this, the breakage was not intended.

This PR restores access to these paths.

Fix #13772

Signed-off-by: Andrew Thornton <art27@cantab.net>
modules/auth/sso/basic.go
modules/auth/sso/reverseproxy.go
modules/auth/sso/sso.go
modules/auth/sso/sso_test.go

index a18e127ff93f068ba964a593c63e01c18baa2d72..555128812851f0d4c3cbfd949e8f5cbe7e492889 100644 (file)
@@ -51,7 +51,7 @@ func (b *Basic) IsEnabled() bool {
 func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
 
        // Basic authentication should only fire on API, Download or on Git or LFSPaths
-       if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+       if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
                return nil
        }
 
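Review bot: The comment above the changed condition still reads "API, Download or on Git or LFSPaths", but after this change the gate also admits `/{owner}/{repo}/raw/` paths, so it no longer describes where Basic/token credentials are accepted. Since this comment is the only in-place statement of that policy, it should be updated with the code, e.g. `// Basic authentication should only fire on API, attachment download, git, raw or LFS paths`. The same applies to the comment in the modules/auth/sso/reverseproxy.go hunk, which could become `// Make sure requests to API paths, attachment downloads, git, raw and LFS do not create a new session`. VerifyAuthData continues outside both hunks, so how credentials are handled after the gate is not visible here.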
index d4fae9d5f425b39dab9dce54d99f4a6cd5947ef3..f8d17a3cf5a7f988f6233d2e8187649e2e1ae772 100644 (file)
@@ -78,7 +78,7 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
        }
 
        // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
-       if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+       if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
                if sess.Get("uid").(int64) != user.ID {
                        handleSignIn(w, req, sess, user)
                }
index 2f949cb0f8584a6e0c4f5913b5632f8c4362612b..8543ceb2ffc0bf7bb5ee87ec537de963bfad3330 100644 (file)
@@ -104,11 +104,11 @@ func isAttachmentDownload(req *http.Request) bool {
        return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
 }
 
-var gitPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/))`)
+var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`)
 var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
 
-func isGitOrLFSPath(req *http.Request) bool {
-       if gitPathRe.MatchString(req.URL.Path) {
+func isGitRawOrLFSPath(req *http.Request) bool {
+       if gitRawPathRe.MatchString(req.URL.Path) {
                return true
        }
        if setting.LFS.StartServer {
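Review bot: The new `raw/` alternative in `gitRawPathRe` widens two decisions at once, with no doc comment on the regexp or on `isGitRawOrLFSPath` to say so. Judging by the other hunks, a match both lets Basic/token auth run and makes the reverse-proxy path skip session sign-in. Unlike `isAttachmentDownload` just above, which requires `req.Method == "GET"`, the raw match applies to any method. Whether the raw routes accept anything other than GET is not visible here, so it is worth confirming that is intended. I would add a comment such as `// gitRawPathRe matches the git smart-HTTP endpoints and /{owner}/{repo}/raw/ paths; a match makes the request eligible for Basic/token auth and exempt from session creation.` The `raw/` branch is also the only alternative not wrapped in `(?:…)`, which is harmless but inconsistent. The body of `isGitRawOrLFSPath` continues past the end of the hunk.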
index b6a7f099e3a2f8d7fa4cdccea136a64934149adc..e57788f35aecc10a32000d75e7fd25535f5f8d61 100644 (file)
@@ -12,7 +12,7 @@ import (
        "code.gitea.io/gitea/modules/setting"
 )
 
-func Test_isGitOrLFSPath(t *testing.T) {
+func Test_isGitRawOrLFSPath(t *testing.T) {
 
        tests := []struct {
                path string
@@ -63,6 +63,10 @@ func Test_isGitOrLFSPath(t *testing.T) {
                        "/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx",
                        true,
                },
+               {
+                       "/owner/repo/raw/branch/foo/fanaso",
+                       true,
+               },
                {
                        "/owner/repo/stars",
                        false,
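Review bot: The added table entry covers only a positive `raw/` match, so nothing pins the boundary of the path set that now accepts token/Basic auth. Because the regexp requires the literal segment `raw/`, near-miss paths should stay outside the gate, and a negative case or two would catch a later loosening of the pattern: `{"/owner/repo/raw", false},` and `{"/owner/repo/rawfile/branch/foo", false},`. The expected `false` assumes the LFS branch of `isGitRawOrLFSPath` only matches `info/lfs/` paths, as `lfsPathRe` suggests; that part of the function is outside the visible hunks.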
@@ -98,11 +102,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
                t.Run(tt.path, func(t *testing.T) {
                        req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
                        setting.LFS.StartServer = false
-                       if got := isGitOrLFSPath(req); got != tt.want {
+                       if got := isGitRawOrLFSPath(req); got != tt.want {
                                t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
                        }
                        setting.LFS.StartServer = true
-                       if got := isGitOrLFSPath(req); got != tt.want {
+                       if got := isGitRawOrLFSPath(req); got != tt.want {
                                t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
                        }
                })
@@ -111,11 +115,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
                t.Run(tt, func(t *testing.T) {
                        req, _ := http.NewRequest("POST", tt, nil)
                        setting.LFS.StartServer = false
-                       if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
-                               t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitPathRe.MatchString(tt))
+                       if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
+                               t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt))
                        }
                        setting.LFS.StartServer = true
-                       if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
+                       if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
                                t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
                        }
                })