author | yp05327 <576951401@qq.com> | 2023-04-10 16:21:03 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-10 15:21:03 +0800 |
commit | bb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9 (patch) | |
tree | cff6b664a200a3e47c5a4612aecd1d8de586e594 | |
parent | fd9d072af1ea141c96bb1cf363caf96e685217e6 (diff) | |
Add actions support to package auth verification (#23729)
Partly fixes https://github.com/go-gitea/gitea/issues/23642
Error info:
![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png)
ActionsUser (userID -2) is used to log in to Docker in action jobs.
Because there are no permission policy settings for ActionsUser yet,
with this quick fix ActionsUser can only access public registries.
-rw-r--r-- | routers/api/packages/api.go | 52 | ||||
-rw-r--r-- | routers/api/packages/container/auth.go | 7 |
2 files changed, 22 insertions, 37 deletions
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go index c0c7b117f6..4cebabecf0 100644 --- a/routers/api/packages/api.go +++ b/routers/api/packages/api.go @@ -44,35 +44,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) { } } -// CommonRoutes provide endpoints for most package managers (except containers - see below) -// These are mounted on `/api/packages` (not `/api/v1/packages`) -func CommonRoutes(ctx gocontext.Context) *web.Route { - r := web.NewRoute() - - r.Use(context.PackageContexter(ctx)) - - authMethods := []auth.Method{ - &auth.OAuth2{}, - &auth.Basic{}, - &nuget.Auth{}, - &conan.Auth{}, - &chef.Auth{}, - } +func verifyAuth(r *web.Route, authMethods []auth.Method) { if setting.Service.EnableReverseProxyAuth { authMethods = append(authMethods, &auth.ReverseProxy{}) } - authGroup := auth.NewGroup(authMethods...) + r.Use(func(ctx *context.Context) { var err error ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) if err != nil { - log.Error("Verify: %v", err) + log.Error("Failed to verify user: %v", err) ctx.Error(http.StatusUnauthorized, "authGroup.Verify") return } ctx.IsSigned = ctx.Doer != nil }) +} + +// CommonRoutes provide endpoints for most package managers (except containers - see below) +// These are mounted on `/api/packages` (not `/api/v1/packages`) +func CommonRoutes(ctx gocontext.Context) *web.Route { + r := web.NewRoute() + + r.Use(context.PackageContexter(ctx)) + + verifyAuth(r, []auth.Method{ + &auth.OAuth2{}, + &auth.Basic{}, + &nuget.Auth{}, + &conan.Auth{}, + &chef.Auth{}, + }) r.Group("/{username}", func() { r.Group("/cargo", func() { 
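Review bot: The new `verifyAuth` helper has no doc comment, and its name suggests it rejects unauthenticated requests when it only installs middleware that fills `ctx.Doer` and `ctx.IsSigned`. Judging by `ctx.IsSigned = ctx.Doer != nil`, a request that no method claims continues anonymously, so every route still depends on its own access check such as `reqPackageAccess`. I would document that on the helper: `// verifyAuth installs middleware that authenticates each request with authMethods (plus reverse-proxy auth when enabled). Requests no method claims continue with ctx.Doer == nil; routes must enforce access themselves.` The helper also appends to the caller's `authMethods` slice, which is harmless for the two literal call sites in this commit but worth a word in the same comment.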
@@ -437,24 +440,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route { r.Use(context.PackageContexter(ctx)) - authMethods := []auth.Method{ + verifyAuth(r, []auth.Method{ &auth.Basic{}, &container.Auth{}, - } - if setting.Service.EnableReverseProxyAuth { - authMethods = append(authMethods, &auth.ReverseProxy{}) - } - - authGroup := auth.NewGroup(authMethods...) - r.Use(func(ctx *context.Context) { - var err error - ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) - if err != nil { - log.Error("Failed to verify user: %v", err) - ctx.Error(http.StatusUnauthorized, "Verify") - return - } - ctx.IsSigned = ctx.Doer != nil }) r.Get("", container.ReqContainerAccess, container.DetermineSupport) diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go index 33f439ec3e..6fb32c389d 100644 --- a/routers/api/packages/container/auth.go +++ b/routers/api/packages/container/auth.go @@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS if uid == 0 { return nil, nil } - if uid == -1 { - return user_model.NewGhostUser(), nil - } - u, err := user_model.GetUserByID(req.Context(), uid) + u, err := user_model.GetPossibleUserByID(req.Context(), uid) if err != nil { - log.Error("GetUserByID: %v", err) + log.Error("GetPossibleUserByID: %v", err) return nil, err } |
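Review bot: In the `container/auth.go` hunk, replacing the explicit `uid == -1` branch with `user_model.GetPossibleUserByID` means the set of accepted synthetic user IDs is now decided inside that helper rather than at this call site, and the new code carries no comment saying so. Per the commit description this is what lets ActionsUser (userID -2) authenticate, and the resulting non-nil user makes `ctx.IsSigned` true in `verifyAuth`. The claim that it can only reach public registries is not enforced in any visible line and presumably rests on access checks outside this diff. I would add above the call `// uid may be a synthetic ID (ghost -1, actions -2); such users hold no permissions of their own, access is decided by the route's access check.` and back it with a test that an ActionsUser token is refused on a private package and on writes. `Verify` starts and ends outside the hunk, so where `uid` comes from cannot be checked here.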