authoryp05327 <576951401@qq.com>2023-04-10 16:21:03 +0900
committerGitHub <noreply@github.com>2023-04-10 15:21:03 +0800
commitbb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9 (patch)
treecff6b664a200a3e47c5a4612aecd1d8de586e594
parentfd9d072af1ea141c96bb1cf363caf96e685217e6 (diff)
downloadgitea-bb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9.tar.gz
gitea-bb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9.zip
Add actions support to package auth verification (#23729)
Partly fixes https://github.com/go-gitea/gitea/issues/23642 Error info: ![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png) ActionsUser (userID -2) is used to log in to docker in action jobs. Because there are no permission policy settings for ActionsUser yet, with this quick fix ActionsUser can only access public registries.
-rw-r--r--routers/api/packages/api.go52
-rw-r--r--routers/api/packages/container/auth.go7
2 files changed, 22 insertions, 37 deletions
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index c0c7b117f6..4cebabecf0 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -44,35 +44,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
}
}
-// CommonRoutes provide endpoints for most package managers (except containers - see below)
-// These are mounted on `/api/packages` (not `/api/v1/packages`)
-func CommonRoutes(ctx gocontext.Context) *web.Route {
- r := web.NewRoute()
-
- r.Use(context.PackageContexter(ctx))
-
- authMethods := []auth.Method{
- &auth.OAuth2{},
- &auth.Basic{},
- &nuget.Auth{},
- &conan.Auth{},
- &chef.Auth{},
- }
+func verifyAuth(r *web.Route, authMethods []auth.Method) {
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}
-
authGroup := auth.NewGroup(authMethods...)
+
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
- log.Error("Verify: %v", err)
+ log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})
+}
+
+// CommonRoutes provide endpoints for most package managers (except containers - see below)
+// These are mounted on `/api/packages` (not `/api/v1/packages`)
+func CommonRoutes(ctx gocontext.Context) *web.Route {
+ r := web.NewRoute()
+
+ r.Use(context.PackageContexter(ctx))
+
+ verifyAuth(r, []auth.Method{
+ &auth.OAuth2{},
+ &auth.Basic{},
+ &nuget.Auth{},
+ &conan.Auth{},
+ &chef.Auth{},
+ })
r.Group("/{username}", func() {
r.Group("/cargo", func() {
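Review bot: `ctx.IsSigned = ctx.Doer != nil` in the new `verifyAuth` helper treats every non-nil Doer as signed in, and with the container/auth.go change in this commit the Doer can be the ActionsUser (userID -2 per the description) as well as the ghost user. A handler that gates on `ctx.IsSigned` alone would then treat a job token like a regular account; the access checks are outside this hunk, so this should be confirmed against `reqPackageAccess` and `container.ReqContainerAccess`. The helper also has no doc comment, and its name reads as if it performed the check rather than installing middleware. I would add `// verifyAuth installs middleware on r that authenticates each request with authMethods (plus ReverseProxy when enabled), sets ctx.Doer and ctx.IsSigned, and answers 401 when verification returns an error.` The body of CommonRoutes continues past the end of the hunk.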
@@ -437,24 +440,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
r.Use(context.PackageContexter(ctx))
- authMethods := []auth.Method{
+ verifyAuth(r, []auth.Method{
&auth.Basic{},
&container.Auth{},
- }
- if setting.Service.EnableReverseProxyAuth {
- authMethods = append(authMethods, &auth.ReverseProxy{})
- }
-
- authGroup := auth.NewGroup(authMethods...)
- r.Use(func(ctx *context.Context) {
- var err error
- ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
- if err != nil {
- log.Error("Failed to verify user: %v", err)
- ctx.Error(http.StatusUnauthorized, "Verify")
- return
- }
- ctx.IsSigned = ctx.Doer != nil
})
r.Get("", container.ReqContainerAccess, container.DetermineSupport)
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go
index 33f439ec3e..6fb32c389d 100644
--- a/routers/api/packages/container/auth.go
+++ b/routers/api/packages/container/auth.go
@@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
if uid == 0 {
return nil, nil
}
- if uid == -1 {
- return user_model.NewGhostUser(), nil
- }
- u, err := user_model.GetUserByID(req.Context(), uid)
+ u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil {
- log.Error("GetUserByID: %v", err)
+ log.Error("GetPossibleUserByID: %v", err)
return nil, err
}
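Review bot: The reserved-ID handling that decides which identity a token resolves to is no longer visible in `Verify`, because the explicit `uid == -1` ghost-user branch is replaced by `GetPossibleUserByID`, whose body this diff does not show. A comment above the call would keep that reviewable, for example `// uid may be a reserved system ID (-1 ghost, -2 ActionsUser); GetPossibleUserByID is expected to resolve those as well as regular users.` Separately, the error is logged here with `log.Error` and then returned, and the `verifyAuth` middleware in api.go logs the same error again as "Failed to verify user", so each rejected token yields two Error-level entries; logging it in one place would be enough. Verify starts before this hunk and continues after it.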