authoryp05327 <576951401@qq.com>2023-04-10 16:21:03 +0900
committerGitHub <noreply@github.com>2023-04-10 15:21:03 +0800
commitbb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9 (patch)
treecff6b664a200a3e47c5a4612aecd1d8de586e594 /routers/api
parentfd9d072af1ea141c96bb1cf363caf96e685217e6 (diff)
downloadgitea-bb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9.tar.gz
gitea-bb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9.zip
Add actions support to package auth verification (#23729)
Partly fixes https://github.com/go-gitea/gitea/issues/23642 Error info: ![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png) ActionsUser (userID -2) is used to log in to Docker in action jobs. Because there are currently no permission policy settings for ActionsUser, with this quick fix ActionsUser can only access public registries.
Diffstat (limited to 'routers/api')
-rw-r--r--routers/api/packages/api.go52
-rw-r--r--routers/api/packages/container/auth.go7
2 files changed, 22 insertions, 37 deletions
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index c0c7b117f6..4cebabecf0 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -44,35 +44,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
}
}
-// CommonRoutes provide endpoints for most package managers (except containers - see below)
-// These are mounted on `/api/packages` (not `/api/v1/packages`)
-func CommonRoutes(ctx gocontext.Context) *web.Route {
- r := web.NewRoute()
-
- r.Use(context.PackageContexter(ctx))
-
- authMethods := []auth.Method{
- &auth.OAuth2{},
- &auth.Basic{},
- &nuget.Auth{},
- &conan.Auth{},
- &chef.Auth{},
- }
+func verifyAuth(r *web.Route, authMethods []auth.Method) {
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}
-
authGroup := auth.NewGroup(authMethods...)
+
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
- log.Error("Verify: %v", err)
+ log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})
+}
+
+// CommonRoutes provide endpoints for most package managers (except containers - see below)
+// These are mounted on `/api/packages` (not `/api/v1/packages`)
+func CommonRoutes(ctx gocontext.Context) *web.Route {
+ r := web.NewRoute()
+
+ r.Use(context.PackageContexter(ctx))
+
+ verifyAuth(r, []auth.Method{
+ &auth.OAuth2{},
+ &auth.Basic{},
+ &nuget.Auth{},
+ &conan.Auth{},
+ &chef.Auth{},
+ })
r.Group("/{username}", func() {
r.Group("/cargo", func() {
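Review bot: The new `verifyAuth` helper has no doc comment, and its name reads like a check although it only registers a middleware on `r`. The middleware treats a nil `Doer` with a nil error as an anonymous request (`ctx.IsSigned` is false and the chain continues), so authorization rests entirely on the per-route checks such as `reqPackageAccess`; that contract is worth stating where both route trees now share it. Suggested comment: `// verifyAuth installs a middleware on r that authenticates each request with authMethods (plus auth.ReverseProxy when enabled) and sets ctx.Doer/ctx.IsSigned; a nil Doer means anonymous, so routes must still enforce access themselves.` The body of `CommonRoutes` continues outside the hunk.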
@@ -437,24 +440,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
r.Use(context.PackageContexter(ctx))
- authMethods := []auth.Method{
+ verifyAuth(r, []auth.Method{
&auth.Basic{},
&container.Auth{},
- }
- if setting.Service.EnableReverseProxyAuth {
- authMethods = append(authMethods, &auth.ReverseProxy{})
- }
-
- authGroup := auth.NewGroup(authMethods...)
- r.Use(func(ctx *context.Context) {
- var err error
- ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
- if err != nil {
- log.Error("Failed to verify user: %v", err)
- ctx.Error(http.StatusUnauthorized, "Verify")
- return
- }
- ctx.IsSigned = ctx.Doer != nil
})
r.Get("", container.ReqContainerAccess, container.DetermineSupport)
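Review bot: Routing the container endpoints through `verifyAuth` changes the text passed to `ctx.Error` on a failed verification from `"Verify"` to `"authGroup.Verify"`, a side effect the commit message does not mention. If that string reaches the response body or is matched by log-based alerting for registry login failures, the change should be called out or the old text kept. The body of `ContainerRoutes` continues outside the hunk.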
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go
index 33f439ec3e..6fb32c389d 100644
--- a/routers/api/packages/container/auth.go
+++ b/routers/api/packages/container/auth.go
@@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
if uid == 0 {
return nil, nil
}
- if uid == -1 {
- return user_model.NewGhostUser(), nil
- }
- u, err := user_model.GetUserByID(req.Context(), uid)
+ u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil {
- log.Error("GetUserByID: %v", err)
+ log.Error("GetPossibleUserByID: %v", err)
return nil, err
}
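Review bot: With the explicit `uid == -1` branch removed, whatever ID the token carries is now resolved by `GetPossibleUserByID`, and the result becomes `ctx.Doer` with `ctx.IsSigned` true in the shared middleware. Nothing in this hunk limits what such a reserved identity may access. The commit message says ActionsUser can only reach public registries, so that restriction presumably lives in the access checks outside this diff and should be pinned down. I would add a comment above the lookup, `// uid may be a reserved negative ID (ghost, actions); these identities are limited to public packages by the access checks, not here`, and a regression test that a token for the actions user is refused on a private package. The body of `Verify` starts and ends outside the hunk.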