authorJohn Olheiser <john.olheiser@gmail.com>2023-04-26 19:24:03 -0500
committerGitHub <noreply@github.com>2023-04-26 19:24:03 -0500
commit5e360241053f6fcfb7f8b89373cba431adaf44ce (patch)
tree8253e76b296a437b3e288e5cc0b70070e9578946 /services
parent8f57aa014b5642bcd33a6b22492df3c63f03d808 (diff)
Require repo scope for PATs for private repos and basic authentication (#24362)
> The scoped token PR only checked the API routes, but in fact some web routes, such as `LFS`, git `HTTP`, container, and attachments, also support basic auth. This PR adds the scoped token check to them. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'services')
-rw-r--r--services/auth/basic.go1
-rw-r--r--services/lfs/locks.go20
-rw-r--r--services/lfs/server.go15
3 files changed, 36 insertions, 0 deletions
diff --git a/services/auth/basic.go b/services/auth/basic.go
index dc03780905..36480568ff 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@@ -102,6 +102,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
}
store.GetData()["IsApiToken"] = true
+ store.GetData()["ApiTokenScope"] = token.Scope
return u, nil
} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
log.Error("GetAccessTokenBySha: %v", err)
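Review bot: The new `store.GetData()["ApiTokenScope"] = token.Scope` line is only reached on the access-token branch, so any consumer of that key has to treat its absence as "this login is not a scoped token" rather than as "no scope was set"; nothing in the hunk records that contract. The string key is presumably read back in the context package (the new `context.CheckRepoScopedToken` calls elsewhere in this commit), so it is duplicated as a bare literal on both sides; a shared constant next to `IsApiToken` would keep the writer and reader in sync. A comment on the new line would also help: `// Consulted by context.CheckRepoScopedToken; every token-based login path must set this key, otherwise the scope check is skipped.` The enclosing Verify method starts and ends outside the hunk.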
diff --git a/services/lfs/locks.go b/services/lfs/locks.go
index d963d9ab57..1e5db6bd20 100644
--- a/services/lfs/locks.go
+++ b/services/lfs/locks.go
@@ -58,6 +58,11 @@ func GetListLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
+ context.CheckRepoScopedToken(ctx, repository)
+ if ctx.Written() {
+ return
+ }
+
authenticated := authenticate(ctx, repository, rv.Authorization, true, false)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
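Review bot: The scope check is inserted before the `authenticate(ctx, repository, rv.Authorization, true, false)` call in GetListLockHandler, whereas in getAuthenticatedRepository (services/lfs/server.go, last hunk) the same check is placed after the permission check; the two orderings should be deliberately the same, since whichever check runs first decides which error shape an LFS client sees for a request that fails both. The identical five-line block is pasted into PostLockHandler, VerifyLockHandler and UnLockHandler as well, so a future lock endpoint can silently miss it; a small helper such as `if !checkScopedToken(ctx, repository) { return }` wrapping the `CheckRepoScopedToken` + `ctx.Written()` pair, or folding the check into `authenticate`, would give one place to maintain. Whether `CheckRepoScopedToken` writes an LFS-style JSON error body that clients parse is not visible here and is worth confirming. Each of these handlers starts and ends outside its hunk.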
@@ -145,6 +150,11 @@ func PostLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
+ context.CheckRepoScopedToken(ctx, repository)
+ if ctx.Written() {
+ return
+ }
+
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -212,6 +222,11 @@ func VerifyLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
+ context.CheckRepoScopedToken(ctx, repository)
+ if ctx.Written() {
+ return
+ }
+
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
@@ -278,6 +293,11 @@ func UnLockHandler(ctx *context.Context) {
}
repository.MustOwner(ctx)
+ context.CheckRepoScopedToken(ctx, repository)
+ if ctx.Written() {
+ return
+ }
+
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
diff --git a/services/lfs/server.go b/services/lfs/server.go
index 44de9ba74f..4c69e47512 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) {
return
}
+ repository := getAuthenticatedRepository(ctx, rc, true)
+ if repository == nil {
+ return
+ }
+
// Support resume download using Range header
var fromByte, toByte int64
toByte = meta.Size - 1
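Review bot: `getAuthenticatedRepository(ctx, rc, true)` in DownloadHandler passes `true` for the third parameter, whose name is cut off at `requir` in the last hunk's header; if that is a require-write flag, a plain object download would now demand write permission and read-only tokens or deploy keys would be refused — please confirm and pass `false` on the download path. The `meta` value used just below (`meta.Size`) was obtained before this call, so if that lookup already ran the repository authentication (not visible here), this is a second authentication with a stricter mode rather than the scope-only check the commit intends. Here and in VerifyHandler the `repository` local is used only for the nil check, so `if getAuthenticatedRepository(ctx, rc, true) == nil { return }` states the intent without an unused-looking variable. Both handlers start and end outside their hunks.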
@@ -360,6 +365,11 @@ func VerifyHandler(ctx *context.Context) {
return
}
+ repository := getAuthenticatedRepository(ctx, rc, true)
+ if repository == nil {
+ return
+ }
+
contentStore := lfs_module.NewContentStore()
ok, err := contentStore.Verify(meta.Pointer)
@@ -423,6 +433,11 @@ func getAuthenticatedRepository(ctx *context.Context, rc *requestContext, requir
return nil
}
+ context.CheckRepoScopedToken(ctx, repository)
+ if ctx.Written() {
+ return nil
+ }
+
return repository
}
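Review bot: getAuthenticatedRepository can now write a response and return nil for a reason that is neither a missing repository nor a permission failure, and its doc comment (above the hunk) does not say so; callers that rely on the nil return already behave correctly, but anyone adding logging or metrics on the nil path will misattribute scope rejections. Suggest extending the comment with a line such as `// Returns nil after writing an error response when the repository is not found, the caller lacks the required permission, or the API token's scope does not cover the repository (see context.CheckRepoScopedToken).` The `ctx.Written()` guard is the right way to detect that the helper responded, but it is worth a `// CheckRepoScopedToken responds itself on failure` comment on the new lines since the helper's return type does not convey that. The function starts outside the hunk.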