Backport #27486 by @lunny Fix #27204 This PR allows `/<username>/<reponame>/attachments/<uuid>` access with personal access token and also changed attachments API download url to it so it can be download correctly. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>tags/v1.20.6
} | } | ||||
var ( | var ( | ||||
gitRawReleasePathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/))`) | |||||
lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`) | |||||
gitRawOrAttachPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`) | |||||
lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`) | |||||
) | ) | ||||
func isGitRawReleaseOrLFSPath(req *http.Request) bool { | |||||
if gitRawReleasePathRe.MatchString(req.URL.Path) { | |||||
func isGitRawOrAttachPath(req *http.Request) bool { | |||||
return gitRawOrAttachPathRe.MatchString(req.URL.Path) | |||||
} | |||||
func isGitRawOrAttachOrLFSPath(req *http.Request) bool { | |||||
if isGitRawOrAttachPath(req) { | |||||
return true | return true | ||||
} | } | ||||
if setting.LFS.StartServer { | if setting.LFS.StartServer { |
"/owner/repo/releases/download/tag/repo.tar.gz", | "/owner/repo/releases/download/tag/repo.tar.gz", | ||||
true, | true, | ||||
}, | }, | ||||
{ | |||||
"/owner/repo/attachments/6d92a9ee-5d8b-4993-97c9-6181bdaa8955", | |||||
true, | |||||
}, | |||||
} | } | ||||
lfsTests := []string{ | lfsTests := []string{ | ||||
"/owner/repo/info/lfs/", | "/owner/repo/info/lfs/", | ||||
t.Run(tt.path, func(t *testing.T) { | t.Run(tt.path, func(t *testing.T) { | ||||
req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil) | req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil) | ||||
setting.LFS.StartServer = false | setting.LFS.StartServer = false | ||||
if got := isGitRawReleaseOrLFSPath(req); got != tt.want { | |||||
if got := isGitRawOrAttachOrLFSPath(req); got != tt.want { | |||||
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) | t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) | ||||
} | } | ||||
setting.LFS.StartServer = true | setting.LFS.StartServer = true | ||||
if got := isGitRawReleaseOrLFSPath(req); got != tt.want { | |||||
if got := isGitRawOrAttachOrLFSPath(req); got != tt.want { | |||||
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) | t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) | ||||
} | } | ||||
}) | }) | ||||
t.Run(tt, func(t *testing.T) { | t.Run(tt, func(t *testing.T) { | ||||
req, _ := http.NewRequest("POST", tt, nil) | req, _ := http.NewRequest("POST", tt, nil) | ||||
setting.LFS.StartServer = false | setting.LFS.StartServer = false | ||||
if got := isGitRawReleaseOrLFSPath(req); got != setting.LFS.StartServer { | |||||
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawReleasePathRe.MatchString(tt)) | |||||
if got := isGitRawOrAttachOrLFSPath(req); got != setting.LFS.StartServer { | |||||
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawOrAttachPathRe.MatchString(tt)) | |||||
} | } | ||||
setting.LFS.StartServer = true | setting.LFS.StartServer = true | ||||
if got := isGitRawReleaseOrLFSPath(req); got != setting.LFS.StartServer { | |||||
if got := isGitRawOrAttachOrLFSPath(req); got != setting.LFS.StartServer { | |||||
t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer) | t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer) | ||||
} | } | ||||
}) | }) |
// Returns nil if header is empty or validation fails. | // Returns nil if header is empty or validation fails. | ||||
func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) { | func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) { | ||||
// Basic authentication should only fire on API, Download or on Git or LFSPaths | // Basic authentication should only fire on API, Download or on Git or LFSPaths | ||||
if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) { | |||||
if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) { | |||||
return nil, nil | return nil, nil | ||||
} | } | ||||
func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) { | func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) { | ||||
// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs | // These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs | ||||
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) && | if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) && | ||||
!gitRawReleasePathRe.MatchString(req.URL.Path) { | |||||
!isGitRawOrAttachPath(req) { | |||||
return nil, nil | return nil, nil | ||||
} | } | ||||
} | } | ||||
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session | // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session | ||||
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) { | |||||
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) { | |||||
if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) { | if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) { | ||||
handleSignIn(w, req, sess, user) | handleSignIn(w, req, sess, user) | ||||
} | } |
package convert | package convert | ||||
import ( | import ( | ||||
"strconv" | |||||
repo_model "code.gitea.io/gitea/models/repo" | repo_model "code.gitea.io/gitea/models/repo" | ||||
"code.gitea.io/gitea/modules/setting" | |||||
api "code.gitea.io/gitea/modules/structs" | api "code.gitea.io/gitea/modules/structs" | ||||
) | ) | ||||
} | } | ||||
func APIAssetDownloadURL(repo *repo_model.Repository, attach *repo_model.Attachment) string { | func APIAssetDownloadURL(repo *repo_model.Repository, attach *repo_model.Attachment) string { | ||||
if attach.CustomDownloadURL != "" { | |||||
return attach.CustomDownloadURL | |||||
} | |||||
// /repos/{owner}/{repo}/releases/{id}/assets/{attachment_id} | |||||
return setting.AppURL + "api/repos/" + repo.FullName() + "/releases/" + strconv.FormatInt(attach.ReleaseID, 10) + "/assets/" + strconv.FormatInt(attach.ID, 10) | |||||
return attach.DownloadURL() | |||||
} | } | ||||
// ToAttachment converts models.Attachment to api.Attachment for API usage | // ToAttachment converts models.Attachment to api.Attachment for API usage |