mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16727 Commits
17 Branches
Tree: 2360c7ec6c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2360c7ec6c'
${ noResults }
gitea/tests/integration/api_token_test.go

api_token_test.go 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"fmt"

  8. 	"net/http"

  9. 	"testing"

  10. 

  11. 	auth_model "code.gitea.io/gitea/models/auth"

  12. 	"code.gitea.io/gitea/models/unittest"

  13. 	user_model "code.gitea.io/gitea/models/user"

  14. 	"code.gitea.io/gitea/modules/log"

  15. 	api "code.gitea.io/gitea/modules/structs"

  16. 	"code.gitea.io/gitea/tests"

  17. 

  18. 	"github.com/stretchr/testify/assert"

  19. )

  20. 

  21. // TestAPICreateAndDeleteToken tests that token that was just created can be deleted

  22. func TestAPICreateAndDeleteToken(t *testing.T) {

  23. 	defer tests.PrepareTestEnv(t)()

  24. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})

  25. 

  26. 	newAccessToken := createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user, nil)

  27. 	deleteAPIAccessToken(t, newAccessToken, user)

  28. 

  29. 	newAccessToken = createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user, nil)

  30. 	deleteAPIAccessToken(t, newAccessToken, user)

  31. }

  32. 

  33. // TestAPIDeleteMissingToken ensures that error is thrown when token not found

  34. func TestAPIDeleteMissingToken(t *testing.T) {

  35. 	defer tests.PrepareTestEnv(t)()

  36. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})

  37. 

  38. 	req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", unittest.NonexistentID)

  39. 	req = AddBasicAuthHeader(req, user.Name)

  40. 	MakeRequest(t, req, http.StatusNotFound)

  41. }

  42. 

  43. // TestAPIGetTokensPermission ensures that only the admin can get tokens from other users

  44. func TestAPIGetTokensPermission(t *testing.T) {

  45. 	defer tests.PrepareTestEnv(t)()

  46. 

  47. 	// admin can get tokens for other users

  48. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})

  49. 	req := NewRequestf(t, "GET", "/api/v1/users/user2/tokens")

  50. 	req = AddBasicAuthHeader(req, user.Name)

  51. 	MakeRequest(t, req, http.StatusOK)

  52. 

  53. 	// non-admin can get tokens for himself

  54. 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

  55. 	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")

  56. 	req = AddBasicAuthHeader(req, user.Name)

  57. 	MakeRequest(t, req, http.StatusOK)

  58. 

  59. 	// non-admin can't get tokens for other users

  60. 	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})

  61. 	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")

  62. 	req = AddBasicAuthHeader(req, user.Name)

  63. 	MakeRequest(t, req, http.StatusForbidden)

  64. }

  65. 

  66. // TestAPIDeleteTokensPermission ensures that only the admin can delete tokens from other users

  67. func TestAPIDeleteTokensPermission(t *testing.T) {

  68. 	defer tests.PrepareTestEnv(t)()

  69. 

  70. 	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})

  71. 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

  72. 	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})

  73. 

  74. 	// admin can delete tokens for other users

  75. 	createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, nil)

  76. 	req := NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-1")

  77. 	req = AddBasicAuthHeader(req, admin.Name)

  78. 	MakeRequest(t, req, http.StatusNoContent)

  79. 

  80. 	// non-admin can delete tokens for himself

  81. 	createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, nil)

  82. 	req = NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-2")

  83. 	req = AddBasicAuthHeader(req, user2.Name)

  84. 	MakeRequest(t, req, http.StatusNoContent)

  85. 

  86. 	// non-admin can't delete tokens for other users

  87. 	createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, nil)

  88. 	req = NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-3")

  89. 	req = AddBasicAuthHeader(req, user4.Name)

  90. 	MakeRequest(t, req, http.StatusForbidden)

  91. }

  92. 

  93. type permission struct {

  94. 	category auth_model.AccessTokenScopeCategory

  95. 	level    auth_model.AccessTokenScopeLevel

  96. }

  97. 

  98. type requiredScopeTestCase struct {

  99. 	url                 string

  100. 	method              string

  101. 	requiredPermissions []permission

  102. }

  103. 

  104. func (c *requiredScopeTestCase) Name() string {

  105. 	return fmt.Sprintf("%v %v", c.method, c.url)

  106. }

  107. 

  108. // TestAPIDeniesPermissionBasedOnTokenScope tests that API routes forbid access

  109. // when the correct token scope is not included.

  110. func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {

  111. 	defer tests.PrepareTestEnv(t)()

  112. 

  113. 	// We'll assert that each endpoint, when fetched with a token with all

  114. 	// scopes *except* the ones specified, a forbidden status code is returned.

  115. 	//

  116. 	// This is to protect against endpoints having their access check copied

  117. 	// from other endpoints and not updated.

  118. 	//

  119. 	// Test cases are in alphabetical order by URL.

  120. 	//

  121. 	// Note: query parameters are not currently supported since the token is

  122. 	// appended with `?=token=<token>`.

  123. 	testCases := []requiredScopeTestCase{

  124. 		{

  125. 			"/api/v1/admin/emails",

  126. 			"GET",

  127. 			[]permission{

  128. 				{

  129. 					auth_model.AccessTokenScopeCategoryAdmin,

  130. 					auth_model.Read,

  131. 				},

  132. 			},

  133. 		},

  134. 		{

  135. 			"/api/v1/admin/users",

  136. 			"GET",

  137. 			[]permission{

  138. 				{

  139. 					auth_model.AccessTokenScopeCategoryAdmin,

  140. 					auth_model.Read,

  141. 				},

  142. 			},

  143. 		},

  144. 		{

  145. 			"/api/v1/admin/users",

  146. 			"POST",

  147. 			[]permission{

  148. 				{

  149. 					auth_model.AccessTokenScopeCategoryAdmin,

  150. 					auth_model.Write,

  151. 				},

  152. 			},

  153. 		},

  154. 		{

  155. 			"/api/v1/admin/users/user2",

  156. 			"PATCH",

  157. 			[]permission{

  158. 				{

  159. 					auth_model.AccessTokenScopeCategoryAdmin,

  160. 					auth_model.Write,

  161. 				},

  162. 			},

  163. 		},

  164. 		{

  165. 			"/api/v1/admin/users/user2/orgs",

  166. 			"GET",

  167. 			[]permission{

  168. 				{

  169. 					auth_model.AccessTokenScopeCategoryAdmin,

  170. 					auth_model.Read,

  171. 				},

  172. 			},

  173. 		},

  174. 		{

  175. 			"/api/v1/admin/users/user2/orgs",

  176. 			"POST",

  177. 			[]permission{

  178. 				{

  179. 					auth_model.AccessTokenScopeCategoryAdmin,

  180. 					auth_model.Write,

  181. 				},

  182. 			},

  183. 		},

  184. 		{

  185. 			"/api/v1/admin/orgs",

  186. 			"GET",

  187. 			[]permission{

  188. 				{

  189. 					auth_model.AccessTokenScopeCategoryAdmin,

  190. 					auth_model.Read,

  191. 				},

  192. 			},

  193. 		},

  194. 		{

  195. 			"/api/v1/notifications",

  196. 			"GET",

  197. 			[]permission{

  198. 				{

  199. 					auth_model.AccessTokenScopeCategoryNotification,

  200. 					auth_model.Read,

  201. 				},

  202. 			},

  203. 		},

  204. 		{

  205. 			"/api/v1/notifications",

  206. 			"PUT",

  207. 			[]permission{

  208. 				{

  209. 					auth_model.AccessTokenScopeCategoryNotification,

  210. 					auth_model.Write,

  211. 				},

  212. 			},

  213. 		},

  214. 		{

  215. 			"/api/v1/org/org1/repos",

  216. 			"POST",

  217. 			[]permission{

  218. 				{

  219. 					auth_model.AccessTokenScopeCategoryOrganization,

  220. 					auth_model.Write,

  221. 				},

  222. 				{

  223. 					auth_model.AccessTokenScopeCategoryRepository,

  224. 					auth_model.Write,

  225. 				},

  226. 			},

  227. 		},

  228. 		{

  229. 			"/api/v1/packages/user1/type/name/1",

  230. 			"GET",

  231. 			[]permission{

  232. 				{

  233. 					auth_model.AccessTokenScopeCategoryPackage,

  234. 					auth_model.Read,

  235. 				},

  236. 			},

  237. 		},

  238. 		{

  239. 			"/api/v1/packages/user1/type/name/1",

  240. 			"DELETE",

  241. 			[]permission{

  242. 				{

  243. 					auth_model.AccessTokenScopeCategoryPackage,

  244. 					auth_model.Write,

  245. 				},

  246. 			},

  247. 		},

  248. 		{

  249. 			"/api/v1/repos/user1/repo1",

  250. 			"GET",

  251. 			[]permission{

  252. 				{

  253. 					auth_model.AccessTokenScopeCategoryRepository,

  254. 					auth_model.Read,

  255. 				},

  256. 			},

  257. 		},

  258. 		{

  259. 			"/api/v1/repos/user1/repo1",

  260. 			"PATCH",

  261. 			[]permission{

  262. 				{

  263. 					auth_model.AccessTokenScopeCategoryRepository,

  264. 					auth_model.Write,

  265. 				},

  266. 			},

  267. 		},

  268. 		{

  269. 			"/api/v1/repos/user1/repo1",

  270. 			"DELETE",

  271. 			[]permission{

  272. 				{

  273. 					auth_model.AccessTokenScopeCategoryRepository,

  274. 					auth_model.Write,

  275. 				},

  276. 			},

  277. 		},

  278. 		{

  279. 			"/api/v1/repos/user1/repo1/branches",

  280. 			"GET",

  281. 			[]permission{

  282. 				{

  283. 					auth_model.AccessTokenScopeCategoryRepository,

  284. 					auth_model.Read,

  285. 				},

  286. 			},

  287. 		},

  288. 		{

  289. 			"/api/v1/repos/user1/repo1/archive/foo",

  290. 			"GET",

  291. 			[]permission{

  292. 				{

  293. 					auth_model.AccessTokenScopeCategoryRepository,

  294. 					auth_model.Read,

  295. 				},

  296. 			},

  297. 		},

  298. 		{

  299. 			"/api/v1/repos/user1/repo1/issues",

  300. 			"GET",

  301. 			[]permission{

  302. 				{

  303. 					auth_model.AccessTokenScopeCategoryIssue,

  304. 					auth_model.Read,

  305. 				},

  306. 			},

  307. 		},

  308. 		{

  309. 			"/api/v1/repos/user1/repo1/media/foo",

  310. 			"GET",

  311. 			[]permission{

  312. 				{

  313. 					auth_model.AccessTokenScopeCategoryRepository,

  314. 					auth_model.Read,

  315. 				},

  316. 			},

  317. 		},

  318. 		{

  319. 			"/api/v1/repos/user1/repo1/raw/foo",

  320. 			"GET",

  321. 			[]permission{

  322. 				{

  323. 					auth_model.AccessTokenScopeCategoryRepository,

  324. 					auth_model.Read,

  325. 				},

  326. 			},

  327. 		},

  328. 		{

  329. 			"/api/v1/repos/user1/repo1/teams",

  330. 			"GET",

  331. 			[]permission{

  332. 				{

  333. 					auth_model.AccessTokenScopeCategoryRepository,

  334. 					auth_model.Read,

  335. 				},

  336. 			},

  337. 		},

  338. 		{

  339. 			"/api/v1/repos/user1/repo1/teams/team1",

  340. 			"PUT",

  341. 			[]permission{

  342. 				{

  343. 					auth_model.AccessTokenScopeCategoryRepository,

  344. 					auth_model.Write,

  345. 				},

  346. 			},

  347. 		},

  348. 		{

  349. 			"/api/v1/repos/user1/repo1/transfer",

  350. 			"POST",

  351. 			[]permission{

  352. 				{

  353. 					auth_model.AccessTokenScopeCategoryRepository,

  354. 					auth_model.Write,

  355. 				},

  356. 			},

  357. 		},

  358. 		// Private repo

  359. 		{

  360. 			"/api/v1/repos/user2/repo2",

  361. 			"GET",

  362. 			[]permission{

  363. 				{

  364. 					auth_model.AccessTokenScopeCategoryRepository,

  365. 					auth_model.Read,

  366. 				},

  367. 			},

  368. 		},

  369. 		// Private repo

  370. 		{

  371. 			"/api/v1/repos/user2/repo2",

  372. 			"GET",

  373. 			[]permission{

  374. 				{

  375. 					auth_model.AccessTokenScopeCategoryRepository,

  376. 					auth_model.Read,

  377. 				},

  378. 			},

  379. 		},

  380. 		{

  381. 			"/api/v1/user",

  382. 			"GET",

  383. 			[]permission{

  384. 				{

  385. 					auth_model.AccessTokenScopeCategoryUser,

  386. 					auth_model.Read,

  387. 				},

  388. 			},

  389. 		},

  390. 		{

  391. 			"/api/v1/user/emails",

  392. 			"GET",

  393. 			[]permission{

  394. 				{

  395. 					auth_model.AccessTokenScopeCategoryUser,

  396. 					auth_model.Read,

  397. 				},

  398. 			},

  399. 		},

  400. 		{

  401. 			"/api/v1/user/emails",

  402. 			"POST",

  403. 			[]permission{

  404. 				{

  405. 					auth_model.AccessTokenScopeCategoryUser,

  406. 					auth_model.Write,

  407. 				},

  408. 			},

  409. 		},

  410. 		{

  411. 			"/api/v1/user/emails",

  412. 			"DELETE",

  413. 			[]permission{

  414. 				{

  415. 					auth_model.AccessTokenScopeCategoryUser,

  416. 					auth_model.Write,

  417. 				},

  418. 			},

  419. 		},

  420. 		{

  421. 			"/api/v1/user/applications/oauth2",

  422. 			"GET",

  423. 			[]permission{

  424. 				{

  425. 					auth_model.AccessTokenScopeCategoryUser,

  426. 					auth_model.Read,

  427. 				},

  428. 			},

  429. 		},

  430. 		{

  431. 			"/api/v1/user/applications/oauth2",

  432. 			"POST",

  433. 			[]permission{

  434. 				{

  435. 					auth_model.AccessTokenScopeCategoryUser,

  436. 					auth_model.Write,

  437. 				},

  438. 			},

  439. 		},

  440. 		{

  441. 			"/api/v1/users/search",

  442. 			"GET",

  443. 			[]permission{

  444. 				{

  445. 					auth_model.AccessTokenScopeCategoryUser,

  446. 					auth_model.Read,

  447. 				},

  448. 			},

  449. 		},

  450. 		// Private user

  451. 		{

  452. 			"/api/v1/users/user31",

  453. 			"GET",

  454. 			[]permission{

  455. 				{

  456. 					auth_model.AccessTokenScopeCategoryUser,

  457. 					auth_model.Read,

  458. 				},

  459. 			},

  460. 		},

  461. 		// Private user

  462. 		{

  463. 			"/api/v1/users/user31/gpg_keys",

  464. 			"GET",

  465. 			[]permission{

  466. 				{

  467. 					auth_model.AccessTokenScopeCategoryUser,

  468. 					auth_model.Read,

  469. 				},

  470. 			},

  471. 		},

  472. 	}

  473. 

  474. 	// User needs to be admin so that we can verify that tokens without admin

  475. 	// scopes correctly deny access.

  476. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})

  477. 	assert.True(t, user.IsAdmin, "User needs to be admin")

  478. 

  479. 	for _, testCase := range testCases {

  480. 		runTestCase(t, &testCase, user)

  481. 	}

  482. }

  483. 

  484. // runTestCase Helper function to run a single test case.

  485. func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model.User) {

  486. 	t.Run(testCase.Name(), func(t *testing.T) {

  487. 		defer tests.PrintCurrentTest(t)()

  488. 

  489. 		// Create a token with all scopes NOT required by the endpoint.

  490. 		var unauthorizedScopes []auth_model.AccessTokenScope

  491. 		for _, category := range auth_model.AllAccessTokenScopeCategories {

  492. 			// For permissions, Write > Read > NoAccess.  So we need to

  493. 			// find the minimum required, and only grant permission up to but

  494. 			// not including the minimum required.

  495. 			minRequiredLevel := auth_model.Write

  496. 			categoryIsRequired := false

  497. 			for _, requiredPermission := range testCase.requiredPermissions {

  498. 				if requiredPermission.category != category {

  499. 					continue

  500. 				}

  501. 				categoryIsRequired = true

  502. 				if requiredPermission.level < minRequiredLevel {

  503. 					minRequiredLevel = requiredPermission.level

  504. 				}

  505. 			}

  506. 			unauthorizedLevel := auth_model.Write

  507. 			if categoryIsRequired {

  508. 				if minRequiredLevel == auth_model.Read {

  509. 					unauthorizedLevel = auth_model.NoAccess

  510. 				} else if minRequiredLevel == auth_model.Write {

  511. 					unauthorizedLevel = auth_model.Read

  512. 				} else {

  513. 					assert.Failf(t, "Invalid test case", "Unknown access token scope level: %v", minRequiredLevel)

  514. 					return

  515. 				}

  516. 			}

  517. 

  518. 			if unauthorizedLevel == auth_model.NoAccess {

  519. 				continue

  520. 			}

  521. 			cateogoryUnauthorizedScopes := auth_model.GetRequiredScopes(

  522. 				unauthorizedLevel,

  523. 				category)

  524. 			unauthorizedScopes = append(unauthorizedScopes, cateogoryUnauthorizedScopes...)

  525. 		}

  526. 

  527. 		accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, &unauthorizedScopes)

  528. 		defer deleteAPIAccessToken(t, accessToken, user)

  529. 

  530. 		// Add API access token to the URL.

  531. 		url := fmt.Sprintf("%s?token=%s", testCase.url, accessToken.Token)

  532. 

  533. 		// Request the endpoint.  Verify that permission is denied.

  534. 		req := NewRequestf(t, testCase.method, url)

  535. 		MakeRequest(t, req, http.StatusForbidden)

  536. 	})

  537. }

  538. 

  539. // createAPIAccessTokenWithoutCleanUp Create an API access token and assert that

  540. // creation succeeded.  The caller is responsible for deleting the token.

  541. func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes *[]auth_model.AccessTokenScope) api.AccessToken {

  542. 	payload := map[string]any{

  543. 		"name": tokenName,

  544. 	}

  545. 	if scopes != nil {

  546. 		for _, scope := range *scopes {

  547. 			scopes, scopesExists := payload["scopes"].([]string)

  548. 			if !scopesExists {

  549. 				scopes = make([]string, 0)

  550. 			}

  551. 			scopes = append(scopes, string(scope))

  552. 			payload["scopes"] = scopes

  553. 		}

  554. 	}

  555. 	log.Debug("Requesting creation of token with scopes: %v", scopes)

  556. 	req := NewRequestWithJSON(t, "POST", "/api/v1/users/"+user.LoginName+"/tokens", payload)

  557. 

  558. 	req = AddBasicAuthHeader(req, user.Name)

  559. 	resp := MakeRequest(t, req, http.StatusCreated)

  560. 

  561. 	var newAccessToken api.AccessToken

  562. 	DecodeJSON(t, resp, &newAccessToken)

  563. 	unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{

  564. 		ID:    newAccessToken.ID,

  565. 		Name:  newAccessToken.Name,

  566. 		Token: newAccessToken.Token,

  567. 		UID:   user.ID,

  568. 	})

  569. 

  570. 	return newAccessToken

  571. }

  572. 

  573. // createAPIAccessTokenWithoutCleanUp Delete an API access token and assert that

  574. // deletion succeeded.

  575. func deleteAPIAccessToken(t *testing.T, accessToken api.AccessToken, user *user_model.User) {

  576. 	req := NewRequestf(t, "DELETE", "/api/v1/users/"+user.LoginName+"/tokens/%d", accessToken.ID)

  577. 	req = AddBasicAuthHeader(req, user.Name)

  578. 	MakeRequest(t, req, http.StatusNoContent)

  579. 

  580. 	unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: accessToken.ID})

  581. }