mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14191 Commits
17 Branches
Tree: e81ccc406b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e81ccc406b'
${ noResults }
gitea/models/auth/token.go

token.go 6.4KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. package auth

  6. 

  7. import (

  8. 	"crypto/subtle"

  9. 	"fmt"

  10. 	"time"

  11. 

  12. 	"code.gitea.io/gitea/models/db"

  13. 	"code.gitea.io/gitea/modules/base"

  14. 	"code.gitea.io/gitea/modules/setting"

  15. 	"code.gitea.io/gitea/modules/timeutil"

  16. 	"code.gitea.io/gitea/modules/util"

  17. 

  18. 	gouuid "github.com/google/uuid"

  19. 	lru "github.com/hashicorp/golang-lru"

  20. )

  21. 

  22. // ErrAccessTokenNotExist represents a "AccessTokenNotExist" kind of error.

  23. type ErrAccessTokenNotExist struct {

  24. 	Token string

  25. }

  26. 

  27. // IsErrAccessTokenNotExist checks if an error is a ErrAccessTokenNotExist.

  28. func IsErrAccessTokenNotExist(err error) bool {

  29. 	_, ok := err.(ErrAccessTokenNotExist)

  30. 	return ok

  31. }

  32. 

  33. func (err ErrAccessTokenNotExist) Error() string {

  34. 	return fmt.Sprintf("access token does not exist [sha: %s]", err.Token)

  35. }

  36. 

  37. func (err ErrAccessTokenNotExist) Unwrap() error {

  38. 	return util.ErrNotExist

  39. }

  40. 

  41. // ErrAccessTokenEmpty represents a "AccessTokenEmpty" kind of error.

  42. type ErrAccessTokenEmpty struct{}

  43. 

  44. // IsErrAccessTokenEmpty checks if an error is a ErrAccessTokenEmpty.

  45. func IsErrAccessTokenEmpty(err error) bool {

  46. 	_, ok := err.(ErrAccessTokenEmpty)

  47. 	return ok

  48. }

  49. 

  50. func (err ErrAccessTokenEmpty) Error() string {

  51. 	return "access token is empty"

  52. }

  53. 

  54. func (err ErrAccessTokenEmpty) Unwrap() error {

  55. 	return util.ErrInvalidArgument

  56. }

  57. 

  58. var successfulAccessTokenCache *lru.Cache

  59. 

  60. // AccessToken represents a personal access token.

  61. type AccessToken struct {

  62. 	ID             int64 `xorm:"pk autoincr"`

  63. 	UID            int64 `xorm:"INDEX"`

  64. 	Name           string

  65. 	Token          string `xorm:"-"`

  66. 	TokenHash      string `xorm:"UNIQUE"` // sha256 of token

  67. 	TokenSalt      string

  68. 	TokenLastEight string `xorm:"INDEX token_last_eight"`

  69. 

  70. 	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX created"`

  71. 	UpdatedUnix       timeutil.TimeStamp `xorm:"INDEX updated"`

  72. 	HasRecentActivity bool               `xorm:"-"`

  73. 	HasUsed           bool               `xorm:"-"`

  74. }

  75. 

  76. // AfterLoad is invoked from XORM after setting the values of all fields of this object.

  77. func (t *AccessToken) AfterLoad() {

  78. 	t.HasUsed = t.UpdatedUnix > t.CreatedUnix

  79. 	t.HasRecentActivity = t.UpdatedUnix.AddDuration(7*24*time.Hour) > timeutil.TimeStampNow()

  80. }

  81. 

  82. func init() {

  83. 	db.RegisterModel(new(AccessToken), func() error {

  84. 		if setting.SuccessfulTokensCacheSize > 0 {

  85. 			var err error

  86. 			successfulAccessTokenCache, err = lru.New(setting.SuccessfulTokensCacheSize)

  87. 			if err != nil {

  88. 				return fmt.Errorf("unable to allocate AccessToken cache: %w", err)

  89. 			}

  90. 		} else {

  91. 			successfulAccessTokenCache = nil

  92. 		}

  93. 		return nil

  94. 	})

  95. }

  96. 

  97. // NewAccessToken creates new access token.

  98. func NewAccessToken(t *AccessToken) error {

  99. 	salt, err := util.CryptoRandomString(10)

  100. 	if err != nil {

  101. 		return err

  102. 	}

  103. 	t.TokenSalt = salt

  104. 	t.Token = base.EncodeSha1(gouuid.New().String())

  105. 	t.TokenHash = HashToken(t.Token, t.TokenSalt)

  106. 	t.TokenLastEight = t.Token[len(t.Token)-8:]

  107. 	_, err = db.GetEngine(db.DefaultContext).Insert(t)

  108. 	return err

  109. }

  110. 

  111. func getAccessTokenIDFromCache(token string) int64 {

  112. 	if successfulAccessTokenCache == nil {

  113. 		return 0

  114. 	}

  115. 	tInterface, ok := successfulAccessTokenCache.Get(token)

  116. 	if !ok {

  117. 		return 0

  118. 	}

  119. 	t, ok := tInterface.(int64)

  120. 	if !ok {

  121. 		return 0

  122. 	}

  123. 	return t

  124. }

  125. 

  126. // GetAccessTokenBySHA returns access token by given token value

  127. func GetAccessTokenBySHA(token string) (*AccessToken, error) {

  128. 	if token == "" {

  129. 		return nil, ErrAccessTokenEmpty{}

  130. 	}

  131. 	// A token is defined as being SHA1 sum these are 40 hexadecimal bytes long

  132. 	if len(token) != 40 {

  133. 		return nil, ErrAccessTokenNotExist{token}

  134. 	}

  135. 	for _, x := range []byte(token) {

  136. 		if x < '0' || (x > '9' && x < 'a') || x > 'f' {

  137. 			return nil, ErrAccessTokenNotExist{token}

  138. 		}

  139. 	}

  140. 

  141. 	lastEight := token[len(token)-8:]

  142. 

  143. 	if id := getAccessTokenIDFromCache(token); id > 0 {

  144. 		token := &AccessToken{

  145. 			TokenLastEight: lastEight,

  146. 		}

  147. 		// Re-get the token from the db in case it has been deleted in the intervening period

  148. 		has, err := db.GetEngine(db.DefaultContext).ID(id).Get(token)

  149. 		if err != nil {

  150. 			return nil, err

  151. 		}

  152. 		if has {

  153. 			return token, nil

  154. 		}

  155. 		successfulAccessTokenCache.Remove(token)

  156. 	}

  157. 

  158. 	var tokens []AccessToken

  159. 	err := db.GetEngine(db.DefaultContext).Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens)

  160. 	if err != nil {

  161. 		return nil, err

  162. 	} else if len(tokens) == 0 {

  163. 		return nil, ErrAccessTokenNotExist{token}

  164. 	}

  165. 

  166. 	for _, t := range tokens {

  167. 		tempHash := HashToken(token, t.TokenSalt)

  168. 		if subtle.ConstantTimeCompare([]byte(t.TokenHash), []byte(tempHash)) == 1 {

  169. 			if successfulAccessTokenCache != nil {

  170. 				successfulAccessTokenCache.Add(token, t.ID)

  171. 			}

  172. 			return &t, nil

  173. 		}

  174. 	}

  175. 	return nil, ErrAccessTokenNotExist{token}

  176. }

  177. 

  178. // AccessTokenByNameExists checks if a token name has been used already by a user.

  179. func AccessTokenByNameExists(token *AccessToken) (bool, error) {

  180. 	return db.GetEngine(db.DefaultContext).Table("access_token").Where("name = ?", token.Name).And("uid = ?", token.UID).Exist()

  181. }

  182. 

  183. // ListAccessTokensOptions contain filter options

  184. type ListAccessTokensOptions struct {

  185. 	db.ListOptions

  186. 	Name   string

  187. 	UserID int64

  188. }

  189. 

  190. // ListAccessTokens returns a list of access tokens belongs to given user.

  191. func ListAccessTokens(opts ListAccessTokensOptions) ([]*AccessToken, error) {

  192. 	sess := db.GetEngine(db.DefaultContext).Where("uid=?", opts.UserID)

  193. 

  194. 	if len(opts.Name) != 0 {

  195. 		sess = sess.Where("name=?", opts.Name)

  196. 	}

  197. 

  198. 	sess = sess.Desc("created_unix")

  199. 

  200. 	if opts.Page != 0 {

  201. 		sess = db.SetSessionPagination(sess, &opts)

  202. 

  203. 		tokens := make([]*AccessToken, 0, opts.PageSize)

  204. 		return tokens, sess.Find(&tokens)

  205. 	}

  206. 

  207. 	tokens := make([]*AccessToken, 0, 5)

  208. 	return tokens, sess.Find(&tokens)

  209. }

  210. 

  211. // UpdateAccessToken updates information of access token.

  212. func UpdateAccessToken(t *AccessToken) error {

  213. 	_, err := db.GetEngine(db.DefaultContext).ID(t.ID).AllCols().Update(t)

  214. 	return err

  215. }

  216. 

  217. // CountAccessTokens count access tokens belongs to given user by options

  218. func CountAccessTokens(opts ListAccessTokensOptions) (int64, error) {

  219. 	sess := db.GetEngine(db.DefaultContext).Where("uid=?", opts.UserID)

  220. 	if len(opts.Name) != 0 {

  221. 		sess = sess.Where("name=?", opts.Name)

  222. 	}

  223. 	return sess.Count(&AccessToken{})

  224. }

  225. 

  226. // DeleteAccessTokenByID deletes access token by given ID.

  227. func DeleteAccessTokenByID(id, userID int64) error {

  228. 	cnt, err := db.GetEngine(db.DefaultContext).ID(id).Delete(&AccessToken{

  229. 		UID: userID,

  230. 	})

  231. 	if err != nil {

  232. 		return err

  233. 	} else if cnt != 1 {

  234. 		return ErrAccessTokenNotExist{}

  235. 	}

  236. 	return nil

  237. }