Prevent anonymous container access if RequireSignInView is enabled (#28877) (#28882)

GiteaBot · KN4CK3R · web-flow · commit b7c944b9e4e9 · 2024-01-22T01:44:38.000+08:00
Backport #28877 by @KN4CK3R Fixes #28875 If `RequireSignInView` is enabled, the ghost user has no access rights. Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
diff --git a/modules/context/package.go b/modules/context/package.go
@@ -93,7 +93,7 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, string, any))
 }
 
 func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.AccessMode, error) {
-	if setting.Service.RequireSignInView && doer == nil {
+	if setting.Service.RequireSignInView && (doer == nil || doer.IsGhost()) {
 		return perm.AccessModeNone, nil
 	}
 
diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
@@ -114,11 +114,15 @@ func apiErrorDefined(ctx *context.Context, err *namedError) {
 	})
 }
 
-// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost for anonymous access)
+func apiUnauthorizedError(ctx *context.Context) {
+	ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
+	apiErrorDefined(ctx, errUnauthorized)
+}
+
+// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
 func ReqContainerAccess(ctx *context.Context) {
-	if ctx.Doer == nil {
-		ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
-		apiErrorDefined(ctx, errUnauthorized)
+	if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {
+		apiUnauthorizedError(ctx)
 	}
 }
 
@@ -138,10 +142,15 @@ func DetermineSupport(ctx *context.Context) {
 }
 
 // Authenticate creates a token for the current user
-// If the current user is anonymous, the ghost user is used
+// If the current user is anonymous, the ghost user is used unless RequireSignInView is enabled.
 func Authenticate(ctx *context.Context) {
 	u := ctx.Doer
 	if u == nil {
+		if setting.Service.RequireSignInView {
+			apiUnauthorizedError(ctx)
+			return
+		}
+
 		u = user_model.NewGhostUser()
 	}
 
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
@@ -21,6 +21,7 @@ import (
 	container_module "code.gitea.io/gitea/modules/packages/container"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/minio/sha256-simd"
@@ -106,6 +107,14 @@ func TestPackageContainer(t *testing.T) {
 			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
 			addTokenAuthHeader(req, anonymousToken)
 			MakeRequest(t, req, http.StatusOK)
+
+			defer test.MockVariableValue(&setting.Service.RequireSignInView, true)()
+
+			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
+			MakeRequest(t, req, http.StatusUnauthorized)
+
+			req = NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
+			MakeRequest(t, req, http.StatusUnauthorized)
 		})
 
 		t.Run("User", func(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, string, any))`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`func determineAccessMode(ctx Base, pkg Package, doer *user_model.User) (perm.AccessMode, error) {`
`96`		`- if setting.Service.RequireSignInView && doer == nil {`
	`96`	`+ if setting.Service.RequireSignInView && (doer == nil \|\| doer.IsGhost()) {`
`97`	`97`	`return perm.AccessModeNone, nil`
`98`	`98`	`}`
`99`	`99`