Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require repo scope for PATs for private repos and basic authentication #24362

Merged
merged 6 commits into from
Apr 27, 2023
Merged

Require repo scope for PATs for private repos and basic authentication #24362

merged 6 commits into from
Apr 27, 2023

Conversation

jolheiser
Copy link
Member

The scoped token PR just checked all API routes but in fact, some web routes like LFS, git HTTP, container, and attachments supports basic auth. This PR added scoped token check for them.

@jolheiser jolheiser added type/bug outdated/backport/v1.19 This PR should be backported to Gitea 1.19 labels Apr 26, 2023
@jolheiser jolheiser added this to the 1.20.0 milestone Apr 26, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 26, 2023
@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 26, 2023
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 26, 2023
@jolheiser
chore: placate linter
3d9cefa 
Signed-off-by: jolheiser <john.olheiser@gmail.com>
wxiaoguang
wxiaoguang reviewed Apr 26, 2023
View reviewed changes
modules/context/permission.go
}

var err error
scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
Copy link
Contributor

@wxiaoguang wxiaoguang Apr 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If no test covers it, it is very fragile.

Maybe next refactoring changes the key "ApiTokenScope", then this "check" will become a noop, the accesses just pass it.

@jolheiser
chore: add token scope to npm
1aadb78 
Signed-off-by: jolheiser <john.olheiser@gmail.com>
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 26, 2023
@delvh delvh added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 26, 2023
@jolheiser
chore: fix token scopes for other packages
f27aaa2 
Signed-off-by: jolheiser <john.olheiser@gmail.com>
@jolheiser jolheiser merged commit 5e36024 into go-gitea:main Apr 27, 2023
@jolheiser jolheiser deleted the scoped-token-web-route branch April 27, 2023 00:24
@GiteaBot GiteaBot mentioned this pull request Apr 27, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Apr 27, 2023
@jolheiser @lunny @GiteaBot
Require repo scope for PATs for private repos and basic authentication (
9c83bdc 
go-gitea#24362)

> The scoped token PR just checked all API routes but in fact, some web
routes like `LFS`, git `HTTP`, container, and attachments supports basic
auth. This PR added scoped token check for them.

---------

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@GiteaBot GiteaBot added backport/done All backports for this PR have been created and removed reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Apr 27, 2023
techknowlogick pushed a commit that referenced this pull request Apr 27, 2023
@GiteaBot @jolheiser @lunny
Require repo scope for PATs for private repos and basic authentication (
d2efd2b 
#24362) (#24364)

Backport #24362 by @jolheiser

> The scoped token PR just checked all API routes but in fact, some web
routes like `LFS`, git `HTTP`, container, and attachments supports basic
auth. This PR added scoped token check for them.

Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Apr 27, 2023
edited
Loading

This PR breaks my LFS client.

Reverting these 2 "lfs/*.go" files , then my client works again.

The error logs:


gitea-app_1     | 2023/04/27 20:37:14 ...rvices/lfs/server.go:547:authenticate() [W] [644a6c7a-2] Authentication failure for provided token with Error: invalid token claim
gitea-app_1     | 2023/04/27 20:37:14 [644a6c7a-2] router: completed GET /org/repo.git/info/lfs/objects/xxxxxxxxxxxxxxxxxxxxxxxxxx for 1.2.3.4:0, 401 Unauthorized in 5.9ms @ lfs/server.go:80(lfs.DownloadHandler)

@wxiaoguang wxiaoguang mentioned this pull request Apr 27, 2023
Merged
wxiaoguang
wxiaoguang reviewed Apr 27, 2023
View reviewed changes
services/lfs/server.go
@@ -86,6 +86,11 @@ func DownloadHandler(ctx *context.Context) {
return
}

repository := getAuthenticatedRepository(ctx, rc, true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DownloadHandler: getAuthenticatedRepository(requireWrite=true) ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This lines should be removed.

zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 28, 2023
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
85e30e2 
* giteaofficial/main: (26 commits)
  Refactor docs (go-gitea#23752)
  Fix layouts of admin table / adapt repo / email test  (go-gitea#24370)
  Move secrets and runners settings to actions settings (go-gitea#24200)
  Gitea Actions add `base_ref`, `head_ref`, `api_url`, `ref_type` fields (go-gitea#24356)
  Fix auth check bug (go-gitea#24382)
  Display 'Unknown' when runner.version is empty (go-gitea#24378)
  Fix incorrect last online time in runner_edit.tmpl (go-gitea#24376)
  Refactor "route" related code, fix Safari cookie bug (go-gitea#24330)
  Add custom helm repo name generated from url (go-gitea#24363)
  Add API for gitignore templates (go-gitea#22783)
  Add eslint-plugin-regexp (go-gitea#24361)
  Support uploading file to empty repo by API (go-gitea#24357)
  [skip ci] Updated translations via Crowdin
  Require repo scope for PATs for private repos and basic authentication (go-gitea#24362)
  Alert error message if open dependencies are included in the issues that try to batch close (go-gitea#24329)
  Fix 404 error when leaving the last private org team (go-gitea#24322)
  Modify width of ui container, fine tune css for settings pages and org header (go-gitea#24315)
  Add .livemd as a markdown extension (go-gitea#22730)
  Display when a repo was archived (go-gitea#22664)
  Fix wrong error info in RepoRefForAPI (go-gitea#24344)
  ...
@lunny lunny mentioned this pull request May 31, 2023
Merged
silverwind pushed a commit that referenced this pull request May 31, 2023
@lunny @GiteaBot
Fix users cannot visit issue attachment bug (#25019)
5d23c88 
Caused by #24362

Co-authored-by: Giteabot <teabot@gitea.io>
@GiteaBot GiteaBot mentioned this pull request May 31, 2023
Merged
GiteaBot added a commit to GiteaBot/gitea that referenced this pull request May 31, 2023
@lunny @GiteaBot
Fix users cannot visit issue attachment bug (go-gitea#25019)
949a7e7 
Caused by go-gitea#24362

Co-authored-by: Giteabot <teabot@gitea.io>
silverwind pushed a commit that referenced this pull request Jun 1, 2023
@GiteaBot @lunny @jolheiser
Fix users cannot visit issue attachment bug (#25019) (#25027)
73ae6b2 
Backport #25019 by @lunny

Caused by #24362

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Codeberg-org pushed a commit to Codeberg-org/gitea that referenced this pull request Jun 7, 2023
@GiteaBot @earl-warren
Fix users cannot visit issue attachment bug (go-gitea#25019) (go-gite…
05a3e85 
…a#25027)

Backport go-gitea#25019 by @lunny

Caused by go-gitea#24362

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
(cherry picked from commit 73ae6b2)
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wxiaoguang wxiaoguang wxiaoguang left review comments

@lunny lunny lunny left review comments

@delvh delvh delvh approved these changes

@techknowlogick techknowlogick techknowlogick approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. outdated/backport/v1.19 This PR should be backported to Gitea 1.19 size/L Denotes a PR that changes 100-499 lines, ignoring generated files. type/bug
Projects
None yet
Milestone
1.20.0
Development

Successfully merging this pull request may close these issues.
6 participants
@jolheiser @wxiaoguang @lunny @techknowlogick @delvh @GiteaBot