From bb6c670cff1a081d9f5f8bdb3dc91abe5d9e35b9 Mon Sep 17 00:00:00 2001 From: yp05327 <576951401@qq.com> Date: Mon, 10 Apr 2023 16:21:03 +0900 Subject: [PATCH] Add actions support to package auth verification (#23729) Partly fixes https://github.com/go-gitea/gitea/issues/23642 Error info: ![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png) ActionsUser (userID -2) is used to login in to docker in action jobs. Due to we have no permission policy settings of ActionsUser now, ActionsUser can only access public registry by this quick fix. --- routers/api/packages/api.go | 52 ++++++++++---------------- routers/api/packages/container/auth.go | 7 +--- 2 files changed, 22 insertions(+), 37 deletions(-) diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go index c0c7b117f696..4cebabecf02b 100644 --- a/routers/api/packages/api.go +++ b/routers/api/packages/api.go @@ -44,6 +44,24 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) { } } +func verifyAuth(r *web.Route, authMethods []auth.Method) { + if setting.Service.EnableReverseProxyAuth { + authMethods = append(authMethods, &auth.ReverseProxy{}) + } + authGroup := auth.NewGroup(authMethods...) + + r.Use(func(ctx *context.Context) { + var err error + ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) + if err != nil { + log.Error("Failed to verify user: %v", err) + ctx.Error(http.StatusUnauthorized, "authGroup.Verify") + return + } + ctx.IsSigned = ctx.Doer != nil + }) +} + // CommonRoutes provide endpoints for most package managers (except containers - see below) // These are mounted on `/api/packages` (not `/api/v1/packages`) func CommonRoutes(ctx gocontext.Context) *web.Route { @@ -51,27 +69,12 @@ func CommonRoutes(ctx gocontext.Context) *web.Route { r.Use(context.PackageContexter(ctx)) - authMethods := []auth.Method{ + verifyAuth(r, []auth.Method{ &auth.OAuth2{}, &auth.Basic{}, &nuget.Auth{}, &conan.Auth{}, &chef.Auth{}, - } - if setting.Service.EnableReverseProxyAuth { - authMethods = append(authMethods, &auth.ReverseProxy{}) - } - - authGroup := auth.NewGroup(authMethods...) - r.Use(func(ctx *context.Context) { - var err error - ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) - if err != nil { - log.Error("Verify: %v", err) - ctx.Error(http.StatusUnauthorized, "authGroup.Verify") - return - } - ctx.IsSigned = ctx.Doer != nil }) r.Group("/{username}", func() { @@ -437,24 +440,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route { r.Use(context.PackageContexter(ctx)) - authMethods := []auth.Method{ + verifyAuth(r, []auth.Method{ &auth.Basic{}, &container.Auth{}, - } - if setting.Service.EnableReverseProxyAuth { - authMethods = append(authMethods, &auth.ReverseProxy{}) - } - - authGroup := auth.NewGroup(authMethods...) - r.Use(func(ctx *context.Context) { - var err error - ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) - if err != nil { - log.Error("Failed to verify user: %v", err) - ctx.Error(http.StatusUnauthorized, "Verify") - return - } - ctx.IsSigned = ctx.Doer != nil }) r.Get("", container.ReqContainerAccess, container.DetermineSupport) diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go index 33f439ec3e58..6fb32c389d86 100644 --- a/routers/api/packages/container/auth.go +++ b/routers/api/packages/container/auth.go @@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS if uid == 0 { return nil, nil } - if uid == -1 { - return user_model.NewGhostUser(), nil - } - u, err := user_model.GetUserByID(req.Context(), uid) + u, err := user_model.GetPossibleUserByID(req.Context(), uid) if err != nil { - log.Error("GetUserByID: %v", err) + log.Error("GetPossibleUserByID: %v", err) return nil, err }