Add actions support to package auth verification (#23729) (#24028)

Backport #23729 by @yp05327

Partly fixes https://github.com/go-gitea/gitea/issues/23642

Error info:

![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png)
ActionsUser (userID -2) is used to login in to docker in action jobs.

Due to we have no permission policy settings of ActionsUser now,
ActionsUser can only access public registry by this quick fix.

Co-authored-by: yp05327 <576951401@qq.com>
pull/24032/head
Giteabot 2 years ago committed by GitHub
parent abf0386e2e
commit 27dbe97542
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 52
      routers/api/packages/api.go
  2. 7
      routers/api/packages/container/auth.go

@ -43,35 +43,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
} }
} }
// CommonRoutes provide endpoints for most package managers (except containers - see below) func verifyAuth(r *web.Route, authMethods []auth.Method) {
// These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route {
r := web.NewRoute()
r.Use(context.PackageContexter(ctx))
authMethods := []auth.Method{
&auth.OAuth2{},
&auth.Basic{},
&nuget.Auth{},
&conan.Auth{},
&chef.Auth{},
}
if setting.Service.EnableReverseProxyAuth { if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{}) authMethods = append(authMethods, &auth.ReverseProxy{})
} }
authGroup := auth.NewGroup(authMethods...) authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) { r.Use(func(ctx *context.Context) {
var err error var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil { if err != nil {
log.Error("Verify: %v", err) log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify") ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return return
} }
ctx.IsSigned = ctx.Doer != nil ctx.IsSigned = ctx.Doer != nil
}) })
}
// CommonRoutes provide endpoints for most package managers (except containers - see below)
// These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route {
r := web.NewRoute()
r.Use(context.PackageContexter(ctx))
verifyAuth(r, []auth.Method{
&auth.OAuth2{},
&auth.Basic{},
&nuget.Auth{},
&conan.Auth{},
&chef.Auth{},
})
r.Group("/{username}", func() { r.Group("/{username}", func() {
r.Group("/cargo", func() { r.Group("/cargo", func() {
@ -401,24 +404,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
r.Use(context.PackageContexter(ctx)) r.Use(context.PackageContexter(ctx))
authMethods := []auth.Method{ verifyAuth(r, []auth.Method{
&auth.Basic{}, &auth.Basic{},
&container.Auth{}, &container.Auth{},
}
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
}) })
r.Get("", container.ReqContainerAccess, container.DetermineSupport) r.Get("", container.ReqContainerAccess, container.DetermineSupport)

@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
if uid == 0 { if uid == 0 {
return nil, nil return nil, nil
} }
if uid == -1 {
return user_model.NewGhostUser(), nil
}
u, err := user_model.GetUserByID(req.Context(), uid) u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil { if err != nil {
log.Error("GetUserByID: %v", err) log.Error("GetPossibleUserByID: %v", err)
return nil, err return nil, err
} }

Loading…
Cancel
Save