no setting requirement for additional grant scopes

- the logic introduced with this PR is applied by default; this is a breaking
change for anyone who relied on the previous behavior regarding personal access
tokens, or on full access for OAuth2 third parties.
pull/32180/head
Marcell Mars 1 month ago
parent 4885397d18
commit 33da8f1e71
  1. 34
      modules/setting/oauth2.go
  2. 1
      routers/web/user/setting/applications.go
  3. 12
      services/oauth2_provider/access_token.go
  4. 1
      services/oauth2_provider/additional_scopes_test.go
  5. 8
      tests/integration/oauth_test.go

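--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -90,25 +90,23 @@ func parseScopes(sec ConfigSection, name string) []string {
 }
 var OAuth2 = struct {
 Enabled bool
 AccessTokenExpirationTime int64
 RefreshTokenExpirationTime int64
 InvalidateRefreshTokens bool
 JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
 JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
 MaxTokenLength int
 DefaultApplications []string
-EnableAdditionalGrantScopes bool
 }{
 Enabled: true,
 AccessTokenExpirationTime: 3600,
 RefreshTokenExpirationTime: 730,
 InvalidateRefreshTokens: false,
 JWTSigningAlgorithm: "RS256",
 JWTSigningPrivateKeyFile: "jwt/private.pem",
 MaxTokenLength: math.MaxInt16,
 DefaultApplications: []string{"git-credential-oauth", "git-credential-manager", "tea"},
-EnableAdditionalGrantScopes: false,
 }
 func loadOAuth2From(rootCfg ConfigProvider) {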

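--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -113,6 +113,5 @@ func loadApplicationsData(ctx *context.Context) {
 ctx.ServerError("GetOAuth2GrantsByUserID", err)
 return
 }
-ctx.Data["EnableAdditionalGrantScopes"] = setting.OAuth2.EnableAdditionalGrantScopes
 }
 }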

@ -228,14 +228,10 @@ func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User, onlyPubli
var groups []string var groups []string
for _, org := range orgs { for _, org := range orgs {
// process additional scopes only if enabled in settings if onlyPublicGroups {
// this could be removed once additional scopes get accepted if public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID); err == nil {
if setting.OAuth2.EnableAdditionalGrantScopes { if !public || !org.Visibility.IsPublic() {
if onlyPublicGroups { continue
if public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID); err == nil {
if !public || !org.Visibility.IsPublic() {
continue
}
} }
} }
} }
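Review bot: The membership check on the new side of the `org_model.IsPublicMembership` line fails open: when the lookup returns an error, the `err == nil` guard skips the whole filter and the org falls through the `onlyPublicGroups` branch, presumably to be appended to `groups` below the hunk, even though the caller asked for public memberships only. Collapsing it to `public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID)` followed by `if err != nil || !public || !org.Visibility.IsPublic() { continue }` keeps a lookup failure from widening the `groups` claim; if `GetOAuthGroupsForUser` returns an error (its signature is cut off in the hunk header) propagating it is the cleaner choice. This pattern predates the commit, but now that the filter runs unconditionally it is the only gate on that claim. The enclosing function begins and ends outside the hunk, and the loop body continues past it.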

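--- a/services/oauth2_provider/additional_scopes_test.go
+++ b/services/oauth2_provider/additional_scopes_test.go
@@ -10,7 +10,6 @@ import (
 )
 func TestGrantAdditionalScopes(t *testing.T) {
-setting.OAuth2.EnableAdditionalGrantScopes = true
 tests := []struct {
 grantScopes string
 expectedScopes string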

@ -515,7 +515,7 @@ func TestOAuth_GrantScopesReadUserFailRepos(t *testing.T) {
err := db.Insert(db.DefaultContext, grant) err := db.Insert(db.DefaultContext, grant)
require.NoError(t, err) require.NoError(t, err)
assert.Contains(t, grant.Scope, "openid profile email read:user") assert.ElementsMatch(t, []string{"openid", "profile", "email", "read:user"}, strings.Split(grant.Scope, " "))
ctx := loginUserWithPasswordRemember(t, user.Name, "password", true) ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)
@ -596,7 +596,7 @@ func TestOAuth_GrantScopesReadRepositoryFailOrganization(t *testing.T) {
err := db.Insert(db.DefaultContext, grant) err := db.Insert(db.DefaultContext, grant)
require.NoError(t, err) require.NoError(t, err)
assert.Contains(t, grant.Scope, "openid profile email read:user read:repository") assert.ElementsMatch(t, []string{"openid", "profile", "email", "read:user", "read:repository"}, strings.Split(grant.Scope, " "))
ctx := loginUserWithPasswordRemember(t, user.Name, "password", true) ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)
@ -790,7 +790,7 @@ func TestOAuth_GrantScopesClaimGroupsAll(t *testing.T) {
} }
} }
func TestOAuth_GrantScopesEnabledClaimGroups(t *testing.T) { func TestOAuth_GrantScopesClaimGroupsPublicOnly(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"}) user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
@ -819,7 +819,7 @@ func TestOAuth_GrantScopesEnabledClaimGroups(t *testing.T) {
err := db.Insert(db.DefaultContext, grant) err := db.Insert(db.DefaultContext, grant)
require.NoError(t, err) require.NoError(t, err)
assert.Contains(t, grant.Scope, "openid profile email groups") assert.ElementsMatch(t, []string{"openid", "profile", "email", "groups"}, strings.Split(grant.Scope, " "))
ctx := loginUserWithPasswordRemember(t, user.Name, "password", true) ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)
