From 840ad7eefe2b49ab453b9a89b153a264a8c9f8a2 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Tue, 12 Nov 2024 13:33:35 -0800
Subject: [PATCH] Disable Oauth check if oauth disabled (#32368)
Fix #32367
---------
Co-authored-by: Giteabot
Co-authored-by: wxiaoguang
---
 routers/web/web.go | 70 ++++++++++++++++++++++------------------
 services/auth/oauth2.go | 7 ++++-
 2 files changed, 44 insertions(+), 33 deletions(-)
diff --git a/routers/web/web.go b/routers/web/web.go
index e0915e6a6ef..c56906c10de 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -324,6 +324,13 @@ func registerRoutes(m *web.Router) {
 }
 }
 
+ oauth2Enabled := func(ctx *context.Context) {
+ if !setting.OAuth2.Enabled {
+ ctx.Error(http.StatusForbidden)
+ return
+ }
+ }
+
 reqMilestonesDashboardPageEnabled := func(ctx *context.Context) {
 if !setting.Service.ShowMilestonesDashboardPage {
 ctx.Error(http.StatusForbidden)
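Review bot: The new `oauth2Enabled` closure has no comment saying what it gates or why it answers 403, and it is now the single guard reused by four route groups, so a one-liner above it is worth adding: `// oauth2Enabled aborts the request with 403 when the OAuth2 provider is turned off (setting.OAuth2.Enabled == false); attach it to every OAuth2 provider and OAuth2-application route group.` It presumably relies on `ctx.Error` having written a response so the router stops the chain at `return`; the pre-existing `reqMilestonesDashboardPageEnabled` just below uses the same shape, so the style is consistent. `registerRoutes` begins before and continues well past this hunk.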
@@ -546,16 +553,18 @@ func registerRoutes(m *web.Router) {
 m.Any("/user/events", routing.MarkLongPolling, events.Events)
 
 m.Group("/login/oauth", func() {
- m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
- m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
- // TODO manage redirection
- m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
- }, ignSignInAndCsrf, reqSignIn)
-
- m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
- m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
- m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
- m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
+ m.Group("", func() {
+ m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+ m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
+ // TODO manage redirection
+ m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+ }, ignSignInAndCsrf, reqSignIn)
+
+ m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
+ m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
+ m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
+ m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
+ }, oauth2Enabled)
 
 m.Group("/user/settings", func() {
 m.Get("", user_setting.Profile)
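Review bot: Guarding the whole `/login/oauth` group closes the authorize, token, JWKS and introspection endpoints, but the OIDC discovery document is not in this diff: if `/.well-known/openid-configuration` is registered elsewhere in `registerRoutes` without the same `oauth2Enabled` guard, it will keep advertising an `authorization_endpoint`, `token_endpoint` and `jwks_uri` that now answer 403, which is inconsistent for clients probing whether the provider exists. A second, smaller point is the error shape: `ctx.Error(http.StatusForbidden)` renders the HTML error page, which is fine for the browser-facing `/authorize` and `/grant` routes but is not what machine clients of `/access_token`, `/introspect` and `/userinfo` expect to parse; if a JSON body is wanted there, a guard local to those three `m.Methods` routes could use the context's JSON helper instead of `ctx.Error`. Note also that the group guard runs ahead of `optionsCorsHandler()`, so CORS preflights are refused too when the provider is off, which seems acceptable. The enclosing `registerRoutes` starts and ends outside this hunk.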
@@ -596,17 +605,24 @@ func registerRoutes(m *web.Router) {
 }, openIDSignInEnabled)
 m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
 })
- m.Group("/applications/oauth2", func() {
- m.Get("/{id}", user_setting.OAuth2ApplicationShow)
- m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
- m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
- m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
- m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
- m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
+
+ m.Group("/applications", func() {
+ // oauth2 applications
+ m.Group("/oauth2", func() {
+ m.Get("/{id}", user_setting.OAuth2ApplicationShow)
+ m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
+ m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
+ m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
+ m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
+ m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
+ }, oauth2Enabled)
+
+ // access token applications
+ m.Combo("").Get(user_setting.Applications).
+ Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+ m.Post("/delete", user_setting.DeleteApplication)
 })
- m.Combo("/applications").Get(user_setting.Applications).
- Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
- m.Post("/applications/delete", user_setting.DeleteApplication)
+
 m.Combo("/keys").Get(user_setting.Keys).
 Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost)
 m.Post("/keys/delete", user_setting.DeleteKey)
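Review bot: Only the `/oauth2` sub-group gets `oauth2Enabled`, while `m.Combo("").Get(user_setting.Applications)` still serves the full applications settings page; if that page's template renders the OAuth2 application list and create form regardless of the setting, a user will see the form and then hit a 403 on submit. The handler and template are outside this diff and may already branch on `setting.OAuth2.Enabled`, so this is a check rather than a defect. Either way the comment `// access token applications` would read better if it stated the intent, e.g. `// personal access tokens do not depend on the OAuth2 provider, so these routes stay reachable when it is disabled`. The enclosing `/user/settings` group begins and ends outside this hunk.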
@@ -780,12 +796,7 @@ func registerRoutes(m *web.Router) {
 m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
 m.Post("/delete", admin.DeleteApplication)
 })
- }, func(ctx *context.Context) {
- if !setting.OAuth2.Enabled {
- ctx.Error(http.StatusForbidden)
- return
- }
- })
+ }, oauth2Enabled)
 
 m.Group("/actions", func() {
 m.Get("", admin.RedirectToDefaultSetting)
@@ -909,12 +920,7 @@ func registerRoutes(m *web.Router) {
 m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret)
 m.Post("/delete", org.DeleteOAuth2Application)
 })
- }, func(ctx *context.Context) {
- if !setting.OAuth2.Enabled {
- ctx.Error(http.StatusForbidden)
- return
- }
- })
+ }, oauth2Enabled)
 
 m.Group("/hooks", func() {
 m.Get("", org.Webhooks)
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 523998a6345..d0aec085b10 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -27,10 +27,15 @@ var (
 
 // CheckOAuthAccessToken returns uid of user from oauth token
 func CheckOAuthAccessToken(ctx context.Context, accessToken string) int64 {
- // JWT tokens require a "."
+ if !setting.OAuth2.Enabled {
+ return 0
+ }
+
+ // JWT tokens require a ".", if the token isn't like that, return early
 if !strings.Contains(accessToken, ".") {
 return 0
 }
+
 token, err := oauth2_provider.ParseToken(accessToken, oauth2_provider.DefaultSigningKey)
 if err != nil {
 log.Trace("oauth2.ParseToken: %v", err)
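Review bot: The doc comment on `CheckOAuthAccessToken` still reads `// CheckOAuthAccessToken returns uid of user from oauth token` and says nothing about the new early return, so callers cannot tell that 0 now also means "OAuth2 provider disabled", not only "not a valid token". Suggested replacement: `// CheckOAuthAccessToken returns the uid the OAuth2 access token was issued for, or 0 when the token is not a valid OAuth2 JWT or the OAuth2 provider is disabled (setting.OAuth2.Enabled is false); tokens issued before the provider was turned off are rejected as well.` Failing closed before `ParseToken` is the right direction, since otherwise previously issued JWTs would keep authenticating against a provider the admin believes is off. No import change appears in this hunk and the diffstat accounts for all six insertions here, so `setting` must already be imported by this file. The function body continues past the end of the hunk.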