From 27dbe9754289135a8c1514c72ecbde727a213c8c Mon Sep 17 00:00:00 2001 From: Giteabot Date: Mon, 10 Apr 2023 04:36:21 -0400 Subject: [PATCH] Add actions support to package auth verification (#23729) (#24028) Backport #23729 by @yp05327 Partly fixes https://github.com/go-gitea/gitea/issues/23642 Error info: ![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png) ActionsUser (userID -2) is used to login in to docker in action jobs. Due to we have no permission policy settings of ActionsUser now, ActionsUser can only access public registry by this quick fix. Co-authored-by: yp05327 <576951401@qq.com> --- routers/api/packages/api.go | 52 ++++++++++---------------- routers/api/packages/container/auth.go | 7 +--- 2 files changed, 22 insertions(+), 37 deletions(-) diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go index 0e3d8b7a02..c2841e1903 100644 --- a/routers/api/packages/api.go +++ b/routers/api/packages/api.go @@ -43,6 +43,24 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) { } } +func verifyAuth(r *web.Route, authMethods []auth.Method) { + if setting.Service.EnableReverseProxyAuth { + authMethods = append(authMethods, &auth.ReverseProxy{}) + } + authGroup := auth.NewGroup(authMethods...) + + r.Use(func(ctx *context.Context) { + var err error + ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) + if err != nil { + log.Error("Failed to verify user: %v", err) + ctx.Error(http.StatusUnauthorized, "authGroup.Verify") + return + } + ctx.IsSigned = ctx.Doer != nil + }) +} + // CommonRoutes provide endpoints for most package managers (except containers - see below) // These are mounted on `/api/packages` (not `/api/v1/packages`) func CommonRoutes(ctx gocontext.Context) *web.Route { @@ -50,27 +68,12 @@ func CommonRoutes(ctx gocontext.Context) *web.Route { r.Use(context.PackageContexter(ctx)) - authMethods := []auth.Method{ + verifyAuth(r, []auth.Method{ &auth.OAuth2{}, &auth.Basic{}, &nuget.Auth{}, &conan.Auth{}, &chef.Auth{}, - } - if setting.Service.EnableReverseProxyAuth { - authMethods = append(authMethods, &auth.ReverseProxy{}) - } - - authGroup := auth.NewGroup(authMethods...) - r.Use(func(ctx *context.Context) { - var err error - ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) - if err != nil { - log.Error("Verify: %v", err) - ctx.Error(http.StatusUnauthorized, "authGroup.Verify") - return - } - ctx.IsSigned = ctx.Doer != nil }) r.Group("/{username}", func() { @@ -401,24 +404,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route { r.Use(context.PackageContexter(ctx)) - authMethods := []auth.Method{ + verifyAuth(r, []auth.Method{ &auth.Basic{}, &container.Auth{}, - } - if setting.Service.EnableReverseProxyAuth { - authMethods = append(authMethods, &auth.ReverseProxy{}) - } - - authGroup := auth.NewGroup(authMethods...) - r.Use(func(ctx *context.Context) { - var err error - ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) - if err != nil { - log.Error("Failed to verify user: %v", err) - ctx.Error(http.StatusUnauthorized, "Verify") - return - } - ctx.IsSigned = ctx.Doer != nil }) r.Get("", container.ReqContainerAccess, container.DetermineSupport) diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go index 33f439ec3e..6fb32c389d 100644 --- a/routers/api/packages/container/auth.go +++ b/routers/api/packages/container/auth.go @@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS if uid == 0 { return nil, nil } - if uid == -1 { - return user_model.NewGhostUser(), nil - } - u, err := user_model.GetUserByID(req.Context(), uid) + u, err := user_model.GetPossibleUserByID(req.Context(), uid) if err != nil { - log.Error("GetUserByID: %v", err) + log.Error("GetPossibleUserByID: %v", err) return nil, err }