Add actions support to package auth verification (#23729)

Partly fixes https://github.com/go-gitea/gitea/issues/23642

Error info:

![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png)
ActionsUser (userID -2) is used to login in to docker in action jobs.

Because there is no permission policy for ActionsUser yet, this quick fix only lets
ActionsUser access public registries.
yp05327 2023-04-10 16:21:03 +09:00 committed by GitHub
parent fd9d072af1
commit bb6c670cff
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 37 deletions


@ -44,6 +44,24 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
} }
} }
func verifyAuth(r *web.Route, authMethods []auth.Method) {
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
})
}
// CommonRoutes provide endpoints for most package managers (except containers - see below) // CommonRoutes provide endpoints for most package managers (except containers - see below)
// These are mounted on `/api/packages` (not `/api/v1/packages`) // These are mounted on `/api/packages` (not `/api/v1/packages`)
func CommonRoutes(ctx gocontext.Context) *web.Route { func CommonRoutes(ctx gocontext.Context) *web.Route {
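Review bot: The new `verifyAuth` helper has no doc comment, and its one non-obvious contract — that `authGroup.Verify` returning `(nil, nil)` lets the request continue anonymously with `ctx.IsSigned == false`, while only a non-nil error produces the 401 — is exactly what a reader of the package routes needs to know, since every route handler must still gate access on its own. I would put above the function: `// verifyAuth installs a middleware that resolves ctx.Doer through authMethods (plus ReverseProxy when EnableReverseProxyAuth is set). A verification error answers 401; no error and no user leaves the request anonymous for the route handlers to gate.` Note that the error branch answers 401 for both bad credentials and internal failures (for example a user lookup error), which is pre-existing behaviour carried over from the two inlined copies, so a short comment on the `ctx.Error` line saying so would save the next reader from "fixing" it. `CommonRoutes` at the bottom of the hunk continues outside it.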
@ -51,27 +69,12 @@ func CommonRoutes(ctx gocontext.Context) *web.Route {
r.Use(context.PackageContexter(ctx)) r.Use(context.PackageContexter(ctx))
authMethods := []auth.Method{ verifyAuth(r, []auth.Method{
&auth.OAuth2{}, &auth.OAuth2{},
&auth.Basic{}, &auth.Basic{},
&nuget.Auth{}, &nuget.Auth{},
&conan.Auth{}, &conan.Auth{},
&chef.Auth{}, &chef.Auth{},
}
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Verify: %v", err)
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
}) })
r.Group("/{username}", func() { r.Group("/{username}", func() {
@ -437,24 +440,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
r.Use(context.PackageContexter(ctx)) r.Use(context.PackageContexter(ctx))
authMethods := []auth.Method{ verifyAuth(r, []auth.Method{
&auth.Basic{}, &auth.Basic{},
&container.Auth{}, &container.Auth{},
}
if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{})
}
authGroup := auth.NewGroup(authMethods...)
r.Use(func(ctx *context.Context) {
var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil {
log.Error("Failed to verify user: %v", err)
ctx.Error(http.StatusUnauthorized, "Verify")
return
}
ctx.IsSigned = ctx.Doer != nil
}) })
r.Get("", container.ReqContainerAccess, container.DetermineSupport) r.Get("", container.ReqContainerAccess, container.DetermineSupport)


@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
if uid == 0 { if uid == 0 {
return nil, nil return nil, nil
} }
if uid == -1 {
return user_model.NewGhostUser(), nil
}
u, err := user_model.GetUserByID(req.Context(), uid) u, err := user_model.GetPossibleUserByID(req.Context(), uid)
if err != nil { if err != nil {
log.Error("GetUserByID: %v", err) log.Error("GetPossibleUserByID: %v", err)
return nil, err return nil, err
} }
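Review bot: Replacing `GetUserByID` with `GetPossibleUserByID` means a token whose uid is a pseudo user (the removed `-1` ghost branch, and presumably `-2` for the actions user, as the description says) now yields a non-nil `*user_model.User`, so `ctx.Doer` is set and `ctx.IsSigned` becomes true for an account that has no database row and, per the description, no permission policy; nothing in this hunk restricts it to public registries, so that restriction lives entirely in downstream access checks. That is worth stating where the value is produced, e.g. above the call: `// uid may be a pseudo user (ghost -1, actions -2) resolved without a DB lookup; the actions user currently has no permission policy, so callers must grant it public-registry access only.` I would also confirm that the package permission checks treat the actions user's ID as unowned rather than matching it against `-2` in an owner or membership lookup. The function's trailing `return u, nil` and closing brace are outside the hunk.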