From e2620642bd1b908ce61e9f6bd0d29893ffe1a651 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Mon, 22 Jan 2024 01:44:38 +0800 Subject: [PATCH] Prevent anonymous container access if `RequireSignInView` is enabled (#28877) (#28882) Backport #28877 by @KN4CK3R Fixes #28875 If `RequireSignInView` is enabled, the ghost user has no access rights. Co-authored-by: KN4CK3R (cherry picked from commit b7c944b9e4e9f847719fbce421b2f4fee7281187) --- modules/context/package.go | 2 +- routers/api/packages/container/container.go | 19 ++++++++++++++----- .../api_packages_container_test.go | 9 +++++++++ 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/modules/context/package.go b/modules/context/package.go index c0813fb2da..978ca2aaa5 100644 --- a/modules/context/package.go +++ b/modules/context/package.go @@ -93,7 +93,7 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, string, any)) } func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.AccessMode, error) { - if setting.Service.RequireSignInView && doer == nil { + if setting.Service.RequireSignInView && (doer == nil || doer.IsGhost()) { return perm.AccessModeNone, nil } diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go index dce3809264..8621242da4 100644 --- a/routers/api/packages/container/container.go +++ b/routers/api/packages/container/container.go @@ -114,11 +114,15 @@ func apiErrorDefined(ctx *context.Context, err *namedError) { }) } -// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost for anonymous access) +func apiUnauthorizedError(ctx *context.Context) { + ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`) + apiErrorDefined(ctx, errUnauthorized) +} + +// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled) func ReqContainerAccess(ctx *context.Context) { - if ctx.Doer == nil { - ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`) - apiErrorDefined(ctx, errUnauthorized) + if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) { + apiUnauthorizedError(ctx) } } @@ -138,10 +142,15 @@ func DetermineSupport(ctx *context.Context) { } // Authenticate creates a token for the current user -// If the current user is anonymous, the ghost user is used +// If the current user is anonymous, the ghost user is used unless RequireSignInView is enabled. func Authenticate(ctx *context.Context) { u := ctx.Doer if u == nil { + if setting.Service.RequireSignInView { + apiUnauthorizedError(ctx) + return + } + u = user_model.NewGhostUser() } diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go index 7d2215e7f8..9c03938dd1 100644 --- a/tests/integration/api_packages_container_test.go +++ b/tests/integration/api_packages_container_test.go @@ -22,6 +22,7 @@ import ( container_module "code.gitea.io/gitea/modules/packages/container" "code.gitea.io/gitea/modules/setting" api "code.gitea.io/gitea/modules/structs" + "code.gitea.io/gitea/modules/test" "code.gitea.io/gitea/tests" oci "github.com/opencontainers/image-spec/specs-go/v1" @@ -106,6 +107,14 @@ func TestPackageContainer(t *testing.T) { req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)) addTokenAuthHeader(req, anonymousToken) MakeRequest(t, req, http.StatusOK) + + defer test.MockVariableValue(&setting.Service.RequireSignInView, true)() + + req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)) + MakeRequest(t, req, http.StatusUnauthorized) + + req = NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL)) + MakeRequest(t, req, http.StatusUnauthorized) }) t.Run("User", func(t *testing.T) {