2017-11-02 17:51:03 +00:00
// Copyright 2017 The Gitea Authors. All rights reserved.
2022-11-27 18:20:29 +00:00
// SPDX-License-Identifier: MIT
2017-11-02 17:51:03 +00:00
2022-09-02 19:18:23 +00:00
package integration
2017-11-02 17:51:03 +00:00
import (
2021-04-10 08:27:29 +00:00
"encoding/hex"
2018-01-16 11:07:47 +00:00
"fmt"
2020-04-27 11:20:09 +00:00
"math/rand"
2019-02-12 15:09:43 +00:00
"net/http"
2017-12-08 12:21:37 +00:00
"net/url"
2021-09-22 05:38:34 +00:00
"os"
2019-02-12 15:09:43 +00:00
"path"
2017-11-02 17:51:03 +00:00
"path/filepath"
2019-05-31 10:12:15 +00:00
"strconv"
2017-11-02 17:51:03 +00:00
"testing"
"time"
2023-01-17 21:46:03 +00:00
auth_model "code.gitea.io/gitea/models/auth"
2022-05-20 14:08:52 +00:00
"code.gitea.io/gitea/models/db"
2022-06-13 09:37:59 +00:00
issues_model "code.gitea.io/gitea/models/issues"
2021-11-28 11:58:28 +00:00
"code.gitea.io/gitea/models/perm"
2021-12-10 01:27:50 +00:00
repo_model "code.gitea.io/gitea/models/repo"
2021-11-16 08:53:21 +00:00
"code.gitea.io/gitea/models/unittest"
2021-11-24 09:49:20 +00:00
user_model "code.gitea.io/gitea/models/user"
2023-04-13 19:45:33 +00:00
gitea_context "code.gitea.io/gitea/modules/context"
2019-03-27 09:33:00 +00:00
"code.gitea.io/gitea/modules/git"
2021-04-08 22:25:57 +00:00
"code.gitea.io/gitea/modules/lfs"
2019-10-12 00:13:27 +00:00
"code.gitea.io/gitea/modules/setting"
2019-05-31 10:12:15 +00:00
api "code.gitea.io/gitea/modules/structs"
2022-09-02 19:18:23 +00:00
"code.gitea.io/gitea/tests"
2017-11-02 17:51:03 +00:00
"github.com/stretchr/testify/assert"
)
2018-01-16 11:07:47 +00:00
const (
2022-01-20 17:46:10 +00:00
littleSize = 1024 // 1ko
bigSize = 128 * 1024 * 1024 // 128Mo
2018-01-16 11:07:47 +00:00
)
2019-02-03 23:56:53 +00:00
func TestGit ( t * testing . T ) {
onGiteaRun ( t , testGit )
}
2017-11-02 17:51:03 +00:00
2019-02-03 23:56:53 +00:00
func testGit ( t * testing . T , u * url . URL ) {
username := "user2"
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 18:57:16 +00:00
baseAPITestContext := NewAPITestContext ( t , username , "repo1" , auth_model . AccessTokenScopeWriteRepository , auth_model . AccessTokenScopeWriteUser )
2017-11-02 17:51:03 +00:00
2019-02-03 23:56:53 +00:00
u . Path = baseAPITestContext . GitPath ( )
2017-11-02 17:51:03 +00:00
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 18:57:16 +00:00
forkedUserCtx := NewAPITestContext ( t , "user4" , "repo1" , auth_model . AccessTokenScopeWriteRepository , auth_model . AccessTokenScopeWriteUser )
2019-06-22 17:35:34 +00:00
2019-02-03 23:56:53 +00:00
t . Run ( "HTTP" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-06-22 17:35:34 +00:00
ensureAnonymousClone ( t , u )
2019-02-03 23:56:53 +00:00
httpContext := baseAPITestContext
httpContext . Reponame = "repo-tmp-17"
2019-06-22 17:35:34 +00:00
forkedUserCtx . Reponame = httpContext . Reponame
2017-11-02 17:51:03 +00:00
2022-09-04 15:14:53 +00:00
dstPath := t . TempDir ( )
2019-02-12 15:09:43 +00:00
2019-06-22 17:35:34 +00:00
t . Run ( "CreateRepoInDifferentUser" , doAPICreateRepository ( forkedUserCtx , false ) )
2021-11-28 11:58:28 +00:00
t . Run ( "AddUserAsCollaborator" , doAPIAddCollaborator ( forkedUserCtx , httpContext . Username , perm . AccessModeRead ) )
2019-06-22 17:35:34 +00:00
t . Run ( "ForkFromDifferentUser" , doAPIForkRepository ( httpContext , forkedUserCtx . Username ) )
2019-02-12 15:09:43 +00:00
2019-05-31 10:12:15 +00:00
u . Path = httpContext . GitPath ( )
u . User = url . UserPassword ( username , userPassword )
2019-02-12 15:09:43 +00:00
2019-05-31 10:12:15 +00:00
t . Run ( "Clone" , doGitClone ( dstPath , u ) )
2019-05-28 10:32:41 +00:00
2022-09-04 15:14:53 +00:00
dstPath2 := t . TempDir ( )
2022-01-23 21:19:32 +00:00
t . Run ( "Partial Clone" , doPartialGitClone ( dstPath2 , u ) )
2019-05-31 10:12:15 +00:00
little , big := standardCommitAndPushTest ( t , dstPath )
littleLFS , bigLFS := lfsCommitAndPushTest ( t , dstPath )
rawTest ( t , & httpContext , little , big , littleLFS , bigLFS )
mediaTest ( t , & httpContext , little , big , littleLFS , bigLFS )
2019-02-12 15:09:43 +00:00
2021-07-28 09:42:56 +00:00
t . Run ( "CreateAgitFlowPull" , doCreateAgitFlowPull ( dstPath , & httpContext , "master" , "test/head" ) )
2019-05-31 10:12:15 +00:00
t . Run ( "BranchProtectMerge" , doBranchProtectPRMerge ( & httpContext , dstPath ) )
2022-05-07 17:05:52 +00:00
t . Run ( "AutoMerge" , doAutoPRMerge ( & httpContext , dstPath ) )
2021-03-04 03:41:23 +00:00
t . Run ( "CreatePRAndSetManuallyMerged" , doCreatePRAndSetManuallyMerged ( httpContext , httpContext , dstPath , "master" , "test-manually-merge" ) )
2019-06-22 17:35:34 +00:00
t . Run ( "MergeFork" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-06-22 17:35:34 +00:00
t . Run ( "CreatePRAndMerge" , doMergeFork ( httpContext , forkedUserCtx , "master" , httpContext . Username + ":master" ) )
rawTest ( t , & forkedUserCtx , little , big , littleLFS , bigLFS )
mediaTest ( t , & forkedUserCtx , little , big , littleLFS , bigLFS )
} )
2019-12-15 02:49:52 +00:00
t . Run ( "PushCreate" , doPushCreate ( httpContext , u ) )
2019-02-03 23:56:53 +00:00
} )
t . Run ( "SSH" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-02-03 23:56:53 +00:00
sshContext := baseAPITestContext
sshContext . Reponame = "repo-tmp-18"
keyname := "my-testing-key"
2019-06-22 17:35:34 +00:00
forkedUserCtx . Reponame = sshContext . Reponame
t . Run ( "CreateRepoInDifferentUser" , doAPICreateRepository ( forkedUserCtx , false ) )
2021-11-28 11:58:28 +00:00
t . Run ( "AddUserAsCollaborator" , doAPIAddCollaborator ( forkedUserCtx , sshContext . Username , perm . AccessModeRead ) )
2019-06-22 17:35:34 +00:00
t . Run ( "ForkFromDifferentUser" , doAPIForkRepository ( sshContext , forkedUserCtx . Username ) )
2022-01-20 17:46:10 +00:00
// Setup key the user ssh key
2019-02-03 23:56:53 +00:00
withKeyFile ( t , keyname , func ( keyFile string ) {
t . Run ( "CreateUserKey" , doAPICreateUserKey ( sshContext , "test-key" , keyFile ) )
2018-01-16 11:07:47 +00:00
2022-01-20 17:46:10 +00:00
// Setup remote link
// TODO: get url from api
2019-02-03 23:56:53 +00:00
sshURL := createSSHUrl ( sshContext . GitPath ( ) , u )
2018-01-16 11:07:47 +00:00
2022-01-20 17:46:10 +00:00
// Setup clone folder
2022-09-04 15:14:53 +00:00
dstPath := t . TempDir ( )
2019-02-03 23:56:53 +00:00
2019-05-31 10:12:15 +00:00
t . Run ( "Clone" , doGitClone ( dstPath , sshURL ) )
little , big := standardCommitAndPushTest ( t , dstPath )
littleLFS , bigLFS := lfsCommitAndPushTest ( t , dstPath )
rawTest ( t , & sshContext , little , big , littleLFS , bigLFS )
mediaTest ( t , & sshContext , little , big , littleLFS , bigLFS )
2021-07-28 09:42:56 +00:00
t . Run ( "CreateAgitFlowPull" , doCreateAgitFlowPull ( dstPath , & sshContext , "master" , "test/head2" ) )
2019-05-31 10:12:15 +00:00
t . Run ( "BranchProtectMerge" , doBranchProtectPRMerge ( & sshContext , dstPath ) )
2019-06-22 17:35:34 +00:00
t . Run ( "MergeFork" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-06-22 17:35:34 +00:00
t . Run ( "CreatePRAndMerge" , doMergeFork ( sshContext , forkedUserCtx , "master" , sshContext . Username + ":master" ) )
rawTest ( t , & forkedUserCtx , little , big , littleLFS , bigLFS )
mediaTest ( t , & forkedUserCtx , little , big , littleLFS , bigLFS )
} )
2019-12-15 02:49:52 +00:00
t . Run ( "PushCreate" , doPushCreate ( sshContext , sshURL ) )
2017-12-08 12:21:37 +00:00
} )
2017-11-02 17:51:03 +00:00
} )
}
2018-01-16 11:07:47 +00:00
2019-02-03 23:56:53 +00:00
func ensureAnonymousClone ( t * testing . T , u * url . URL ) {
2022-09-04 15:14:53 +00:00
dstLocalPath := t . TempDir ( )
2019-02-03 23:56:53 +00:00
t . Run ( "CloneAnonymous" , doGitClone ( dstLocalPath , u ) )
}
2019-05-31 10:12:15 +00:00
func standardCommitAndPushTest ( t * testing . T , dstPath string ) ( little , big string ) {
t . Run ( "Standard" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
little , big = commitAndPushTest ( t , dstPath , "data-file-" )
} )
2022-06-20 10:02:49 +00:00
return little , big
2019-05-31 10:12:15 +00:00
}
func lfsCommitAndPushTest ( t * testing . T , dstPath string ) ( littleLFS , bigLFS string ) {
t . Run ( "LFS" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
prefix := "lfs-data-file-"
2022-04-01 02:55:30 +00:00
err := git . NewCommand ( git . DefaultContext , "lfs" ) . AddArguments ( "install" ) . Run ( & git . RunOpts { Dir : dstPath } )
2019-05-31 10:12:15 +00:00
assert . NoError ( t , err )
2022-10-23 14:44:45 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "lfs" ) . AddArguments ( "track" ) . AddDynamicArguments ( prefix + "*" ) . RunStdString ( & git . RunOpts { Dir : dstPath } )
2019-05-31 10:12:15 +00:00
assert . NoError ( t , err )
err = git . AddChanges ( dstPath , false , ".gitattributes" )
assert . NoError ( t , err )
2019-11-27 00:35:52 +00:00
2022-01-25 18:15:58 +00:00
err = git . CommitChangesWithArgs ( dstPath , git . AllowLFSFiltersArgs ( ) , git . CommitChangesOptions {
2019-10-12 00:13:27 +00:00
Committer : & git . Signature {
Email : "user2@example.com" ,
Name : "User Two" ,
When : time . Now ( ) ,
} ,
Author : & git . Signature {
Email : "user2@example.com" ,
Name : "User Two" ,
When : time . Now ( ) ,
} ,
Message : fmt . Sprintf ( "Testing commit @ %v" , time . Now ( ) ) ,
} )
2019-11-16 18:21:39 +00:00
assert . NoError ( t , err )
2019-05-31 10:12:15 +00:00
littleLFS , bigLFS = commitAndPushTest ( t , dstPath , prefix )
t . Run ( "Locks" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
lockTest ( t , dstPath )
} )
} )
2022-06-20 10:02:49 +00:00
return littleLFS , bigLFS
2019-05-31 10:12:15 +00:00
}
func commitAndPushTest ( t * testing . T , dstPath , prefix string ) ( little , big string ) {
t . Run ( "PushCommit" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
t . Run ( "Little" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
little = doCommitAndPush ( t , littleSize , dstPath , prefix )
} )
t . Run ( "Big" , func ( t * testing . T ) {
if testing . Short ( ) {
t . Skip ( "Skipping test in short mode." )
return
}
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
big = doCommitAndPush ( t , bigSize , dstPath , prefix )
} )
} )
2022-06-20 10:02:49 +00:00
return little , big
2019-05-31 10:12:15 +00:00
}
func rawTest ( t * testing . T , ctx * APITestContext , little , big , littleLFS , bigLFS string ) {
t . Run ( "Raw" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
username := ctx . Username
reponame := ctx . Reponame
session := loginUser ( t , username )
// Request raw paths
req := NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/raw/branch/master/" , little ) )
2021-04-06 16:44:02 +00:00
resp := session . MakeRequestNilResponseRecorder ( t , req , http . StatusOK )
assert . Equal ( t , littleSize , resp . Length )
2019-05-31 10:12:15 +00:00
2019-10-12 00:13:27 +00:00
if setting . LFS . StartServer {
req = NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/raw/branch/master/" , littleLFS ) )
2021-04-06 16:44:02 +00:00
resp := session . MakeRequest ( t , req , http . StatusOK )
2019-10-12 00:13:27 +00:00
assert . NotEqual ( t , littleSize , resp . Body . Len ( ) )
2021-03-14 15:53:59 +00:00
assert . LessOrEqual ( t , resp . Body . Len ( ) , 1024 )
if resp . Body . Len ( ) != littleSize && resp . Body . Len ( ) <= 1024 {
2021-04-08 22:25:57 +00:00
assert . Contains ( t , resp . Body . String ( ) , lfs . MetaFileIdentifier )
2021-03-14 15:53:59 +00:00
}
2019-10-12 00:13:27 +00:00
}
2019-05-31 10:12:15 +00:00
if ! testing . Short ( ) {
req = NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/raw/branch/master/" , big ) )
2021-04-06 16:44:02 +00:00
resp := session . MakeRequestNilResponseRecorder ( t , req , http . StatusOK )
assert . Equal ( t , bigSize , resp . Length )
2019-05-31 10:12:15 +00:00
2019-10-12 00:13:27 +00:00
if setting . LFS . StartServer {
req = NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/raw/branch/master/" , bigLFS ) )
2021-04-06 16:44:02 +00:00
resp := session . MakeRequest ( t , req , http . StatusOK )
2019-10-12 00:13:27 +00:00
assert . NotEqual ( t , bigSize , resp . Body . Len ( ) )
2021-03-14 15:53:59 +00:00
if resp . Body . Len ( ) != bigSize && resp . Body . Len ( ) <= 1024 {
2021-04-08 22:25:57 +00:00
assert . Contains ( t , resp . Body . String ( ) , lfs . MetaFileIdentifier )
2021-03-14 15:53:59 +00:00
}
2019-10-12 00:13:27 +00:00
}
2019-05-31 10:12:15 +00:00
}
} )
}
func mediaTest ( t * testing . T , ctx * APITestContext , little , big , littleLFS , bigLFS string ) {
t . Run ( "Media" , func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
username := ctx . Username
reponame := ctx . Reponame
session := loginUser ( t , username )
// Request media paths
req := NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/media/branch/master/" , little ) )
resp := session . MakeRequestNilResponseRecorder ( t , req , http . StatusOK )
assert . Equal ( t , littleSize , resp . Length )
2022-08-09 03:22:24 +00:00
req = NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/media/branch/master/" , littleLFS ) )
resp = session . MakeRequestNilResponseRecorder ( t , req , http . StatusOK )
assert . Equal ( t , littleSize , resp . Length )
2019-05-31 10:12:15 +00:00
if ! testing . Short ( ) {
req = NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/media/branch/master/" , big ) )
resp = session . MakeRequestNilResponseRecorder ( t , req , http . StatusOK )
assert . Equal ( t , bigSize , resp . Length )
2019-10-12 00:13:27 +00:00
if setting . LFS . StartServer {
req = NewRequest ( t , "GET" , path . Join ( "/" , username , reponame , "/media/branch/master/" , bigLFS ) )
resp = session . MakeRequestNilResponseRecorder ( t , req , http . StatusOK )
assert . Equal ( t , bigSize , resp . Length )
}
2019-05-31 10:12:15 +00:00
}
} )
}
func lockTest ( t * testing . T , repoPath string ) {
2019-05-28 10:32:41 +00:00
lockFileTest ( t , "README.md" , repoPath )
}
func lockFileTest ( t * testing . T , filename , repoPath string ) {
2022-04-01 02:55:30 +00:00
_ , _ , err := git . NewCommand ( git . DefaultContext , "lfs" ) . AddArguments ( "locks" ) . RunStdString ( & git . RunOpts { Dir : repoPath } )
2018-01-16 11:07:47 +00:00
assert . NoError ( t , err )
2022-10-23 14:44:45 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "lfs" ) . AddArguments ( "lock" ) . AddDynamicArguments ( filename ) . RunStdString ( & git . RunOpts { Dir : repoPath } )
2018-01-16 11:07:47 +00:00
assert . NoError ( t , err )
2022-04-01 02:55:30 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "lfs" ) . AddArguments ( "locks" ) . RunStdString ( & git . RunOpts { Dir : repoPath } )
2018-01-16 11:07:47 +00:00
assert . NoError ( t , err )
2022-10-23 14:44:45 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "lfs" ) . AddArguments ( "unlock" ) . AddDynamicArguments ( filename ) . RunStdString ( & git . RunOpts { Dir : repoPath } )
2018-01-16 11:07:47 +00:00
assert . NoError ( t , err )
}
2019-05-31 10:12:15 +00:00
func doCommitAndPush ( t * testing . T , size int , repoPath , prefix string ) string {
name , err := generateCommitWithNewData ( size , repoPath , "user2@example.com" , "User Two" , prefix )
2018-01-16 11:07:47 +00:00
assert . NoError ( t , err )
2022-04-01 02:55:30 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "push" , "origin" , "master" ) . RunStdString ( & git . RunOpts { Dir : repoPath } ) // Push
2018-01-16 11:07:47 +00:00
assert . NoError ( t , err )
2019-02-12 15:09:43 +00:00
return name
2018-01-16 11:07:47 +00:00
}
2019-05-31 10:12:15 +00:00
func generateCommitWithNewData ( size int , repoPath , email , fullName , prefix string ) ( string , error ) {
2022-01-20 17:46:10 +00:00
// Generate random file
2020-04-27 11:20:09 +00:00
bufSize := 4 * 1024
if bufSize > size {
bufSize = size
2018-01-16 11:07:47 +00:00
}
2020-04-27 11:20:09 +00:00
buffer := make ( [ ] byte , bufSize )
2021-09-22 05:38:34 +00:00
tmpFile , err := os . CreateTemp ( repoPath , prefix )
2018-01-16 11:07:47 +00:00
if err != nil {
2019-02-12 15:09:43 +00:00
return "" , err
2018-01-16 11:07:47 +00:00
}
defer tmpFile . Close ( )
2020-04-27 11:20:09 +00:00
written := 0
for written < size {
n := size - written
if n > bufSize {
n = bufSize
}
_ , err := rand . Read ( buffer [ : n ] )
if err != nil {
return "" , err
}
n , err = tmpFile . Write ( buffer [ : n ] )
if err != nil {
return "" , err
}
written += n
}
2018-01-16 11:07:47 +00:00
if err != nil {
2019-02-12 15:09:43 +00:00
return "" , err
2018-01-16 11:07:47 +00:00
}
2022-01-20 17:46:10 +00:00
// Commit
2019-10-12 00:13:27 +00:00
// Now here we should explicitly allow lfs filters to run
2022-01-25 18:15:58 +00:00
globalArgs := git . AllowLFSFiltersArgs ( )
2019-11-27 00:35:52 +00:00
err = git . AddChangesWithArgs ( repoPath , globalArgs , false , filepath . Base ( tmpFile . Name ( ) ) )
2018-01-16 11:07:47 +00:00
if err != nil {
2019-02-12 15:09:43 +00:00
return "" , err
2018-01-16 11:07:47 +00:00
}
2019-11-27 00:35:52 +00:00
err = git . CommitChangesWithArgs ( repoPath , globalArgs , git . CommitChangesOptions {
2018-01-16 11:07:47 +00:00
Committer : & git . Signature {
Email : email ,
Name : fullName ,
When : time . Now ( ) ,
} ,
Author : & git . Signature {
Email : email ,
Name : fullName ,
When : time . Now ( ) ,
} ,
Message : fmt . Sprintf ( "Testing commit @ %v" , time . Now ( ) ) ,
} )
2019-02-12 15:09:43 +00:00
return filepath . Base ( tmpFile . Name ( ) ) , err
2018-01-16 11:07:47 +00:00
}
2019-05-31 10:12:15 +00:00
func doBranchProtectPRMerge ( baseCtx * APITestContext , dstPath string ) func ( t * testing . T ) {
return func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-05-31 10:12:15 +00:00
t . Run ( "CreateBranchProtected" , doGitCreateBranch ( dstPath , "protected" ) )
t . Run ( "PushProtectedBranch" , doGitPushTestRepository ( dstPath , "origin" , "protected" ) )
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 18:57:16 +00:00
ctx := NewAPITestContext ( t , baseCtx . Username , baseCtx . Reponame , auth_model . AccessTokenScopeWriteRepository )
2021-09-11 14:21:17 +00:00
t . Run ( "ProtectProtectedBranchNoWhitelist" , doProtectBranch ( ctx , "protected" , "" , "" ) )
2019-05-31 10:12:15 +00:00
t . Run ( "GenerateCommit" , func ( t * testing . T ) {
_ , err := generateCommitWithNewData ( littleSize , dstPath , "user2@example.com" , "User Two" , "branch-data-file-" )
assert . NoError ( t , err )
} )
t . Run ( "FailToPushToProtectedBranch" , doGitPushTestRepositoryFail ( dstPath , "origin" , "protected" ) )
t . Run ( "PushToUnprotectedBranch" , doGitPushTestRepository ( dstPath , "origin" , "protected:unprotected" ) )
var pr api . PullRequest
var err error
t . Run ( "CreatePullRequest" , func ( t * testing . T ) {
pr , err = doAPICreatePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , "protected" , "unprotected" ) ( t )
assert . NoError ( t , err )
} )
2020-02-21 18:18:13 +00:00
t . Run ( "GenerateCommit" , func ( t * testing . T ) {
_ , err := generateCommitWithNewData ( littleSize , dstPath , "user2@example.com" , "User Two" , "branch-data-file-" )
assert . NoError ( t , err )
} )
t . Run ( "PushToUnprotectedBranch" , doGitPushTestRepository ( dstPath , "origin" , "protected:unprotected-2" ) )
var pr2 api . PullRequest
t . Run ( "CreatePullRequest" , func ( t * testing . T ) {
pr2 , err = doAPICreatePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , "unprotected" , "unprotected-2" ) ( t )
assert . NoError ( t , err )
} )
t . Run ( "MergePR2" , doAPIMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr2 . Index ) )
2019-05-31 10:12:15 +00:00
t . Run ( "MergePR" , doAPIMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
t . Run ( "PullProtected" , doGitPull ( dstPath , "origin" , "protected" ) )
2021-09-11 14:21:17 +00:00
t . Run ( "ProtectProtectedBranchUnprotectedFilePaths" , doProtectBranch ( ctx , "protected" , "" , "unprotected-file-*" ) )
t . Run ( "GenerateCommit" , func ( t * testing . T ) {
_ , err := generateCommitWithNewData ( littleSize , dstPath , "user2@example.com" , "User Two" , "unprotected-file-" )
assert . NoError ( t , err )
} )
t . Run ( "PushUnprotectedFilesToProtectedBranch" , doGitPushTestRepository ( dstPath , "origin" , "protected" ) )
t . Run ( "ProtectProtectedBranchWhitelist" , doProtectBranch ( ctx , "protected" , baseCtx . Username , "" ) )
2019-05-31 10:12:15 +00:00
t . Run ( "CheckoutMaster" , doGitCheckoutBranch ( dstPath , "master" ) )
t . Run ( "CreateBranchForced" , doGitCreateBranch ( dstPath , "toforce" ) )
t . Run ( "GenerateCommit" , func ( t * testing . T ) {
_ , err := generateCommitWithNewData ( littleSize , dstPath , "user2@example.com" , "User Two" , "branch-data-file-" )
assert . NoError ( t , err )
} )
t . Run ( "FailToForcePushToProtectedBranch" , doGitPushTestRepositoryFail ( dstPath , "-f" , "origin" , "toforce:protected" ) )
t . Run ( "MergeProtectedToToforce" , doGitMerge ( dstPath , "protected" ) )
t . Run ( "PushToProtectedBranch" , doGitPushTestRepository ( dstPath , "origin" , "toforce:protected" ) )
t . Run ( "CheckoutMasterAgain" , doGitCheckoutBranch ( dstPath , "master" ) )
}
}
2021-12-20 04:41:31 +00:00
func doProtectBranch ( ctx APITestContext , branch , userToWhitelist , unprotectedFilePatterns string ) func ( t * testing . T ) {
2019-05-31 10:12:15 +00:00
// We are going to just use the owner to set the protection.
return func ( t * testing . T ) {
csrf := GetCSRF ( t , ctx . Session , fmt . Sprintf ( "/%s/%s/settings/branches" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) ) )
if userToWhitelist == "" {
// Change branch to protected
2023-01-16 08:00:22 +00:00
req := NewRequestWithValues ( t , "POST" , fmt . Sprintf ( "/%s/%s/settings/branches/edit" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) ) , map [ string ] string {
2021-09-11 14:21:17 +00:00
"_csrf" : csrf ,
2023-01-16 08:00:22 +00:00
"rule_name" : branch ,
2021-09-11 14:21:17 +00:00
"unprotected_file_patterns" : unprotectedFilePatterns ,
2019-05-31 10:12:15 +00:00
} )
2022-03-23 04:54:07 +00:00
ctx . Session . MakeRequest ( t , req , http . StatusSeeOther )
2019-05-31 10:12:15 +00:00
} else {
2022-05-20 14:08:52 +00:00
user , err := user_model . GetUserByName ( db . DefaultContext , userToWhitelist )
2019-05-31 10:12:15 +00:00
assert . NoError ( t , err )
// Change branch to protected
2023-01-16 08:00:22 +00:00
req := NewRequestWithValues ( t , "POST" , fmt . Sprintf ( "/%s/%s/settings/branches/edit" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) ) , map [ string ] string {
2021-09-11 14:21:17 +00:00
"_csrf" : csrf ,
2023-01-16 08:00:22 +00:00
"rule_name" : branch ,
2021-09-11 14:21:17 +00:00
"enable_push" : "whitelist" ,
"enable_whitelist" : "on" ,
"whitelist_users" : strconv . FormatInt ( user . ID , 10 ) ,
"unprotected_file_patterns" : unprotectedFilePatterns ,
2019-05-31 10:12:15 +00:00
} )
2022-03-23 04:54:07 +00:00
ctx . Session . MakeRequest ( t , req , http . StatusSeeOther )
2019-05-31 10:12:15 +00:00
}
// Check if master branch has been locked successfully
2023-04-13 19:45:33 +00:00
flashCookie := ctx . Session . GetCookie ( gitea_context . CookieNameFlash )
2019-05-31 10:12:15 +00:00
assert . NotNil ( t , flashCookie )
2023-04-17 22:04:26 +00:00
assert . EqualValues ( t , "success%3DBranch%2Bprotection%2Bfor%2Brule%2B%2522" + url . QueryEscape ( branch ) + "%2522%2Bhas%2Bbeen%2Bupdated." , flashCookie . Value )
2019-05-31 10:12:15 +00:00
}
}
2019-06-22 17:35:34 +00:00
func doMergeFork ( ctx , baseCtx APITestContext , baseBranch , headBranch string ) func ( t * testing . T ) {
return func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2019-06-22 17:35:34 +00:00
var pr api . PullRequest
var err error
2020-04-28 08:32:23 +00:00
// Create a test pullrequest
2019-06-22 17:35:34 +00:00
t . Run ( "CreatePullRequest" , func ( t * testing . T ) {
pr , err = doAPICreatePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , baseBranch , headBranch ) ( t )
assert . NoError ( t , err )
} )
2020-04-28 08:32:23 +00:00
// Ensure the PR page works
t . Run ( "EnsureCanSeePull" , doEnsureCanSeePull ( baseCtx , pr ) )
// Then get the diff string
2021-04-06 16:44:02 +00:00
var diffHash string
2021-04-10 08:27:29 +00:00
var diffLength int
2020-04-03 13:21:41 +00:00
t . Run ( "GetDiff" , func ( t * testing . T ) {
req := NewRequest ( t , "GET" , fmt . Sprintf ( "/%s/%s/pulls/%d.diff" , url . PathEscape ( baseCtx . Username ) , url . PathEscape ( baseCtx . Reponame ) , pr . Index ) )
2021-04-06 16:44:02 +00:00
resp := ctx . Session . MakeRequestNilResponseHashSumRecorder ( t , req , http . StatusOK )
diffHash = string ( resp . Hash . Sum ( nil ) )
2021-04-10 08:27:29 +00:00
diffLength = resp . Length
2020-04-03 13:21:41 +00:00
} )
2020-04-28 08:32:23 +00:00
// Now: Merge the PR & make sure that doesn't break the PR page or change its diff
2019-06-22 17:35:34 +00:00
t . Run ( "MergePR" , doAPIMergePullRequest ( baseCtx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
2020-04-28 08:32:23 +00:00
t . Run ( "EnsureCanSeePull" , doEnsureCanSeePull ( baseCtx , pr ) )
2021-04-10 08:27:29 +00:00
t . Run ( "CheckPR" , func ( t * testing . T ) {
oldMergeBase := pr . MergeBase
pr2 , err := doAPIGetPullRequest ( baseCtx , baseCtx . Username , baseCtx . Reponame , pr . Index ) ( t )
assert . NoError ( t , err )
assert . Equal ( t , oldMergeBase , pr2 . MergeBase )
} )
t . Run ( "EnsurDiffNoChange" , doEnsureDiffNoChange ( baseCtx , pr , diffHash , diffLength ) )
2020-04-28 08:32:23 +00:00
// Then: Delete the head branch & make sure that doesn't break the PR page or change its diff
2020-04-03 13:21:41 +00:00
t . Run ( "DeleteHeadBranch" , doBranchDelete ( baseCtx , baseCtx . Username , baseCtx . Reponame , headBranch ) )
2020-04-28 08:32:23 +00:00
t . Run ( "EnsureCanSeePull" , doEnsureCanSeePull ( baseCtx , pr ) )
2021-04-10 08:27:29 +00:00
t . Run ( "EnsureDiffNoChange" , doEnsureDiffNoChange ( baseCtx , pr , diffHash , diffLength ) )
2020-04-28 08:32:23 +00:00
// Delete the head repository & make sure that doesn't break the PR page or change its diff
t . Run ( "DeleteHeadRepository" , doAPIDeleteRepository ( ctx ) )
t . Run ( "EnsureCanSeePull" , doEnsureCanSeePull ( baseCtx , pr ) )
2021-04-10 08:27:29 +00:00
t . Run ( "EnsureDiffNoChange" , doEnsureDiffNoChange ( baseCtx , pr , diffHash , diffLength ) )
2020-04-28 08:32:23 +00:00
}
}
2021-03-04 03:41:23 +00:00
func doCreatePRAndSetManuallyMerged ( ctx , baseCtx APITestContext , dstPath , baseBranch , headBranch string ) func ( t * testing . T ) {
return func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2021-03-04 03:41:23 +00:00
var (
pr api . PullRequest
err error
lastCommitID string
)
trueBool := true
falseBool := false
t . Run ( "AllowSetManuallyMergedAndSwitchOffAutodetectManualMerge" , doAPIEditRepository ( baseCtx , & api . EditRepoOption {
HasPullRequests : & trueBool ,
AllowManualMerge : & trueBool ,
AutodetectManualMerge : & falseBool ,
} ) )
t . Run ( "CreateHeadBranch" , doGitCreateBranch ( dstPath , headBranch ) )
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-04 02:30:43 +00:00
t . Run ( "PushToHeadBranch" , doGitPushTestRepository ( dstPath , "origin" , headBranch ) )
2021-03-04 03:41:23 +00:00
t . Run ( "CreateEmptyPullRequest" , func ( t * testing . T ) {
pr , err = doAPICreatePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , baseBranch , headBranch ) ( t )
assert . NoError ( t , err )
} )
lastCommitID = pr . Base . Sha
t . Run ( "ManuallyMergePR" , doAPIManuallyMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , lastCommitID , pr . Index ) )
}
}
2020-04-28 08:32:23 +00:00
func doEnsureCanSeePull ( ctx APITestContext , pr api . PullRequest ) func ( t * testing . T ) {
return func ( t * testing . T ) {
req := NewRequest ( t , "GET" , fmt . Sprintf ( "/%s/%s/pulls/%d" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) , pr . Index ) )
ctx . Session . MakeRequest ( t , req , http . StatusOK )
req = NewRequest ( t , "GET" , fmt . Sprintf ( "/%s/%s/pulls/%d/files" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) , pr . Index ) )
ctx . Session . MakeRequest ( t , req , http . StatusOK )
req = NewRequest ( t , "GET" , fmt . Sprintf ( "/%s/%s/pulls/%d/commits" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) , pr . Index ) )
ctx . Session . MakeRequest ( t , req , http . StatusOK )
}
}
2021-04-10 08:27:29 +00:00
func doEnsureDiffNoChange ( ctx APITestContext , pr api . PullRequest , diffHash string , diffLength int ) func ( t * testing . T ) {
2020-04-28 08:32:23 +00:00
return func ( t * testing . T ) {
req := NewRequest ( t , "GET" , fmt . Sprintf ( "/%s/%s/pulls/%d.diff" , url . PathEscape ( ctx . Username ) , url . PathEscape ( ctx . Reponame ) , pr . Index ) )
2021-04-06 16:44:02 +00:00
resp := ctx . Session . MakeRequestNilResponseHashSumRecorder ( t , req , http . StatusOK )
actual := string ( resp . Hash . Sum ( nil ) )
2021-04-10 08:27:29 +00:00
actualLength := resp . Length
2021-03-21 19:51:54 +00:00
2021-04-06 16:44:02 +00:00
equal := diffHash == actual
2021-04-10 08:27:29 +00:00
assert . True ( t , equal , "Unexpected change in the diff string: expected hash: %s size: %d but was actually: %s size: %d" , hex . EncodeToString ( [ ] byte ( diffHash ) ) , diffLength , hex . EncodeToString ( [ ] byte ( actual ) ) , actualLength )
2019-06-22 17:35:34 +00:00
}
}
2019-12-15 02:49:52 +00:00
func doPushCreate ( ctx APITestContext , u * url . URL ) func ( t * testing . T ) {
return func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2020-04-28 08:32:23 +00:00
// create a context for a currently non-existent repository
2019-12-15 02:49:52 +00:00
ctx . Reponame = fmt . Sprintf ( "repo-tmp-push-create-%s" , u . Scheme )
u . Path = ctx . GitPath ( )
2020-04-28 08:32:23 +00:00
// Create a temporary directory
2022-09-04 15:14:53 +00:00
tmpDir := t . TempDir ( )
2019-12-15 02:49:52 +00:00
2020-04-28 08:32:23 +00:00
// Now create local repository to push as our test and set its origin
t . Run ( "InitTestRepository" , doGitInitTestRepository ( tmpDir ) )
t . Run ( "AddRemote" , doGitAddRemote ( tmpDir , "origin" , u ) )
2019-12-15 02:49:52 +00:00
2020-04-28 08:32:23 +00:00
// Disable "Push To Create" and attempt to push
2019-12-15 02:49:52 +00:00
setting . Repository . EnablePushCreateUser = false
2020-04-28 08:32:23 +00:00
t . Run ( "FailToPushAndCreateTestRepository" , doGitPushTestRepositoryFail ( tmpDir , "origin" , "master" ) )
2019-12-15 02:49:52 +00:00
2020-04-28 08:32:23 +00:00
// Enable "Push To Create"
2019-12-15 02:49:52 +00:00
setting . Repository . EnablePushCreateUser = true
2020-02-05 09:40:35 +00:00
2020-04-28 08:32:23 +00:00
// Assert that cloning from a non-existent repository does not create it and that it definitely wasn't create above
t . Run ( "FailToCloneFromNonExistentRepository" , doGitCloneFail ( u ) )
2020-02-05 09:40:35 +00:00
2020-04-28 08:32:23 +00:00
// Then "Push To Create"x
t . Run ( "SuccessfullyPushAndCreateTestRepository" , doGitPushTestRepository ( tmpDir , "origin" , "master" ) )
2019-12-15 02:49:52 +00:00
2020-04-28 08:32:23 +00:00
// Finally, fetch repo from database and ensure the correct repository has been created
2022-12-03 02:48:26 +00:00
repo , err := repo_model . GetRepositoryByOwnerAndName ( db . DefaultContext , ctx . Username , ctx . Reponame )
2019-12-15 02:49:52 +00:00
assert . NoError ( t , err )
assert . False ( t , repo . IsEmpty )
assert . True ( t , repo . IsPrivate )
2020-04-28 08:32:23 +00:00
// Now add a remote that is invalid to "Push To Create"
invalidCtx := ctx
invalidCtx . Reponame = fmt . Sprintf ( "invalid/repo-tmp-push-create-%s" , u . Scheme )
u . Path = invalidCtx . GitPath ( )
t . Run ( "AddInvalidRemote" , doGitAddRemote ( tmpDir , "invalid" , u ) )
// Fail to "Push To Create" the invalid
t . Run ( "FailToPushAndCreateInvalidTestRepository" , doGitPushTestRepositoryFail ( tmpDir , "invalid" , "master" ) )
2019-12-15 02:49:52 +00:00
}
}
2020-04-03 13:21:41 +00:00
func doBranchDelete ( ctx APITestContext , owner , repo , branch string ) func ( * testing . T ) {
return func ( t * testing . T ) {
csrf := GetCSRF ( t , ctx . Session , fmt . Sprintf ( "/%s/%s/branches" , url . PathEscape ( owner ) , url . PathEscape ( repo ) ) )
req := NewRequestWithValues ( t , "POST" , fmt . Sprintf ( "/%s/%s/branches/delete?name=%s" , url . PathEscape ( owner ) , url . PathEscape ( repo ) , url . QueryEscape ( branch ) ) , map [ string ] string {
"_csrf" : csrf ,
} )
ctx . Session . MakeRequest ( t , req , http . StatusOK )
}
}
2021-07-28 09:42:56 +00:00
2022-05-07 17:05:52 +00:00
func doAutoPRMerge ( baseCtx * APITestContext , dstPath string ) func ( t * testing . T ) {
return func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2022-05-07 17:05:52 +00:00
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 18:57:16 +00:00
ctx := NewAPITestContext ( t , baseCtx . Username , baseCtx . Reponame , auth_model . AccessTokenScopeWriteRepository )
2022-05-07 17:05:52 +00:00
t . Run ( "CheckoutProtected" , doGitCheckoutBranch ( dstPath , "protected" ) )
t . Run ( "PullProtected" , doGitPull ( dstPath , "origin" , "protected" ) )
t . Run ( "GenerateCommit" , func ( t * testing . T ) {
_ , err := generateCommitWithNewData ( littleSize , dstPath , "user2@example.com" , "User Two" , "branch-data-file-" )
assert . NoError ( t , err )
} )
t . Run ( "PushToUnprotectedBranch" , doGitPushTestRepository ( dstPath , "origin" , "protected:unprotected3" ) )
var pr api . PullRequest
var err error
t . Run ( "CreatePullRequest" , func ( t * testing . T ) {
pr , err = doAPICreatePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , "protected" , "unprotected3" ) ( t )
assert . NoError ( t , err )
} )
// Request repository commits page
req := NewRequest ( t , "GET" , fmt . Sprintf ( "/%s/%s/pulls/%d/commits" , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
resp := ctx . Session . MakeRequest ( t , req , http . StatusOK )
doc := NewHTMLParser ( t , resp . Body )
// Get first commit URL
commitURL , exists := doc . doc . Find ( "#commits-table tbody tr td.sha a" ) . Last ( ) . Attr ( "href" )
assert . True ( t , exists )
assert . NotEmpty ( t , commitURL )
commitID := path . Base ( commitURL )
2023-02-20 08:43:04 +00:00
addCommitStatus := func ( status api . CommitStatusState ) func ( * testing . T ) {
return doAPICreateCommitStatus ( ctx , commitID , api . CreateStatusOption {
State : status ,
TargetURL : "http://test.ci/" ,
Description : "" ,
Context : "testci" ,
} )
}
2022-05-07 17:05:52 +00:00
// Call API to add Pending status for commit
2023-02-20 08:43:04 +00:00
t . Run ( "CreateStatus" , addCommitStatus ( api . CommitStatusPending ) )
2022-05-07 17:05:52 +00:00
// Cancel not existing auto merge
ctx . ExpectedCode = http . StatusNotFound
t . Run ( "CancelAutoMergePR" , doAPICancelAutoMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
// Add auto merge request
ctx . ExpectedCode = http . StatusCreated
t . Run ( "AutoMergePR" , doAPIAutoMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
// Can not create schedule twice
ctx . ExpectedCode = http . StatusConflict
t . Run ( "AutoMergePRTwice" , doAPIAutoMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
// Cancel auto merge request
ctx . ExpectedCode = http . StatusNoContent
t . Run ( "CancelAutoMergePR" , doAPICancelAutoMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
// Add auto merge request
ctx . ExpectedCode = http . StatusCreated
t . Run ( "AutoMergePR" , doAPIAutoMergePullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) )
// Check pr status
ctx . ExpectedCode = 0
pr , err = doAPIGetPullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) ( t )
assert . NoError ( t , err )
assert . False ( t , pr . HasMerged )
// Call API to add Failure status for commit
2023-02-20 08:43:04 +00:00
t . Run ( "CreateStatus" , addCommitStatus ( api . CommitStatusFailure ) )
2022-05-07 17:05:52 +00:00
// Check pr status
pr , err = doAPIGetPullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) ( t )
assert . NoError ( t , err )
assert . False ( t , pr . HasMerged )
// Call API to add Success status for commit
2023-02-20 08:43:04 +00:00
t . Run ( "CreateStatus" , addCommitStatus ( api . CommitStatusSuccess ) )
2022-05-07 17:05:52 +00:00
// wait to let gitea merge stuff
time . Sleep ( time . Second )
// test pr status
pr , err = doAPIGetPullRequest ( ctx , baseCtx . Username , baseCtx . Reponame , pr . Index ) ( t )
assert . NoError ( t , err )
assert . True ( t , pr . HasMerged )
}
}
2021-07-28 09:42:56 +00:00
func doCreateAgitFlowPull ( dstPath string , ctx * APITestContext , baseBranch , headBranch string ) func ( t * testing . T ) {
return func ( t * testing . T ) {
2022-09-02 19:18:23 +00:00
defer tests . PrintCurrentTest ( t ) ( )
2021-07-28 09:42:56 +00:00
// skip this test if git version is low
if git . CheckGitVersionAtLeast ( "2.29" ) != nil {
return
}
2022-03-29 19:13:41 +00:00
gitRepo , err := git . OpenRepository ( git . DefaultContext , dstPath )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
defer gitRepo . Close ( )
var (
2022-06-13 09:37:59 +00:00
pr1 , pr2 * issues_model . PullRequest
2021-07-28 09:42:56 +00:00
commit string
)
2022-12-03 02:48:26 +00:00
repo , err := repo_model . GetRepositoryByOwnerAndName ( db . DefaultContext , ctx . Username , ctx . Reponame )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
2022-06-13 09:37:59 +00:00
pullNum := unittest . GetCount ( t , & issues_model . PullRequest { } )
2021-07-28 09:42:56 +00:00
t . Run ( "CreateHeadBranch" , doGitCreateBranch ( dstPath , headBranch ) )
t . Run ( "AddCommit" , func ( t * testing . T ) {
2022-01-20 17:46:10 +00:00
err := os . WriteFile ( path . Join ( dstPath , "test_file" ) , [ ] byte ( "## test content" ) , 0 o666 )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
err = git . AddChanges ( dstPath , true )
assert . NoError ( t , err )
err = git . CommitChanges ( dstPath , git . CommitChangesOptions {
Committer : & git . Signature {
Email : "user2@example.com" ,
Name : "user2" ,
When : time . Now ( ) ,
} ,
Author : & git . Signature {
Email : "user2@example.com" ,
Name : "user2" ,
When : time . Now ( ) ,
} ,
Message : "Testing commit 1" ,
} )
assert . NoError ( t , err )
commit , err = gitRepo . GetRefCommitID ( "HEAD" )
assert . NoError ( t , err )
} )
t . Run ( "Push" , func ( t * testing . T ) {
2022-10-23 14:44:45 +00:00
err := git . NewCommand ( git . DefaultContext , "push" , "origin" , "HEAD:refs/for/master" , "-o" ) . AddDynamicArguments ( "topic=" + headBranch ) . Run ( & git . RunOpts { Dir : dstPath } )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
2022-06-13 09:37:59 +00:00
unittest . AssertCount ( t , & issues_model . PullRequest { } , pullNum + 1 )
pr1 = unittest . AssertExistsAndLoadBean ( t , & issues_model . PullRequest {
2021-07-28 09:42:56 +00:00
HeadRepoID : repo . ID ,
2022-06-13 09:37:59 +00:00
Flow : issues_model . PullRequestFlowAGit ,
2022-08-16 02:22:25 +00:00
} )
2021-07-28 09:42:56 +00:00
if ! assert . NotEmpty ( t , pr1 ) {
return
}
prMsg , err := doAPIGetPullRequest ( * ctx , ctx . Username , ctx . Reponame , pr1 . Index ) ( t )
if ! assert . NoError ( t , err ) {
return
}
assert . Equal ( t , "user2/" + headBranch , pr1 . HeadBranch )
2023-04-22 21:56:27 +00:00
assert . False ( t , prMsg . HasMerged )
2021-07-28 09:42:56 +00:00
assert . Contains ( t , "Testing commit 1" , prMsg . Body )
assert . Equal ( t , commit , prMsg . Head . Sha )
2022-10-23 14:44:45 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "push" , "origin" ) . AddDynamicArguments ( "HEAD:refs/for/master/test/" + headBranch ) . RunStdString ( & git . RunOpts { Dir : dstPath } )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
2022-06-13 09:37:59 +00:00
unittest . AssertCount ( t , & issues_model . PullRequest { } , pullNum + 2 )
pr2 = unittest . AssertExistsAndLoadBean ( t , & issues_model . PullRequest {
2021-07-28 09:42:56 +00:00
HeadRepoID : repo . ID ,
Index : pr1 . Index + 1 ,
2022-06-13 09:37:59 +00:00
Flow : issues_model . PullRequestFlowAGit ,
2022-08-16 02:22:25 +00:00
} )
2021-07-28 09:42:56 +00:00
if ! assert . NotEmpty ( t , pr2 ) {
return
}
prMsg , err = doAPIGetPullRequest ( * ctx , ctx . Username , ctx . Reponame , pr2 . Index ) ( t )
if ! assert . NoError ( t , err ) {
return
}
assert . Equal ( t , "user2/test/" + headBranch , pr2 . HeadBranch )
2023-04-22 21:56:27 +00:00
assert . False ( t , prMsg . HasMerged )
2021-07-28 09:42:56 +00:00
} )
if pr1 == nil || pr2 == nil {
return
}
t . Run ( "AddCommit2" , func ( t * testing . T ) {
2022-01-20 17:46:10 +00:00
err := os . WriteFile ( path . Join ( dstPath , "test_file" ) , [ ] byte ( "## test content \n ## test content 2" ) , 0 o666 )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
err = git . AddChanges ( dstPath , true )
assert . NoError ( t , err )
err = git . CommitChanges ( dstPath , git . CommitChangesOptions {
Committer : & git . Signature {
Email : "user2@example.com" ,
Name : "user2" ,
When : time . Now ( ) ,
} ,
Author : & git . Signature {
Email : "user2@example.com" ,
Name : "user2" ,
When : time . Now ( ) ,
} ,
Message : "Testing commit 2" ,
} )
assert . NoError ( t , err )
commit , err = gitRepo . GetRefCommitID ( "HEAD" )
assert . NoError ( t , err )
} )
t . Run ( "Push2" , func ( t * testing . T ) {
2022-10-23 14:44:45 +00:00
err := git . NewCommand ( git . DefaultContext , "push" , "origin" , "HEAD:refs/for/master" , "-o" ) . AddDynamicArguments ( "topic=" + headBranch ) . Run ( & git . RunOpts { Dir : dstPath } )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
2022-06-13 09:37:59 +00:00
unittest . AssertCount ( t , & issues_model . PullRequest { } , pullNum + 2 )
2021-07-28 09:42:56 +00:00
prMsg , err := doAPIGetPullRequest ( * ctx , ctx . Username , ctx . Reponame , pr1 . Index ) ( t )
if ! assert . NoError ( t , err ) {
return
}
2023-04-22 21:56:27 +00:00
assert . False ( t , prMsg . HasMerged )
2021-07-28 09:42:56 +00:00
assert . Equal ( t , commit , prMsg . Head . Sha )
2022-10-23 14:44:45 +00:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "push" , "origin" ) . AddDynamicArguments ( "HEAD:refs/for/master/test/" + headBranch ) . RunStdString ( & git . RunOpts { Dir : dstPath } )
2021-07-28 09:42:56 +00:00
if ! assert . NoError ( t , err ) {
return
}
2022-06-13 09:37:59 +00:00
unittest . AssertCount ( t , & issues_model . PullRequest { } , pullNum + 2 )
2021-07-28 09:42:56 +00:00
prMsg , err = doAPIGetPullRequest ( * ctx , ctx . Username , ctx . Reponame , pr2 . Index ) ( t )
if ! assert . NoError ( t , err ) {
return
}
2023-04-22 21:56:27 +00:00
assert . False ( t , prMsg . HasMerged )
2021-07-28 09:42:56 +00:00
assert . Equal ( t , commit , prMsg . Head . Sha )
} )
t . Run ( "Merge" , doAPIMergePullRequest ( * ctx , ctx . Username , ctx . Reponame , pr1 . Index ) )
t . Run ( "CheckoutMasterAgain" , doGitCheckoutBranch ( dstPath , "master" ) )
}
}