mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-12-23 00:46:30 +00:00
Fix agent auth (#1952)
if no global agent secret set, disable agent registration via it
This commit is contained in:
parent
cef135eba5
commit
6c58e9db9b
4 changed files with 41 additions and 28 deletions
|
@ -26,6 +26,7 @@ import (
|
|||
|
||||
"github.com/woodpecker-ci/woodpecker/server"
|
||||
"github.com/woodpecker-ci/woodpecker/server/model"
|
||||
"github.com/woodpecker-ci/woodpecker/server/router/middleware"
|
||||
"github.com/woodpecker-ci/woodpecker/server/store"
|
||||
"github.com/woodpecker-ci/woodpecker/server/store/types"
|
||||
"github.com/woodpecker-ci/woodpecker/shared/httputil"
|
||||
|
@ -63,7 +64,7 @@ func HandleAuth(c *gin.Context) {
|
|||
if tmpuser == nil {
|
||||
return
|
||||
}
|
||||
config := ToConfig(c)
|
||||
config := middleware.GetConfig(c)
|
||||
|
||||
// get the user from the database
|
||||
u, err := _store.GetUserRemoteID(tmpuser.ForgeRemoteID, tmpuser.Login)
|
||||
|
@ -227,9 +228,3 @@ type tokenPayload struct {
|
|||
Refresh string `json:"refresh_token,omitempty"`
|
||||
Expires int64 `json:"expires_in,omitempty"`
|
||||
}
|
||||
|
||||
// ToConfig returns the config from the Context
|
||||
func ToConfig(c *gin.Context) *model.Settings {
|
||||
v := c.MustGet("config")
|
||||
return v.(*model.Settings)
|
||||
}
|
||||
|
|
|
@ -16,13 +16,15 @@ package grpc
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/rs/zerolog/log"
|
||||
|
||||
"github.com/woodpecker-ci/woodpecker/pipeline/rpc/proto"
|
||||
"github.com/woodpecker-ci/woodpecker/server"
|
||||
"github.com/woodpecker-ci/woodpecker/server/model"
|
||||
"github.com/woodpecker-ci/woodpecker/server/store"
|
||||
"github.com/woodpecker-ci/woodpecker/server/store/types"
|
||||
)
|
||||
|
||||
type WoodpeckerAuthServer struct {
|
||||
|
@ -39,7 +41,7 @@ func NewWoodpeckerAuthServer(jwtManager *JWTManager, agentMasterToken string, st
|
|||
func (s *WoodpeckerAuthServer) Auth(_ context.Context, req *proto.AuthRequest) (*proto.AuthResponse, error) {
|
||||
agent, err := s.getAgent(req.AgentId, req.AgentToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, fmt.Errorf("Agent could not auth: %w", err)
|
||||
}
|
||||
|
||||
accessToken, err := s.jwtManager.Generate(agent.ID)
|
||||
|
@ -55,25 +57,37 @@ func (s *WoodpeckerAuthServer) Auth(_ context.Context, req *proto.AuthRequest) (
|
|||
}
|
||||
|
||||
func (s *WoodpeckerAuthServer) getAgent(agentID int64, agentToken string) (*model.Agent, error) {
|
||||
if agentToken == s.agentMasterToken && agentID == -1 {
|
||||
agent := new(model.Agent)
|
||||
agent.Name = ""
|
||||
agent.OwnerID = -1 // system agent
|
||||
agent.Token = server.Config.Server.AgentToken
|
||||
agent.Backend = ""
|
||||
agent.Platform = ""
|
||||
agent.Capacity = -1
|
||||
err := s.store.AgentCreate(agent)
|
||||
if err != nil {
|
||||
log.Err(err).Msgf("Error creating system agent: %s", err)
|
||||
return nil, err
|
||||
// global agent secret auth
|
||||
if s.agentMasterToken != "" {
|
||||
if agentToken == s.agentMasterToken && agentID == -1 {
|
||||
agent := new(model.Agent)
|
||||
agent.Name = ""
|
||||
agent.OwnerID = -1 // system agent
|
||||
agent.Token = s.agentMasterToken
|
||||
agent.Backend = ""
|
||||
agent.Platform = ""
|
||||
agent.Capacity = -1
|
||||
err := s.store.AgentCreate(agent)
|
||||
if err != nil {
|
||||
log.Err(err).Msgf("Error creating system agent: %s", err)
|
||||
return nil, err
|
||||
}
|
||||
return agent, nil
|
||||
}
|
||||
|
||||
if agentToken == s.agentMasterToken {
|
||||
agent, err := s.store.AgentFind(agentID)
|
||||
if err != nil && errors.Is(err, types.RecordNotExist) {
|
||||
return nil, fmt.Errorf("AgentID not found in database")
|
||||
}
|
||||
return agent, err
|
||||
}
|
||||
return agent, nil
|
||||
}
|
||||
|
||||
if agentToken == s.agentMasterToken {
|
||||
return s.store.AgentFind(agentID)
|
||||
// individual agent token auth
|
||||
agent, err := s.store.AgentFindByToken(agentToken)
|
||||
if err != nil && errors.Is(err, types.RecordNotExist) {
|
||||
return nil, fmt.Errorf("individual agent not found by token: %w", err)
|
||||
}
|
||||
|
||||
return s.store.AgentFindByToken(agentToken)
|
||||
return agent, err
|
||||
}
|
||||
|
|
|
@ -17,7 +17,6 @@ package model
|
|||
// Settings defines system configuration parameters.
|
||||
type Settings struct {
|
||||
Open bool // Enables open registration
|
||||
Secret string // Secret token used to authenticate agents
|
||||
Admins map[string]bool // Administrative users
|
||||
Orgs map[string]bool // Organization whitelist
|
||||
OwnersWhitelist map[string]bool // Owners whitelist
|
||||
|
|
|
@ -36,7 +36,6 @@ func Config(cli *cli.Context) gin.HandlerFunc {
|
|||
func setupConfig(c *cli.Context) *model.Settings {
|
||||
return &model.Settings{
|
||||
Open: c.Bool("open"),
|
||||
Secret: c.String("agent-secret"),
|
||||
Admins: sliceToMap2(c.StringSlice("admin")),
|
||||
Orgs: sliceToMap2(c.StringSlice("orgs")),
|
||||
OwnersWhitelist: sliceToMap2(c.StringSlice("repo-owners")),
|
||||
|
@ -54,3 +53,9 @@ func sliceToMap2(s []string) map[string]bool {
|
|||
}
|
||||
return v
|
||||
}
|
||||
|
||||
// GetConfig returns the config from the Context
|
||||
func GetConfig(c *gin.Context) *model.Settings {
|
||||
v := c.MustGet(configKey)
|
||||
return v.(*model.Settings)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue