mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-03-26 17:33:04 -04:00
2db6210f69
This PR is part of a series (#11311). Adds support for reading and creating repo-secific access tokens through the API via the `GET /users/{username}/tokens`, `POST /users/{username}/tokens`, and `DELETE /users/{username}/tokens/{id}` APIs. Validation rules are included to [restrict repo-specific access tokens to specific scopes](https://codeberg.org/forgejo/design/issues/50#issuecomment-11093951). ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Features - [PR](https://codeberg.org/forgejo/forgejo/pulls/11504): <!--number 11504 --><!--line 0 --><!--description cmVhZCwgY3JlYXRlLCAmIGRlbGV0ZSByZXBvLXNwZWNpZmljIGFjY2VzcyB0b2tlbnMgdmlhIEFQSQ==-->read, create, & delete repo-specific access tokens via API<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11504 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
82 lines
3.1 KiB
Go
82 lines
3.1 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package authz
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
)
|
|
|
|
func GetAuthorizationReducerForAccessToken(ctx context.Context, token *auth_model.AccessToken) (AuthorizationReducer, error) {
|
|
if token.ResourceAllRepos {
|
|
if publicOnly, err := token.Scope.PublicOnly(); err != nil {
|
|
return nil, fmt.Errorf("PublicOnly: %w", err)
|
|
} else if publicOnly {
|
|
return &PublicReposAuthorizationReducer{}, nil
|
|
}
|
|
return &AllAccessAuthorizationReducer{}, nil
|
|
}
|
|
|
|
repos, err := auth_model.GetRepositoriesAccessibleWithToken(ctx, token.ID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("GetRepositoriesAccessibleWithToken: %w", err)
|
|
}
|
|
return &SpecificReposAuthorizationReducer{resourceRepos: repos}, nil
|
|
}
|
|
|
|
// A locale lookup string for the error -- eg. `access_token.error.invalid_something`
|
|
type AccessTokenValidationFailure string
|
|
|
|
// Validate that an access token's state is valid for creation. For example, that it doesn't have a conflicting set of
|
|
// resources (public-only and specific repositories), and other similar checks.
|
|
func ValidateAccessToken(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
|
|
// Other validations may be added here in the future.
|
|
return validateRepositoryResource(token, repoResources)
|
|
}
|
|
|
|
var (
|
|
ErrSpecifiedReposNone = errors.New("specified repository access token: must have at least one repository")
|
|
ErrSpecifiedReposNoPublicOnly = errors.New("specified repository access token: cannot be combined with public-only scope")
|
|
ErrSpecifiedReposInvalidScope = errors.New("specified repository access token: invalid scope")
|
|
)
|
|
|
|
func validateRepositoryResource(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
|
|
// Access tokens with broad access to all resources don't have any relevant validation rules to apply.
|
|
if token.ResourceAllRepos {
|
|
return nil
|
|
}
|
|
|
|
// Repo-specific access token must have at least one repository.
|
|
if len(repoResources) == 0 {
|
|
return ErrSpecifiedReposNone
|
|
}
|
|
|
|
// Can't have public-only and specified repos -- that's a combination that doesn't make sense.
|
|
if publicOnly, err := token.Scope.PublicOnly(); err != nil {
|
|
return err
|
|
} else if publicOnly {
|
|
return ErrSpecifiedReposNoPublicOnly
|
|
}
|
|
|
|
// Repo-specific access tokens are only effective at restricting permissions if they are limited to the scopes that
|
|
// support repositories as a resource. For example, if you had a repo-specific token but then gave it
|
|
// `write:organization`, it would be able to do operations like delete an organization -- permission checks on the
|
|
// repository resources wouldn't be applicable to the organization resources.
|
|
for _, scope := range token.Scope.StringSlice() {
|
|
switch auth_model.AccessTokenScope(scope) {
|
|
case auth_model.AccessTokenScopeReadIssue,
|
|
auth_model.AccessTokenScopeWriteIssue,
|
|
auth_model.AccessTokenScopeReadRepository,
|
|
auth_model.AccessTokenScopeWriteRepository:
|
|
continue
|
|
default:
|
|
return fmt.Errorf("%w: cannot be combined with scope %s", ErrSpecifiedReposInvalidScope, scope)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|