mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-03-27 09:23:03 -04:00
2db6210f69
This PR is part of a series (#11311). Adds support for reading and creating repo-secific access tokens through the API via the `GET /users/{username}/tokens`, `POST /users/{username}/tokens`, and `DELETE /users/{username}/tokens/{id}` APIs. Validation rules are included to [restrict repo-specific access tokens to specific scopes](https://codeberg.org/forgejo/design/issues/50#issuecomment-11093951). ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Features - [PR](https://codeberg.org/forgejo/forgejo/pulls/11504): <!--number 11504 --><!--line 0 --><!--description cmVhZCwgY3JlYXRlLCAmIGRlbGV0ZSByZXBvLXNwZWNpZmljIGFjY2VzcyB0b2tlbnMgdmlhIEFQSQ==-->read, create, & delete repo-specific access tokens via API<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11504 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
99 lines
3.3 KiB
Go
99 lines
3.3 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package authz
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"forgejo.org/models/auth"
|
|
"forgejo.org/models/unittest"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestGetAuthorizationReducerForAccessToken(t *testing.T) {
|
|
defer unittest.OverrideFixtures("services/authz/TestGetAuthorizationReducerForAccessToken")()
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
t.Run("all access", func(t *testing.T) {
|
|
token := unittest.AssertExistsAndLoadBean(t, &auth.AccessToken{ID: 5})
|
|
reducer, err := GetAuthorizationReducerForAccessToken(t.Context(), token)
|
|
require.NoError(t, err)
|
|
assert.IsType(t, &AllAccessAuthorizationReducer{}, reducer)
|
|
})
|
|
|
|
t.Run("public resources only", func(t *testing.T) {
|
|
token := unittest.AssertExistsAndLoadBean(t, &auth.AccessToken{ID: 6})
|
|
reducer, err := GetAuthorizationReducerForAccessToken(t.Context(), token)
|
|
require.NoError(t, err)
|
|
assert.IsType(t, &PublicReposAuthorizationReducer{}, reducer)
|
|
})
|
|
|
|
t.Run("specific repos only", func(t *testing.T) {
|
|
token := unittest.AssertExistsAndLoadBean(t, &auth.AccessToken{ID: 7})
|
|
reducer, err := GetAuthorizationReducerForAccessToken(t.Context(), token)
|
|
require.NoError(t, err)
|
|
|
|
specific, ok := reducer.(*SpecificReposAuthorizationReducer)
|
|
require.True(t, ok)
|
|
require.NotNil(t, specific)
|
|
|
|
require.Len(t, specific.resourceRepos, 1)
|
|
assert.EqualValues(t, 1, specific.resourceRepos[0].RepoID)
|
|
})
|
|
}
|
|
|
|
func TestValidateAccessToken(t *testing.T) {
|
|
t.Run("valid - all access", func(t *testing.T) {
|
|
token := &auth.AccessToken{
|
|
ResourceAllRepos: true,
|
|
Scope: auth.AccessTokenScopeReadRepository,
|
|
}
|
|
err := ValidateAccessToken(token, nil)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("valid - specified repos", func(t *testing.T) {
|
|
token := &auth.AccessToken{
|
|
ResourceAllRepos: false,
|
|
Scope: auth.AccessTokenScopeReadRepository,
|
|
}
|
|
resources := []*auth.AccessTokenResourceRepo{{RepoID: 12}}
|
|
err := ValidateAccessToken(token, resources)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("invalid - no specified repos", func(t *testing.T) {
|
|
token := &auth.AccessToken{
|
|
ResourceAllRepos: false,
|
|
Scope: auth.AccessTokenScopeReadRepository,
|
|
}
|
|
resources := []*auth.AccessTokenResourceRepo{}
|
|
err := ValidateAccessToken(token, resources)
|
|
require.ErrorIs(t, err, ErrSpecifiedReposNone)
|
|
})
|
|
|
|
t.Run("invalid - specified repos & public-only", func(t *testing.T) {
|
|
token := &auth.AccessToken{
|
|
ResourceAllRepos: false,
|
|
Scope: auth.AccessTokenScope(strings.Join([]string{string(auth.AccessTokenScopePublicOnly), string(auth.AccessTokenScopeReadRepository)}, ",")),
|
|
}
|
|
resources := []*auth.AccessTokenResourceRepo{{RepoID: 12}}
|
|
err := ValidateAccessToken(token, resources)
|
|
require.ErrorIs(t, err, ErrSpecifiedReposNoPublicOnly)
|
|
})
|
|
|
|
t.Run("invalid - specified repos unsupported scopes", func(t *testing.T) {
|
|
token := &auth.AccessToken{
|
|
ResourceAllRepos: false,
|
|
Scope: auth.AccessTokenScopeReadAdmin,
|
|
}
|
|
resources := []*auth.AccessTokenResourceRepo{{RepoID: 12}}
|
|
err := ValidateAccessToken(token, resources)
|
|
require.ErrorIs(t, err, ErrSpecifiedReposInvalidScope)
|
|
require.ErrorContains(t, err, string(auth.AccessTokenScopeReadAdmin))
|
|
})
|
|
}
|