upstream/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-03-26 23:53:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
forgejo/services/context/api_test.go
Mathieu Fenniak 99984dac4d feat: remove admin-level permissions from repo-specific & public-only access tokens (#11468) 
This PR is part of a series (#11311).

If the user authenticating to an API call is a Forgejo site administrator, or a Forgejo repo administrator, a wide variety of permission and ownership checks in the API are either bypassed, or are bypassable.  If a user has created an access token with restricted resources, I understand the intent of the user is to create a token which has a layer of risk reduction in the event that the token is lost/leaked to an attacker.  For this reason, it makes sense to me that restricted scope access tokens shouldn't inherit the owner's administrator access.

My intent is that repo-specific access tokens [will only be able to access specific authorization scopes](https://codeberg.org/forgejo/design/issues/50#issuecomment-11093951), probably: `repository:read`, `repository:write`, `issue:read`, `issue:write`, (`organization:read` / `user:read` maybe).  This means that *most* admin access is not intended to be affected by this because repo-specific access tokens won't have, for example, `admin:write` scope.  However, administrative access still grants elevated permissions in some areas that are relevant to these scopes, and need to be restricted:

- The `?sudo=otheruser` query parameter allows site administrators to impersonate other users in the API.
- Repository management rules are different for a site administrator, allowing them to create repos for another user, create repos in another organization, migrate a repository to an arbitrary owner, and transfer a repository to a prviate organization.
- Administrators have access to extra data through some APIs which would be in scope: the detailed configuration of branch protection rules, the some details of repository deploy keys (which repo, and which scope -- seems odd), (user:read -- user SSH keys, activity feeds of private users, user profiles of private users, user webhook configurations).
- Pull request reviews have additional perms for repo administrators, including the ability to dismiss PR reviews, delete PR reviews, and view draft PR reviews.
- Repo admins and site admins can comment on locked issues, and related to comments can edit or delete other user's comments and attachments.
- Repo admins can manage and view logged time on behalf of other users.

A handful of these permissions may make sense for repo-specific access tokens, but most of them clearly exceed the risk that would be expected from creating a limited scope access token.  I'd generally prefer to take a restrictive approach, and we can relax it if real-world use-cases come in -- users will have a workaround of creating an access token without repo-specific restrictions if they are blocked from needed access.

**Breaking:** The administration restrictions introduced in this PR affect both repo-specific access tokens, and existing public-only access tokens.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
    - Although repo-specific access tokens are not yet exposed to end users, the breaking changes to public-only tokens will be visible to users and require release notes.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11468
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2026-03-04 16:17:41 +01:00

155 lines
5.1 KiB
Go
Raw Blame History

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package context
import (
"net/http/httptest"
"net/url"
"strconv"
"testing"
perm_model "forgejo.org/models/perm"
access_model "forgejo.org/models/perm/access"
user_model "forgejo.org/models/user"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/authz"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGenAPILinks(t *testing.T) {
defer test.MockVariableValue(&setting.AppURL, "http://localhost:3000/")()
kases := map[string][]string{
"api/v1/repos/jerrykan/example-repo/issues?state=all": {
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=2&state=all>; rel="next"`,
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=5&state=all>; rel="last"`,
},
"api/v1/repos/jerrykan/example-repo/issues?state=all&page=1": {
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=2&state=all>; rel="next"`,
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=5&state=all>; rel="last"`,
},
"api/v1/repos/jerrykan/example-repo/issues?state=all&page=2": {
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=3&state=all>; rel="next"`,
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=5&state=all>; rel="last"`,
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=1&state=all>; rel="first"`,
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=1&state=all>; rel="prev"`,
},
"api/v1/repos/jerrykan/example-repo/issues?state=all&page=5": {
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=1&state=all>; rel="first"`,
`<http://localhost:3000/api/v1/repos/jerrykan/example-repo/issues?page=4&state=all>; rel="prev"`,
},
}
for req, response := range kases {
u, err := url.Parse(setting.AppURL + req)
require.NoError(t, err)
p := u.Query().Get("page")
curPage, _ := strconv.Atoi(p)
links := genAPILinks(u, 100, 20, curPage)
assert.Equal(t, links, response)
}
}
func TestAcceptsGithubResponse(t *testing.T) {
t.Run("Normal", func(t *testing.T) {
req := httptest.NewRequest("GET", "/", nil)
resp := httptest.NewRecorder()
base, baseCleanUp := NewBaseContext(resp, req)
t.Cleanup(baseCleanUp)
ctx := &APIContext{Base: base}
assert.False(t, ctx.AcceptsGithubResponse())
})
t.Run("Accepts Github", func(t *testing.T) {
req := httptest.NewRequest("GET", "/", nil)
req.Header.Add("Accept", "application/vnd.github+json")
resp := httptest.NewRecorder()
base, baseCleanUp := NewBaseContext(resp, req)
t.Cleanup(baseCleanUp)
ctx := &APIContext{Base: base}
assert.True(t, ctx.AcceptsGithubResponse())
})
}
func TestIsUserSiteAdmin(t *testing.T) {
makeCtx := func(t *testing.T, reducer authz.AuthorizationReducer) *APIContext {
req := httptest.NewRequest("GET", "/", nil)
resp := httptest.NewRecorder()
base, baseCleanUp := NewBaseContext(resp, req)
t.Cleanup(baseCleanUp)
ctx := &APIContext{Base: base, Reducer: reducer}
// setup ctx with an admin, and the test cases will modify to false in various ways
ctx.IsSigned = true
ctx.Doer = &user_model.User{IsAdmin: true}
return ctx
}
defaultReducer := authz.NewMockAuthorizationReducer(t)
defaultReducer.On("AllowAdminOverride").Return(true)
t.Run("not authenticated", func(t *testing.T) {
ctx := makeCtx(t, defaultReducer)
ctx.IsSigned = false
assert.False(t, ctx.IsUserSiteAdmin())
})
t.Run("non-admin", func(t *testing.T) {
ctx := makeCtx(t, defaultReducer)
ctx.Doer.IsAdmin = false
assert.False(t, ctx.IsUserSiteAdmin())
})
t.Run("admin", func(t *testing.T) {
ctx := makeCtx(t, defaultReducer)
assert.True(t, ctx.IsUserSiteAdmin())
})
t.Run("admin w/ reducer", func(t *testing.T) {
reducer := authz.NewMockAuthorizationReducer(t)
reducer.On("AllowAdminOverride").Return(false)
ctx := makeCtx(t, reducer)
assert.False(t, ctx.IsUserSiteAdmin())
})
}
func TestIsUserRepoAdmin(t *testing.T) {
makeCtx := func(t *testing.T, reducer authz.AuthorizationReducer) *APIContext {
req := httptest.NewRequest("GET", "/", nil)
resp := httptest.NewRecorder()
base, baseCleanUp := NewBaseContext(resp, req)
t.Cleanup(baseCleanUp)
ctx := &APIContext{Base: base, Reducer: reducer}
// setup ctx with a repo admin, and the test cases will modify to false in various ways
ctx.Repo = &Repository{Permission: access_model.Permission{AccessMode: perm_model.AccessModeAdmin}}
return ctx
}
defaultReducer := authz.NewMockAuthorizationReducer(t)
defaultReducer.On("AllowAdminOverride").Return(true)
t.Run("non-admin", func(t *testing.T) {
ctx := makeCtx(t, defaultReducer)
ctx.Repo.Permission.AccessMode = perm_model.AccessModeWrite
assert.False(t, ctx.IsUserRepoAdmin())
})
t.Run("admin", func(t *testing.T) {
ctx := makeCtx(t, defaultReducer)
assert.True(t, ctx.IsUserRepoAdmin())
})
t.Run("admin w/ reducer", func(t *testing.T) {
reducer := authz.NewMockAuthorizationReducer(t)
reducer.On("AllowAdminOverride").Return(false)
ctx := makeCtx(t, reducer)
assert.False(t, ctx.IsUserRepoAdmin())
})
}
Reference in a new issue View git blame Copy permalink