diff --git a/services/context/permission.go b/services/context/permission.go index 483758141c..b1d02f135c 100644 --- a/services/context/permission.go +++ b/services/context/permission.go @@ -7,9 +7,11 @@ import ( "net/http" auth_model "forgejo.org/models/auth" + "forgejo.org/models/perm" repo_model "forgejo.org/models/repo" "forgejo.org/models/unit" "forgejo.org/modules/log" + "forgejo.org/services/authz" ) // RequireRepoAdmin returns a middleware for requiring repository admin permission @@ -159,4 +161,27 @@ func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_ return } } + + reducer, ok := ctx.Data["ApiTokenReducer"].(authz.AuthorizationReducer) + if ok { + var accessMode perm.AccessMode + switch level { + case auth_model.Read: + accessMode = perm.AccessModeRead + case auth_model.Write: + accessMode = perm.AccessModeWrite + case auth_model.NoAccess: + fallthrough + default: + accessMode = perm.AccessModeNone + } + actualAccessMode, err := reducer.ReduceRepoAccess(ctx, repo, accessMode) + if err != nil { + ctx.ServerError("HasScope", err) + return + } else if actualAccessMode != accessMode { + ctx.Error(http.StatusForbidden) + return + } + } } diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go index 2a68f22f93..f61338e4ee 100644 --- a/tests/integration/git_test.go +++ b/tests/integration/git_test.go @@ -1265,3 +1265,69 @@ func doTestPushMessages(ctx APITestContext, u *url.URL, objectFormat git.ObjectF doAPIDeleteRepository(ctx)(t) } } + +// Cloning a git repo uses CheckRepoScopedToken to validate a PAT; here we run that through all variations of access +// token resource access. +func TestCloneAccessTokenResources(t *testing.T) { + onApplicationRun(t, func(t *testing.T, u *url.URL) { + t.Run("all access token", func(t *testing.T) { + session := loginUser(t, "user2") + allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository) + u.User = url.UserPassword("token", allToken) + + t.Run("allowed public repo1", func(t *testing.T) { + u.Path = "/user2/repo1.git" + doGitClone(t.TempDir(), u)(t) + }) + t.Run("allowed private repo2", func(t *testing.T) { + u.Path = "/user2/repo2.git" + require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), t.TempDir(), git.CloneRepoOptions{})) + }) + // repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline + t.Run("allowed private repo16", func(t *testing.T) { + u.Path = "/user2/repo16.git" + require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), t.TempDir(), git.CloneRepoOptions{})) + }) + }) + + t.Run("public-only access token", func(t *testing.T) { + session := loginUser(t, "user2") + publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadRepository) + u.User = url.UserPassword("token", publicOnlyToken) + + t.Run("allowed public repo1", func(t *testing.T) { + u.Path = "/user2/repo1.git" + doGitClone(t.TempDir(), u)(t) + }) + t.Run("denied private repo2", func(t *testing.T) { + u.Path = "/user2/repo2.git" + doGitCloneFail(u)(t) + }) + t.Run("denied private repo16", func(t *testing.T) { + u.Path = "/user2/repo16.git" + doGitCloneFail(u)(t) + }) + }) + + t.Run("specific repo access token", func(t *testing.T) { + repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2", + []auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadRepository}, + []int64{2}, + ) + u.User = url.UserPassword("token", repo2OnlyToken) + + t.Run("allowed public repo1", func(t *testing.T) { + u.Path = "/user2/repo1.git" + doGitClone(t.TempDir(), u)(t) + }) + t.Run("allowed inside fine-grain repo2", func(t *testing.T) { + u.Path = "/user2/repo2.git" + require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), t.TempDir(), git.CloneRepoOptions{})) + }) + t.Run("denied private outside fine-grain repo16", func(t *testing.T) { + u.Path = "/user2/repo16.git" + doGitCloneFail(u)(t) + }) + }) + }) +} diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go index 6141ceedd2..de915b3cbf 100644 --- a/tests/integration/integration_test.go +++ b/tests/integration/integration_test.go @@ -512,8 +512,6 @@ func createApplicationSettingsToken(t testing.TB, session *TestSession, name str // TODO: currently this is implemented with direct DB access, which is somewhat against the grain for the integration // tests. But fine-grained repo access tokens don't currently have an API or Web UI to create or manage them. This // should be reimplemented when one of those alternatives lands. -// -//nolint:unused // Will be used in the near future. func createFineGrainedRepoAccessToken(t testing.TB, username string, scopes []auth.AccessTokenScope, repoIDs []int64) string { user, err := user_model.GetUserByName(t.Context(), username) require.NoError(t, err)