From f21955caa52abcde4a2439cfaa3c62352a85517a Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sat, 28 Feb 2026 18:00:23 +0100
Subject: [PATCH] feat: implement repo-specific access tokens in git operations
 (#11452)

Repository-specific personal access tokens will allow a user's access tokens to be restricted to accessing zero-or-more specific repositories.  Currently they can be configured as "All", or "Public only", and this project will add a third configuration option allowing specific repositories.

This PR is part of a series (#11311), and builds on the infrastructure work in #11434.  In this PR, repository-specific access tokens are implemented in `CheckRepoScopedToken`, which is a specific codepath used by git operations to check the permissions of an access token.

For larger context on the usage and future incoming work, the description of #11311 can be referenced.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - As repo-specific access tokens are not exposed to end-users, this PR does not require release notes.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11452
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 services/context/permission.go        | 25 ++++++++++
 tests/integration/git_test.go         | 66 +++++++++++++++++++++++++++
 tests/integration/integration_test.go |  2 -
 3 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/services/context/permission.go b/services/context/permission.go
index 483758141c..b1d02f135c 100644
--- a/services/context/permission.go
+++ b/services/context/permission.go
@@ -7,9 +7,11 @@ import (
 	"net/http"
 
 	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/perm"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unit"
 	"forgejo.org/modules/log"
+	"forgejo.org/services/authz"
 )
 
 // RequireRepoAdmin returns a middleware for requiring repository admin permission
@@ -159,4 +161,27 @@ func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_
 			return
 		}
 	}
+
+	reducer, ok := ctx.Data["ApiTokenReducer"].(authz.AuthorizationReducer)
+	if ok {
+		var accessMode perm.AccessMode
+		switch level {
+		case auth_model.Read:
+			accessMode = perm.AccessModeRead
+		case auth_model.Write:
+			accessMode = perm.AccessModeWrite
+		case auth_model.NoAccess:
+			fallthrough
+		default:
+			accessMode = perm.AccessModeNone
+		}
+		actualAccessMode, err := reducer.ReduceRepoAccess(ctx, repo, accessMode)
+		if err != nil {
+			ctx.ServerError("HasScope", err)
+			return
+		} else if actualAccessMode != accessMode {
+			ctx.Error(http.StatusForbidden)
+			return
+		}
+	}
 }
diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go
index 2a68f22f93..f61338e4ee 100644
--- a/tests/integration/git_test.go
+++ b/tests/integration/git_test.go
@@ -1265,3 +1265,69 @@ func doTestPushMessages(ctx APITestContext, u *url.URL, objectFormat git.ObjectF
 		doAPIDeleteRepository(ctx)(t)
 	}
 }
+
+// Cloning a git repo uses CheckRepoScopedToken to validate a PAT; here we run that through all variations of access
+// token resource access.
+func TestCloneAccessTokenResources(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		t.Run("all access token", func(t *testing.T) {
+			session := loginUser(t, "user2")
+			allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
+			u.User = url.UserPassword("token", allToken)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				u.Path = "/user2/repo1.git"
+				doGitClone(t.TempDir(), u)(t)
+			})
+			t.Run("allowed private repo2", func(t *testing.T) {
+				u.Path = "/user2/repo2.git"
+				require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), t.TempDir(), git.CloneRepoOptions{}))
+			})
+			// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+			t.Run("allowed private repo16", func(t *testing.T) {
+				u.Path = "/user2/repo16.git"
+				require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), t.TempDir(), git.CloneRepoOptions{}))
+			})
+		})
+
+		t.Run("public-only access token", func(t *testing.T) {
+			session := loginUser(t, "user2")
+			publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadRepository)
+			u.User = url.UserPassword("token", publicOnlyToken)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				u.Path = "/user2/repo1.git"
+				doGitClone(t.TempDir(), u)(t)
+			})
+			t.Run("denied private repo2", func(t *testing.T) {
+				u.Path = "/user2/repo2.git"
+				doGitCloneFail(u)(t)
+			})
+			t.Run("denied private repo16", func(t *testing.T) {
+				u.Path = "/user2/repo16.git"
+				doGitCloneFail(u)(t)
+			})
+		})
+
+		t.Run("specific repo access token", func(t *testing.T) {
+			repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2",
+				[]auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadRepository},
+				[]int64{2},
+			)
+			u.User = url.UserPassword("token", repo2OnlyToken)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				u.Path = "/user2/repo1.git"
+				doGitClone(t.TempDir(), u)(t)
+			})
+			t.Run("allowed inside fine-grain repo2", func(t *testing.T) {
+				u.Path = "/user2/repo2.git"
+				require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), t.TempDir(), git.CloneRepoOptions{}))
+			})
+			t.Run("denied private outside fine-grain repo16", func(t *testing.T) {
+				u.Path = "/user2/repo16.git"
+				doGitCloneFail(u)(t)
+			})
+		})
+	})
+}
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index 6141ceedd2..de915b3cbf 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -512,8 +512,6 @@ func createApplicationSettingsToken(t testing.TB, session *TestSession, name str
 // TODO: currently this is implemented with direct DB access, which is somewhat against the grain for the integration
 // tests.  But fine-grained repo access tokens don't currently have an API or Web UI to create or manage them.  This
 // should be reimplemented when one of those alternatives lands.
-//
-//nolint:unused // Will be used in the near future.
 func createFineGrainedRepoAccessToken(t testing.TB, username string, scopes []auth.AccessTokenScope, repoIDs []int64) string {
 	user, err := user_model.GetUserByName(t.Context(), username)
 	require.NoError(t, err)