peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-20 01:36:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
jojo/services/authz/access_token.go
Mathieu Fenniak cf087a2f12 feat: ability to edit authorized integration in web UI (#12601) 
Extends the UI introduced in #12558 to have edit capabilities.  (not in scope: "Add" for a new Authorized Integration will be the next update to this UI; `create-authorized-integration` CLI is still the only way to create a new record)

This PR includes a few refactoring steps.  The goal of these steps is to have `services/auth` be a single entrypoint for validating, inserting, or updating an authorized integration.  Some logic is moved out of `services/authz` because it is not authorization related, and some is moved out of `services/auth/method` to allow it to be reused during validation without creating a cyclical module dependency.

This PR also adds comprehensive validation to the more complex fields in the authorized integration, such as the issuer and claim rules.  This validation applies to the `forgejo admin user create-authorized-integration` CLI as well.

The visible UI is the same as #12558, but with a "Save" button, and the ability to display errors:

![Screenshot 2026-05-16 at 15-43-20 Authorized Integrations - Forgejo Beyond coding. We Forge](/attachments/ffaf60e2-3652-429b-a815-b339100f05f8)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
    - Documentation is on my TODO list and will be completed before release.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12601
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-05-17 18:33:39 +02:00

84 lines
3.2 KiB
Go
Raw Permalink Blame History

// Copyright 2026 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later
package authz
import (
"context"
"errors"
"fmt"
auth_model "forgejo.org/models/auth"
)
func GetAuthorizationReducerForAccessToken(ctx context.Context, token *auth_model.AccessToken) (AuthorizationReducer, error) {
if token.ResourceAllRepos {
if publicOnly, err := token.Scope.PublicOnly(); err != nil {
return nil, fmt.Errorf("PublicOnly: %w", err)
} else if publicOnly {
return &PublicReposAuthorizationReducer{}, nil
}
return &AllAccessAuthorizationReducer{}, nil
}
repos, err := auth_model.GetRepositoriesAccessibleWithToken(ctx, token.ID)
if err != nil {
return nil, fmt.Errorf("GetRepositoriesAccessibleWithToken: %w", err)
}
// Cast slice into []RepoGetter
iface := make([]RepoGetter, len(repos))
for i, r := range repos {
iface[i] = r
}
return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
}
// Validate that an access token's state is valid for creation. For example, that it doesn't have a conflicting set of
// resources (public-only and specific repositories), and other similar checks.
func ValidateAccessToken(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
// Other validations may be added here in the future.
return ValidateRepositoryResource(token.ResourceAllRepos, token.Scope, len(repoResources))
}
var (
ErrSpecifiedReposNone = errors.New("specified repository access token: must have at least one repository")
ErrSpecifiedReposNoPublicOnly = errors.New("specified repository access token: cannot be combined with public-only scope")
ErrSpecifiedReposInvalidScope = errors.New("specified repository access token: invalid scope")
)
func ValidateRepositoryResource(resourceAllRepos bool, scope auth_model.AccessTokenScope, numRepoResources int) error {
// Access tokens with broad access to all resources don't have any relevant validation rules to apply.
if resourceAllRepos {
return nil
}
// Repo-specific access token must have at least one repository.
if numRepoResources == 0 {
return ErrSpecifiedReposNone
}
// Can't have public-only and specified repos -- that's a combination that doesn't make sense.
if publicOnly, err := scope.PublicOnly(); err != nil {
return err
} else if publicOnly {
return ErrSpecifiedReposNoPublicOnly
}
// Repo-specific access tokens are only effective at restricting permissions if they are limited to the scopes that
// support repositories as a resource. For example, if you had a repo-specific token but then gave it
// `write:organization`, it would be able to do operations like delete an organization -- permission checks on the
// repository resources wouldn't be applicable to the organization resources.
for _, scope := range scope.StringSlice() {
switch auth_model.AccessTokenScope(scope) {
case auth_model.AccessTokenScopeReadIssue,
auth_model.AccessTokenScopeWriteIssue,
auth_model.AccessTokenScopeReadRepository,
auth_model.AccessTokenScopeWriteRepository:
continue
default:
return fmt.Errorf("%w: cannot be combined with scope %s", ErrSpecifiedReposInvalidScope, scope)
}
}
return nil
}
Reference in a new issue View git blame Copy permalink