mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
37412e6a00
Enhances authorized integrations (#12261) with a cache of the remote OpenID Connect descriptor file and JSON Web Key Set (JWKS), improving runtime performance and reducing intermittent reliability risks. By default a 10 minute cache is used, configurable through `[authorized_integration].CACHE_TTL`. To mock the cache for testing, mockery code generation is added, and a previous manually generated mock for `AuthorizationReducer` was replaced with the code generation. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. - Authorized integrations are not yet exposed to end-users. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12275 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
26 lines
1.2 KiB
Go
26 lines
1.2 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package authz
|
|
|
|
import (
|
|
repo_model "forgejo.org/models/repo"
|
|
)
|
|
|
|
// Defines an API for reducing available permissions to specific resources. Typically associated with a fine-grained
|
|
// access tokens and provides methods to reduce authorization that the access token provides down to specific resources.
|
|
//
|
|
//mockery:generate: true
|
|
type AuthorizationReducer interface {
|
|
// Incorporate all the methods of [RepositoryAuthorizationReducer], which allows reducing permissions related to
|
|
// repositories specifically.
|
|
repo_model.RepositoryAuthorizationReducer
|
|
|
|
// Controls whether the presence of an authorization reducer will prevent administrators from overriding permission
|
|
// checks. Typically site administrators and repo administrators are exempted from permission checks, but if an
|
|
// authorization reducer is present then it may be intended for its restrictions to apply even to administrators.
|
|
//
|
|
// `true` allows the typical case where administrators *can* override permissions. `false` disables administrator
|
|
// overrides of permission checks.
|
|
AllowAdminOverride() bool
|
|
}
|