mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
70f7260e66
Allows the creation of an authorized integration as a Forgejo administrator, either for development testing or to support server-automation. Clipping out the CLI config options, looks like:
```
NAME:
forgejo admin user create-authorized-integration - Create an authorized integration for a specific user
USAGE:
forgejo admin user create-authorized-integration [options]
OPTIONS:
--username string, -u string Username
--issuer string JWT issuer ('iss' claim), example: https://forgejo.example.org/api/actions
--claim-eq string=string [ --claim-eq string=string ] Zero-or-more claim equality checks, formatted as claim=value, example: "actor=someuser"
--claim-glob string=string [ --claim-glob string=string ] Zero-or-more claim glob checks, formatted as claim=value, example: "sub=repo:forgejo/*:pull_request"
--scope string [ --scope string ] One-or-more scopes to apply to access token, examples: "all", "read:issue", "write:repository" (default: "all")
--repo string [ --repo string ] Zero-or-more specific repositories that can be accessed, or "all" to allow access to all repositories, example: "owner1/repo1" (default: "all")
```
As an example, this will create an authorized integration that will permit Codeberg's Forgejo Actions to generate trusted JWTs that can access the local user `mfenniak`:
```bash
$ ./forgejo admin user create-authorized-integration \
--username mfenniak \
--issuer https://codeberg.org/api/actions \
--claim-eq sub=repo:mfenniak/forgejo-runner-testrepo:pull_request \
--scope read:user
{
"message": "Authorized integration was successfully created.",
"issuer": "https://codeberg.org/api/actions",
"audience": "u:1:c97d83bc-fa4e-4db3-b898-414cd5b6ce33",
"claim_rules": [
{
"description": "\"sub\" = \"repo:mfenniak/forgejo-runner-testrepo:pull_request\"",
"claim": "sub",
"compare": "eq",
"value": "repo:mfenniak/forgejo-runner-testrepo:pull_request"
}
]
}
```
The output is a JSON document to aid in use in automation. The `audience` field is the audience generated by Forgejo that must be used by the remote to generate the JWT. Continuing this example to the client-side, a matching Forgejo Action like this in the `mfenniak/forgejo-runner-testrepo` repo, for a `pull_request` event, then it will be able to access the Forgejo server that the authorized integration was created on like this:
```yaml
on:
pull_request:
enable-openid-connect: true
jobs:
job1:
runs-on: docker
steps:
- name: Fetch JWT
id: jwt
run: |
set -eux -o pipefail
set +x
jwt=$(curl --fail \
-H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=u:1:c97d83bc-fa4e-4db3-b898-414cd5b6ce33" \
| jq -r ".value")
echo "::add-mask::$jwt"
set -x
echo "jwt=$jwt" >> $FORGEJO_OUTPUT
- name: API call to Forgejo
run: |
curl \
-v --fail \
-H "Authorization: bearer ${{ steps.jwt.outputs.jwt }}" \
"https://example.org/api/v1/user" | jq
```
CLI command is tested manually. Supporting functions have associated unit tests.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests for Go changes
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
- [x] `make pr-go` before pushing
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
- CLI update should be automatic in docs -- more detailed Authorized Integration documentation is on my project plan.
### Release notes
- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12299
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
84 lines
3.2 KiB
Go
84 lines
3.2 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package authz
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
)
|
|
|
|
func GetAuthorizationReducerForAccessToken(ctx context.Context, token *auth_model.AccessToken) (AuthorizationReducer, error) {
|
|
if token.ResourceAllRepos {
|
|
if publicOnly, err := token.Scope.PublicOnly(); err != nil {
|
|
return nil, fmt.Errorf("PublicOnly: %w", err)
|
|
} else if publicOnly {
|
|
return &PublicReposAuthorizationReducer{}, nil
|
|
}
|
|
return &AllAccessAuthorizationReducer{}, nil
|
|
}
|
|
|
|
repos, err := auth_model.GetRepositoriesAccessibleWithToken(ctx, token.ID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("GetRepositoriesAccessibleWithToken: %w", err)
|
|
}
|
|
// Cast slice into []RepoGetter
|
|
iface := make([]RepoGetter, len(repos))
|
|
for i, r := range repos {
|
|
iface[i] = r
|
|
}
|
|
return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
|
|
}
|
|
|
|
// Validate that an access token's state is valid for creation. For example, that it doesn't have a conflicting set of
|
|
// resources (public-only and specific repositories), and other similar checks.
|
|
func ValidateAccessToken(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
|
|
// Other validations may be added here in the future.
|
|
return validateRepositoryResource(token.ResourceAllRepos, token.Scope, len(repoResources))
|
|
}
|
|
|
|
var (
|
|
ErrSpecifiedReposNone = errors.New("specified repository access token: must have at least one repository")
|
|
ErrSpecifiedReposNoPublicOnly = errors.New("specified repository access token: cannot be combined with public-only scope")
|
|
ErrSpecifiedReposInvalidScope = errors.New("specified repository access token: invalid scope")
|
|
)
|
|
|
|
func validateRepositoryResource(resourceAllRepos bool, scope auth_model.AccessTokenScope, numRepoResources int) error {
|
|
// Access tokens with broad access to all resources don't have any relevant validation rules to apply.
|
|
if resourceAllRepos {
|
|
return nil
|
|
}
|
|
|
|
// Repo-specific access token must have at least one repository.
|
|
if numRepoResources == 0 {
|
|
return ErrSpecifiedReposNone
|
|
}
|
|
|
|
// Can't have public-only and specified repos -- that's a combination that doesn't make sense.
|
|
if publicOnly, err := scope.PublicOnly(); err != nil {
|
|
return err
|
|
} else if publicOnly {
|
|
return ErrSpecifiedReposNoPublicOnly
|
|
}
|
|
|
|
// Repo-specific access tokens are only effective at restricting permissions if they are limited to the scopes that
|
|
// support repositories as a resource. For example, if you had a repo-specific token but then gave it
|
|
// `write:organization`, it would be able to do operations like delete an organization -- permission checks on the
|
|
// repository resources wouldn't be applicable to the organization resources.
|
|
for _, scope := range scope.StringSlice() {
|
|
switch auth_model.AccessTokenScope(scope) {
|
|
case auth_model.AccessTokenScopeReadIssue,
|
|
auth_model.AccessTokenScopeWriteIssue,
|
|
auth_model.AccessTokenScopeReadRepository,
|
|
auth_model.AccessTokenScopeWriteRepository:
|
|
continue
|
|
default:
|
|
return fmt.Errorf("%w: cannot be combined with scope %s", ErrSpecifiedReposInvalidScope, scope)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|