peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-30 06:02:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 12
jojo/tests/integration/git_smart_http_test.go
Mathieu Fenniak c8d24ff06a feat: enable auth to git HTTP via authorized integrations (#12715) 
Allow authentication to git HTTP & git LFS via an authorized integration.

This is the first step in getting rid of OAuth, basic auth, etc.'s usage of [`isGitRawOrAttachPath(req)`](26f18a94ee/services/auth/method/basic.go (L38-L40)).  I don't want to follow that pattern of HTTP route matching in the authentication method, so I've broken the HTTP routes related to git functionality out to using a separate authentication middleware in the top-level `web.Routes` handler.  As this approach is expanded to the other endpoints in order to add support to them for authorized integrations, eventually it will be possible to remove this URL matching completely and just rely on middleware installation.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12715
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-05-25 19:33:36 +02:00

206 lines
6.7 KiB
Go
Raw Blame History

// Copyright 2021 The Gitea Authors. All rights reserved.
// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"fmt"
"io"
"net/http"
"net/url"
"testing"
auth_model "forgejo.org/models/auth"
"forgejo.org/models/db"
"forgejo.org/models/perm"
unit_model "forgejo.org/models/unit"
"forgejo.org/models/unittest"
user_model "forgejo.org/models/user"
"forgejo.org/tests"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGitSmartHTTP(t *testing.T) {
onApplicationRun(t, testGitSmartHTTP)
}
func testGitSmartHTTP(t *testing.T, u *url.URL) {
kases := []struct {
p string
code int
}{
{
p: "user2/repo1/info/refs",
code: http.StatusOK,
},
{
p: "user2/repo1/HEAD",
code: http.StatusOK,
},
{
p: "user2/repo1/objects/info/alternates",
code: http.StatusNotFound,
},
{
p: "user2/repo1/objects/info/http-alternates",
code: http.StatusNotFound,
},
{
p: "user2/repo1/../../custom/conf/app.ini",
code: http.StatusNotFound,
},
{
p: "user2/repo1/objects/info/../../../../custom/conf/app.ini",
code: http.StatusNotFound,
},
{
p: `user2/repo1/objects/info/..\..\..\..\custom\conf\app.ini`,
code: http.StatusBadRequest,
},
}
for _, kase := range kases {
t.Run(kase.p, func(t *testing.T) {
p := u.String() + kase.p
req, err := http.NewRequest("GET", p, nil)
require.NoError(t, err)
req.SetBasicAuth("user2", userPassword)
resp, err := http.DefaultClient.Do(req)
require.NoError(t, err)
defer resp.Body.Close()
assert.Equal(t, kase.code, resp.StatusCode)
_, err = io.ReadAll(resp.Body)
require.NoError(t, err)
})
}
}
// Test that the git http endpoints have the same authentication behavior irrespective of if it is a GET or a HEAD request.
func TestGitHTTPSameStatusCodeForGetAndHeadRequests(t *testing.T) {
defer tests.PrepareTestEnv(t)()
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
type caseType struct {
User *user_model.User
IsCollaborator bool
RepoIsPrivate bool
Endpoint string
ExpectedStatusCode int
}
cases := []caseType{
{owner, false, false, "HEAD", 200},
{owner, false, false, "git-receive-pack", 405},
{owner, false, false, "git-upload-pack", 405},
{owner, false, false, "info/refs", 200},
{owner, false, false, "objects/info/alternates", 404},
{owner, false, false, "objects/info/http-alternates", 404},
{owner, false, false, "objects/info/packs", 200},
{owner, false, true, "HEAD", 200},
{owner, false, true, "git-receive-pack", 405},
{owner, false, true, "git-upload-pack", 405},
{owner, false, true, "info/refs", 200},
{owner, false, true, "objects/info/alternates", 404},
{owner, false, true, "objects/info/http-alternates", 404},
{owner, false, true, "objects/info/packs", 200},
{user2, false, false, "HEAD", 200},
{user2, false, false, "git-receive-pack", 405},
{user2, false, false, "git-upload-pack", 405},
{user2, false, false, "info/refs", 200},
{user2, false, false, "objects/info/alternates", 404},
{user2, false, false, "objects/info/http-alternates", 404},
{user2, false, false, "objects/info/packs", 200},
{user2, false, true, "HEAD", 404},
{user2, false, true, "git-receive-pack", 405},
{user2, false, true, "git-upload-pack", 405},
{user2, false, true, "info/refs", 404},
{user2, false, true, "objects/info/alternates", 404},
{user2, false, true, "objects/info/http-alternates", 404},
{user2, false, true, "objects/info/packs", 404},
// user2 with IsCollaborator=true must come after IsCollaborator=false, because
// the addition as a collaborator is not reset
{user2, true, false, "HEAD", 200},
{user2, true, false, "git-receive-pack", 405},
{user2, true, false, "git-upload-pack", 405},
{user2, true, false, "info/refs", 200},
{user2, true, false, "objects/info/alternates", 404},
{user2, true, false, "objects/info/http-alternates", 404},
{user2, true, false, "objects/info/packs", 200},
{user2, true, true, "HEAD", 200},
{user2, true, true, "git-receive-pack", 405},
{user2, true, true, "git-upload-pack", 405},
{user2, true, true, "info/refs", 200},
{user2, true, true, "objects/info/alternates", 404},
{user2, true, true, "objects/info/http-alternates", 404},
{user2, true, true, "objects/info/packs", 200},
{nil, false, false, "HEAD", 200},
{nil, false, false, "git-receive-pack", 405},
{nil, false, false, "git-upload-pack", 405},
{nil, false, false, "info/refs", 200},
{nil, false, false, "objects/info/alternates", 404},
{nil, false, false, "objects/info/http-alternates", 404},
{nil, false, false, "objects/info/packs", 200},
{nil, false, true, "HEAD", 401},
{nil, false, true, "git-receive-pack", 405},
{nil, false, true, "git-upload-pack", 405},
{nil, false, true, "info/refs", 401},
{nil, false, true, "objects/info/alternates", 401},
{nil, false, true, "objects/info/http-alternates", 401},
{nil, false, true, "objects/info/packs", 401},
}
caseToTestName := func(c caseType) string {
var user string
if c.User == nil {
user = "nil"
} else if c.User == owner {
user = "owner"
} else {
user = c.User.Name
}
return fmt.Sprintf(
"User=%s,IsCollaborator=%t,RepoIsPrivate=%t,Endpoint=%s,ExpectedStatusCode=%d",
user,
c.IsCollaborator,
c.RepoIsPrivate,
c.Endpoint,
c.ExpectedStatusCode,
)
}
repo, _, f := tests.CreateDeclarativeRepo(t, owner, "get-and-head-requests", []unit_model.Type{unit_model.TypeCode}, nil, nil)
defer f()
for _, c := range cases {
t.Run(caseToTestName(c), func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
if c.IsCollaborator {
testCtx := NewAPITestContext(t, owner.Name, repo.Name, auth_model.AccessTokenScopeWriteRepository)
doAPIAddCollaborator(testCtx, c.User.Name, perm.AccessModeRead)(t)
}
repo.IsPrivate = c.RepoIsPrivate
_, err := db.GetEngine(db.DefaultContext).Cols("is_private").Update(repo)
require.NoError(t, err)
// Given the test parameters check that the endpoint returns the same status
// code for both GET and HEAD, which needs to equal the test cases expected
// status code
getReq := NewRequestf(t, "GET", "%s/%s", repo.Link(), c.Endpoint)
if c.User != nil {
getReq.AddBasicAuth(c.User.Name)
}
getResp := MakeRequest(t, getReq, NoExpectedStatus)
headReq := NewRequestf(t, "HEAD", "%s/%s", repo.Link(), c.Endpoint)
if c.User != nil {
headReq.AddBasicAuth(c.User.Name)
}
headResp := MakeRequest(t, headReq, NoExpectedStatus)
require.Equal(t, getResp.Result().StatusCode, headResp.Result().StatusCode)
require.Equal(t, c.ExpectedStatusCode, headResp.Result().StatusCode)
})
}
}
Reference in a new issue View git blame Copy permalink