mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-18 00:36:35 +00:00
be3fe4ff60
Enables and tests the usage of Authorized Integrations to access the package registries. Specific testing includes: - Container registry -- automated testing and manual testing - Generic registry, w/ detailed authorization tests -- automated testing - Conan registry -- automated testing (uses an "authenticate" endpoint that required updates) - npm registry -- manual testing with a Forgejo Action publishing packages For the container & conan registeries, where the client uses an authentication endpoint to request a temporary access token, the expiry of the temporary access token is restricted to the expiry of the authorized integration's JWT for the authorized integration in order to prevent an escalation of privileges. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [ ] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12310 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
841 lines
28 KiB
Go
841 lines
28 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha256"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/models/db"
|
|
packages_model "forgejo.org/models/packages"
|
|
container_model "forgejo.org/models/packages/container"
|
|
unit_model "forgejo.org/models/unit"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/container"
|
|
"forgejo.org/modules/setting"
|
|
api "forgejo.org/modules/structs"
|
|
"forgejo.org/modules/test"
|
|
"forgejo.org/modules/translation"
|
|
"forgejo.org/modules/util"
|
|
packages_service "forgejo.org/services/packages"
|
|
packages_cleanup_service "forgejo.org/services/packages/cleanup"
|
|
"forgejo.org/tests"
|
|
|
|
"github.com/pquerna/otp/totp"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestPackageAPI(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
|
session := loginUser(t, user.Name)
|
|
tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
|
|
tokenWritePackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWritePackage)
|
|
|
|
packageName := "test-package"
|
|
packageVersion := "1.0.3"
|
|
filename := "file.bin"
|
|
|
|
url := fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, packageVersion, filename)
|
|
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{})).
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
t.Run("ListPackages", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", user.Name))
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var apiPackages []*api.Package
|
|
DecodeJSON(t, resp, &apiPackages)
|
|
|
|
assert.Len(t, apiPackages, 1)
|
|
assert.Equal(t, string(packages_model.TypeGeneric), apiPackages[0].Type)
|
|
assert.Equal(t, packageName, apiPackages[0].Name)
|
|
assert.Equal(t, packageVersion, apiPackages[0].Version)
|
|
assert.NotNil(t, apiPackages[0].Creator)
|
|
assert.Equal(t, user.Name, apiPackages[0].Creator.UserName)
|
|
})
|
|
|
|
t.Run("GetPackage", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s", user.Name, packageName, packageVersion))
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
|
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion))
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var p *api.Package
|
|
DecodeJSON(t, resp, &p)
|
|
|
|
assert.Equal(t, string(packages_model.TypeGeneric), p.Type)
|
|
assert.Equal(t, packageName, p.Name)
|
|
assert.Equal(t, packageVersion, p.Version)
|
|
assert.NotNil(t, p.Creator)
|
|
assert.Equal(t, user.Name, p.Creator.UserName)
|
|
|
|
t.Run("RepositoryLink", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
p, err := packages_model.GetPackageByName(db.DefaultContext, user.ID, packages_model.TypeGeneric, packageName)
|
|
require.NoError(t, err)
|
|
|
|
// no repository link
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenReadPackage)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var ap1 *api.Package
|
|
DecodeJSON(t, resp, &ap1)
|
|
assert.Nil(t, ap1.Repository)
|
|
|
|
// create a repository
|
|
repo, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit_model.Type{unit_model.TypeCode}, nil, nil)
|
|
defer f()
|
|
|
|
// link to public repository
|
|
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/-/link/%s", user.Name, packageName, repo.Name)).AddTokenAuth(tokenWritePackage)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/-/link/%s", user.Name, packageName, repo.Name))
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenReadPackage)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
var ap2 *api.Package
|
|
DecodeJSON(t, resp, &ap2)
|
|
assert.NotNil(t, ap2.Repository)
|
|
assert.Equal(t, repo.ID, ap2.Repository.ID)
|
|
|
|
// link to repository without write access, should fail
|
|
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/-/link/%s", user.Name, packageName, "repo3")).AddTokenAuth(tokenWritePackage)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
|
|
// remove link
|
|
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/-/unlink", user.Name, packageName)).AddTokenAuth(tokenWritePackage)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
|
|
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/-/unlink", user.Name, packageName))
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenReadPackage)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
var ap3 *api.Package
|
|
DecodeJSON(t, resp, &ap3)
|
|
assert.Nil(t, ap3.Repository)
|
|
|
|
// force link to a repository the currently logged-in user doesn't have access to
|
|
privateRepoID := int64(6)
|
|
require.NoError(t, packages_model.SetRepositoryLink(db.DefaultContext, p.ID, privateRepoID))
|
|
|
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion))
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
var ap4 *api.Package
|
|
DecodeJSON(t, resp, &ap4)
|
|
assert.Nil(t, ap4.Repository)
|
|
|
|
require.NoError(t, packages_model.UnlinkRepositoryFromAllPackages(db.DefaultContext, privateRepoID))
|
|
})
|
|
})
|
|
|
|
t.Run("ListPackageFiles", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s/files", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenReadPackage)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
|
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s/files", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenReadPackage)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var files []*api.PackageFile
|
|
DecodeJSON(t, resp, &files)
|
|
|
|
assert.Len(t, files, 1)
|
|
assert.Equal(t, int64(0), files[0].Size)
|
|
assert.Equal(t, filename, files[0].Name)
|
|
assert.Equal(t, "d41d8cd98f00b204e9800998ecf8427e", files[0].HashMD5)
|
|
assert.Equal(t, "da39a3ee5e6b4b0d3255bfef95601890afd80709", files[0].HashSHA1)
|
|
assert.Equal(t, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", files[0].HashSHA256)
|
|
assert.Equal(t, "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e", files[0].HashSHA512)
|
|
})
|
|
|
|
t.Run("DeletePackage", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/dummy/%s/%s", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenWritePackage)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
|
|
req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion))
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
|
|
AddTokenAuth(tokenWritePackage)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
})
|
|
}
|
|
|
|
func TestPackageAccess(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
|
inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
|
|
limitedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 33})
|
|
privateUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 31})
|
|
privateOrgMember := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23}) // user has package write access
|
|
limitedOrgMember := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 36}) // user has package write access
|
|
publicOrgMember := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 25}) // user has package read access
|
|
privateOrgNoMember := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 35})
|
|
limitedOrgNoMember := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 22})
|
|
publicOrgNoMember := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17})
|
|
|
|
uploadPackage := func(doer, owner *user_model.User, filename string, expectedStatus int) {
|
|
url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/%s.bin", owner.Name, filename)
|
|
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
|
|
if doer != nil {
|
|
req.AddBasicAuth(doer.Name)
|
|
}
|
|
MakeRequest(t, req, expectedStatus)
|
|
}
|
|
|
|
downloadPackage := func(doer, owner *user_model.User, expectedStatus int) {
|
|
url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/admin.bin", owner.Name)
|
|
req := NewRequest(t, "GET", url)
|
|
if doer != nil {
|
|
req.AddBasicAuth(doer.Name)
|
|
}
|
|
MakeRequest(t, req, expectedStatus)
|
|
}
|
|
|
|
type Target struct {
|
|
Owner *user_model.User
|
|
ExpectedStatus int
|
|
}
|
|
|
|
t.Run("Upload", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
cases := []struct {
|
|
Doer *user_model.User
|
|
Filename string
|
|
Targets []Target
|
|
}{
|
|
{ // Admins can upload to every owner
|
|
Doer: admin,
|
|
Filename: "admin",
|
|
Targets: []Target{
|
|
{admin, http.StatusCreated},
|
|
{inactive, http.StatusCreated},
|
|
{user, http.StatusCreated},
|
|
{limitedUser, http.StatusCreated},
|
|
{privateUser, http.StatusCreated},
|
|
{privateOrgMember, http.StatusCreated},
|
|
{limitedOrgMember, http.StatusCreated},
|
|
{publicOrgMember, http.StatusCreated},
|
|
{privateOrgNoMember, http.StatusCreated},
|
|
{limitedOrgNoMember, http.StatusCreated},
|
|
{publicOrgNoMember, http.StatusCreated},
|
|
},
|
|
},
|
|
{ // Without credentials no upload should be possible
|
|
Doer: nil,
|
|
Filename: "nil",
|
|
Targets: []Target{
|
|
{admin, http.StatusUnauthorized},
|
|
{inactive, http.StatusUnauthorized},
|
|
{user, http.StatusUnauthorized},
|
|
{limitedUser, http.StatusUnauthorized},
|
|
{privateUser, http.StatusUnauthorized},
|
|
{privateOrgMember, http.StatusUnauthorized},
|
|
{limitedOrgMember, http.StatusUnauthorized},
|
|
{publicOrgMember, http.StatusUnauthorized},
|
|
{privateOrgNoMember, http.StatusUnauthorized},
|
|
{limitedOrgNoMember, http.StatusUnauthorized},
|
|
{publicOrgNoMember, http.StatusUnauthorized},
|
|
},
|
|
},
|
|
{ // Inactive users can't upload anywhere
|
|
Doer: inactive,
|
|
Filename: "inactive",
|
|
Targets: []Target{
|
|
{admin, http.StatusUnauthorized},
|
|
{inactive, http.StatusUnauthorized},
|
|
{user, http.StatusUnauthorized},
|
|
{limitedUser, http.StatusUnauthorized},
|
|
{privateUser, http.StatusUnauthorized},
|
|
{privateOrgMember, http.StatusUnauthorized},
|
|
{limitedOrgMember, http.StatusUnauthorized},
|
|
{publicOrgMember, http.StatusUnauthorized},
|
|
{privateOrgNoMember, http.StatusUnauthorized},
|
|
{limitedOrgNoMember, http.StatusUnauthorized},
|
|
{publicOrgNoMember, http.StatusUnauthorized},
|
|
},
|
|
},
|
|
{ // Normal users can upload to self and orgs in which they are members and have package write access
|
|
Doer: user,
|
|
Filename: "user",
|
|
Targets: []Target{
|
|
{admin, http.StatusUnauthorized},
|
|
{inactive, http.StatusUnauthorized},
|
|
{user, http.StatusCreated},
|
|
{limitedUser, http.StatusUnauthorized},
|
|
{privateUser, http.StatusUnauthorized},
|
|
{privateOrgMember, http.StatusCreated},
|
|
{limitedOrgMember, http.StatusCreated},
|
|
{publicOrgMember, http.StatusUnauthorized},
|
|
{privateOrgNoMember, http.StatusUnauthorized},
|
|
{limitedOrgNoMember, http.StatusUnauthorized},
|
|
{publicOrgNoMember, http.StatusUnauthorized},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
for _, t := range c.Targets {
|
|
uploadPackage(c.Doer, t.Owner, c.Filename, t.ExpectedStatus)
|
|
}
|
|
}
|
|
})
|
|
|
|
t.Run("Download", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
cases := []struct {
|
|
Doer *user_model.User
|
|
Filename string
|
|
Targets []Target
|
|
}{
|
|
{ // Admins can access everything
|
|
Doer: admin,
|
|
Targets: []Target{
|
|
{admin, http.StatusOK},
|
|
{inactive, http.StatusOK},
|
|
{user, http.StatusOK},
|
|
{limitedUser, http.StatusOK},
|
|
{privateUser, http.StatusOK},
|
|
{privateOrgMember, http.StatusOK},
|
|
{limitedOrgMember, http.StatusOK},
|
|
{publicOrgMember, http.StatusOK},
|
|
{privateOrgNoMember, http.StatusOK},
|
|
{limitedOrgNoMember, http.StatusOK},
|
|
{publicOrgNoMember, http.StatusOK},
|
|
},
|
|
},
|
|
{ // Without credentials only public owners are accessible
|
|
Doer: nil,
|
|
Targets: []Target{
|
|
{admin, http.StatusOK},
|
|
{inactive, http.StatusOK},
|
|
{user, http.StatusOK},
|
|
{limitedUser, http.StatusUnauthorized},
|
|
{privateUser, http.StatusUnauthorized},
|
|
{privateOrgMember, http.StatusUnauthorized},
|
|
{limitedOrgMember, http.StatusUnauthorized},
|
|
{publicOrgMember, http.StatusOK},
|
|
{privateOrgNoMember, http.StatusUnauthorized},
|
|
{limitedOrgNoMember, http.StatusUnauthorized},
|
|
{publicOrgNoMember, http.StatusOK},
|
|
},
|
|
},
|
|
{ // Inactive users have no access
|
|
Doer: inactive,
|
|
Targets: []Target{
|
|
{admin, http.StatusUnauthorized},
|
|
{inactive, http.StatusUnauthorized},
|
|
{user, http.StatusUnauthorized},
|
|
{limitedUser, http.StatusUnauthorized},
|
|
{privateUser, http.StatusUnauthorized},
|
|
{privateOrgMember, http.StatusUnauthorized},
|
|
{limitedOrgMember, http.StatusUnauthorized},
|
|
{publicOrgMember, http.StatusUnauthorized},
|
|
{privateOrgNoMember, http.StatusUnauthorized},
|
|
{limitedOrgNoMember, http.StatusUnauthorized},
|
|
{publicOrgNoMember, http.StatusUnauthorized},
|
|
},
|
|
},
|
|
{ // Normal users can access self, public or limited users/orgs and private orgs in which they are members
|
|
Doer: user,
|
|
Targets: []Target{
|
|
{admin, http.StatusOK},
|
|
{inactive, http.StatusOK},
|
|
{user, http.StatusOK},
|
|
{limitedUser, http.StatusOK},
|
|
{privateUser, http.StatusUnauthorized},
|
|
{privateOrgMember, http.StatusOK},
|
|
{limitedOrgMember, http.StatusOK},
|
|
{publicOrgMember, http.StatusOK},
|
|
{privateOrgNoMember, http.StatusUnauthorized},
|
|
{limitedOrgNoMember, http.StatusOK},
|
|
{publicOrgNoMember, http.StatusOK},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
for _, target := range c.Targets {
|
|
downloadPackage(c.Doer, target.Owner, target.ExpectedStatus)
|
|
}
|
|
}
|
|
})
|
|
|
|
t.Run("API", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
session := loginUser(t, user.Name)
|
|
tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
|
|
|
|
for _, target := range []Target{
|
|
{admin, http.StatusOK},
|
|
{inactive, http.StatusOK},
|
|
{user, http.StatusOK},
|
|
{limitedUser, http.StatusOK},
|
|
{privateUser, http.StatusForbidden},
|
|
{privateOrgMember, http.StatusOK},
|
|
{limitedOrgMember, http.StatusOK},
|
|
{publicOrgMember, http.StatusOK},
|
|
{privateOrgNoMember, http.StatusForbidden},
|
|
{limitedOrgNoMember, http.StatusOK},
|
|
{publicOrgNoMember, http.StatusOK},
|
|
} {
|
|
t.Run(target.Owner.Name, func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", target.Owner.Name)).
|
|
AddTokenAuth(tokenReadPackage)
|
|
MakeRequest(t, req, target.ExpectedStatus)
|
|
})
|
|
}
|
|
})
|
|
|
|
t.Run("Authorized Integration", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
|
|
ai.Scope = auth_model.AccessTokenScopeReadPackage
|
|
ai.UserID = user.ID
|
|
})
|
|
defer ait.close()
|
|
token := ait.signedJWT()
|
|
|
|
for _, target := range []Target{
|
|
{admin, http.StatusOK},
|
|
{inactive, http.StatusOK},
|
|
{user, http.StatusOK},
|
|
{limitedUser, http.StatusOK},
|
|
{privateUser, http.StatusForbidden},
|
|
{privateOrgMember, http.StatusOK},
|
|
{limitedOrgMember, http.StatusOK},
|
|
{publicOrgMember, http.StatusOK},
|
|
{privateOrgNoMember, http.StatusForbidden},
|
|
{limitedOrgNoMember, http.StatusOK},
|
|
{publicOrgNoMember, http.StatusOK},
|
|
} {
|
|
t.Run(target.Owner.Name, func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", target.Owner.Name)).
|
|
AddTokenAuth(token)
|
|
MakeRequest(t, req, target.ExpectedStatus)
|
|
})
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestPackageQuota(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
limitTotalOwnerCount, limitTotalOwnerSize := setting.Packages.LimitTotalOwnerCount, setting.Packages.LimitTotalOwnerSize
|
|
|
|
// Exceeded quota result in StatusForbidden for normal users but admins are always allowed to upload.
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 10})
|
|
|
|
t.Run("Common", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
limitSizeGeneric := setting.Packages.LimitSizeGeneric
|
|
|
|
uploadPackage := func(doer *user_model.User, version string, expectedStatus int) {
|
|
url := fmt.Sprintf("/api/packages/%s/generic/test-package/%s/file.bin", user.Name, version)
|
|
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1})).
|
|
AddBasicAuth(doer.Name)
|
|
MakeRequest(t, req, expectedStatus)
|
|
}
|
|
|
|
setting.Packages.LimitTotalOwnerCount = 0
|
|
uploadPackage(user, "1.0", http.StatusForbidden)
|
|
uploadPackage(admin, "1.0", http.StatusCreated)
|
|
setting.Packages.LimitTotalOwnerCount = limitTotalOwnerCount
|
|
|
|
setting.Packages.LimitTotalOwnerSize = 0
|
|
uploadPackage(user, "1.1", http.StatusForbidden)
|
|
uploadPackage(admin, "1.1", http.StatusCreated)
|
|
setting.Packages.LimitTotalOwnerSize = limitTotalOwnerSize
|
|
|
|
setting.Packages.LimitSizeGeneric = 0
|
|
uploadPackage(user, "1.2", http.StatusForbidden)
|
|
uploadPackage(admin, "1.2", http.StatusCreated)
|
|
setting.Packages.LimitSizeGeneric = limitSizeGeneric
|
|
})
|
|
|
|
t.Run("Container", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
limitSizeContainer := setting.Packages.LimitSizeContainer
|
|
|
|
uploadBlob := func(doer *user_model.User, data string, expectedStatus int) {
|
|
url := fmt.Sprintf("/v2/%s/quota-test/blobs/uploads?digest=sha256:%x", user.Name, sha256.Sum256([]byte(data)))
|
|
req := NewRequestWithBody(t, "POST", url, strings.NewReader(data)).
|
|
AddBasicAuth(doer.Name)
|
|
MakeRequest(t, req, expectedStatus)
|
|
}
|
|
|
|
setting.Packages.LimitTotalOwnerSize = 0
|
|
uploadBlob(user, "2", http.StatusForbidden)
|
|
uploadBlob(admin, "2", http.StatusCreated)
|
|
setting.Packages.LimitTotalOwnerSize = limitTotalOwnerSize
|
|
|
|
setting.Packages.LimitSizeContainer = 0
|
|
uploadBlob(user, "3", http.StatusForbidden)
|
|
uploadBlob(admin, "3", http.StatusCreated)
|
|
setting.Packages.LimitSizeContainer = limitSizeContainer
|
|
})
|
|
}
|
|
|
|
func TestPackageCleanup(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
|
|
duration, _ := time.ParseDuration("-1h")
|
|
|
|
t.Run("Common", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
// Upload and delete a generic package and upload a container blob
|
|
data := util.CryptoRandomBytes(5)
|
|
url := fmt.Sprintf("/api/packages/%s/generic/cleanup-test/1.1.1/file.bin", user.Name)
|
|
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(data)).
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
req = NewRequest(t, "DELETE", url).
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
|
|
data = util.CryptoRandomBytes(5)
|
|
url = fmt.Sprintf("/v2/%s/cleanup-test/blobs/uploads?digest=sha256:%x", user.Name, sha256.Sum256(data))
|
|
req = NewRequestWithBody(t, "POST", url, bytes.NewReader(data)).
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
unittest.AssertExistsAndLoadBean(t, &packages_model.Package{Name: "cleanup-test"})
|
|
|
|
pbs, err := packages_model.FindExpiredUnreferencedBlobs(db.DefaultContext, duration)
|
|
require.NoError(t, err)
|
|
assert.NotEmpty(t, pbs)
|
|
|
|
_, err = packages_model.GetInternalVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeContainer, "cleanup-test", container_model.UploadVersion)
|
|
require.NoError(t, err)
|
|
|
|
err = packages_cleanup_service.CleanupTask(db.DefaultContext, duration)
|
|
require.NoError(t, err)
|
|
|
|
pbs, err = packages_model.FindExpiredUnreferencedBlobs(db.DefaultContext, duration)
|
|
require.NoError(t, err)
|
|
assert.Empty(t, pbs)
|
|
|
|
unittest.AssertNotExistsBean(t, &packages_model.Package{Name: "cleanup-test"})
|
|
|
|
_, err = packages_model.GetInternalVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeContainer, "cleanup-test", container_model.UploadVersion)
|
|
require.ErrorIs(t, err, packages_model.ErrPackageNotExist)
|
|
})
|
|
|
|
t.Run("CleanupRules", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
locale := translation.NewLocale("en-US")
|
|
session := loginUser(t, user.Name)
|
|
|
|
type version struct {
|
|
Version string
|
|
ShouldExist bool
|
|
Created int64
|
|
}
|
|
|
|
cases := []struct {
|
|
Name string
|
|
Versions []version
|
|
Rule *packages_model.PackageCleanupRule
|
|
}{
|
|
{
|
|
Name: "Disabled",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: false,
|
|
},
|
|
},
|
|
{
|
|
Name: "KeepCount",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true},
|
|
{Version: "v1.0", ShouldExist: true},
|
|
{Version: "test-3", ShouldExist: false, Created: 1},
|
|
{Version: "test-4", ShouldExist: false, Created: 1},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
KeepCount: 2,
|
|
},
|
|
},
|
|
{
|
|
Name: "KeepCountGreaterThanTotal",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true},
|
|
{Version: "v1.0", ShouldExist: true},
|
|
{Version: "test-3", ShouldExist: true},
|
|
{Version: "test-4", ShouldExist: true},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
KeepCount: 2000,
|
|
},
|
|
},
|
|
{
|
|
Name: "KeepPattern",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true},
|
|
{Version: "v1.0", ShouldExist: false},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
KeepPattern: "k.+p",
|
|
},
|
|
},
|
|
{
|
|
Name: "RemoveDays",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true},
|
|
{Version: "v1.0", ShouldExist: false, Created: 1},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
RemoveDays: 60,
|
|
},
|
|
},
|
|
{
|
|
Name: "RemovePattern",
|
|
Versions: []version{
|
|
{Version: "test", ShouldExist: true},
|
|
{Version: "test-3", ShouldExist: false},
|
|
{Version: "test-4", ShouldExist: false},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
RemovePattern: `t[e]+st-\d+`,
|
|
},
|
|
},
|
|
{
|
|
Name: "MatchFullName",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true},
|
|
{Version: "test", ShouldExist: false},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
RemovePattern: `package/test|different/keep`,
|
|
MatchFullName: true,
|
|
},
|
|
},
|
|
{
|
|
Name: "Mixed",
|
|
Versions: []version{
|
|
{Version: "keep", ShouldExist: true, Created: time.Now().Add(time.Duration(10000)).Unix()},
|
|
{Version: "dummy", ShouldExist: true, Created: 1},
|
|
{Version: "test-3", ShouldExist: true},
|
|
{Version: "test-4", ShouldExist: false, Created: 1},
|
|
},
|
|
Rule: &packages_model.PackageCleanupRule{
|
|
Enabled: true,
|
|
KeepCount: 1,
|
|
KeepPattern: `dummy`,
|
|
RemoveDays: 7,
|
|
RemovePattern: `t[e]+st-\d+`,
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.Name, func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
for _, v := range c.Versions {
|
|
url := fmt.Sprintf("/api/packages/%s/generic/package/%s/file.bin", user.Name, v.Version)
|
|
req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1})).
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
if v.Created != 0 {
|
|
pv, err := packages_model.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeGeneric, "package", v.Version)
|
|
require.NoError(t, err)
|
|
_, err = db.GetEngine(db.DefaultContext).Exec("UPDATE package_version SET created_unix = ? WHERE id = ?", v.Created, pv.ID)
|
|
require.NoError(t, err)
|
|
}
|
|
}
|
|
|
|
c.Rule.OwnerID = user.ID
|
|
c.Rule.Type = packages_model.TypeGeneric
|
|
|
|
pcr, err := packages_model.InsertCleanupRule(db.DefaultContext, c.Rule)
|
|
require.NoError(t, err)
|
|
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/user/settings/packages/rules/%d/preview", pcr.ID))
|
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
|
|
toDelete := container.FilterSlice(c.Versions, func(v version) (version, bool) {
|
|
return v, !v.ShouldExist
|
|
})
|
|
deletedCount := len(toDelete)
|
|
|
|
// disabled rule would delete everything
|
|
if !pcr.Enabled {
|
|
deletedCount = 1
|
|
htmlDoc.AssertSelection(t, htmlDoc.FindByText(fmt.Sprintf("a[href='/%s/-/packages/generic/package/keep']", user.Name), "keep"), true)
|
|
}
|
|
|
|
htmlDoc.AssertSelection(t, htmlDoc.FindByText("p", locale.TrString("packages.owner.settings.cleanuprules.preview.overview", deletedCount)), true)
|
|
|
|
err = packages_cleanup_service.CleanupTask(db.DefaultContext, duration)
|
|
require.NoError(t, err)
|
|
|
|
for _, v := range c.Versions {
|
|
pv, err := packages_model.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages_model.TypeGeneric, "package", v.Version)
|
|
if v.ShouldExist {
|
|
require.NoError(t, err, `version "%s" should exist`, v.Version)
|
|
err = packages_service.DeletePackageVersionAndReferences(db.DefaultContext, pv)
|
|
require.NoError(t, err)
|
|
} else {
|
|
require.ErrorIs(t, err, packages_model.ErrPackageNotExist, `version "%s" should not exist`, v.Version)
|
|
}
|
|
}
|
|
|
|
require.NoError(t, packages_model.DeleteCleanupRuleByID(db.DefaultContext, pcr.ID))
|
|
})
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestPackageWithTwoFactor(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
|
|
|
runTest := func(t *testing.T, doer *user_model.User, useTOTP bool, expectedStatus int) {
|
|
t.Helper()
|
|
if doer != nil {
|
|
defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: doer.ID})
|
|
}
|
|
|
|
passcode := func() string {
|
|
if !useTOTP {
|
|
return ""
|
|
}
|
|
|
|
otpKey, err := totp.Generate(totp.GenerateOpts{
|
|
SecretSize: 40,
|
|
Issuer: "forgejo-test",
|
|
AccountName: doer.Name,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, auth_model.NewTwoFactor(t.Context(), &auth_model.TwoFactor{UID: doer.ID}, otpKey.Secret()))
|
|
|
|
passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now())
|
|
require.NoError(t, err)
|
|
return passcode
|
|
}()
|
|
|
|
url := fmt.Sprintf("/api/v1/packages/%s", normalUser.Name) // a public package to test
|
|
req := NewRequest(t, "GET", url)
|
|
if doer != nil {
|
|
req.AddBasicAuth(doer.Name)
|
|
}
|
|
|
|
if useTOTP {
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
req = NewRequest(t, "GET", url).
|
|
AddBasicAuth(doer.Name)
|
|
req.Header.Set("X-Forgejo-OTP", passcode)
|
|
}
|
|
|
|
MakeRequest(t, req, expectedStatus)
|
|
}
|
|
|
|
t.Run("NoneTwoFactorRequirement", func(t *testing.T) {
|
|
// this should be the default, so don't have to set the variable
|
|
|
|
t.Run("no 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, false, http.StatusOK)
|
|
runTest(t, normalUser, false, http.StatusOK)
|
|
runTest(t, nil, false, http.StatusOK) // anonymous
|
|
})
|
|
|
|
t.Run("enabled 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, true, http.StatusOK)
|
|
runTest(t, normalUser, true, http.StatusOK)
|
|
})
|
|
})
|
|
|
|
t.Run("AllTwoFactorRequirement", func(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)()
|
|
|
|
t.Run("no 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, false, http.StatusForbidden)
|
|
runTest(t, normalUser, false, http.StatusForbidden)
|
|
runTest(t, nil, false, http.StatusOK) // anonymous
|
|
})
|
|
|
|
t.Run("enabled 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, true, http.StatusOK)
|
|
runTest(t, normalUser, true, http.StatusOK)
|
|
})
|
|
})
|
|
|
|
t.Run("AdminTwoFactorRequirement", func(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)()
|
|
|
|
t.Run("no 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, false, http.StatusForbidden)
|
|
runTest(t, normalUser, false, http.StatusOK)
|
|
runTest(t, nil, false, http.StatusOK) // anonymous
|
|
})
|
|
|
|
t.Run("enabled 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, true, http.StatusOK)
|
|
runTest(t, normalUser, true, http.StatusOK)
|
|
})
|
|
})
|
|
}
|