mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-14 06:50:25 +00:00
900306e65a
Built on #12266; one commit added. Adds the ability to reduce the authorization scope of an authorized integration to public-only resources and repo-specific resources. Backend only -- no frontend created yet. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12267 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
122 lines
4.3 KiB
Go
122 lines
4.3 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"testing"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/models/db"
|
|
api "forgejo.org/modules/structs"
|
|
"forgejo.org/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestAPIAuthWithAuthorizedIntegration(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
t.Run("all access authorized integration", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
ait := newAITester(t)
|
|
defer ait.close()
|
|
token := ait.signedJWT()
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var user api.User
|
|
DecodeJSON(t, resp, &user)
|
|
assert.Equal(t, "user2", user.LoginName)
|
|
|
|
req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1").AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
})
|
|
|
|
t.Run("scope-limited authorized integration", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
|
|
ai.Scope = auth_model.AccessTokenScopeReadUser
|
|
})
|
|
defer ait.close()
|
|
token := ait.signedJWT()
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var user api.User
|
|
DecodeJSON(t, resp, &user)
|
|
assert.Equal(t, "user2", user.LoginName)
|
|
|
|
req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1").AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
|
|
// Clone of TestAPICompareCommitsAccessTokenResources, but using an authorized integration rather than an access
|
|
// token, to test its application of an authorization reducer for public-only and repo-specific access. Any API test
|
|
// that uses repo-specific tokens could serve as a test here; this one is just relatively simple and succinct for
|
|
// the number of things being tested.
|
|
t.Run("authorization reducer", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
// Using the compare API, will be testing that the base repo's security checks implement fine-grained access
|
|
// controls (and baselines with all and public-only).
|
|
testCase := func(t *testing.T, repo, token string, expectedStatus int) {
|
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/compare/master...master", repo)).AddTokenAuth(token)
|
|
MakeRequest(t, req, expectedStatus)
|
|
}
|
|
|
|
t.Run("all access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
|
|
ai.Scope = auth_model.AccessTokenScopeReadRepository
|
|
})
|
|
defer ait.close()
|
|
allToken := ait.signedJWT()
|
|
|
|
testCase(t, "user2/repo1", allToken, http.StatusOK) // public user2/repo1
|
|
testCase(t, "org3/repo3", allToken, http.StatusOK) // private org3/repo3
|
|
testCase(t, "user2/repo20", allToken, http.StatusOK) // private user2/repo20
|
|
})
|
|
|
|
t.Run("public-only access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
|
|
ai.Scope = auth_model.AccessTokenScope(fmt.Sprintf("%s,%s", auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadRepository))
|
|
})
|
|
defer ait.close()
|
|
publicOnlyToken := ait.signedJWT()
|
|
|
|
testCase(t, "user2/repo1", publicOnlyToken, http.StatusOK) // public user2/repo1
|
|
testCase(t, "org3/repo3", publicOnlyToken, http.StatusNotFound) // private org3/repo3
|
|
testCase(t, "user2/repo20", publicOnlyToken, http.StatusNotFound) // private user2/repo20
|
|
})
|
|
|
|
t.Run("specific repo access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
|
|
ai.Scope = auth_model.AccessTokenScopeReadRepository
|
|
ai.ResourceAllRepos = false
|
|
})
|
|
defer ait.close()
|
|
|
|
_, err := db.GetEngine(t.Context()).Insert(&auth_model.AuthorizedIntegResourceRepo{
|
|
IntegID: ait.authorizedIntegration.ID,
|
|
RepoID: 3,
|
|
})
|
|
require.NoError(t, err)
|
|
repo3OnlyToken := ait.signedJWT()
|
|
|
|
testCase(t, "user2/repo1", repo3OnlyToken, http.StatusOK) // public user2/repo1
|
|
testCase(t, "org3/repo3", repo3OnlyToken, http.StatusOK) // private org3/repo3
|
|
testCase(t, "user2/repo20", repo3OnlyToken, http.StatusNotFound) // private user2/repo20, outside of fine-grain
|
|
})
|
|
})
|
|
}
|