mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
9b88e77c19
Protect OIDC tokens generated by Forgejo Actions from threats arising when users or repositories are renamed or deleted, freeing their names up for reuse by another user. In this threat environment, relying on the name of users and repositories in validating JWT claims is unsafe because they can change. Adds three new claims to Actions' OIDC tokens: - `actor_id` -- the immutable identifier of the actor who triggered an Action run - `repository_id` -- the immutable identifier of the repository on which the Action is running - `repository_owner_id` -- the immutable identifier of the owner of the repository on which the Action is running Repositories will change their subject (`sub`) OIDC claims to include these immutable identifiers. Existing repositories will not change, in order to maintain compatibility with existing JWT usage. The new format will be applied to new repositories, or can be applied by disabling and enabling the Actions unit. The new format embeds the identifiers: - **Existing repos:** `repo:my-org/my-repo:ref:refs/heads/main` - **New repos:** `repo:my-org-123456/my-repo-456789:ref:refs/heads/main` Fixes #12244. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - New fields will be added to documentation soon. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12355 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
375 lines
12 KiB
Go
375 lines
12 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package repo
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"slices"
|
|
"strings"
|
|
|
|
"forgejo.org/models/db"
|
|
"forgejo.org/models/perm"
|
|
"forgejo.org/models/unit"
|
|
"forgejo.org/modules/json"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/timeutil"
|
|
"forgejo.org/modules/util"
|
|
|
|
"xorm.io/xorm"
|
|
"xorm.io/xorm/convert"
|
|
)
|
|
|
|
// ErrUnitTypeNotExist represents a "UnitTypeNotExist" kind of error.
|
|
type ErrUnitTypeNotExist struct {
|
|
UT unit.Type
|
|
}
|
|
|
|
// IsErrUnitTypeNotExist checks if an error is a ErrUnitNotExist.
|
|
func IsErrUnitTypeNotExist(err error) bool {
|
|
_, ok := err.(ErrUnitTypeNotExist)
|
|
return ok
|
|
}
|
|
|
|
func (err ErrUnitTypeNotExist) Error() string {
|
|
return fmt.Sprintf("Unit type does not exist: %s", err.UT.String())
|
|
}
|
|
|
|
func (err ErrUnitTypeNotExist) Unwrap() error {
|
|
return util.ErrNotExist
|
|
}
|
|
|
|
// RepoUnitAccessMode specifies the users access mode to a repo unit
|
|
// Only UnitAccessModeWrite is used by the wiki, to mark it as instance-writable
|
|
type UnitAccessMode int
|
|
|
|
const (
|
|
// UnitAccessModeUnset - no unit mode set
|
|
UnitAccessModeUnset UnitAccessMode = iota // 0
|
|
|
|
// UnitAccessModeNone no access
|
|
// UnitAccessModeNone UnitAccessMode = 1
|
|
// UnitAccessModeRead read access
|
|
// UnitAccessModeRead UnitAccessMode = 2
|
|
|
|
// UnitAccessModeWrite write access
|
|
UnitAccessModeWrite UnitAccessMode = 3
|
|
)
|
|
|
|
func (mode UnitAccessMode) ToAccessMode(modeIfUnset perm.AccessMode) perm.AccessMode {
|
|
switch mode {
|
|
case UnitAccessModeUnset:
|
|
return modeIfUnset
|
|
// case UnitAccessModeNone:
|
|
// return perm.AccessModeNone
|
|
// case UnitAccessModeRead:
|
|
// return perm.AccessModeRead
|
|
case UnitAccessModeWrite:
|
|
return perm.AccessModeWrite
|
|
default:
|
|
return perm.AccessModeNone
|
|
}
|
|
}
|
|
|
|
// RepoUnit describes all units of a repository
|
|
type RepoUnit struct { //revive:disable-line:exported
|
|
ID int64
|
|
RepoID int64 `xorm:"INDEX(s)"`
|
|
Type unit.Type `xorm:"INDEX(s)"`
|
|
Config convert.Conversion `xorm:"TEXT"`
|
|
CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
|
|
DefaultPermissions UnitAccessMode `xorm:"NOT NULL DEFAULT 0"`
|
|
}
|
|
|
|
func init() {
|
|
db.RegisterModel(new(RepoUnit))
|
|
}
|
|
|
|
// UnitConfig describes common unit config
|
|
type UnitConfig struct{}
|
|
|
|
// FromDB fills up a UnitConfig from serialized format.
|
|
func (cfg *UnitConfig) FromDB(bs []byte) error {
|
|
return json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
}
|
|
|
|
// ToDB exports a UnitConfig to a serialized format.
|
|
func (cfg *UnitConfig) ToDB() ([]byte, error) {
|
|
return json.Marshal(cfg)
|
|
}
|
|
|
|
// ExternalWikiConfig describes external wiki config
|
|
type ExternalWikiConfig struct {
|
|
ExternalWikiURL string
|
|
}
|
|
|
|
// FromDB fills up a ExternalWikiConfig from serialized format.
|
|
func (cfg *ExternalWikiConfig) FromDB(bs []byte) error {
|
|
return json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
}
|
|
|
|
// ToDB exports a ExternalWikiConfig to a serialized format.
|
|
func (cfg *ExternalWikiConfig) ToDB() ([]byte, error) {
|
|
return json.Marshal(cfg)
|
|
}
|
|
|
|
// ExternalTrackerConfig describes external tracker config
|
|
type ExternalTrackerConfig struct {
|
|
ExternalTrackerURL string
|
|
ExternalTrackerFormat string
|
|
ExternalTrackerStyle string
|
|
ExternalTrackerRegexpPattern string
|
|
}
|
|
|
|
// FromDB fills up a ExternalTrackerConfig from serialized format.
|
|
func (cfg *ExternalTrackerConfig) FromDB(bs []byte) error {
|
|
return json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
}
|
|
|
|
// ToDB exports a ExternalTrackerConfig to a serialized format.
|
|
func (cfg *ExternalTrackerConfig) ToDB() ([]byte, error) {
|
|
return json.Marshal(cfg)
|
|
}
|
|
|
|
// IssuesConfig describes issues config
|
|
type IssuesConfig struct {
|
|
EnableTimetracker bool
|
|
AllowOnlyContributorsToTrackTime bool
|
|
EnableDependencies bool
|
|
}
|
|
|
|
// FromDB fills up a IssuesConfig from serialized format.
|
|
func (cfg *IssuesConfig) FromDB(bs []byte) error {
|
|
return json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
}
|
|
|
|
// ToDB exports a IssuesConfig to a serialized format.
|
|
func (cfg *IssuesConfig) ToDB() ([]byte, error) {
|
|
return json.Marshal(cfg)
|
|
}
|
|
|
|
// PullRequestsConfig describes pull requests config
|
|
type PullRequestsConfig struct {
|
|
IgnoreWhitespaceConflicts bool
|
|
AllowMerge bool
|
|
AllowRebase bool
|
|
AllowRebaseMerge bool
|
|
AllowSquash bool
|
|
AllowFastForwardOnly bool
|
|
AllowManualMerge bool
|
|
AutodetectManualMerge bool
|
|
AllowRebaseUpdate bool
|
|
DefaultDeleteBranchAfterMerge bool
|
|
DefaultMergeStyle MergeStyle
|
|
DefaultUpdateStyle UpdateStyle
|
|
DefaultAllowMaintainerEdit bool
|
|
}
|
|
|
|
// FromDB fills up a PullRequestsConfig from serialized format.
|
|
func (cfg *PullRequestsConfig) FromDB(bs []byte) error {
|
|
// AllowRebaseUpdate = true as default for existing PullRequestConfig in DB
|
|
cfg.AllowRebaseUpdate = true
|
|
return json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
}
|
|
|
|
// ToDB exports a PullRequestsConfig to a serialized format.
|
|
func (cfg *PullRequestsConfig) ToDB() ([]byte, error) {
|
|
return json.Marshal(cfg)
|
|
}
|
|
|
|
// IsMergeStyleAllowed returns if merge style is allowed
|
|
func (cfg *PullRequestsConfig) IsMergeStyleAllowed(mergeStyle MergeStyle) bool {
|
|
return mergeStyle == MergeStyleMerge && cfg.AllowMerge ||
|
|
mergeStyle == MergeStyleRebase && cfg.AllowRebase ||
|
|
mergeStyle == MergeStyleRebaseMerge && cfg.AllowRebaseMerge ||
|
|
mergeStyle == MergeStyleSquash && cfg.AllowSquash ||
|
|
mergeStyle == MergeStyleFastForwardOnly && cfg.AllowFastForwardOnly ||
|
|
mergeStyle == MergeStyleManuallyMerged && cfg.AllowManualMerge
|
|
}
|
|
|
|
// GetDefaultMergeStyle returns the default merge style for this pull request
|
|
func (cfg *PullRequestsConfig) GetDefaultMergeStyle() MergeStyle {
|
|
if len(cfg.DefaultMergeStyle) != 0 {
|
|
return cfg.DefaultMergeStyle
|
|
}
|
|
|
|
if setting.Repository.PullRequest.DefaultMergeStyle != "" {
|
|
return MergeStyle(setting.Repository.PullRequest.DefaultMergeStyle)
|
|
}
|
|
|
|
return MergeStyleMerge
|
|
}
|
|
|
|
// IsUpdateStyleAllowed returns if update style is allowed
|
|
func (cfg *PullRequestsConfig) IsUpdateStyleAllowed(updateStyle UpdateStyle) bool {
|
|
return updateStyle == UpdateStyleMerge ||
|
|
updateStyle == UpdateStyleRebase && cfg.AllowRebaseUpdate
|
|
}
|
|
|
|
// GetDefaultUpdateStyle returns the default update style for this pull request
|
|
func (cfg *PullRequestsConfig) GetDefaultUpdateStyle() UpdateStyle {
|
|
if len(cfg.DefaultUpdateStyle) != 0 {
|
|
return cfg.DefaultUpdateStyle
|
|
}
|
|
|
|
if setting.Repository.PullRequest.DefaultUpdateStyle != "" {
|
|
return UpdateStyle(setting.Repository.PullRequest.DefaultUpdateStyle)
|
|
}
|
|
|
|
return UpdateStyleMerge
|
|
}
|
|
|
|
// Represents the current format for `sub` claim generation when using `enable-openid-connect: true` on an Action.
|
|
//
|
|
// We try to follow GitHub's format for the `sub` claim because it should allow third-party integrations, which may have
|
|
// existing knowledge and code that works with GitHub's OIDC tokens, to reuse that knowledge and code in the future to
|
|
// implement Forgejo support. As GitHub's format changes, we may implement those format changes to maintain that
|
|
// familarity. Forgejo isn't required to do so, though -- if future changes from GitHub don't make sense for Forgejo,
|
|
// or vice-versa, this format matching effort may be discarded.
|
|
type OIDCSubjectFormat string
|
|
|
|
var (
|
|
// Default is the current, most preferred method of generating an `sub` JWT claim for an Actions JWT token. It is
|
|
// an empty string which allows [ActionsConfig] to always default to the current preferred default value for new
|
|
// repositories. At present, it is a `sub` claim that contains information about the repository owner and
|
|
// repository where the action occurred, their immutable identifiers (ID numbers), and the event that triggered the
|
|
// Action.
|
|
//
|
|
// Immutable identifiers have been added since OIDCSubjectFormatLegacyForgejo15. The intent of adding them is to
|
|
// protect resource servers which may be requiring a specific subject claim from having that claim be impersonated
|
|
// when a user or repository are renamed or deleted. For example, if a JWT from my-org/my-repo is trusted, but then
|
|
// my-org is deleted and a new user takes ownership of the name my-org, they should not be granted the same trust.
|
|
//
|
|
// Example: repo:my-org-123456/my-repo-456789:ref:refs/heads/main
|
|
OIDCSubjectFormatDefault OIDCSubjectFormat // defaults to ""
|
|
|
|
// The `sub` JWT claim generation that was shipped in Forgejo 15. Contains information about the repository owner
|
|
// and repository where the action occurred and the event that triggered the Action.
|
|
//
|
|
// Example: repo:my-org/my-repo:ref:refs/heads/main
|
|
OIDCSubjectFormatLegacyForgejo15 OIDCSubjectFormat = "legacy-forgejo-v15"
|
|
)
|
|
|
|
type ActionsConfig struct {
|
|
DisabledWorkflows []string
|
|
|
|
// Format of the OIDC 'sub' claim that will be used when `enable-openid-connect` is true in an Action.
|
|
OIDCSubjectFormat OIDCSubjectFormat `json:",omitempty"`
|
|
}
|
|
|
|
func (cfg *ActionsConfig) EnableWorkflow(file string) {
|
|
cfg.DisabledWorkflows = util.SliceRemoveAll(cfg.DisabledWorkflows, file)
|
|
}
|
|
|
|
func (cfg *ActionsConfig) ToString() string {
|
|
return strings.Join(cfg.DisabledWorkflows, ",")
|
|
}
|
|
|
|
func (cfg *ActionsConfig) IsWorkflowDisabled(file string) bool {
|
|
return slices.Contains(cfg.DisabledWorkflows, file)
|
|
}
|
|
|
|
func (cfg *ActionsConfig) DisableWorkflow(file string) {
|
|
if slices.Contains(cfg.DisabledWorkflows, file) {
|
|
return
|
|
}
|
|
|
|
cfg.DisabledWorkflows = append(cfg.DisabledWorkflows, file)
|
|
}
|
|
|
|
// FromDB fills up a ActionsConfig from serialized format.
|
|
func (cfg *ActionsConfig) FromDB(bs []byte) error {
|
|
return json.UnmarshalHandleDoubleEncode(bs, &cfg)
|
|
}
|
|
|
|
// ToDB exports a ActionsConfig to a serialized format.
|
|
func (cfg *ActionsConfig) ToDB() ([]byte, error) {
|
|
return json.Marshal(cfg)
|
|
}
|
|
|
|
// BeforeSet is invoked from XORM before setting the value of a field of this object.
|
|
func (r *RepoUnit) BeforeSet(colName string, val xorm.Cell) {
|
|
if colName == "type" {
|
|
switch unit.Type(db.Cell2Int64(val)) {
|
|
case unit.TypeExternalWiki:
|
|
r.Config = new(ExternalWikiConfig)
|
|
case unit.TypeExternalTracker:
|
|
r.Config = new(ExternalTrackerConfig)
|
|
case unit.TypePullRequests:
|
|
r.Config = new(PullRequestsConfig)
|
|
case unit.TypeIssues:
|
|
r.Config = new(IssuesConfig)
|
|
case unit.TypeActions:
|
|
r.Config = new(ActionsConfig)
|
|
case unit.TypeCode, unit.TypeReleases, unit.TypeWiki, unit.TypeProjects, unit.TypePackages:
|
|
fallthrough
|
|
default:
|
|
r.Config = new(UnitConfig)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Unit returns Unit
|
|
func (r *RepoUnit) Unit() unit.Unit {
|
|
return unit.Units[r.Type]
|
|
}
|
|
|
|
// CodeConfig returns config for unit.TypeCode
|
|
func (r *RepoUnit) CodeConfig() *UnitConfig {
|
|
return r.Config.(*UnitConfig)
|
|
}
|
|
|
|
// PullRequestsConfig returns config for unit.TypePullRequests
|
|
func (r *RepoUnit) PullRequestsConfig() *PullRequestsConfig {
|
|
return r.Config.(*PullRequestsConfig)
|
|
}
|
|
|
|
// ReleasesConfig returns config for unit.TypeReleases
|
|
func (r *RepoUnit) ReleasesConfig() *UnitConfig {
|
|
return r.Config.(*UnitConfig)
|
|
}
|
|
|
|
// ExternalWikiConfig returns config for unit.TypeExternalWiki
|
|
func (r *RepoUnit) ExternalWikiConfig() *ExternalWikiConfig {
|
|
return r.Config.(*ExternalWikiConfig)
|
|
}
|
|
|
|
// IssuesConfig returns config for unit.TypeIssues
|
|
func (r *RepoUnit) IssuesConfig() *IssuesConfig {
|
|
return r.Config.(*IssuesConfig)
|
|
}
|
|
|
|
// ExternalTrackerConfig returns config for unit.TypeExternalTracker
|
|
func (r *RepoUnit) ExternalTrackerConfig() *ExternalTrackerConfig {
|
|
return r.Config.(*ExternalTrackerConfig)
|
|
}
|
|
|
|
// ActionsConfig returns config for unit.ActionsConfig
|
|
func (r *RepoUnit) ActionsConfig() *ActionsConfig {
|
|
return r.Config.(*ActionsConfig)
|
|
}
|
|
|
|
func getUnitsByRepoID(ctx context.Context, repoID int64) (units []*RepoUnit, err error) {
|
|
var tmpUnits []*RepoUnit
|
|
if err := db.GetEngine(ctx).Where("repo_id = ?", repoID).Find(&tmpUnits); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, u := range tmpUnits {
|
|
if !u.Type.UnitGlobalDisabled() {
|
|
units = append(units, u)
|
|
}
|
|
}
|
|
|
|
return units, nil
|
|
}
|
|
|
|
// UpdateRepoUnit updates the provided repo unit
|
|
func UpdateRepoUnit(ctx context.Context, unit *RepoUnit) error {
|
|
_, err := db.GetEngine(ctx).ID(unit.ID).Update(unit)
|
|
if err != nil {
|
|
return fmt.Errorf("UpdateRepoUnit: %v", err)
|
|
}
|
|
return nil
|
|
}
|