mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
9b88e77c19
Protect OIDC tokens generated by Forgejo Actions from threats arising when users or repositories are renamed or deleted, freeing their names up for reuse by another user. In this threat environment, relying on the name of users and repositories in validating JWT claims is unsafe because they can change. Adds three new claims to Actions' OIDC tokens: - `actor_id` -- the immutable identifier of the actor who triggered an Action run - `repository_id` -- the immutable identifier of the repository on which the Action is running - `repository_owner_id` -- the immutable identifier of the owner of the repository on which the Action is running Repositories will change their subject (`sub`) OIDC claims to include these immutable identifiers. Existing repositories will not change, in order to maintain compatibility with existing JWT usage. The new format will be applied to new repositories, or can be applied by disabling and enabling the Actions unit. The new format embeds the identifiers: - **Existing repos:** `repo:my-org/my-repo:ref:refs/heads/main` - **New repos:** `repo:my-org-123456/my-repo-456789:ref:refs/heads/main` Fixes #12244. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - New fields will be added to documentation soon. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12355 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
228 lines
8 KiB
Go
228 lines
8 KiB
Go
// Copyright 2025 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package integration
|
|
|
|
import (
|
|
"crypto/rsa"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"math/big"
|
|
"net/http"
|
|
"testing"
|
|
|
|
actions_model "forgejo.org/models/actions"
|
|
"forgejo.org/models/auth"
|
|
"forgejo.org/models/db"
|
|
repo_model "forgejo.org/models/repo"
|
|
"forgejo.org/modules/setting"
|
|
api "forgejo.org/modules/structs"
|
|
actions_service "forgejo.org/services/actions"
|
|
"forgejo.org/tests"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
type getTokenResponse struct {
|
|
Value string `json:"value"`
|
|
}
|
|
|
|
func prepareTestEnvActionsIDToken(t *testing.T) func() {
|
|
t.Helper()
|
|
f := tests.PrepareTestEnv(t, 1)
|
|
return f
|
|
}
|
|
|
|
func TestActionsIDToken(t *testing.T) {
|
|
defer prepareTestEnvActionsIDToken(t)()
|
|
task, err := actions_model.GetTaskByID(db.DefaultContext, 48)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
err = task.LoadAttributes(db.DefaultContext)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
gitCtx, err := actions_service.GenerateGiteaContext(task.Job.Run, task.Job)
|
|
require.NoError(t, err)
|
|
|
|
token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{})
|
|
require.NoError(t, err)
|
|
tokenWithoutOIDCAccess, err := actions_service.CreateAuthorizationToken(task, gitCtx, false, &repo_model.ActionsConfig{})
|
|
require.NoError(t, err)
|
|
|
|
// get JWKs information
|
|
req := NewRequest(t, "GET", "/api/actions/.well-known/keys")
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var jwks jwksResponse
|
|
DecodeJSON(t, resp, &jwks)
|
|
require.Len(t, jwks["keys"], 1)
|
|
key := jwks["keys"][0]
|
|
|
|
var exponent []byte
|
|
if exponent, err = base64.RawURLEncoding.DecodeString(key["e"]); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var modulus []byte
|
|
if modulus, err = base64.RawURLEncoding.DecodeString(key["n"]); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
pubKey := rsa.PublicKey{
|
|
E: int(big.NewInt(0).SetBytes(exponent).Uint64()),
|
|
N: big.NewInt(0).SetBytes(modulus),
|
|
}
|
|
|
|
t.Run("success path", func(t *testing.T) {
|
|
doAssertions := func(aud string, claims map[string]any) {
|
|
assert.Equal(t, "user1", claims["actor"])
|
|
assert.Equal(t, aud, claims["aud"])
|
|
assert.Equal(t, setting.AppURL+"api/actions", claims["iss"])
|
|
assert.Equal(t, "refs/heads/master", claims["ref"])
|
|
assert.Equal(t, "false", claims["ref_protected"])
|
|
assert.Equal(t, "branch", claims["ref_type"])
|
|
assert.Equal(t, "user5/repo4", claims["repository"])
|
|
assert.Equal(t, "user5", claims["repository_owner"])
|
|
assert.Equal(t, "1", claims["run_attempt"])
|
|
assert.Equal(t, "792", claims["run_id"])
|
|
assert.Equal(t, "188", claims["run_number"])
|
|
assert.Equal(t, "c2d72f548424103f01ee1dc02889c1e2bff816b0", claims["sha"])
|
|
assert.Equal(t, "repo:user5-5/repo4-4:ref:refs/heads/master", claims["sub"])
|
|
assert.Equal(t, "artifact.yaml", claims["workflow"])
|
|
assert.Equal(t, "user5/repo4/.forgejo/workflows/artifact.yaml@refs/heads/master", claims["workflow_ref"])
|
|
}
|
|
|
|
// Default aud
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true").AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
var getResponse getTokenResponse
|
|
DecodeJSON(t, resp, &getResponse)
|
|
|
|
claims := jwt.MapClaims{}
|
|
_, err = jwt.ParseWithClaims(getResponse.Value, claims, func(t *jwt.Token) (any, error) {
|
|
return &pubKey, nil
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
doAssertions(setting.AppURL+"user5", claims)
|
|
|
|
// Custom aud
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=testingAud").AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &getResponse)
|
|
|
|
claims = jwt.MapClaims{}
|
|
_, err = jwt.ParseWithClaims(getResponse.Value, claims, func(t *jwt.Token) (any, error) {
|
|
return &pubKey, nil
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
doAssertions("testingAud", claims)
|
|
})
|
|
|
|
t.Run("with token that doesn't support OIDC", func(t *testing.T) {
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true").AddTokenAuth(tokenWithoutOIDCAccess)
|
|
resp = MakeRequest(t, req, http.StatusInternalServerError)
|
|
assert.Contains(t, resp.Body.String(), "Error runner api parsing custom claims")
|
|
assert.NotContains(t, resp.Body.String(), "value") // must not leak an actual `getTokenResponse`
|
|
})
|
|
|
|
t.Run("with no auth header", func(t *testing.T) {
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=testingAud")
|
|
resp = MakeRequest(t, req, http.StatusUnauthorized)
|
|
assert.Contains(t, resp.Body.String(), "Bad authorization header")
|
|
})
|
|
|
|
t.Run("with bad token format", func(t *testing.T) {
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=testingAud").AddTokenAuth("1234567")
|
|
resp = MakeRequest(t, req, http.StatusInternalServerError)
|
|
assert.Contains(t, resp.Body.String(), "Error runner api parsing authorization token")
|
|
})
|
|
|
|
t.Run("with invalid task", func(t *testing.T) {
|
|
task, err := actions_model.GetTaskByID(db.DefaultContext, 48)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
err = task.LoadAttributes(db.DefaultContext)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// Change ID to be invalid
|
|
task.ID = 123456
|
|
|
|
gitCtx, err := actions_service.GenerateGiteaContext(task.Job.Run, task.Job)
|
|
require.NoError(t, err)
|
|
|
|
token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{})
|
|
require.NoError(t, err)
|
|
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/abcde/idtoken?placeholder=true&audience=testingAud").AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusInternalServerError)
|
|
assert.Contains(t, resp.Body.String(), "Error runner api getting task by ID")
|
|
})
|
|
|
|
t.Run("with task that is not running", func(t *testing.T) {
|
|
task, err := actions_model.GetTaskByID(db.DefaultContext, 49)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
err = task.LoadAttributes(db.DefaultContext)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
gitCtx, err := actions_service.GenerateGiteaContext(task.Job.Run, task.Job)
|
|
require.NoError(t, err)
|
|
|
|
token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{})
|
|
require.NoError(t, err)
|
|
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/abcde/idtoken?placeholder=true&audience=testingAud").AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusInternalServerError)
|
|
assert.Contains(t, resp.Body.String(), "Error runner api getting task: task is not running")
|
|
})
|
|
|
|
t.Run("with mismatched run ID", func(t *testing.T) {
|
|
req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/123/idtoken?placeholder=true&audience=testingAud").AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusBadRequest)
|
|
assert.Contains(t, resp.Body.String(), "run-id does not match")
|
|
})
|
|
|
|
t.Run("authorized integration internal issuer", func(t *testing.T) {
|
|
// Create an Authorized Integration which is set-up to be validated with the in-memory Actions' JWT signing key:
|
|
ai := &auth.AuthorizedIntegration{
|
|
UserID: 2,
|
|
Scope: auth.AccessTokenScopeAll,
|
|
Issuer: "urn:forgejo:authorized-integrations:actions",
|
|
ClaimRules: &auth.ClaimRules{
|
|
Rules: []auth.ClaimRule{
|
|
{
|
|
Claim: "sub",
|
|
Comparison: auth.ClaimEqual,
|
|
Value: "repo:user5/repo4:ref:refs/heads/master",
|
|
},
|
|
},
|
|
},
|
|
ResourceAllRepos: true,
|
|
}
|
|
require.NoError(t, auth.InsertAuthorizedIntegration(t.Context(), ai))
|
|
|
|
// Create a JWT from the Actions system:
|
|
var getResponse getTokenResponse
|
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=%s", ai.Audience)).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &getResponse)
|
|
|
|
// Should be able to make a Forgejo API call with the JWT, authenticated by the Authorized Integration:
|
|
req := NewRequest(t, "GET", "/api/v1/user").AddTokenAuth(getResponse.Value)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var user api.User
|
|
DecodeJSON(t, resp, &user)
|
|
assert.Equal(t, "user2", user.LoginName)
|
|
})
|
|
}
|