mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-13 06:20:24 +00:00
ef5479af71
Forgejo's `basic` and `oauth2` authentication methods perform five distinct types of authentication:
- Username and password authentication
- Personal access tokens
- OAuth2 access tokens
- Forgejo Action's `${{ forgejo.token }}` -- task-based static tokens
- Forgejo Action's `${{ env.ACTIONS_RUNTIME_TOKEN }}` JWT, which is the authentication method used for `upload-artifact` (mirroring GitHub's implementation)
`basic` and `oauth2` both supported almost all of these methods, resulting in quite a bit of code duplication between them. This PR splits personal access tokens into `access_token.go`, Action's task-based tokens into `action_task_token.go`, and Action's JWT tokens into `action_runtime_token.go`.
**Note:** There is one peculiar side-effect that is worth discussing. Previously, `Authorization: Basic ...` was handled by one complex code path in basic.go, and `Authorization: Bearer ...` was handled by another in oauth2.go, and if authorization failed and a 401 was returned, a single error message would be returned to the user. Now, as multiple authorization methods may look at `Authorization: Basic ...` and provide their own reason why authorization didn't work, a 401 response has multiple reasons for a lack of authorization listed:
```
401 Unauthorized
...
failure to authenticate with oauth2 access token: not a JWT
Basic authorization is not allowed while having security keys enrolled
access token does not exist [sha: notpassword]
task with token "notpassword": resource does not exist
```
A couple tests have been adapted to check that the result contains their expected response, rather than is equal-to or prefixed-with their expected result. This is caused by the "auth group" joining together any "invalid credentials" errors, and, to a certain extent it is useful to understand why the authorization request failed. But it's a bit obscure as well.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests for Go changes
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- Relying on integration testing for regression checks.
- I ran...
- [x] `make pr-go` before pushing
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12236
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
218 lines
7 KiB
Go
218 lines
7 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"slices"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/models/db"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/test"
|
|
"forgejo.org/modules/translation"
|
|
"forgejo.org/tests"
|
|
|
|
"github.com/pquerna/otp/totp"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestAPITwoFactor(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 16})
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user").
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
|
|
otpKey, err := totp.Generate(totp.GenerateOpts{
|
|
SecretSize: 40,
|
|
Issuer: "gitea-test",
|
|
AccountName: user.Name,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
tfa := &auth_model.TwoFactor{
|
|
UID: user.ID,
|
|
}
|
|
|
|
require.NoError(t, auth_model.NewTwoFactor(db.DefaultContext, tfa, otpKey.Secret()))
|
|
|
|
req = NewRequest(t, "GET", "/api/v1/user").
|
|
AddBasicAuth(user.Name)
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now())
|
|
require.NoError(t, err)
|
|
|
|
req = NewRequest(t, "GET", "/api/v1/user").
|
|
AddBasicAuth(user.Name)
|
|
req.Header.Set("X-Gitea-OTP", passcode)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/user").
|
|
AddBasicAuth(user.Name)
|
|
req.Header.Set("X-Forgejo-OTP", passcode)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
}
|
|
|
|
func TestAPIWebAuthn(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 32})
|
|
unittest.AssertExistsAndLoadBean(t, &auth_model.WebAuthnCredential{UserID: user.ID})
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user")
|
|
req.SetBasicAuth(user.Name, "notpassword")
|
|
|
|
resp := MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
type userResponse struct {
|
|
Message string `json:"message"`
|
|
}
|
|
var userParsed userResponse
|
|
|
|
DecodeJSON(t, resp, &userParsed)
|
|
|
|
assert.Contains(t, userParsed.Message, "Basic authorization is not allowed while having security keys enrolled\n")
|
|
}
|
|
|
|
func TestAPIWithRequiredTwoFactor(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
type userResponse struct {
|
|
Message string `json:"message"`
|
|
}
|
|
|
|
locale := translation.NewLocale("en-US")
|
|
|
|
adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
|
inactiveUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
|
|
restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29})
|
|
prohibitLoginUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 37})
|
|
|
|
require2FaMessage := locale.TrString("error.must_enable_2fa", fmt.Sprintf("%suser/settings/security", setting.AppURL))
|
|
const prohibitedMessage = "This account is prohibited from signing in, please contact your site administrator."
|
|
const loginNotAllowedMessage = "user is not allowed login"
|
|
|
|
runTest := func(t *testing.T, user *user_model.User, useTOTP bool, status int, messagePrefix string) {
|
|
t.Helper()
|
|
defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID})
|
|
|
|
passcode := func() string {
|
|
if !useTOTP {
|
|
return ""
|
|
}
|
|
|
|
otpKey, err := totp.Generate(totp.GenerateOpts{
|
|
SecretSize: 40,
|
|
Issuer: "forgejo-test",
|
|
AccountName: user.Name,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, auth_model.NewTwoFactor(t.Context(), &auth_model.TwoFactor{UID: user.ID}, otpKey.Secret()))
|
|
|
|
passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now())
|
|
require.NoError(t, err)
|
|
return passcode
|
|
}()
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user").
|
|
AddBasicAuth(user.Name)
|
|
|
|
if useTOTP {
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/user").
|
|
AddBasicAuth(user.Name)
|
|
req.Header.Set("X-Forgejo-OTP", passcode)
|
|
}
|
|
|
|
resp := MakeRequest(t, req, status)
|
|
|
|
if messagePrefix != "" {
|
|
var response userResponse
|
|
DecodeJSON(t, resp, &response)
|
|
|
|
assert.True(t,
|
|
slices.ContainsFunc(
|
|
strings.Split(response.Message, "\n"),
|
|
func(msg string) bool {
|
|
return strings.HasPrefix(msg, messagePrefix)
|
|
},
|
|
),
|
|
"expected prefix %q, but response message was %q", messagePrefix, response.Message)
|
|
}
|
|
}
|
|
|
|
t.Run("NoneTwoFactorRequirement", func(t *testing.T) {
|
|
// this should be the default, so don't have to set the variable
|
|
|
|
t.Run("no 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, false, http.StatusOK, "")
|
|
runTest(t, normalUser, false, http.StatusOK, "")
|
|
runTest(t, inactiveUser, false, http.StatusForbidden, prohibitedMessage)
|
|
runTest(t, restrictedUser, false, http.StatusOK, "")
|
|
runTest(t, prohibitLoginUser, false, http.StatusUnauthorized, loginNotAllowedMessage)
|
|
})
|
|
|
|
t.Run("enabled 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, true, http.StatusOK, "")
|
|
runTest(t, normalUser, true, http.StatusOK, "")
|
|
runTest(t, inactiveUser, true, http.StatusForbidden, prohibitedMessage)
|
|
runTest(t, restrictedUser, true, http.StatusOK, "")
|
|
runTest(t, prohibitLoginUser, true, http.StatusUnauthorized, loginNotAllowedMessage)
|
|
})
|
|
})
|
|
|
|
t.Run("AllTwoFactorRequirement", func(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)()
|
|
|
|
t.Run("no 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, false, http.StatusForbidden, require2FaMessage)
|
|
runTest(t, normalUser, false, http.StatusForbidden, require2FaMessage)
|
|
runTest(t, inactiveUser, false, http.StatusForbidden, prohibitedMessage)
|
|
runTest(t, restrictedUser, false, http.StatusForbidden, require2FaMessage)
|
|
runTest(t, prohibitLoginUser, false, http.StatusUnauthorized, loginNotAllowedMessage)
|
|
})
|
|
|
|
t.Run("enabled 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, true, http.StatusOK, "")
|
|
runTest(t, normalUser, true, http.StatusOK, "")
|
|
runTest(t, inactiveUser, true, http.StatusForbidden, prohibitedMessage)
|
|
runTest(t, restrictedUser, true, http.StatusOK, "")
|
|
runTest(t, prohibitLoginUser, true, http.StatusUnauthorized, loginNotAllowedMessage)
|
|
})
|
|
})
|
|
|
|
t.Run("AdminTwoFactorRequirement", func(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)()
|
|
|
|
t.Run("no 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, false, http.StatusForbidden, require2FaMessage)
|
|
runTest(t, normalUser, false, http.StatusOK, "")
|
|
runTest(t, inactiveUser, false, http.StatusForbidden, prohibitedMessage)
|
|
runTest(t, restrictedUser, false, http.StatusOK, "")
|
|
runTest(t, prohibitLoginUser, false, http.StatusUnauthorized, loginNotAllowedMessage)
|
|
})
|
|
|
|
t.Run("enabled 2fa", func(t *testing.T) {
|
|
runTest(t, adminUser, true, http.StatusOK, "")
|
|
runTest(t, normalUser, true, http.StatusOK, "")
|
|
runTest(t, inactiveUser, true, http.StatusForbidden, prohibitedMessage)
|
|
runTest(t, restrictedUser, true, http.StatusOK, "")
|
|
runTest(t, prohibitLoginUser, true, http.StatusUnauthorized, loginNotAllowedMessage)
|
|
})
|
|
})
|
|
}
|