Refactor Actions Token Access (#35688)

* use a single function to do Action Tokens Permission checks * allows easier customization * add basic tests * lfs file locks should work now --------- Signed-off-by: ChristopherHX <christopher.homberger@web.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-10-24 13:53:42 +09:00 · 2025-10-22 13:12:31 +02:00
parent a9f2ea720b
commit 08b9776970
15 changed files with 218 additions and 168 deletions
--- a/tests/integration/actions_job_token_test.go
+++ b/tests/integration/actions_job_token_test.go
@@ -0,0 +1,117 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"encoding/base64"
+	"net/http"
+	"net/url"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestActionsJobTokenAccess(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		t.Run("Write Access", testActionsJobTokenAccess(u, false))
+		t.Run("Read Access", testActionsJobTokenAccess(u, true))
+	})
+}
+
+func testActionsJobTokenAccess(u *url.URL, isFork bool) func(t *testing.T) {
+	return func(t *testing.T) {
+		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 47})
+		require.NoError(t, task.GenerateToken())
+		task.Status = actions_model.StatusRunning
+		task.IsForkPullRequest = isFork
+		err := actions_model.UpdateTask(t.Context(), task, "token_hash", "token_salt", "token_last_eight", "status", "is_fork_pull_request")
+		require.NoError(t, err)
+		session := emptyTestSession(t)
+		context := APITestContext{
+			Session:  session,
+			Token:    task.Token,
+			Username: "user5",
+			Reponame: "repo4",
+		}
+		dstPath := t.TempDir()
+
+		u.Path = context.GitPath()
+		u.User = url.UserPassword("gitea-actions", task.Token)
+
+		t.Run("Git Clone", doGitClone(dstPath, u))
+
+		t.Run("API Get Repository", doAPIGetRepository(context, func(t *testing.T, r structs.Repository) {
+			require.Equal(t, "repo4", r.Name)
+			require.Equal(t, "user5", r.Owner.UserName)
+		}))
+
+		context.ExpectedCode = util.Iif(isFork, http.StatusForbidden, http.StatusCreated)
+		t.Run("API Create File", doAPICreateFile(context, "test.txt", &structs.CreateFileOptions{
+			FileOptions: structs.FileOptions{
+				NewBranchName: "new-branch",
+				Message:       "Create File",
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte(`This is a test file created using job token.`)),
+		}))
+
+		context.ExpectedCode = http.StatusForbidden
+		t.Run("Fail to Create Repository", doAPICreateRepository(context, true))
+
+		context.ExpectedCode = http.StatusForbidden
+		t.Run("Fail to Delete Repository", doAPIDeleteRepository(context))
+
+		t.Run("Fail to Create Organization", doAPICreateOrganization(context, &structs.CreateOrgOption{
+			UserName: "actions",
+			FullName: "Gitea Actions",
+		}))
+	}
+}
+
+func TestActionsJobTokenAccessLFS(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		httpContext := NewAPITestContext(t, "user2", "repo-lfs-test", auth_model.AccessTokenScopeWriteUser, auth_model.AccessTokenScopeWriteRepository)
+		t.Run("Create Repository", doAPICreateRepository(httpContext, false, func(t *testing.T, repository structs.Repository) {
+			task := &actions_model.ActionTask{}
+			require.NoError(t, task.GenerateToken())
+			task.Status = actions_model.StatusRunning
+			task.IsForkPullRequest = false
+			task.RepoID = repository.ID
+			err := db.Insert(t.Context(), task)
+			require.NoError(t, err)
+			session := emptyTestSession(t)
+			httpContext := APITestContext{
+				Session:  session,
+				Token:    task.Token,
+				Username: "user2",
+				Reponame: "repo-lfs-test",
+			}
+
+			u.Path = httpContext.GitPath()
+			dstPath := t.TempDir()
+
+			u.Path = httpContext.GitPath()
+			u.User = url.UserPassword("gitea-actions", task.Token)
+
+			t.Run("Clone", doGitClone(dstPath, u))
+
+			dstPath2 := t.TempDir()
+
+			t.Run("Partial Clone", doPartialGitClone(dstPath2, u))
+
+			lfs := lfsCommitAndPushTest(t, dstPath, testFileSizeSmall)[0]
+
+			reqLFS := NewRequest(t, "GET", "/api/v1/repos/user2/repo-lfs-test/media/"+lfs).AddTokenAuth(task.Token)
+			respLFS := MakeRequestNilResponseRecorder(t, reqLFS, http.StatusOK)
+			assert.Equal(t, testFileSizeSmall, respLFS.Length)
+		}))
+	})
+}
--- a/tests/integration/api_repo_file_get_test.go
+++ b/tests/integration/api_repo_file_get_test.go
@@ -9,7 +9,6 @@ import (
 	"testing"

 	auth_model "code.gitea.io/gitea/models/auth"
-	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/tests"

 	"github.com/stretchr/testify/assert"
@@ -25,8 +24,9 @@ func TestAPIGetRawFileOrLFS(t *testing.T) {

 	// Test with LFS
 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		createLFSTestRepository(t, "repo-lfs-test")
 		httpContext := NewAPITestContext(t, "user2", "repo-lfs-test", auth_model.AccessTokenScopeWriteRepository)
-		doAPICreateRepository(httpContext, false, func(t *testing.T, repository api.Repository) {
+		t.Run("repo-lfs-test", func(t *testing.T) {
 			u.Path = httpContext.GitPath()
 			dstPath := t.TempDir()

@@ -41,7 +41,7 @@ func TestAPIGetRawFileOrLFS(t *testing.T) {

 			lfs := lfsCommitAndPushTest(t, dstPath, testFileSizeSmall)[0]

-			reqLFS := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/media/"+lfs)
+			reqLFS := NewRequest(t, "GET", "/api/v1/repos/user2/repo-lfs-test/media/"+lfs).AddTokenAuth(httpContext.Token)
 			respLFS := MakeRequestNilResponseRecorder(t, reqLFS, http.StatusOK)
 			assert.Equal(t, testFileSizeSmall, respLFS.Length)
 		})
--- a/tests/integration/api_repo_lfs_test.go
+++ b/tests/integration/api_repo_lfs_test.go
@@ -23,6 +23,7 @@ import (
 	"code.gitea.io/gitea/tests"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestAPILFSNotStarted(t *testing.T) {
@@ -59,12 +60,12 @@ func TestAPILFSMediaType(t *testing.T) {
 	MakeRequest(t, req, http.StatusUnsupportedMediaType)
 }

-func createLFSTestRepository(t *testing.T, name string) *repo_model.Repository {
-	ctx := NewAPITestContext(t, "user2", "lfs-"+name+"-repo", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+func createLFSTestRepository(t *testing.T, repoName string) *repo_model.Repository {
+	ctx := NewAPITestContext(t, "user2", repoName, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
 	t.Run("CreateRepo", doAPICreateRepository(ctx, false))

-	repo, err := repo_model.GetRepositoryByOwnerAndName(t.Context(), "user2", "lfs-"+name+"-repo")
-	assert.NoError(t, err)
+	repo, err := repo_model.GetRepositoryByOwnerAndName(t.Context(), "user2", repoName)
+	require.NoError(t, err)

 	return repo
 }
@@ -74,7 +75,7 @@ func TestAPILFSBatch(t *testing.T) {

 	setting.LFS.StartServer = true

-	repo := createLFSTestRepository(t, "batch")
+	repo := createLFSTestRepository(t, "lfs-batch-repo")

 	content := []byte("dummy1")
 	oid := storeObjectInRepo(t, repo.ID, &content)
@@ -253,7 +254,7 @@ func TestAPILFSBatch(t *testing.T) {
 			assert.NoError(t, err)
 			assert.True(t, exist)

-			repo2 := createLFSTestRepository(t, "batch2")
+			repo2 := createLFSTestRepository(t, "lfs-batch2-repo")
 			content := []byte("dummy0")
 			storeObjectInRepo(t, repo2.ID, &content)

@@ -329,7 +330,7 @@ func TestAPILFSUpload(t *testing.T) {

 	setting.LFS.StartServer = true

-	repo := createLFSTestRepository(t, "upload")
+	repo := createLFSTestRepository(t, "lfs-upload-repo")

 	content := []byte("dummy3")
 	oid := storeObjectInRepo(t, repo.ID, &content)
@@ -433,7 +434,7 @@ func TestAPILFSVerify(t *testing.T) {

 	setting.LFS.StartServer = true

-	repo := createLFSTestRepository(t, "verify")
+	repo := createLFSTestRepository(t, "lfs-verify-repo")

 	content := []byte("dummy3")
 	oid := storeObjectInRepo(t, repo.ID, &content)