	Fix a bug when uploading file via lfs ssh command (#34408)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
		| @@ -11,8 +11,10 @@ import ( | ||||
| 	"net/http" | ||||
| 	"net/url" | ||||
| 	"os" | ||||
| 	"os/exec" | ||||
| 	"path" | ||||
| 	"path/filepath" | ||||
| 	"slices" | ||||
| 	"strconv" | ||||
| 	"testing" | ||||
| 	"time" | ||||
| @@ -30,6 +32,7 @@ import ( | ||||
| 	api "code.gitea.io/gitea/modules/structs" | ||||
| 	"code.gitea.io/gitea/tests" | ||||
|  | ||||
| 	"github.com/kballard/go-shellquote" | ||||
| 	"github.com/stretchr/testify/assert" | ||||
| 	"github.com/stretchr/testify/require" | ||||
| ) | ||||
| @@ -105,7 +108,12 @@ func testGitGeneral(t *testing.T, u *url.URL) { | ||||
|  | ||||
| 		// Setup key the user ssh key | ||||
| 		withKeyFile(t, keyname, func(keyFile string) { | ||||
| 			t.Run("CreateUserKey", doAPICreateUserKey(sshContext, "test-key", keyFile)) | ||||
| 			var keyID int64 | ||||
| 			t.Run("CreateUserKey", doAPICreateUserKey(sshContext, "test-key", keyFile, func(t *testing.T, key api.PublicKey) { | ||||
| 				keyID = key.ID | ||||
| 			})) | ||||
| 			assert.NotZero(t, keyID) | ||||
| 			t.Run("LFSAccessTest", doSSHLFSAccessTest(sshContext, keyID)) | ||||
|  | ||||
| 			// Setup remote link | ||||
| 			// TODO: get url from api | ||||
| @@ -136,6 +144,36 @@ func testGitGeneral(t *testing.T, u *url.URL) { | ||||
| 	}) | ||||
| } | ||||
|  | ||||
| func doSSHLFSAccessTest(_ APITestContext, keyID int64) func(*testing.T) { | ||||
| 	return func(t *testing.T) { | ||||
| 		sshCommand := os.Getenv("GIT_SSH_COMMAND")       // it is set in withKeyFile | ||||
| 		sshCmdParts, err := shellquote.Split(sshCommand) // and parse the ssh command to construct some mocked arguments | ||||
| 		require.NoError(t, err) | ||||
|  | ||||
| 		t.Run("User2AccessOwned", func(t *testing.T) { | ||||
| 			sshCmdUser2Self := append(slices.Clone(sshCmdParts), | ||||
| 				"-p", strconv.Itoa(setting.SSH.ListenPort), "git@"+setting.SSH.ListenHost, | ||||
| 				"git-lfs-authenticate", "user2/repo1.git", "upload", // accessible to own repo | ||||
| 			) | ||||
| 			cmd := exec.CommandContext(t.Context(), sshCmdUser2Self[0], sshCmdUser2Self[1:]...) | ||||
| 			_, err := cmd.Output() | ||||
| 			assert.NoError(t, err) // accessible, no error | ||||
| 		}) | ||||
|  | ||||
| 		t.Run("User2AccessOther", func(t *testing.T) { | ||||
| 			sshCmdUser2Other := append(slices.Clone(sshCmdParts), | ||||
| 				"-p", strconv.Itoa(setting.SSH.ListenPort), "git@"+setting.SSH.ListenHost, | ||||
| 				"git-lfs-authenticate", "user5/repo4.git", "upload", // inaccessible to other's (user5/repo4) | ||||
| 			) | ||||
| 			cmd := exec.CommandContext(t.Context(), sshCmdUser2Other[0], sshCmdUser2Other[1:]...) | ||||
| 			_, err := cmd.Output() | ||||
| 			var errExit *exec.ExitError | ||||
| 			require.ErrorAs(t, err, &errExit) // inaccessible, error | ||||
| 			assert.Contains(t, string(errExit.Stderr), fmt.Sprintf("User: 2:user2 with Key: %d:test-key is not authorized to write to user5/repo4.", keyID)) | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func ensureAnonymousClone(t *testing.T, u *url.URL) { | ||||
| 	dstLocalPath := t.TempDir() | ||||
| 	t.Run("CloneAnonymous", doGitClone(dstLocalPath, u)) | ||||
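Review bot: In doSSHLFSAccessTest the allowed case (`User2AccessOwned`) discards stdout and asserts only a zero exit, so the test would still pass if `git-lfs-authenticate` succeeded but returned an empty or malformed response; `out, err := cmd.Output()` followed by `assert.NotEmpty(t, out)` would pin the success path as tightly as the denial path. The denial case covers only `upload` against user5/repo4; a `download` request against a repository user2 cannot read would exercise the read side of the same authorization check, assuming the fixtures contain such a repository. In testGitGeneral, `assert.NotZero(t, keyID)` lets the run continue into LFSAccessTest with keyID 0, so `require.NotZero(t, keyID)` is the safer guard. If GIT_SSH_COMMAND is unset, `sshCmdParts` is empty and the test tries to execute `-p`, so a `require.NotEmpty(t, sshCmdParts)` after the split would give a clearer failure. testGitGeneral and ensureAnonymousClone continue outside the visible hunks.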
|   | ||||