From 34b34d23280a9ee44a95e790296e73f2b53fa1ad Mon Sep 17 00:00:00 2001
From: ChristopherHX
Date: Mon, 9 Feb 2026 04:04:56 +0100
Subject: [PATCH] Refactor merge conan and container auth preserve actions taskID (#36560)
* Remove duplicated code
* Allow further ActionsUser package permission checks
---------
Co-authored-by: wxiaoguang
---
 routers/api/packages/api.go | 5 ++-
 routers/api/packages/{conan => }/auth.go | 29 +++++++++++----
 routers/api/packages/container/auth.go | 47 ------------------------
 services/packages/auth.go | 11 ++++--
 4 files changed, 32 insertions(+), 60 deletions(-)
 rename routers/api/packages/{conan => }/auth.go (60%)
 delete mode 100644 routers/api/packages/container/auth.go
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index f6ee5958b5..71fee23c92 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -117,7 +117,7 @@ func CommonRoutes() *web.Router {
 &auth.OAuth2{},
 &auth.Basic{},
 &nuget.Auth{},
- &conan.Auth{},
+ &Auth{},
 &chef.Auth{},
 })
@@ -537,7 +537,8 @@ func ContainerRoutes() *web.Router {
 verifyAuth(r, []auth.Method{
 &auth.Basic{},
- &container.Auth{},
+ // container auth requires an token, so container.Authenticate issues a Ghost user token for anonymous access
+ &Auth{AllowGhostUser: true},
 })
 // TODO: Content Discovery / References (not implemented yet)
diff --git a/routers/api/packages/conan/auth.go b/routers/api/packages/auth.go
similarity index 60%
rename from routers/api/packages/conan/auth.go
rename to routers/api/packages/auth.go
index bce3235a2e..b7bf381241 100644
--- a/routers/api/packages/conan/auth.go
+++ b/routers/api/packages/auth.go
@@ -1,7 +1,7 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
-package conan
+package packages
 import (
 "net/http"
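Review bot: In `ContainerRoutes` (routers/api/packages/api.go) the new comment above `&Auth{AllowGhostUser: true}` has a typo ("an token") and does not say what the flag changes. I would word it as `// container auth requires a token, so container.Authenticate issues one for the Ghost user to represent anonymous access; AllowGhostUser lets Verify accept it`. The `&Auth{}` registered in `CommonRoutes` leaves the flag unset, which per the `Verify` change means Ghost-user tokens are not accepted there; a short comment such as `// Ghost-user package tokens are only honoured on the container routes` would record that this is deliberate. Both functions start and end outside their hunks.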
@@ -14,10 +14,13 @@ import (
 var _ auth.Method = &Auth{}
-type Auth struct{}
+// Auth is for conan and container
+type Auth struct {
+ AllowGhostUser bool
+}
 func (a *Auth) Name() string {
- return "conan"
+ return "packages"
 }
 // Verify extracts the user from the Bearer token
@@ -32,10 +35,22 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 return nil, nil
 }
- u, err := user_model.GetUserByID(req.Context(), packageMeta.UserID)
- if err != nil {
- return nil, err
+ var u *user_model.User
+ switch packageMeta.UserID {
+ case user_model.GhostUserID:
+ if !a.AllowGhostUser {
+ return nil, nil
+ }
+ u = user_model.NewGhostUser()
+ case user_model.ActionsUserID:
+ u = user_model.NewActionsUserWithTaskID(packageMeta.ActionsUserTaskID)
+ default:
+ u, err = user_model.GetUserByID(req.Context(), packageMeta.UserID)
+ if err != nil {
+ return nil, err
+ }
 }
+
 if packageMeta.Scope != "" {
 store.GetData()["IsApiToken"] = true
 store.GetData()["ApiTokenScope"] = packageMeta.Scope
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go
deleted file mode 100644
index 19a931c405..0000000000
--- a/routers/api/packages/container/auth.go
+++ /dev/null
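Review bot: The exported `AllowGhostUser` field on `Auth` (routers/api/packages/auth.go, hunk at line 14) has no doc comment even though it decides whether a Ghost-user token authenticates at all, and `// Auth is for conan and container` does not say what the type does. I would document the field with `// AllowGhostUser makes Verify return a Ghost user for tokens whose UserID is GhostUserID; when false such tokens are treated as unauthenticated.` `Name()` now returns "packages" for both route groups, so anything that records the auth method name can no longer tell the conan and container paths apart; whether anything relies on the old names is not visible in this diff.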
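Review bot: In the `ActionsUserID` case of `Verify` (routers/api/packages/auth.go, hunk at line 35) the user is rebuilt from `packageMeta.ActionsUserTaskID` without checking that the value is non-zero or that the task is still running. Tokens signed before this change carry no such claim and would presumably decode to 0, and a token stays valid for the 24 hours set in `CreateAuthorizationToken`, which may outlast the task it was issued for. If task ID 0 is not meant to authenticate, add `if packageMeta.ActionsUserTaskID == 0 { return nil, nil }` ahead of `NewActionsUserWithTaskID`; otherwise a comment should state what 0 means and where the task's status is re-checked. Whether later permission checks validate the task is not visible here, and `Verify` starts and ends outside the hunk.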
@@ -1,47 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
- "net/http"
-
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/services/auth"
- "code.gitea.io/gitea/services/packages"
-)
-
-var _ auth.Method = &Auth{}
-
-type Auth struct{}
-
-func (a *Auth) Name() string {
- return "container"
-}
-
-// Verify extracts the user from the Bearer token
-// If it's an anonymous session, a ghost user is returned
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
- packageMeta, err := packages.ParseAuthorizationRequest(req)
- if err != nil {
- log.Trace("ParseAuthorizationToken: %v", err)
- return nil, err
- }
-
- if packageMeta == nil || packageMeta.UserID == 0 {
- return nil, nil
- }
-
- u, err := user_model.GetPossibleUserByID(req.Context(), packageMeta.UserID)
- if err != nil {
- return nil, err
- }
-
- if packageMeta.Scope != "" {
- store.GetData()["IsApiToken"] = true
- store.GetData()["ApiTokenScope"] = packageMeta.Scope
- }
-
- return u, nil
-}
diff --git a/services/packages/auth.go b/services/packages/auth.go
index 6e87643e29..6fcc408adc 100644
--- a/services/packages/auth.go
+++ b/services/packages/auth.go
@@ -23,21 +23,24 @@ type packageClaims struct {
 PackageMeta
 }
 type PackageMeta struct {
- UserID int64
- Scope auth_model.AccessTokenScope
+ UserID int64
+ Scope auth_model.AccessTokenScope
+ ActionsUserTaskID int64
 }
 func CreateAuthorizationToken(u *user_model.User, packageScope auth_model.AccessTokenScope) (string, error) {
 now := time.Now()
+ actionsUserTaskID, _ := user_model.GetActionsUserTaskID(u)
 claims := packageClaims{
 RegisteredClaims: jwt.RegisteredClaims{
 ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
 NotBefore: jwt.NewNumericDate(now),
 },
 PackageMeta: PackageMeta{
- UserID: u.ID,
- Scope: packageScope,
+ UserID: u.ID,
+ Scope: packageScope,
+ ActionsUserTaskID: actionsUserTaskID,
 },
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
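Review bot: `actionsUserTaskID, _ := user_model.GetActionsUserTaskID(u)` in `CreateAuthorizationToken` (services/packages/auth.go) discards the second result, so a lookup that did not succeed still yields a signed token with `ActionsUserTaskID: 0`. If that result can report failure for an Actions user, I would refuse to sign instead, e.g. `if u.ID == user_model.ActionsUserID && !ok { return "", errors.New("actions user without task id") }` (assuming the second result is a bool; its type is not visible here). At the least, a comment such as `// stays 0 for every user that is not an Actions task user` should explain why ignoring it is safe. The function continues past the end of the hunk.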