mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-15 05:58:48 +00:00
A handful of routes, described in this PR as "mixed routes", are currently accessible by both web-based sessions and authenticated API users. The goal of this PR is to allow access to these routes for Authorized Integrations as well, bringing them to full API compatibility (to my knowledge) with other authentication methods. These routes are impacted:
- `/{username}/{repo}/raw/*`
- `/{username}/{repo}/archive/*`
- `/{username}/{repo}/releases/download/{vTag}/{fileName}`
- `/{username}/{repo}/attachments/{uuid}`
- `/attachments/{uuid}`
The major work in this PR was to refactoring the existing authentication methods so that "path based matching" that they were currently doing was no longer required, as I didn't want to introduce that into Authorized Integrations. All the path based matching is removed in this PR, and authentication methods are enabled entirely by the middleware applied to their endpoints.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests for Go changes
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
- [x] `make pr-go` before pushing
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12776
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
433 lines
18 KiB
Go
433 lines
18 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"bytes"
|
|
"image"
|
|
"image/png"
|
|
"io"
|
|
"mime/multipart"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
repo_model "forgejo.org/models/repo"
|
|
unit_model "forgejo.org/models/unit"
|
|
"forgejo.org/models/unittest"
|
|
"forgejo.org/modules/storage"
|
|
"forgejo.org/modules/test"
|
|
repo_service "forgejo.org/services/repository"
|
|
"forgejo.org/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func generateImg() bytes.Buffer {
|
|
// Generate image
|
|
myImage := image.NewRGBA(image.Rect(0, 0, 32, 32))
|
|
var buff bytes.Buffer
|
|
png.Encode(&buff, myImage)
|
|
return buff
|
|
}
|
|
|
|
func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
|
|
body := &bytes.Buffer{}
|
|
|
|
// Setup multi-part
|
|
writer := multipart.NewWriter(body)
|
|
part, err := writer.CreateFormFile("file", filename)
|
|
require.NoError(t, err)
|
|
_, err = io.Copy(part, &buff)
|
|
require.NoError(t, err)
|
|
err = writer.Close()
|
|
require.NoError(t, err)
|
|
|
|
req := NewRequestWithBody(t, "POST", repoURL+"/issues/attachments", body)
|
|
req.Header.Add("Content-Type", writer.FormDataContentType())
|
|
resp := session.MakeRequest(t, req, expectedStatus)
|
|
|
|
if expectedStatus != http.StatusOK {
|
|
return ""
|
|
}
|
|
var obj map[string]string
|
|
DecodeJSON(t, resp, &obj)
|
|
return obj["uuid"]
|
|
}
|
|
|
|
func TestCreateAnonymousAttachment(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
session := emptyTestSession(t)
|
|
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusSeeOther)
|
|
}
|
|
|
|
func TestCreateIssueAttachment(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
const repoURL = "user2/repo1"
|
|
session := loginUser(t, "user2")
|
|
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
|
|
|
|
req := NewRequest(t, "GET", repoURL+"/issues/new")
|
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
|
|
link, exists := htmlDoc.doc.Find("form#new-issue").Attr("action")
|
|
assert.True(t, exists, "The template has changed")
|
|
|
|
postData := map[string]string{
|
|
"title": "New Issue With Attachment",
|
|
"content": "some content",
|
|
"files": uuid,
|
|
}
|
|
|
|
req = NewRequestWithValues(t, "POST", link, postData)
|
|
resp = session.MakeRequest(t, req, http.StatusOK)
|
|
test.RedirectURL(resp) // check that redirect URL exists
|
|
|
|
// Validate that attachment is available
|
|
req = NewRequest(t, "GET", "/attachments/"+uuid)
|
|
session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
// anonymous visit should be allowed because user2/repo1 is a public repository
|
|
MakeRequest(t, req, http.StatusOK)
|
|
}
|
|
|
|
func TestGetAttachment(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
adminSession := loginUser(t, "user1")
|
|
user2Session := loginUser(t, "user2")
|
|
user8Session := loginUser(t, "user8")
|
|
emptySession := emptyTestSession(t)
|
|
testCases := []struct {
|
|
name string
|
|
uuid string
|
|
createFile bool
|
|
session *TestSession
|
|
want int
|
|
}{
|
|
{"LinkedIssueUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, user2Session, http.StatusOK},
|
|
{"LinkedCommentUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a17", true, user2Session, http.StatusOK},
|
|
{"linked_release_uuid", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a19", true, user2Session, http.StatusOK},
|
|
{"NotExistingUUID", "b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusNotFound},
|
|
{"FileMissing", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusInternalServerError},
|
|
{"NotLinked", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user2Session, http.StatusNotFound},
|
|
{"NotLinkedAccessibleByUploader", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user8Session, http.StatusOK},
|
|
{"PublicByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, emptySession, http.StatusOK},
|
|
{"PrivateByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, emptySession, http.StatusNotFound},
|
|
{"PrivateAccessibleByAdmin", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, adminSession, http.StatusOK},
|
|
{"PrivateAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user2Session, http.StatusOK},
|
|
{"RepoNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user8Session, http.StatusNotFound},
|
|
{"OrgNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a21", true, user8Session, http.StatusNotFound},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
// Write empty file to be available for response
|
|
if tc.createFile {
|
|
_, err := storage.Attachments.Save(repo_model.AttachmentRelativePath(tc.uuid), strings.NewReader("hello world"), -1)
|
|
require.NoError(t, err)
|
|
}
|
|
// Actual test
|
|
req := NewRequest(t, "GET", "/attachments/"+tc.uuid)
|
|
tc.session.MakeRequest(t, req, tc.want)
|
|
})
|
|
}
|
|
}
|
|
|
|
// Access under `/attachments/{uuid}` and `/{user}/{repo}/attachments/{uuid}` is permitted for API tokens. Those API
|
|
// tokens then need to have the read:issue or read:repository and the correct resource scopes to permit access, though.
|
|
func TestGetAttachmentViaAPITokens(t *testing.T) {
|
|
defer unittest.OverrideFixtures("tests/integration/fixtures/TestGetAttachmentViaAPITokens")()
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
// Create attachment data for an attachment added by this test's fixture.
|
|
_, err := storage.Attachments.Save(repo_model.AttachmentRelativePath("d962b49e-e32a-4b72-922d-33b551b629e2"), strings.NewReader("hello universe"), -1)
|
|
require.NoError(t, err)
|
|
|
|
// Enable Issues unit on repo 16, one of our test targets.
|
|
repo_service.UpdateRepositoryUnits(t.Context(),
|
|
unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 16}),
|
|
[]repo_model.RepoUnit{{
|
|
RepoID: 16,
|
|
Type: unit_model.TypeIssues,
|
|
}}, nil)
|
|
|
|
t.Run("attachments", func(t *testing.T) {
|
|
t.Run("no read:issue scope", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
session := loginUser(t, "user2")
|
|
allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadMisc)
|
|
|
|
t.Run("denied public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
t.Run("denied private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
|
|
t.Run("denied private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
})
|
|
|
|
t.Run("all access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
session := loginUser(t, "user2")
|
|
allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
|
|
t.Run("allowed private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello universe", resp.Body.String())
|
|
})
|
|
})
|
|
|
|
t.Run("public-only access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
session := loginUser(t, "user2")
|
|
publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(publicOnlyToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("denied private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(publicOnlyToken)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
t.Run("denied private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(publicOnlyToken)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
})
|
|
|
|
t.Run("specific repo access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2",
|
|
[]auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadIssue},
|
|
[]int64{2},
|
|
)
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(repo2OnlyToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed inside fine-grain repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(repo2OnlyToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("denied private outside fine-grain repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(repo2OnlyToken)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
})
|
|
})
|
|
|
|
t.Run("user-repo-attachments", func(t *testing.T) {
|
|
t.Run("no read:issue scope", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
session := loginUser(t, "user2")
|
|
allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadMisc)
|
|
|
|
t.Run("denied public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
t.Run("denied private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
|
|
t.Run("denied private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
})
|
|
|
|
t.Run("all access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
session := loginUser(t, "user2")
|
|
allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
|
|
t.Run("allowed private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello universe", resp.Body.String())
|
|
})
|
|
})
|
|
|
|
t.Run("public-only access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
session := loginUser(t, "user2")
|
|
publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(publicOnlyToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("denied private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(publicOnlyToken)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
t.Run("denied private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(publicOnlyToken)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
})
|
|
|
|
t.Run("specific repo access token", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2",
|
|
[]auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadIssue},
|
|
[]int64{2},
|
|
)
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(repo2OnlyToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed inside fine-grain repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(repo2OnlyToken)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("denied private outside fine-grain repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(repo2OnlyToken)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
})
|
|
})
|
|
}
|
|
|
|
func TestGetAttachmentViaAuthorizedIntegration(t *testing.T) {
|
|
defer unittest.OverrideFixtures("tests/integration/fixtures/TestGetAttachmentViaAPITokens")()
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
// Create attachment data for an attachment added by this test's fixture.
|
|
_, err := storage.Attachments.Save(repo_model.AttachmentRelativePath("d962b49e-e32a-4b72-922d-33b551b629e2"), strings.NewReader("hello universe"), -1)
|
|
require.NoError(t, err)
|
|
|
|
// Enable Issues unit on repo 16, one of our test targets.
|
|
repo_service.UpdateRepositoryUnits(t.Context(),
|
|
unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 16}),
|
|
[]repo_model.RepoUnit{{
|
|
RepoID: 16,
|
|
Type: unit_model.TypeIssues,
|
|
}}, nil)
|
|
|
|
// Clone of the "all access token" tests from TestGetAttachmentViaAPITokens -- not all test conditions are repeated
|
|
// as there's no unique code in attachment code paths for authorized integrations other than the authentication
|
|
// method. Scopes and repo-specific reducers are common to both implementations.
|
|
|
|
ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
|
|
ai.Scope = auth_model.AccessTokenScopeReadIssue
|
|
})
|
|
defer ait.close()
|
|
token := ait.signedJWT()
|
|
|
|
t.Run("attachments", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello universe", resp.Body.String())
|
|
})
|
|
})
|
|
|
|
t.Run("user-repo-attachments", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
|
|
t.Run("allowed public repo1", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed private repo2", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello world", resp.Body.String())
|
|
})
|
|
t.Run("allowed private repo16", func(t *testing.T) {
|
|
defer tests.PrintCurrentTest(t)()
|
|
req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
assert.Equal(t, "hello universe", resp.Body.String())
|
|
})
|
|
})
|
|
}
|