mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-13 04:58:46 +00:00
Built on #12266; one commit added. Adds the ability to reduce the authorization scope of an authorized integration to public-only resources and repo-specific resources. Backend only -- no frontend created yet. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12267 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
87 lines
3.3 KiB
Go
87 lines
3.3 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package authz
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
)
|
|
|
|
func GetAuthorizationReducerForAccessToken(ctx context.Context, token *auth_model.AccessToken) (AuthorizationReducer, error) {
|
|
if token.ResourceAllRepos {
|
|
if publicOnly, err := token.Scope.PublicOnly(); err != nil {
|
|
return nil, fmt.Errorf("PublicOnly: %w", err)
|
|
} else if publicOnly {
|
|
return &PublicReposAuthorizationReducer{}, nil
|
|
}
|
|
return &AllAccessAuthorizationReducer{}, nil
|
|
}
|
|
|
|
repos, err := auth_model.GetRepositoriesAccessibleWithToken(ctx, token.ID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("GetRepositoriesAccessibleWithToken: %w", err)
|
|
}
|
|
// Cast slice into []RepoGetter
|
|
iface := make([]RepoGetter, len(repos))
|
|
for i, r := range repos {
|
|
iface[i] = r
|
|
}
|
|
return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
|
|
}
|
|
|
|
// A locale lookup string for the error -- eg. `access_token.error.invalid_something`
|
|
type AccessTokenValidationFailure string
|
|
|
|
// Validate that an access token's state is valid for creation. For example, that it doesn't have a conflicting set of
|
|
// resources (public-only and specific repositories), and other similar checks.
|
|
func ValidateAccessToken(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
|
|
// Other validations may be added here in the future.
|
|
return validateRepositoryResource(token, repoResources)
|
|
}
|
|
|
|
var (
|
|
ErrSpecifiedReposNone = errors.New("specified repository access token: must have at least one repository")
|
|
ErrSpecifiedReposNoPublicOnly = errors.New("specified repository access token: cannot be combined with public-only scope")
|
|
ErrSpecifiedReposInvalidScope = errors.New("specified repository access token: invalid scope")
|
|
)
|
|
|
|
func validateRepositoryResource(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
|
|
// Access tokens with broad access to all resources don't have any relevant validation rules to apply.
|
|
if token.ResourceAllRepos {
|
|
return nil
|
|
}
|
|
|
|
// Repo-specific access token must have at least one repository.
|
|
if len(repoResources) == 0 {
|
|
return ErrSpecifiedReposNone
|
|
}
|
|
|
|
// Can't have public-only and specified repos -- that's a combination that doesn't make sense.
|
|
if publicOnly, err := token.Scope.PublicOnly(); err != nil {
|
|
return err
|
|
} else if publicOnly {
|
|
return ErrSpecifiedReposNoPublicOnly
|
|
}
|
|
|
|
// Repo-specific access tokens are only effective at restricting permissions if they are limited to the scopes that
|
|
// support repositories as a resource. For example, if you had a repo-specific token but then gave it
|
|
// `write:organization`, it would be able to do operations like delete an organization -- permission checks on the
|
|
// repository resources wouldn't be applicable to the organization resources.
|
|
for _, scope := range token.Scope.StringSlice() {
|
|
switch auth_model.AccessTokenScope(scope) {
|
|
case auth_model.AccessTokenScopeReadIssue,
|
|
auth_model.AccessTokenScopeWriteIssue,
|
|
auth_model.AccessTokenScopeReadRepository,
|
|
auth_model.AccessTokenScopeWriteRepository:
|
|
continue
|
|
default:
|
|
return fmt.Errorf("%w: cannot be combined with scope %s", ErrSpecifiedReposInvalidScope, scope)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|