2017-06-15 19:20:39 +08:00
// Copyright 2017 The Gitea Authors. All rights reserved.
2022-11-27 13:20:29 -05:00
// SPDX-License-Identifier: MIT
2017-06-15 19:20:39 +08:00
2022-09-02 15:18:23 -04:00
package integration
2017-06-15 19:20:39 +08:00
import (
2019-11-10 08:42:51 +00:00
"bytes"
2022-05-08 20:32:45 +08:00
"context"
2019-11-10 08:42:51 +00:00
"fmt"
2017-06-15 19:20:39 +08:00
"net/http"
2017-12-03 14:46:01 -08:00
"net/http/httptest"
2019-05-11 16:29:17 +01:00
"net/url"
2019-11-10 08:42:51 +00:00
"os"
2017-06-15 19:20:39 +08:00
"path"
"strings"
"testing"
2019-11-10 08:42:51 +00:00
"time"
2017-06-15 19:20:39 +08:00
2018-01-05 20:56:50 +02:00
"code.gitea.io/gitea/models"
2023-01-17 16:46:03 -05:00
auth_model "code.gitea.io/gitea/models/auth"
2022-05-20 22:08:52 +08:00
"code.gitea.io/gitea/models/db"
2022-06-13 17:37:59 +08:00
issues_model "code.gitea.io/gitea/models/issues"
2021-12-10 09:27:50 +08:00
repo_model "code.gitea.io/gitea/models/repo"
2021-11-16 16:53:21 +08:00
"code.gitea.io/gitea/models/unittest"
2021-11-24 17:49:20 +08:00
user_model "code.gitea.io/gitea/models/user"
2021-11-10 13:13:16 +08:00
"code.gitea.io/gitea/models/webhook"
2019-11-10 08:42:51 +00:00
"code.gitea.io/gitea/modules/git"
api "code.gitea.io/gitea/modules/structs"
2017-12-15 13:11:02 -08:00
"code.gitea.io/gitea/modules/test"
2022-06-26 16:19:22 +02:00
"code.gitea.io/gitea/modules/translation"
2019-11-10 08:42:51 +00:00
"code.gitea.io/gitea/services/pull"
2022-04-21 21:55:45 +00:00
repo_service "code.gitea.io/gitea/services/repository"
files_service "code.gitea.io/gitea/services/repository/files"
2017-12-15 13:11:02 -08:00
2017-06-15 19:20:39 +08:00
"github.com/stretchr/testify/assert"
)
2021-12-10 09:27:50 +08:00
func testPullMerge ( t * testing . T , session * TestSession , user , repo , pullnum string , mergeStyle repo_model . MergeStyle ) * httptest . ResponseRecorder {
2017-06-15 19:20:39 +08:00
req := NewRequest ( t , "GET" , path . Join ( user , repo , "pulls" , pullnum ) )
2017-07-07 15:36:47 -04:00
resp := session . MakeRequest ( t , req , http . StatusOK )
2017-06-15 19:20:39 +08:00
2017-06-17 11:29:59 -05:00
htmlDoc := NewHTMLParser ( t , resp . Body )
2022-05-12 21:39:02 +08:00
link := path . Join ( user , repo , "pulls" , pullnum , "merge" )
2017-06-17 00:49:45 -04:00
req = NewRequestWithValues ( t , "POST" , link , map [ string ] string {
"_csrf" : htmlDoc . GetCSRF ( ) ,
2018-01-05 20:56:50 +02:00
"do" : string ( mergeStyle ) ,
2017-06-17 00:49:45 -04:00
} )
2022-03-23 05:54:07 +01:00
resp = session . MakeRequest ( t , req , http . StatusSeeOther )
2017-06-15 19:20:39 +08:00
return resp
}
2017-12-03 14:46:01 -08:00
func testPullCleanUp ( t * testing . T , session * TestSession , user , repo , pullnum string ) * httptest . ResponseRecorder {
2017-06-21 04:00:03 +03:00
req := NewRequest ( t , "GET" , path . Join ( user , repo , "pulls" , pullnum ) )
2017-07-07 15:36:47 -04:00
resp := session . MakeRequest ( t , req , http . StatusOK )
2017-06-21 04:00:03 +03:00
2023-09-19 00:05:31 +02:00
// Click the little button to create a pull
2017-06-21 04:00:03 +03:00
htmlDoc := NewHTMLParser ( t , resp . Body )
2020-04-11 00:01:41 +02:00
link , exists := htmlDoc . doc . Find ( ".timeline-item .delete-button" ) . Attr ( "data-url" )
2022-05-12 21:39:02 +08:00
assert . True ( t , exists , "The template has changed, can not find delete button url" )
2017-06-21 04:00:03 +03:00
req = NewRequestWithValues ( t , "POST" , link , map [ string ] string {
"_csrf" : htmlDoc . GetCSRF ( ) ,
} )
2017-07-07 15:36:47 -04:00
resp = session . MakeRequest ( t , req , http . StatusOK )
2017-06-21 04:00:03 +03:00
return resp
}
2017-06-15 19:20:39 +08:00
func TestPullMerge ( t * testing . T ) {
2019-05-11 16:29:17 +01:00
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
2022-01-20 18:46:10 +01:00
hookTasks , err := webhook . HookTasks ( 1 , 1 ) // Retrieve previous hook number
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
hookTasksLenBefore := len ( hookTasks )
2019-05-11 16:29:17 +01:00
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFile ( t , session , "user1" , "repo1" , "master" , "README.md" , "Hello, World (Edited)\n" )
2017-06-15 19:20:39 +08:00
2019-05-11 16:29:17 +01:00
resp := testPullCreate ( t , session , "user1" , "repo1" , "master" , "This is a pull title" )
2017-06-15 19:20:39 +08:00
2019-05-11 16:29:17 +01:00
elem := strings . Split ( test . RedirectURL ( resp ) , "/" )
assert . EqualValues ( t , "pulls" , elem [ 3 ] )
2021-12-10 09:27:50 +08:00
testPullMerge ( t , session , elem [ 1 ] , elem [ 2 ] , elem [ 4 ] , repo_model . MergeStyleMerge )
2019-08-11 22:31:18 +02:00
2021-11-10 13:13:16 +08:00
hookTasks , err = webhook . HookTasks ( 1 , 1 )
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
assert . Len ( t , hookTasks , hookTasksLenBefore + 1 )
2019-05-11 16:29:17 +01:00
} )
2018-01-05 20:56:50 +02:00
}
func TestPullRebase ( t * testing . T ) {
2019-05-11 16:29:17 +01:00
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
2022-01-20 18:46:10 +01:00
hookTasks , err := webhook . HookTasks ( 1 , 1 ) // Retrieve previous hook number
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
hookTasksLenBefore := len ( hookTasks )
2019-05-11 16:29:17 +01:00
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFile ( t , session , "user1" , "repo1" , "master" , "README.md" , "Hello, World (Edited)\n" )
2018-01-05 20:56:50 +02:00
2019-05-11 16:29:17 +01:00
resp := testPullCreate ( t , session , "user1" , "repo1" , "master" , "This is a pull title" )
2018-01-05 20:56:50 +02:00
2019-05-11 16:29:17 +01:00
elem := strings . Split ( test . RedirectURL ( resp ) , "/" )
assert . EqualValues ( t , "pulls" , elem [ 3 ] )
2021-12-10 09:27:50 +08:00
testPullMerge ( t , session , elem [ 1 ] , elem [ 2 ] , elem [ 4 ] , repo_model . MergeStyleRebase )
2019-08-11 22:31:18 +02:00
2021-11-10 13:13:16 +08:00
hookTasks , err = webhook . HookTasks ( 1 , 1 )
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
assert . Len ( t , hookTasks , hookTasksLenBefore + 1 )
2019-05-11 16:29:17 +01:00
} )
2018-01-05 20:56:50 +02:00
}
2018-12-27 11:27:08 +01:00
func TestPullRebaseMerge ( t * testing . T ) {
2019-05-11 16:29:17 +01:00
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
2022-01-20 18:46:10 +01:00
hookTasks , err := webhook . HookTasks ( 1 , 1 ) // Retrieve previous hook number
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
hookTasksLenBefore := len ( hookTasks )
2019-05-11 16:29:17 +01:00
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFile ( t , session , "user1" , "repo1" , "master" , "README.md" , "Hello, World (Edited)\n" )
2018-12-27 11:27:08 +01:00
2019-05-11 16:29:17 +01:00
resp := testPullCreate ( t , session , "user1" , "repo1" , "master" , "This is a pull title" )
2018-12-27 11:27:08 +01:00
2019-05-11 16:29:17 +01:00
elem := strings . Split ( test . RedirectURL ( resp ) , "/" )
assert . EqualValues ( t , "pulls" , elem [ 3 ] )
2021-12-10 09:27:50 +08:00
testPullMerge ( t , session , elem [ 1 ] , elem [ 2 ] , elem [ 4 ] , repo_model . MergeStyleRebaseMerge )
2019-08-11 22:31:18 +02:00
2021-11-10 13:13:16 +08:00
hookTasks , err = webhook . HookTasks ( 1 , 1 )
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
assert . Len ( t , hookTasks , hookTasksLenBefore + 1 )
2019-05-11 16:29:17 +01:00
} )
2018-12-27 11:27:08 +01:00
}
2018-01-05 20:56:50 +02:00
func TestPullSquash ( t * testing . T ) {
2019-05-11 16:29:17 +01:00
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
2022-01-20 18:46:10 +01:00
hookTasks , err := webhook . HookTasks ( 1 , 1 ) // Retrieve previous hook number
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
hookTasksLenBefore := len ( hookTasks )
2019-05-11 16:29:17 +01:00
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFile ( t , session , "user1" , "repo1" , "master" , "README.md" , "Hello, World (Edited)\n" )
testEditFile ( t , session , "user1" , "repo1" , "master" , "README.md" , "Hello, World (Edited!)\n" )
resp := testPullCreate ( t , session , "user1" , "repo1" , "master" , "This is a pull title" )
elem := strings . Split ( test . RedirectURL ( resp ) , "/" )
assert . EqualValues ( t , "pulls" , elem [ 3 ] )
2021-12-10 09:27:50 +08:00
testPullMerge ( t , session , elem [ 1 ] , elem [ 2 ] , elem [ 4 ] , repo_model . MergeStyleSquash )
2019-08-11 22:31:18 +02:00
2021-11-10 13:13:16 +08:00
hookTasks , err = webhook . HookTasks ( 1 , 1 )
2019-08-11 22:31:18 +02:00
assert . NoError ( t , err )
assert . Len ( t , hookTasks , hookTasksLenBefore + 1 )
2019-05-11 16:29:17 +01:00
} )
2017-06-15 19:20:39 +08:00
}
2017-06-21 04:00:03 +03:00
func TestPullCleanUpAfterMerge ( t * testing . T ) {
2019-05-11 16:29:17 +01:00
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
2020-02-09 23:09:31 +00:00
testEditFileToNewBranch ( t , session , "user1" , "repo1" , "master" , "feature/test" , "README.md" , "Hello, World (Edited - TestPullCleanUpAfterMerge)\n" )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
resp := testPullCreate ( t , session , "user1" , "repo1" , "feature/test" , "This is a pull title" )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
elem := strings . Split ( test . RedirectURL ( resp ) , "/" )
assert . EqualValues ( t , "pulls" , elem [ 3 ] )
2021-12-10 09:27:50 +08:00
testPullMerge ( t , session , elem [ 1 ] , elem [ 2 ] , elem [ 4 ] , repo_model . MergeStyleMerge )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
// Check PR branch deletion
resp = testPullCleanUp ( t , session , elem [ 1 ] , elem [ 2 ] , elem [ 4 ] )
respJSON := struct {
Redirect string
} { }
DecodeJSON ( t , resp , & respJSON )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
assert . NotEmpty ( t , respJSON . Redirect , "Redirected URL is not found" )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
elem = strings . Split ( respJSON . Redirect , "/" )
assert . EqualValues ( t , "pulls" , elem [ 3 ] )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
// Check branch deletion result
req := NewRequest ( t , "GET" , respJSON . Redirect )
resp = session . MakeRequest ( t , req , http . StatusOK )
2017-06-21 04:00:03 +03:00
2019-05-11 16:29:17 +01:00
htmlDoc := NewHTMLParser ( t , resp . Body )
resultMsg := htmlDoc . doc . Find ( ".ui.message>p" ) . Text ( )
2017-06-21 04:00:03 +03:00
2023-04-17 22:04:26 +00:00
assert . EqualValues ( t , "Branch \"user1/repo1:feature/test\" has been deleted." , resultMsg )
2019-05-11 16:29:17 +01:00
} )
2017-06-21 04:00:03 +03:00
}
2018-08-13 21:04:39 +02:00
func TestCantMergeWorkInProgress ( t * testing . T ) {
2019-05-11 16:29:17 +01:00
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFile ( t , session , "user1" , "repo1" , "master" , "README.md" , "Hello, World (Edited)\n" )
resp := testPullCreate ( t , session , "user1" , "repo1" , "master" , "[wip] This is a pull title" )
2023-06-19 16:25:36 +08:00
req := NewRequest ( t , "GET" , test . RedirectURL ( resp ) )
2019-05-11 16:29:17 +01:00
resp = session . MakeRequest ( t , req , http . StatusOK )
htmlDoc := NewHTMLParser ( t , resp . Body )
2020-11-15 21:58:16 +01:00
text := strings . TrimSpace ( htmlDoc . doc . Find ( ".merge-section > .item" ) . Last ( ) . Text ( ) )
2019-05-11 16:29:17 +01:00
assert . NotEmpty ( t , text , "Can't find WIP text" )
2022-06-26 16:19:22 +02:00
assert . Contains ( t , text , translation . NewLocale ( "en-US" ) . Tr ( "repo.pulls.cannot_merge_work_in_progress" ) , "Unable to find WIP text" )
2021-05-27 22:02:04 +02:00
assert . Contains ( t , text , "[wip]" , "Unable to find WIP text" )
2019-05-11 16:29:17 +01:00
} )
2018-08-13 21:04:39 +02:00
}
2019-11-10 08:42:51 +00:00
func TestCantMergeConflict ( t * testing . T ) {
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFileToNewBranch ( t , session , "user1" , "repo1" , "master" , "conflict" , "README.md" , "Hello, World (Edited Once)\n" )
testEditFileToNewBranch ( t , session , "user1" , "repo1" , "master" , "base" , "README.md" , "Hello, World (Edited Twice)\n" )
// Use API to create a conflicting pr
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 14:57:16 -04:00
token := getTokenForLoggedInUser ( t , session , auth_model . AccessTokenScopeWriteRepository )
2019-11-10 08:42:51 +00:00
req := NewRequestWithJSON ( t , http . MethodPost , fmt . Sprintf ( "/api/v1/repos/%s/%s/pulls?token=%s" , "user1" , "repo1" , token ) , & api . CreatePullRequestOption {
Head : "conflict" ,
Base : "base" ,
Title : "create a conflicting pr" ,
} )
2022-03-23 05:54:07 +01:00
session . MakeRequest ( t , req , http . StatusCreated )
2019-11-10 08:42:51 +00:00
// Now this PR will be marked conflict - or at least a race will do - so drop down to pure code at this point...
2021-11-24 17:49:20 +08:00
user1 := unittest . AssertExistsAndLoadBean ( t , & user_model . User {
2019-11-10 08:42:51 +00:00
Name : "user1" ,
2022-08-16 10:22:25 +08:00
} )
2021-12-10 09:27:50 +08:00
repo1 := unittest . AssertExistsAndLoadBean ( t , & repo_model . Repository {
2019-11-10 08:42:51 +00:00
OwnerID : user1 . ID ,
Name : "repo1" ,
2022-08-16 10:22:25 +08:00
} )
2019-11-10 08:42:51 +00:00
2022-06-13 17:37:59 +08:00
pr := unittest . AssertExistsAndLoadBean ( t , & issues_model . PullRequest {
2019-11-10 08:42:51 +00:00
HeadRepoID : repo1 . ID ,
BaseRepoID : repo1 . ID ,
HeadBranch : "conflict" ,
BaseBranch : "base" ,
2022-08-16 10:22:25 +08:00
} )
2019-11-10 08:42:51 +00:00
2022-03-29 21:13:41 +02:00
gitRepo , err := git . OpenRepository ( git . DefaultContext , repo_model . RepoPath ( user1 . Name , repo1 . Name ) )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
2022-11-03 16:49:00 +01:00
err = pull . Merge ( context . Background ( ) , pr , user1 , gitRepo , repo_model . MergeStyleMerge , "" , "CONFLICT" , false )
2019-11-10 08:42:51 +00:00
assert . Error ( t , err , "Merge should return an error due to conflict" )
assert . True ( t , models . IsErrMergeConflicts ( err ) , "Merge error is not a conflict error" )
2022-11-03 16:49:00 +01:00
err = pull . Merge ( context . Background ( ) , pr , user1 , gitRepo , repo_model . MergeStyleRebase , "" , "CONFLICT" , false )
2019-11-10 08:42:51 +00:00
assert . Error ( t , err , "Merge should return an error due to conflict" )
assert . True ( t , models . IsErrRebaseConflicts ( err ) , "Merge error is not a conflict error" )
2021-01-07 03:23:57 +08:00
gitRepo . Close ( )
2019-11-10 08:42:51 +00:00
} )
}
func TestCantMergeUnrelated ( t * testing . T ) {
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
session := loginUser ( t , "user1" )
testRepoFork ( t , session , "user2" , "repo1" , "user1" , "repo1" )
testEditFileToNewBranch ( t , session , "user1" , "repo1" , "master" , "base" , "README.md" , "Hello, World (Edited Twice)\n" )
// Now we want to create a commit on a branch that is totally unrelated to our current head
// Drop down to pure code at this point
2021-11-24 17:49:20 +08:00
user1 := unittest . AssertExistsAndLoadBean ( t , & user_model . User {
2019-11-10 08:42:51 +00:00
Name : "user1" ,
2022-08-16 10:22:25 +08:00
} )
2021-12-10 09:27:50 +08:00
repo1 := unittest . AssertExistsAndLoadBean ( t , & repo_model . Repository {
2019-11-10 08:42:51 +00:00
OwnerID : user1 . ID ,
Name : "repo1" ,
2022-08-16 10:22:25 +08:00
} )
2021-12-10 09:27:50 +08:00
path := repo_model . RepoPath ( user1 . Name , repo1 . Name )
2019-11-10 08:42:51 +00:00
2022-04-01 10:55:30 +08:00
err := git . NewCommand ( git . DefaultContext , "read-tree" , "--empty" ) . Run ( & git . RunOpts { Dir : path } )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
stdin := bytes . NewBufferString ( "Unrelated File" )
var stdout strings . Builder
2022-04-01 10:55:30 +08:00
err = git . NewCommand ( git . DefaultContext , "hash-object" , "-w" , "--stdin" ) . Run ( & git . RunOpts {
Dir : path ,
Stdin : stdin ,
Stdout : & stdout ,
2022-02-11 13:47:22 +01:00
} )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
sha := strings . TrimSpace ( stdout . String ( ) )
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-04 10:30:43 +08:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "update-index" , "--add" , "--replace" , "--cacheinfo" ) . AddDynamicArguments ( "100644" , sha , "somewher-over-the-rainbow" ) . RunStdString ( & git . RunOpts { Dir : path } )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
2022-04-01 10:55:30 +08:00
treeSha , _ , err := git . NewCommand ( git . DefaultContext , "write-tree" ) . RunStdString ( & git . RunOpts { Dir : path } )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
treeSha = strings . TrimSpace ( treeSha )
commitTimeStr := time . Now ( ) . Format ( time . RFC3339 )
doerSig := user1 . NewGitSig ( )
env := append ( os . Environ ( ) ,
"GIT_AUTHOR_NAME=" + doerSig . Name ,
"GIT_AUTHOR_EMAIL=" + doerSig . Email ,
"GIT_AUTHOR_DATE=" + commitTimeStr ,
"GIT_COMMITTER_NAME=" + doerSig . Name ,
"GIT_COMMITTER_EMAIL=" + doerSig . Email ,
"GIT_COMMITTER_DATE=" + commitTimeStr ,
)
messageBytes := new ( bytes . Buffer )
_ , _ = messageBytes . WriteString ( "Unrelated" )
_ , _ = messageBytes . WriteString ( "\n" )
stdout . Reset ( )
2022-10-23 22:44:45 +08:00
err = git . NewCommand ( git . DefaultContext , "commit-tree" ) . AddDynamicArguments ( treeSha ) .
2022-04-01 10:55:30 +08:00
Run ( & git . RunOpts {
Env : env ,
Dir : path ,
Stdin : messageBytes ,
Stdout : & stdout ,
2022-02-11 13:47:22 +01:00
} )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
commitSha := strings . TrimSpace ( stdout . String ( ) )
2022-10-23 22:44:45 +08:00
_ , _ , err = git . NewCommand ( git . DefaultContext , "branch" , "unrelated" ) . AddDynamicArguments ( commitSha ) . RunStdString ( & git . RunOpts { Dir : path } )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
testEditFileToNewBranch ( t , session , "user1" , "repo1" , "master" , "conflict" , "README.md" , "Hello, World (Edited Once)\n" )
// Use API to create a conflicting pr
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 14:57:16 -04:00
token := getTokenForLoggedInUser ( t , session , auth_model . AccessTokenScopeWriteRepository )
2019-11-10 08:42:51 +00:00
req := NewRequestWithJSON ( t , http . MethodPost , fmt . Sprintf ( "/api/v1/repos/%s/%s/pulls?token=%s" , "user1" , "repo1" , token ) , & api . CreatePullRequestOption {
Head : "unrelated" ,
Base : "base" ,
Title : "create an unrelated pr" ,
} )
2022-03-23 05:54:07 +01:00
session . MakeRequest ( t , req , http . StatusCreated )
2019-11-10 08:42:51 +00:00
// Now this PR could be marked conflict - or at least a race may occur - so drop down to pure code at this point...
2022-03-29 21:13:41 +02:00
gitRepo , err := git . OpenRepository ( git . DefaultContext , path )
2019-11-10 08:42:51 +00:00
assert . NoError ( t , err )
2022-06-13 17:37:59 +08:00
pr := unittest . AssertExistsAndLoadBean ( t , & issues_model . PullRequest {
2019-11-10 08:42:51 +00:00
HeadRepoID : repo1 . ID ,
BaseRepoID : repo1 . ID ,
HeadBranch : "unrelated" ,
BaseBranch : "base" ,
2022-08-16 10:22:25 +08:00
} )
2019-11-10 08:42:51 +00:00
2022-11-03 16:49:00 +01:00
err = pull . Merge ( context . Background ( ) , pr , user1 , gitRepo , repo_model . MergeStyleMerge , "" , "UNRELATED" , false )
2019-11-10 08:42:51 +00:00
assert . Error ( t , err , "Merge should return an error due to unrelated" )
assert . True ( t , models . IsErrMergeUnrelatedHistories ( err ) , "Merge error is not a unrelated histories error" )
2021-01-07 03:23:57 +08:00
gitRepo . Close ( )
2019-11-10 08:42:51 +00:00
} )
}
2022-04-21 21:55:45 +00:00
func TestConflictChecking ( t * testing . T ) {
onGiteaRun ( t , func ( t * testing . T , giteaURL * url . URL ) {
2022-08-16 10:22:25 +08:00
user := unittest . AssertExistsAndLoadBean ( t , & user_model . User { ID : 2 } )
2022-04-21 21:55:45 +00:00
// Create new clean repo to test conflict checking.
2023-09-06 20:08:51 +08:00
baseRepo , err := repo_service . CreateRepository ( db . DefaultContext , user , user , repo_service . CreateRepoOptions {
2022-04-21 21:55:45 +00:00
Name : "conflict-checking" ,
Description : "Tempo repo" ,
AutoInit : true ,
Readme : "Default" ,
DefaultBranch : "main" ,
} )
assert . NoError ( t , err )
assert . NotEmpty ( t , baseRepo )
// create a commit on new branch.
2023-05-29 11:41:35 +02:00
_ , err = files_service . ChangeRepoFiles ( git . DefaultContext , baseRepo , user , & files_service . ChangeRepoFilesOptions {
Files : [ ] * files_service . ChangeRepoFile {
{
2023-07-19 02:14:47 +08:00
Operation : "create" ,
TreePath : "important_file" ,
ContentReader : strings . NewReader ( "Just a non-important file" ) ,
2023-05-29 11:41:35 +02:00
} ,
} ,
2022-04-21 21:55:45 +00:00
Message : "Add a important file" ,
OldBranch : "main" ,
NewBranch : "important-secrets" ,
} )
assert . NoError ( t , err )
// create a commit on main branch.
2023-05-29 11:41:35 +02:00
_ , err = files_service . ChangeRepoFiles ( git . DefaultContext , baseRepo , user , & files_service . ChangeRepoFilesOptions {
Files : [ ] * files_service . ChangeRepoFile {
{
2023-07-19 02:14:47 +08:00
Operation : "create" ,
TreePath : "important_file" ,
ContentReader : strings . NewReader ( "Not the same content :P" ) ,
2023-05-29 11:41:35 +02:00
} ,
} ,
2022-04-21 21:55:45 +00:00
Message : "Add a important file" ,
OldBranch : "main" ,
NewBranch : "main" ,
} )
assert . NoError ( t , err )
// create Pull to merge the important-secrets branch into main branch.
2022-06-13 17:37:59 +08:00
pullIssue := & issues_model . Issue {
2022-04-21 21:55:45 +00:00
RepoID : baseRepo . ID ,
Title : "PR with conflict!" ,
PosterID : user . ID ,
Poster : user ,
IsPull : true ,
}
2022-06-13 17:37:59 +08:00
pullRequest := & issues_model . PullRequest {
2022-04-21 21:55:45 +00:00
HeadRepoID : baseRepo . ID ,
BaseRepoID : baseRepo . ID ,
HeadBranch : "important-secrets" ,
BaseBranch : "main" ,
HeadRepo : baseRepo ,
BaseRepo : baseRepo ,
2022-06-13 17:37:59 +08:00
Type : issues_model . PullRequestGitea ,
2022-04-21 21:55:45 +00:00
}
err = pull . NewPullRequest ( git . DefaultContext , baseRepo , pullIssue , nil , nil , pullRequest , nil )
assert . NoError ( t , err )
2022-08-16 10:22:25 +08:00
issue := unittest . AssertExistsAndLoadBean ( t , & issues_model . Issue { Title : "PR with conflict!" } )
2022-06-13 17:37:59 +08:00
conflictingPR , err := issues_model . GetPullRequestByIssueID ( db . DefaultContext , issue . ID )
2022-04-21 21:55:45 +00:00
assert . NoError ( t , err )
// Ensure conflictedFiles is populated.
2023-04-22 23:56:27 +02:00
assert . Len ( t , conflictingPR . ConflictedFiles , 1 )
2022-04-21 21:55:45 +00:00
// Check if status is correct.
2022-06-13 17:37:59 +08:00
assert . Equal ( t , issues_model . PullRequestStatusConflict , conflictingPR . Status )
2022-04-21 21:55:45 +00:00
// Ensure that mergeable returns false
2023-10-11 06:24:07 +02:00
assert . False ( t , conflictingPR . Mergeable ( db . DefaultContext ) )
2022-04-21 21:55:45 +00:00
} )
}