2022-06-05 10:16:14 +03:00
// Copyright 2022 The Gitea Authors. All rights reserved.
2022-11-27 21:20:29 +03:00
// SPDX-License-Identifier: MIT
2022-06-05 10:16:14 +03:00
2022-09-02 22:18:23 +03:00
package integration
2022-06-05 10:16:14 +03:00
import (
"encoding/base64"
"net/http"
"net/url"
"testing"
2023-01-18 00:46:03 +03:00
auth_model "code.gitea.io/gitea/models/auth"
2023-08-28 03:53:16 +03:00
"code.gitea.io/gitea/modules/setting"
2022-06-05 10:16:14 +03:00
api "code.gitea.io/gitea/modules/structs"
2023-08-28 03:53:16 +03:00
"code.gitea.io/gitea/modules/test"
2022-09-02 22:18:23 +03:00
"code.gitea.io/gitea/tests"
2022-06-05 10:16:14 +03:00
"github.com/go-fed/httpsig"
"golang.org/x/crypto/ssh"
)
const (
httpsigPrivateKey = ` -- -- - BEGIN OPENSSH PRIVATE KEY -- -- -
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAqjmQeb5Eb1xV7qbNf9ErQ0XRvKZWzUsLFhJzZz + Ab7q8WtPs91vQ
fBiypw4i8OTG6WzDcgZaV8Ndxn7iHnIstdA1k89MVG4stydymmwmk9 + mrCMNsu5OmdIy9F
AZ61RDcKuf5VG2WKkmeK0VO + OMJIYfE1C6czNeJ6UAmcIOmhGxvjMI83XUO9n0ftwTwayp
+ XU5prvKx / fTvlPjbraPNU4OzwPjVLqXBzpoXYhBquPaZYFRVyvfFZLObYsmy + BrsxcloM
l + 9 w4P0ATJ9njB7dRDL + RrN4uhhYSihqOK4w4vaiOj1 + aA0eC0zXunEfLXfGIVQ / FhWcCy
5 f72mMiKnQAAA9AxSmzFMUpsxQAAAAdzc2gtcnNhAAABAQCqOZB5vkRvXFXups1 / 0 StDRd
G8plbNSwsWEnNnP4Bvurxa0 + z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xU
biy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5 / lUbZYqSZ4rRU744wkhh8TULpzM14npQ
CZwg6aEbG + MwjzddQ72fR + 3 BPBrKn5dTmmu8rH99O + U + Nuto81Tg7PA + NUupcHOmhdiEGq
49 plgVFXK98Vks5tiybL4GuzFyWgyX73Dg / QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6
PX5oDR4LTNe6cR8td8YhVD8WFZwLLl / vaYyIqdAAAAAwEAAQAAAQBz + nyBNi2SYir6SxPA
flcnoq5gBkUl4ndPNosCUbXEakpi5 / mQHzJRGtK + F1efIYCVEdGoIsPy / 90 onNKbQ9dKmO
2 oI5kx / U7iCzJ + HCm8nqkEp21x + AP9scWdx + Wg / OxmG8j5iU7f4X + gwOyyvTqCuA78Lgia
7 Oi9wiJCoIEqXr6dRYGJzfASwKA2dj995HzATexleLSD5fQCmZTF + Vh5OQ5WmE + c53JdZS
T3Plie / P / smgSWBtf1fWr6JL2 + EBsqQsIK1Jo7r / 7 rxsz + ILoVfnneNQY4QSa9W + t6ZAI +
caSA0Guv7vC92ewjlMVlwKa3XaEjMJb5sFlg1r6TYMwBAAAAgQDQwXvgSXNaSHIeH53 / Ab
t4BlNibtxK8vY8CZFloAKXkjrivKSlDAmQCM0twXOweX2ScPjE + XlSMV4AUsv / J6XHGHci
W3 + PGIBfc / fQRBpiyhzkoXYDVrlkSKHffCnAqTUQlYkhr0s7NkZpEeqPE0doAUs4dK3Iqb
zdtz8e5BPXZwAAAIEA4U / JskIu5Oge8Is2OLOhlol0EJGw5JGodpFyhbMC + QYK9nYqy7wI
a6mZ2EfOjjwIZD / + wYyulw6cRve4zXwgzUEXLIKp8 / H3sYvJK2UMeP7y68sQFqGxbm6Rnh
tyBBSaJQnOXVOFf9gqZGCyO / J0Illg3AXTuC8KS / cxwasC38EAAACBAMFo / 6 XQoR6E3ynj
VBaz2SilWqQBixUyvcNz8LY73IIDCecoccRMFSEKhWtvlJijxvFbF9M8g9oKAVPuub4V5r
CGmwVPEd5yt4C2iyV0PhLp1PA2 / i42FpCSnHaz / EXSz6ncTZcOMMuDqUbgUUpQg4VSUDl9
fhTNAzWwZoQ91aHdAAAAFHUwMDIyMTQ2QGljdHMtcC1ueC03AQIDBAUG
-- -- - END OPENSSH PRIVATE KEY -- -- - `
httpsigCertificate = ` ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgiR7SU8gmZLhopx4Y03nOXVuAb+4fyMcJYjMGcE1Z2oEAAAADAQABAAABAQCqOZB5vkRvXFXups1/0StDRdG8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xUbiy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQCZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqdAAAAAAAAAAEAAAABAAAABXVzZXIxAAAACQAAAAV1c2VyMQAAAABimoIOAAAAAMCWkRMAAAAAAAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAABlwAAAAdzc2gtcnNhAAAAAwEAAQAAAYEAm+AwtXTBZyeqV1qOxjMU3Ibc5iR2M3zerGfRQDxUeIozC3xpIvqJbzjDuRapdf8hpxn2xC0GtUusuLIUr4/+Svs1BUnJhF2H9xnK/O0aopS5MpNekUvnBzQdbvO8Ux2xE2mt58giXhkEaXeCEODSqG++OZsA2e40AR/AGRJ4OdDofMvH4vLJAQQc2mKdYpYL8xu+NC+7nsenx1etpsqtEl3gmvqCVI6t9uhVPMvlbGt9h/AN3u7ToF2T3bdk1TZbcdkvR9ljvETIuy32ksAETX8tc7vm30edK+nn/GMeWCgjM+MFm9Uh1NRkvNNJozo5SJy0DkWETTJUsEdfry5VQ3IjqhWqQ0m4/mDlTmsEdEdWqpUiqWZLd9w7jgT8fanuglZyIu2fj8fyqjPjiws5S2P0Uvi28UKQ1nH01UYj/kuakU3BNzN1IqDf3tARP9fjKV/dCBqb1ZAOtyC2GyhGuGzNwEi+woUwq+sTeV0/hqVSb3hSitXHzcfRMRyOK82BAAABlAAAAAxyc2Etc2hhMi01MTIAAAGAMBfgZFvz4BdxriGKYd6eRhMo6hf+I8S9uzNRsflJXHuA+HR9ExIm/Q9JjKmfThQzNyGGBOBILaDU205SAJuG+kk3SieSQDd75ZQd8YmNlCc+516AriOsTiyVCupnf3I2euTjMZqEZbJcBbkBljppTOWQVN7xxE8QakDfGhg0+RjJE9wYOTmkKpDBfII5Nw8V5DoOD7kNEpXYqHdy/8lVxpqUYNIP1J0dNP4f6qBcZcM1PDA12q8zwIGqSNNjf2UXY/Nr8nv9CnK4fB8NDOPKTBa4cm48BGbvM/X0l6dYKswuZ9Np8lw+y6+GxTgznGCrkzMmuEV4FzSq4xHp41H2L2MTwUkwYaeyG1VP6aWkvn6zPkSxaaJDfQX7CAFe17IhIGXR0UPLjKjh35nDLzMWb/W6/W1lK9YkZNHXSf7Z9m9MUAZN7yQgOggGsuYEW4imZxvZizMd+fdDu9mbhr0FDis89I7MSJDnyYRE9FXS7p3QpppBwGcss/9yV3JV3Bjc `
)
func TestHTTPSigPubKey ( t * testing . T ) {
// Add our public key to user1
2022-09-02 22:18:23 +03:00
defer tests . PrepareTestEnv ( t ) ( )
2023-08-28 03:53:16 +03:00
defer test . MockVariableValue ( & setting . SSH . MinimumKeySizeCheck , false ) ( )
2022-06-05 10:16:14 +03:00
session := loginUser ( t , "user1" )
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 21:57:16 +03:00
token := url . QueryEscape ( getTokenForLoggedInUser ( t , session , auth_model . AccessTokenScopeWriteUser ) )
2022-06-05 10:16:14 +03:00
keyType := "ssh-rsa"
keyContent := "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqOZB5vkRvXFXups1/0StDRdG8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xUbiy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQCZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqd"
rawKeyBody := api . CreateKeyOption {
Title : "test-key" ,
Key : keyType + " " + keyContent ,
}
2023-12-22 02:59:59 +03:00
req := NewRequestWithJSON ( t , "POST" , "/api/v1/user/keys" , rawKeyBody ) .
AddTokenAuth ( token )
2022-12-02 06:39:42 +03:00
MakeRequest ( t , req , http . StatusCreated )
2022-06-05 10:16:14 +03:00
// parse our private key and create the httpsig request
sshSigner , _ := ssh . ParsePrivateKey ( [ ] byte ( httpsigPrivateKey ) )
keyID := ssh . FingerprintSHA256 ( sshSigner . PublicKey ( ) )
// create the request
Redesign Scoped Access Tokens (#24767)
## Changes
- Adds the following high level access scopes, each with `read` and
`write` levels:
- `activitypub`
- `admin` (hidden if user is not a site admin)
- `misc`
- `notification`
- `organization`
- `package`
- `issue`
- `repository`
- `user`
- Adds new middleware function `tokenRequiresScopes()` in addition to
`reqToken()`
- `tokenRequiresScopes()` is used for each high-level api section
- _if_ a scoped token is present, checks that the required scope is
included based on the section and HTTP method
- `reqToken()` is used for individual routes
- checks that required authentication is present (but does not check
scope levels as this will already have been handled by
`tokenRequiresScopes()`
- Adds migration to convert old scoped access tokens to the new set of
scopes
- Updates the user interface for scope selection
### User interface example
<img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3">
<img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM"
src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c">
## tokenRequiresScopes Design Decision
- `tokenRequiresScopes()` was added to more reliably cover api routes.
For an incoming request, this function uses the given scope category
(say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say
`DELETE`) and verifies that any scoped tokens in use include
`delete:organization`.
- `reqToken()` is used to enforce auth for individual routes that
require it. If a scoped token is not present for a request,
`tokenRequiresScopes()` will not return an error
## TODO
- [x] Alphabetize scope categories
- [x] Change 'public repos only' to a radio button (private vs public).
Also expand this to organizations
- [X] Disable token creation if no scopes selected. Alternatively, show
warning
- [x] `reqToken()` is missing from many `POST/DELETE` routes in the api.
`tokenRequiresScopes()` only checks that a given token has the correct
scope, `reqToken()` must be used to check that a token (or some other
auth) is present.
- _This should be addressed in this PR_
- [x] The migration should be reviewed very carefully in order to
minimize access changes to existing user tokens.
- _This should be addressed in this PR_
- [x] Link to api to swagger documentation, clarify what
read/write/delete levels correspond to
- [x] Review cases where more than one scope is needed as this directly
deviates from the api definition.
- _This should be addressed in this PR_
- For example:
```go
m.Group("/users/{username}/orgs", func() {
m.Get("", reqToken(), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization),
context_service.UserAssignmentAPI())
```
## Future improvements
- [ ] Add required scopes to swagger documentation
- [ ] Redesign `reqToken()` to be opt-out rather than opt-in
- [ ] Subdivide scopes like `repository`
- [ ] Once a token is created, if it has no scopes, we should display
text instead of an empty bullet point
- [ ] If the 'public repos only' option is selected, should read
categories be selected by default
Closes #24501
Closes #24799
Co-authored-by: Jonathan Tran <jon@allspice.io>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 21:57:16 +03:00
token = getTokenForLoggedInUser ( t , session , auth_model . AccessTokenScopeReadAdmin )
2023-12-22 02:59:59 +03:00
req = NewRequest ( t , "GET" , "/api/v1/admin/users" ) .
AddTokenAuth ( token )
2022-06-05 10:16:14 +03:00
signer , _ , err := httpsig . NewSSHSigner ( sshSigner , httpsig . DigestSha512 , [ ] string { httpsig . RequestTarget , "(created)" , "(expires)" } , httpsig . Signature , 10 )
if err != nil {
t . Fatal ( err )
}
// sign the request
2023-12-22 02:59:59 +03:00
err = signer . SignRequest ( keyID , req . Request , nil )
2022-06-05 10:16:14 +03:00
if err != nil {
t . Fatal ( err )
}
// make the request
MakeRequest ( t , req , http . StatusOK )
}
func TestHTTPSigCert ( t * testing . T ) {
// Add our public key to user1
2022-09-02 22:18:23 +03:00
defer tests . PrepareTestEnv ( t ) ( )
2022-06-05 10:16:14 +03:00
session := loginUser ( t , "user1" )
csrf := GetCSRF ( t , session , "/user/settings/keys" )
req := NewRequestWithValues ( t , "POST" , "/user/settings/keys" , map [ string ] string {
"_csrf" : csrf ,
"content" : "user1" ,
"title" : "principal" ,
"type" : "principal" ,
} )
session . MakeRequest ( t , req , http . StatusSeeOther )
pkcert , _ , _ , _ , err := ssh . ParseAuthorizedKey ( [ ] byte ( httpsigCertificate ) )
if err != nil {
t . Fatal ( err )
}
// parse our private key and create the httpsig request
sshSigner , _ := ssh . ParsePrivateKey ( [ ] byte ( httpsigPrivateKey ) )
keyID := "gitea"
// create our certificate signer using the ssh signer and our certificate
certSigner , err := ssh . NewCertSigner ( pkcert . ( * ssh . Certificate ) , sshSigner )
if err != nil {
t . Fatal ( err )
}
// create the request
req = NewRequest ( t , "GET" , "/api/v1/admin/users" )
// add our cert to the request
certString := base64 . RawStdEncoding . EncodeToString ( pkcert . ( * ssh . Certificate ) . Marshal ( ) )
2023-12-22 02:59:59 +03:00
req . SetHeader ( "x-ssh-certificate" , certString )
2022-06-05 10:16:14 +03:00
signer , _ , err := httpsig . NewSSHSigner ( certSigner , httpsig . DigestSha512 , [ ] string { httpsig . RequestTarget , "(created)" , "(expires)" , "x-ssh-certificate" } , httpsig . Signature , 10 )
if err != nil {
t . Fatal ( err )
}
// sign the request
2023-12-22 02:59:59 +03:00
err = signer . SignRequest ( keyID , req . Request , nil )
2022-06-05 10:16:14 +03:00
if err != nil {
t . Fatal ( err )
}
// make the request
MakeRequest ( t , req , http . StatusOK )
}