gitea/services/actions/auth.go

// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package actions

import (
	"fmt"
	"net/http"
	"strings"
	"time"

	"code.gitea.io/gitea/modules/json"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"

	"github.com/golang-jwt/jwt/v5"
)

type actionsClaims struct {
	jwt.RegisteredClaims
	Scp    string `json:"scp"`
	TaskID int64
	RunID  int64
	JobID  int64
	Ac     string `json:"ac"`
}

type actionsCacheScope struct {
	Scope      string
	Permission actionsCachePermission
}

type actionsCachePermission int

const (
	actionsCachePermissionRead = 1 << iota
	actionsCachePermissionWrite
)

func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
	now := time.Now()

	ac, err := json.Marshal(&[]actionsCacheScope{
		{
			Scope:      "",
			Permission: actionsCachePermissionWrite,
		},
	})
	if err != nil {
		return "", err
	}

	claims := actionsClaims{
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
			NotBefore: jwt.NewNumericDate(now),
		},
		Scp:    fmt.Sprintf("Actions.Results:%d:%d", runID, jobID),
		Ac:     string(ac),
		TaskID: taskID,
		RunID:  runID,
		JobID:  jobID,
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

	tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())
	if err != nil {
		return "", err
	}

	return tokenString, nil
}

func ParseAuthorizationToken(req *http.Request) (int64, error) {
	h := req.Header.Get("Authorization")
	if h == "" {
		return 0, nil
	}

	parts := strings.SplitN(h, " ", 2)
	if len(parts) != 2 {
		log.Error("split token failed: %s", h)
		return 0, fmt.Errorf("split token failed")
	}

	return TokenToTaskID(parts[1])
}

// TokenToTaskID returns the TaskID associated with the provided JWT token
func TokenToTaskID(token string) (int64, error) {
	parsedToken, err := jwt.ParseWithClaims(token, &actionsClaims{}, func(t *jwt.Token) (any, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
		}
		return setting.GetGeneralTokenSigningSecret(), nil
	})
	if err != nil {
		return 0, err
	}

	c, ok := parsedToken.Claims.(*actionsClaims)
	if !parsedToken.Valid || !ok {
		return 0, fmt.Errorf("invalid token claim")
	}

	return c.TaskID, nil
}
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`// Copyright 2024 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package actions`

			`import (`
			`"fmt"`
			`"net/http"`
			`"strings"`
			`"time"`

Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` 2024-03-05 18:34:42 +01:00			`"code.gitea.io/gitea/modules/json"`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`"code.gitea.io/gitea/modules/log"`
			`"code.gitea.io/gitea/modules/setting"`

			`"github.com/golang-jwt/jwt/v5"`
			`)`

			`type actionsClaims struct {`
			`jwt.RegisteredClaims`
			Scp string `json:"scp"`
			`TaskID int64`
			`RunID int64`
			`JobID int64`
Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` 2024-03-05 18:34:42 +01:00			Ac string `json:"ac"`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`}`

Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` 2024-03-05 18:34:42 +01:00			`type actionsCacheScope struct {`
			`Scope string`
			`Permission actionsCachePermission`
			`}`

			`type actionsCachePermission int`

			`const (`
			`actionsCachePermissionRead = 1 << iota`
			`actionsCachePermissionWrite`
			`)`

Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {`
			`now := time.Now()`

Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` 2024-03-05 18:34:42 +01:00			`ac, err := json.Marshal(&[]actionsCacheScope{`
			`{`
			`Scope: "",`
			`Permission: actionsCachePermissionWrite,`
			`},`
			`})`
			`if err != nil {`
			`return "", err`
			`}`

Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`claims := actionsClaims{`
			`RegisteredClaims: jwt.RegisteredClaims{`
			`ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),`
			`NotBefore: jwt.NewNumericDate(now),`
			`},`
			`Scp: fmt.Sprintf("Actions.Results:%d:%d", runID, jobID),`
Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` 2024-03-05 18:34:42 +01:00			`Ac: string(ac),`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`TaskID: taskID,`
			`RunID: runID,`
			`JobID: jobID,`
			`}`
			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`

Use general token signing secret (#29205) Use a clearly defined "signing secret" for token signing. 2024-02-19 01:39:04 +08:00			`tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`if err != nil {`
			`return "", err`
			`}`

			`return tokenString, nil`
			`}`

			`func ParseAuthorizationToken(req *http.Request) (int64, error) {`
			`h := req.Header.Get("Authorization")`
			`if h == "" {`
			`return 0, nil`
			`}`

			`parts := strings.SplitN(h, " ", 2)`
			`if len(parts) != 2 {`
			`log.Error("split token failed: %s", h)`
			`return 0, fmt.Errorf("split token failed")`
			`}`

allow the actions user to login via the jwt token (#32527) We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a corresponding update to `act_runner`) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting to parse Oauth JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT. 2024-11-20 09:24:09 -06:00			`return TokenToTaskID(parts[1])`
			`}`

			`// TokenToTaskID returns the TaskID associated with the provided JWT token`
			`func TokenToTaskID(token string) (int64, error) {`
			`parsedToken, err := jwt.ParseWithClaims(token, &actionsClaims{}, func(t *jwt.Token) (any, error) {`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])`
			`}`
Use general token signing secret (#29205) Use a clearly defined "signing secret" for token signing. 2024-02-19 01:39:04 +08:00			`return setting.GetGeneralTokenSigningSecret(), nil`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`})`
			`if err != nil {`
			`return 0, err`
			`}`

allow the actions user to login via the jwt token (#32527) We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a corresponding update to `act_runner`) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting to parse Oauth JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT. 2024-11-20 09:24:09 -06:00			`c, ok := parsedToken.Claims.(*actionsClaims)`
			`if !parsedToken.Valid \|\| !ok {`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`return 0, fmt.Errorf("invalid token claim")`
			`}`

			`return c.TaskID, nil`
			`}`