From f55253e81d3e9b821eb3b132939b3db22df32012 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Mon, 14 Nov 2022 14:11:47 +0800
Subject: [PATCH] Support clone private repository in runner

---
 routers/web/repo/http.go | 33 +++++++++++++++++++++++----------
 services/auth/basic.go | 3 +++
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/routers/web/repo/http.go b/routers/web/repo/http.go
index 1ec781bb13..8c3e25c273 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -20,6 +20,7 @@ import (
 "time"

 "code.gitea.io/gitea/models/auth"
+ bots_model "code.gitea.io/gitea/models/bots"
 "code.gitea.io/gitea/models/perm"
 access_model "code.gitea.io/gitea/models/perm/access"
 repo_model "code.gitea.io/gitea/models/repo"
@@ -164,7 +165,7 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 return
 }

- if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true {
+ if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true && ctx.Data["IsBotToken"] != true {
 _, err = auth.GetTwoFactorByUID(ctx.Doer.ID)
 if err == nil {
 // TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
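Review bot: The new `ctx.Data["IsBotToken"] != true` term exempts task tokens from the two-factor gate in httpBase, and nothing at the condition says why. Since this is an authentication bypass by design, it deserves a comment on the line above, for example `// Task tokens are issued to runners and are scoped further down, so the 2FA "use an app token" gate does not apply to them.` The exemption is only as trustworthy as the code that sets the key, so the comment should name `Basic.Verify` as the writer the flag is expected to come from. httpBase begins and ends outside the hunk.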
@@ -182,20 +183,32 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 }

 if repoExist {
- p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
- if err != nil {
- ctx.ServerError("GetUserRepoPermission", err)
- return
- }
-
 // Because of special ref "refs/for" .. , need delay write permission check
 if git.SupportProcReceive {
 accessMode = perm.AccessModeRead
 }

- if !p.CanAccess(accessMode, unitType) {
- ctx.PlainText(http.StatusForbidden, "User permission denied")
- return
+ if ctx.Data["IsBotToken"] == true {
+ taskID := ctx.Data["BotTaskID"].(int64)
+ task, err := bots_model.GetTaskByID(ctx, taskID)
+ if err != nil {
+ ctx.ServerError("GetTaskByID", err)
+ return
+ }
+ if task.RepoID != repo.ID {
+ ctx.PlainText(http.StatusForbidden, "User permission denied")
+ return
+ }
+ } else {
+ p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
+ if err != nil {
+ ctx.ServerError("GetUserRepoPermission", err)
+ return
+ }
+ if !p.CanAccess(accessMode, unitType) {
+ ctx.PlainText(http.StatusForbidden, "User permission denied")
+ return
+ }
 }

 if !isPull && repo.IsMirror {
diff --git a/services/auth/basic.go b/services/auth/basic.go
index f6974c1250..24c6a02557 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@@ -114,6 +114,9 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 if err == nil && task != nil && task.Status.IsRunning() {
 log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)

+ store.GetData()["IsBotToken"] = true
+ store.GetData()["BotTaskID"] = task.ID
+
 return bots_model.NewBotUser()
 } else {
 log.Error("GetRunnerByToken: %v", err)
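Review bot: The bot-token branch authorises on `task.RepoID != repo.ID` alone and never consults `accessMode` or `unitType`, so a task token passes this gate for a push as well as for a clone, while the commit title only speaks of cloning. If read access is all that is intended, reject non-pull requests in the same test, e.g. `if !isPull || task.RepoID != repo.ID {` (`isPull` is in scope, as the last context line shows); whether a later hook re-checks write permission for the bot user is not visible from this hunk. The unchecked assertion `ctx.Data["BotTaskID"].(int64)` also panics if the key is absent or holds another type; the comma-ok form `taskID, ok := ctx.Data["BotTaskID"].(int64)` with a 403 on `!ok` fails closed. httpBase begins and ends outside the hunk.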
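Review bot: The two new entries are written under string literals that `routers/web/repo/http.go` has to repeat exactly, and the authorisation there depends on them: a misspelt `"BotTaskID"` on either side makes the `.(int64)` assertion in httpBase panic. Declaring each key once as an exported constant (a name such as `BotTaskIDDataKey` is only a suggestion) and using it in both files removes that coupling. A comment above the two assignments, for example `// Mark the request as task-scoped; callers must restrict access to the task's repository.`, would record that the bot user returned on the next line carries no repository scope of its own, so any handler that trusts the returned user without reading these keys sees an unscoped identity. Verify begins and ends outside the hunk.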