Support clone private repository in runner

Lunny Xiao 2022-11-14 14:11:47 +08:00 committed by Jason Song
parent d8b401ab06
commit f55253e81d
2 changed files with 26 additions and 10 deletions


@ -20,6 +20,7 @@ import (
"time" "time"
"code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/auth"
bots_model "code.gitea.io/gitea/models/bots"
"code.gitea.io/gitea/models/perm" "code.gitea.io/gitea/models/perm"
access_model "code.gitea.io/gitea/models/perm/access" access_model "code.gitea.io/gitea/models/perm/access"
repo_model "code.gitea.io/gitea/models/repo" repo_model "code.gitea.io/gitea/models/repo"
@ -164,7 +165,7 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
return return
} }
if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true { if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true && ctx.Data["IsBotToken"] != true {
_, err = auth.GetTwoFactorByUID(ctx.Doer.ID) _, err = auth.GetTwoFactorByUID(ctx.Doer.ID)
if err == nil { if err == nil {
// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented // TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
@ -182,20 +183,32 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
} }
if repoExist { if repoExist {
p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
if err != nil {
ctx.ServerError("GetUserRepoPermission", err)
return
}
// Because of special ref "refs/for" .. , need delay write permission check // Because of special ref "refs/for" .. , need delay write permission check
if git.SupportProcReceive { if git.SupportProcReceive {
accessMode = perm.AccessModeRead accessMode = perm.AccessModeRead
} }
if !p.CanAccess(accessMode, unitType) { if ctx.Data["IsBotToken"] == true {
ctx.PlainText(http.StatusForbidden, "User permission denied") taskID := ctx.Data["BotTaskID"].(int64)
return task, err := bots_model.GetTaskByID(ctx, taskID)
if err != nil {
ctx.ServerError("GetTaskByID", err)
return
}
if task.RepoID != repo.ID {
ctx.PlainText(http.StatusForbidden, "User permission denied")
return
}
} else {
p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
if err != nil {
ctx.ServerError("GetUserRepoPermission", err)
return
}
if !p.CanAccess(accessMode, unitType) {
ctx.PlainText(http.StatusForbidden, "User permission denied")
return
}
} }
if !isPull && repo.IsMirror { if !isPull && repo.IsMirror {
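Review bot: The bot-token branch in httpBase authorizes on `task.RepoID != repo.ID` alone and never consults `accessMode`, `unitType` or `isPull`, so a running task's token appears to be accepted for push requests as well as for the clone the commit title describes. If only read access is intended, the guard could be `if !isPull || task.RepoID != repo.ID {`; whether the delayed write check mentioned in the comment above also covers the bot user is not visible here. The unchecked assertion `ctx.Data["BotTaskID"].(int64)` panics if the key is missing or holds another type, whereas `taskID, ok := ctx.Data["BotTaskID"].(int64)` followed by a forbidden response on `!ok` fails closed. httpBase starts and continues outside these hunks.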


@ -114,6 +114,9 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
if err == nil && task != nil && task.Status.IsRunning() { if err == nil && task != nil && task.Status.IsRunning() {
log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID) log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
store.GetData()["IsBotToken"] = true
store.GetData()["BotTaskID"] = task.ID
return bots_model.NewBotUser() return bots_model.NewBotUser()
} else { } else {
log.Error("GetRunnerByToken: %v", err) log.Error("GetRunnerByToken: %v", err)
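Review bot: `IsBotToken` and `BotTaskID` are bare string keys that only httpBase is shown to read, while `Verify` returns the bot user to every Basic-auth caller, so any handler that does not check `IsBotToken` would presumably see an ordinary authenticated doer with no task scoping. A comment above the two assignments such as `// Consumed by httpBase to restrict the token to the task's own repository; other handlers must not treat the bot user as a regular doer.` would record that contract. Shared constants for the two keys would also keep the writer here and the reader in httpBase from drifting apart. Verify's body starts and ends outside the hunk.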