1
1
mirror of https://github.com/go-gitea/gitea synced 2025-07-22 18:28:37 +00:00

Prevent double-login for Git HTTP and LFS and simplify login (#15303)

* Prevent double-login for Git HTTP and LFS and simplify login

There are a number of inconsistencies with our current methods for
logging in for git and lfs. The first is that there is a double login
process. This is particularly evident in 1.13 where there are no less
than 4 hash checks for basic authentication due to the previous
IsPasswordSet behaviour.

This duplicated code had individual inconsistencies that were not
helpful and caused confusion.

This PR does the following:

* Remove the specific login code from the git and lfs handlers except
for the lfs special bearer token
* Simplify the meaning of DisableBasicAuthentication to allow Token and
Oauth2 sign-in.
* The removal of the specific code from git and lfs means that these
both now have the same login semantics and can - if not
DisableBasicAuthentication - login from external services. Further it
allows Oauth2 token authentication as per our standard mechanisms.
* The change in the recovery handler prevents the service from
re-attempting to login - primarily because this could easily cause a
further panic and it is wasteful.

* add test

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath
2021-05-15 16:32:09 +01:00
committed by GitHub
parent ba526ceffe
commit 17c5c654a5
10 changed files with 292 additions and 221 deletions

View File

@@ -31,15 +31,6 @@ func checkIsValidRequest(ctx *context.Context) bool {
writeStatus(ctx, http.StatusBadRequest)
return false
}
if !ctx.IsSigned {
user, _, _, err := parseToken(ctx.Req.Header.Get("Authorization"))
if err != nil {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
writeStatus(ctx, http.StatusUnauthorized)
return false
}
ctx.User = user
}
return true
}
@@ -73,19 +64,21 @@ func GetListLockHandler(ctx *context.Context) {
// Status is written in checkIsValidRequest
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
rv, _ := unpack(ctx)
repository, err := models.GetRepositoryByOwnerAndName(rv.User, rv.Repo)
if err != nil {
log.Debug("Could not find repository: %s/%s - %s", rv.User, rv.Repo, err)
writeStatus(ctx, 404)
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(401, api.LFSLockError{
Message: "You must have pull access to list locks",
})
return
}
repository.MustOwner()
authenticated := authenticate(ctx, repository, rv.Authorization, false)
authenticated := authenticate(ctx, repository, rv.Authorization, true, false)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
@@ -93,6 +86,7 @@ func GetListLockHandler(ctx *context.Context) {
})
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
cursor := ctx.QueryInt("cursor")
if cursor < 0 {
@@ -160,7 +154,6 @@ func PostLockHandler(ctx *context.Context) {
// Status is written in checkIsValidRequest
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
userName := ctx.Params("username")
repoName := strings.TrimSuffix(ctx.Params("reponame"), ".git")
@@ -169,12 +162,15 @@ func PostLockHandler(ctx *context.Context) {
repository, err := models.GetRepositoryByOwnerAndName(userName, repoName)
if err != nil {
log.Error("Unable to get repository: %s/%s Error: %v", userName, repoName, err)
writeStatus(ctx, 404)
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(401, api.LFSLockError{
Message: "You must have push access to create locks",
})
return
}
repository.MustOwner()
authenticated := authenticate(ctx, repository, authorization, true)
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
@@ -183,6 +179,8 @@ func PostLockHandler(ctx *context.Context) {
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
var req api.LFSLockRequest
bodyReader := ctx.Req.Body
defer bodyReader.Close()
@@ -229,7 +227,6 @@ func VerifyLockHandler(ctx *context.Context) {
// Status is written in checkIsValidRequest
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
userName := ctx.Params("username")
repoName := strings.TrimSuffix(ctx.Params("reponame"), ".git")
@@ -238,12 +235,15 @@ func VerifyLockHandler(ctx *context.Context) {
repository, err := models.GetRepositoryByOwnerAndName(userName, repoName)
if err != nil {
log.Error("Unable to get repository: %s/%s Error: %v", userName, repoName, err)
writeStatus(ctx, 404)
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(401, api.LFSLockError{
Message: "You must have push access to verify locks",
})
return
}
repository.MustOwner()
authenticated := authenticate(ctx, repository, authorization, true)
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
@@ -252,6 +252,8 @@ func VerifyLockHandler(ctx *context.Context) {
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
cursor := ctx.QueryInt("cursor")
if cursor < 0 {
cursor = 0
@@ -296,7 +298,6 @@ func UnLockHandler(ctx *context.Context) {
// Status is written in checkIsValidRequest
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
userName := ctx.Params("username")
repoName := strings.TrimSuffix(ctx.Params("reponame"), ".git")
@@ -305,12 +306,15 @@ func UnLockHandler(ctx *context.Context) {
repository, err := models.GetRepositoryByOwnerAndName(userName, repoName)
if err != nil {
log.Error("Unable to get repository: %s/%s Error: %v", userName, repoName, err)
writeStatus(ctx, 404)
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(401, api.LFSLockError{
Message: "You must have push access to delete locks",
})
return
}
repository.MustOwner()
authenticated := authenticate(ctx, repository, authorization, true)
authenticated := authenticate(ctx, repository, authorization, true, true)
if !authenticated {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
@@ -319,6 +323,8 @@ func UnLockHandler(ctx *context.Context) {
return
}
ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
var req api.LFSLockDeleteRequest
bodyReader := ctx.Req.Body
defer bodyReader.Close()