Fix nuget/conan/container packages upload bugs (#31967)

2025-07-22 18:28:37 +00:00 · 2024-09-05 15:05:42 +08:00
parent 74b1c589c6
commit 5c05dddbed
11 changed files with 512 additions and 90 deletions
--- a/routers/api/packages/conan/auth.go
+++ b/routers/api/packages/conan/auth.go
@@ -22,21 +22,25 @@ func (a *Auth) Name() string {

 // Verify extracts the user from the Bearer token
 func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
-	uid, err := packages.ParseAuthorizationToken(req)
+	packageMeta, err := packages.ParseAuthorizationRequest(req)
 	if err != nil {
 		log.Trace("ParseAuthorizationToken: %v", err)
 		return nil, err
 	}

-	if uid == 0 {
+	if packageMeta == nil || packageMeta.UserID == 0 {
 		return nil, nil
 	}

-	u, err := user_model.GetUserByID(req.Context(), uid)
+	u, err := user_model.GetUserByID(req.Context(), packageMeta.UserID)
 	if err != nil {
 		log.Error("GetUserByID:  %v", err)
 		return nil, err
 	}
+	if packageMeta.Scope != "" {
+		store.GetData()["IsApiToken"] = true
+		store.GetData()["ApiTokenScope"] = packageMeta.Scope
+	}

 	return u, nil
 }
--- a/routers/api/packages/conan/conan.go
+++ b/routers/api/packages/conan/conan.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	packages_model "code.gitea.io/gitea/models/packages"
 	conan_model "code.gitea.io/gitea/models/packages/conan"
@@ -21,6 +22,7 @@ import (
 	conan_module "code.gitea.io/gitea/modules/packages/conan"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/routers/api/packages/helper"
+	auth_service "code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/context"
 	notify_service "code.gitea.io/gitea/services/notify"
 	packages_service "code.gitea.io/gitea/services/packages"
@@ -117,7 +119,20 @@ func Authenticate(ctx *context.Context) {
 		return
 	}

-	token, err := packages_service.CreateAuthorizationToken(ctx.Doer)
+	packageScope := auth_service.GetAccessScope(ctx.Data)
+	if has, err := packageScope.HasAnyScope(
+		auth_model.AccessTokenScopeReadPackage,
+		auth_model.AccessTokenScopeWritePackage,
+		auth_model.AccessTokenScopeAll,
+	); !has {
+		if err != nil {
+			log.Error("Error checking access scope: %v", err)
+		}
+		apiError(ctx, http.StatusForbidden, nil)
+		return
+	}
+
+	token, err := packages_service.CreateAuthorizationToken(ctx.Doer, packageScope)
 	if err != nil {
 		apiError(ctx, http.StatusInternalServerError, err)
 		return
@@ -130,9 +145,23 @@ func Authenticate(ctx *context.Context) {
 func CheckCredentials(ctx *context.Context) {
 	if ctx.Doer == nil {
 		ctx.Status(http.StatusUnauthorized)
-	} else {
-		ctx.Status(http.StatusOK)
+		return
 	}
+
+	packageScope := auth_service.GetAccessScope(ctx.Data)
+	if has, err := packageScope.HasAnyScope(
+		auth_model.AccessTokenScopeReadPackage,
+		auth_model.AccessTokenScopeWritePackage,
+		auth_model.AccessTokenScopeAll,
+	); !has {
+		if err != nil {
+			log.Error("Error checking access scope: %v", err)
+		}
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	ctx.Status(http.StatusOK)
 }

 // RecipeSnapshot displays the recipe files with their md5 hash