From 10d3ed53f1cc6d383b52637bedd7bc3679476eb4 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Thu, 27 Apr 2023 18:49:50 -0400 Subject: [PATCH] Fix auth check bug (#24382) (#24387) Backport #24382 by @lunny Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324 `getAuthenticatedMeta` has checked them, these code are duplicated one. And the first invokation has a wrong permission check. `DownloadHandle` should require read permission but not write. Co-authored-by: Lunny Xiao (cherry picked from commit 5999349ce7e311cd123bc5874a3ff2b282c7f6f5) --- services/lfs/server.go | 10 ------ tests/integration/lfs_getobject_test.go | 41 +++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 10 deletions(-) diff --git a/services/lfs/server.go b/services/lfs/server.go index 53d72780db..81a6f6a9e7 100644 --- a/services/lfs/server.go +++ b/services/lfs/server.go @@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) { return } - repository := getAuthenticatedRepository(ctx, rc, true) - if repository == nil { - return - } - // Support resume download using Range header var fromByte, toByte int64 toByte = meta.Size - 1 @@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) { return } - repository := getAuthenticatedRepository(ctx, rc, true) - if repository == nil { - return - } - contentStore := lfs_module.NewContentStore() ok, err := contentStore.Verify(meta.Pointer) diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go index 7b1b3e109c..ba236d355f 100644 --- a/tests/integration/lfs_getobject_test.go +++ b/tests/integration/lfs_getobject_test.go @@ -11,6 +11,7 @@ import ( "net/http/httptest" "testing" + "code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/db" git_model "code.gitea.io/gitea/models/git" repo_model "code.gitea.io/gitea/models/repo" @@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string return pointer.Oid } +func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { + repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") + assert.NoError(t, err) + oid := storeObjectInRepo(t, repo.ID, content) + defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid) + + token := getUserToken(t, "user2", ts) + + // Request OID + req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test") + req.Header.Set("Accept-Encoding", "gzip") + req.SetBasicAuth("user2", token) + if extraHeader != nil { + for key, values := range *extraHeader { + for _, value := range values { + req.Header.Add(key, value) + } + } + } + + resp := MakeRequest(t, req, expectedStatus) + + return resp +} + func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") assert.NoError(t, err) @@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) { checkResponseTestContentEncoding(t, &content, resp, false) } +func TestGetLFSSmallToken(t *testing.T) { + defer tests.PrepareTestEnv(t)() + content := []byte("A very small file\n") + + resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK) + checkResponseTestContentEncoding(t, &content, resp, false) +} + +func TestGetLFSSmallTokenFail(t *testing.T) { + defer tests.PrepareTestEnv(t)() + content := []byte("A very small file\n") + + storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden) +} + func TestGetLFSLarge(t *testing.T) { defer tests.PrepareTestEnv(t)() content := make([]byte, web.GzipMinSize*10)