Backport #23729 by @yp05327 Partly fixes https://github.com/go-gitea/gitea/issues/23642 Error info: ![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png) ActionsUser (userID -2) is used to login in to docker in action jobs. Due to we have no permission policy settings of ActionsUser now, ActionsUser can only access public registry by this quick fix. Co-authored-by: yp05327 <576951401@qq.com>
This commit is contained in:
parent
abf0386e2e
commit
27dbe97542
2 changed files with 22 additions and 37 deletions
|
@ -43,6 +43,24 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
|
|||
}
|
||||
}
|
||||
|
||||
func verifyAuth(r *web.Route, authMethods []auth.Method) {
|
||||
if setting.Service.EnableReverseProxyAuth {
|
||||
authMethods = append(authMethods, &auth.ReverseProxy{})
|
||||
}
|
||||
authGroup := auth.NewGroup(authMethods...)
|
||||
|
||||
r.Use(func(ctx *context.Context) {
|
||||
var err error
|
||||
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
log.Error("Failed to verify user: %v", err)
|
||||
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
|
||||
return
|
||||
}
|
||||
ctx.IsSigned = ctx.Doer != nil
|
||||
})
|
||||
}
|
||||
|
||||
// CommonRoutes provide endpoints for most package managers (except containers - see below)
|
||||
// These are mounted on `/api/packages` (not `/api/v1/packages`)
|
||||
func CommonRoutes(ctx gocontext.Context) *web.Route {
|
||||
|
@ -50,27 +68,12 @@ func CommonRoutes(ctx gocontext.Context) *web.Route {
|
|||
|
||||
r.Use(context.PackageContexter(ctx))
|
||||
|
||||
authMethods := []auth.Method{
|
||||
verifyAuth(r, []auth.Method{
|
||||
&auth.OAuth2{},
|
||||
&auth.Basic{},
|
||||
&nuget.Auth{},
|
||||
&conan.Auth{},
|
||||
&chef.Auth{},
|
||||
}
|
||||
if setting.Service.EnableReverseProxyAuth {
|
||||
authMethods = append(authMethods, &auth.ReverseProxy{})
|
||||
}
|
||||
|
||||
authGroup := auth.NewGroup(authMethods...)
|
||||
r.Use(func(ctx *context.Context) {
|
||||
var err error
|
||||
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
log.Error("Verify: %v", err)
|
||||
ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
|
||||
return
|
||||
}
|
||||
ctx.IsSigned = ctx.Doer != nil
|
||||
})
|
||||
|
||||
r.Group("/{username}", func() {
|
||||
|
@ -401,24 +404,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
|
|||
|
||||
r.Use(context.PackageContexter(ctx))
|
||||
|
||||
authMethods := []auth.Method{
|
||||
verifyAuth(r, []auth.Method{
|
||||
&auth.Basic{},
|
||||
&container.Auth{},
|
||||
}
|
||||
if setting.Service.EnableReverseProxyAuth {
|
||||
authMethods = append(authMethods, &auth.ReverseProxy{})
|
||||
}
|
||||
|
||||
authGroup := auth.NewGroup(authMethods...)
|
||||
r.Use(func(ctx *context.Context) {
|
||||
var err error
|
||||
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if err != nil {
|
||||
log.Error("Failed to verify user: %v", err)
|
||||
ctx.Error(http.StatusUnauthorized, "Verify")
|
||||
return
|
||||
}
|
||||
ctx.IsSigned = ctx.Doer != nil
|
||||
})
|
||||
|
||||
r.Get("", container.ReqContainerAccess, container.DetermineSupport)
|
||||
|
|
|
@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
|
|||
if uid == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
if uid == -1 {
|
||||
return user_model.NewGhostUser(), nil
|
||||
}
|
||||
|
||||
u, err := user_model.GetUserByID(req.Context(), uid)
|
||||
u, err := user_model.GetPossibleUserByID(req.Context(), uid)
|
||||
if err != nil {
|
||||
log.Error("GetUserByID: %v", err)
|
||||
log.Error("GetPossibleUserByID: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
|
Loading…
Add table
Reference in a new issue