Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix package permission(Read and Write) is not as expected #30895

Closed
wants to merge 4 commits into from
Closed

Fix package permission(Read and Write) is not as expected #30895

wants to merge 4 commits into from

Conversation

littleplus
Copy link

I create an access token with package(Read and Write) permission from web:
image

Client Log:

DEBU[0000] endpoints for <Domain>/<Repo>/<Module>:20240508-8654cc5-linux-amd64: [{false https://<Domain>v2 false false true 0xc000492680}]
DEBU[0001] continuing on error (errcode.Error) unauthorized: reqPackageAccess
no such manifest: <Domain>/<Repo>/<Module>:20240508-8654cc5-linux-amd64

Server Log:

2024/05/08 02:05:58 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/<Repo>/<Module>/manifests/20240508-8654cc5-linux-amd64 for <Client-IP>:0, 401 Unauthorized in 1.1ms @ packages/api.go:43(packages.ContainerRoutes.reqPackageAccess)

However, I can't pull the image with the same token, and I find the code, where write token is not permitted to do read package:

gitea/routers/api/packages/api.go

Line 48 in d9b37d0

if accessMode == perm.AccessModeRead {

@littleplus
Fix package Permission(Read and Write) is not as expected with the re…
ac502da 
…ad permission

Co-authored-by: littleplus<11694750+littleplus@users.noreply.github.com>
Signed-off-by: littleplus<11694750+littleplus@users.noreply.github.com>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 8, 2024
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 8, 2024
@littleplus littleplus changed the title Fix package Permission(Read and Write) is not as expected Fix package permission(Read and Write) is not as expected May 8, 2024
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels May 8, 2024
@lunny lunny added type/bug backport/v1.21 This PR should be backported to Gitea 1.21 backport/v1.22 This PR should be backported to Gitea 1.22 labels May 8, 2024
@lunny
Copy link
Member

lunny commented May 8, 2024

Good catch. Can you add some tests for the PR?

@littleplus
Copy link
Author

@lunny Where the test file should I create in?

Is it /routers/api/packages/api_test.go ?

@wxiaoguang
Copy link
Contributor

Ideally the logic could be:

if accessMode == read {
    scopeMatched = hasScope(Read) || hasScope(Write)
} else if accessMode == write {
    scopeMatched = hasWrite
}

It is clearer than if accessMode == perm.AccessModeWrite || !scopeMatched

@wxiaoguang wxiaoguang requested a review from jolheiser May 8, 2024 13:47
@littleplus
Copy link
Author

@wxiaoguang Of course, I have the same idea before, and I also notice that the duplicated code will bring more unmaintainability while trying to edit the logic of func hasScope, and maybe create funcs called hasAllScopes and hasOneOfScopes should be the more reusable way.

@wxiaoguang
Copy link
Contributor

Ping the original author @jolheiser

@lunny
Copy link
Member

lunny commented May 11, 2024

@lunny Where the test file should I create in?

Is it /routers/api/packages/api_test.go ?

For unit test, it's OK.

@wxiaoguang

This comment was marked as outdated.

Sign in to view
@wxiaoguang

This comment was marked as outdated.

Sign in to view
@wxiaoguang
Copy link
Contributor

However, I can't pull the image with the same token, and I find the code, where write token is not permitted to do read package:

By reading the code:

	accessTokenScopeReadPackageBits  accessTokenScopeBitmap = 1 << iota
	accessTokenScopeWritePackageBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadPackageBits

So package:write should already allow "read". And this test succeeds:

func TestTemp(t *testing.T) {
	matched, err := AccessTokenScopeWritePackage.HasScope(AccessTokenScopeReadPackage)
	assert.NoError(t, err)
	assert.True(t, matched)
}

So the existing logic looks right. Could you explain why it doesn't work in your case?

@wxiaoguang wxiaoguang added issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail and removed backport/v1.21 This PR should be backported to Gitea 1.21 backport/v1.22 This PR should be backported to Gitea 1.22 labels May 13, 2024
@littleplus
Copy link
Author

Yes, the code seem right, and I lost my first key and can not reproduce with new key. Looks like it's my mistake, I will close it first before I find the problem.

@littleplus littleplus closed this May 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jolheiser jolheiser Awaiting requested review from jolheiser

Assignees
No one assigned
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@littleplus @lunny @wxiaoguang @GiteaBot