From ecf1f2d3f619e5e9dfe1e1782c39604d63ae4c38 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Fri, 28 Apr 2023 04:43:27 +0800 Subject: [PATCH] Fix auth check bug (#24382) Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324 `getAuthenticatedMeta` has checked them, these code are duplicated one. And the first invokation has a wrong permission check. `DownloadHandle` should require read permission but not write. --- services/lfs/server.go | 10 ------ tests/integration/lfs_getobject_test.go | 41 +++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 10 deletions(-) diff --git a/services/lfs/server.go b/services/lfs/server.go index 4c69e4751..64e120339 100644 --- a/services/lfs/server.go +++ b/services/lfs/server.go @@ -86,11 +86,6 @@ func DownloadHandler(ctx *context.Context) { return } - repository := getAuthenticatedRepository(ctx, rc, true) - if repository == nil { - return - } - // Support resume download using Range header var fromByte, toByte int64 toByte = meta.Size - 1 @@ -365,11 +360,6 @@ func VerifyHandler(ctx *context.Context) { return } - repository := getAuthenticatedRepository(ctx, rc, true) - if repository == nil { - return - } - contentStore := lfs_module.NewContentStore() ok, err := contentStore.Verify(meta.Pointer) diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go index 7b1b3e109..ba236d355 100644 --- a/tests/integration/lfs_getobject_test.go +++ b/tests/integration/lfs_getobject_test.go @@ -11,6 +11,7 @@ import ( "net/http/httptest" "testing" + "code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/db" git_model "code.gitea.io/gitea/models/git" repo_model "code.gitea.io/gitea/models/repo" @@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string return pointer.Oid } +func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { + repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") + assert.NoError(t, err) + oid := storeObjectInRepo(t, repo.ID, content) + defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid) + + token := getUserToken(t, "user2", ts) + + // Request OID + req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test") + req.Header.Set("Accept-Encoding", "gzip") + req.SetBasicAuth("user2", token) + if extraHeader != nil { + for key, values := range *extraHeader { + for _, value := range values { + req.Header.Add(key, value) + } + } + } + + resp := MakeRequest(t, req, expectedStatus) + + return resp +} + func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder { repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1") assert.NoError(t, err) @@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) { checkResponseTestContentEncoding(t, &content, resp, false) } +func TestGetLFSSmallToken(t *testing.T) { + defer tests.PrepareTestEnv(t)() + content := []byte("A very small file\n") + + resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK) + checkResponseTestContentEncoding(t, &content, resp, false) +} + +func TestGetLFSSmallTokenFail(t *testing.T) { + defer tests.PrepareTestEnv(t)() + content := []byte("A very small file\n") + + storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden) +} + func TestGetLFSLarge(t *testing.T) { defer tests.PrepareTestEnv(t)() content := make([]byte, web.GzipMinSize*10)