

Prevent anonymous container access if RequireSignInView is enabled (g…
…o-gitea#28877)

Fixes go-gitea#28875

If `RequireSignInView` is enabled, the ghost user has no access rights.
KN4CK3R authored and GiteaBot committed Jan 21, 2024
1 parent 8c7bda8 commit 04a07d8
Showing 3 changed files with 24 additions and 6 deletions.
2 changes: 1 addition & 1 deletion modules/context/package.go
Expand Up @@ -93,7 +93,7 @@ func packageAssignment(ctx *packageAssignmentCtx, errCb func(int, string, any))
}

func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.AccessMode, error) {
if setting.Service.RequireSignInView && doer == nil {
if setting.Service.RequireSignInView && (doer == nil || doer.IsGhost()) {
return perm.AccessModeNone, nil
}

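Review bot: determineAccessMode has no doc comment, and the new `doer.IsGhost()` condition is the first place a reader needs one: that a ghost doer with RequireSignInView disabled is meant to fall through to the ordinary permission resolution below is only implied by the guard. Suggest `// determineAccessMode resolves doer's access to pkg; when RequireSignInView is set, an anonymous (nil) or ghost doer gets AccessModeNone.` Note that ReqContainerAccess in container.go now carries a related but not identical predicate (a nil doer is rejected there unconditionally), so if "ghost counts as anonymous under RequireSignInView" is the intended rule, a small shared helper would keep the two call sites from drifting. The function body continues past the hunk.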
19 changes: 14 additions & 5 deletions routers/api/packages/container/container.go
Expand Up @@ -114,11 +114,15 @@ func apiErrorDefined(ctx *context.Context, err *namedError) {
})
}

// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost for anonymous access)
func apiUnauthorizedError(ctx *context.Context) {
ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
apiErrorDefined(ctx, errUnauthorized)
}

// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
func ReqContainerAccess(ctx *context.Context) {
if ctx.Doer == nil {
ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
apiErrorDefined(ctx, errUnauthorized)
if ctx.Doer == nil || (setting.Service.RequireSignInView && ctx.Doer.IsGhost()) {
apiUnauthorizedError(ctx)
}
}

Expand All @@ -138,10 +142,15 @@ func DetermineSupport(ctx *context.Context) {
}

// Authenticate creates a token for the current user
// If the current user is anonymous, the ghost user is used
// If the current user is anonymous, the ghost user is used unless RequireSignInView is enabled.
func Authenticate(ctx *context.Context) {
u := ctx.Doer
if u == nil {
if setting.Service.RequireSignInView {
apiUnauthorizedError(ctx)
return
}

u = user_model.NewGhostUser()
}

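Review bot: In the second hunk, Authenticate still only tests `u == nil` before consulting RequireSignInView, whereas ReqContainerAccess in the first hunk now also rejects a doer for which `IsGhost()` is true. If a request can reach Authenticate already carrying a ghost doer — for example via a previously issued anonymous token, and assuming the token route is not itself behind ReqContainerAccess, which I cannot see from here — it would be issued a fresh token for the ghost user even though the middleware rejects that doer. Mirroring the middleware's predicate in Authenticate closes that gap and keeps the two checks in step; the rewritten lines are below. Authenticate's body continues past the hunk.
```go
func Authenticate(ctx *context.Context) {
	u := ctx.Doer
	// Under RequireSignInView neither an anonymous nor a ghost doer may obtain a token.
	if setting.Service.RequireSignInView && (u == nil || u.IsGhost()) {
		apiUnauthorizedError(ctx)
		return
	}
	if u == nil {
		u = user_model.NewGhostUser()
	}
	// … unchanged: token creation …
```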
9 changes: 9 additions & 0 deletions tests/integration/api_packages_container_test.go
Expand Up @@ -21,6 +21,7 @@ import (
container_module "code.gitea.io/gitea/modules/packages/container"
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/test"
"code.gitea.io/gitea/tests"

"github.com/minio/sha256-simd"
Expand Down Expand Up @@ -106,6 +107,14 @@ func TestPackageContainer(t *testing.T) {
req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
addTokenAuthHeader(req, anonymousToken)
MakeRequest(t, req, http.StatusOK)

defer test.MockVariableValue(&setting.Service.RequireSignInView, true)()

req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
MakeRequest(t, req, http.StatusUnauthorized)

req = NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
MakeRequest(t, req, http.StatusUnauthorized)
})

t.Run("User", func(t *testing.T) {
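Review bot: The new assertions only send requests with no credentials, so the ghost-doer branch added to ReqContainerAccess (`ctx.Doer.IsGhost()`) is not exercised: the `anonymousToken` obtained earlier in this subtest is never presented after RequireSignInView is mocked on. Adding, after the mock line, `req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))` / `addTokenAuthHeader(req, anonymousToken)` / `MakeRequest(t, req, http.StatusUnauthorized)` would pin that a token minted while anonymous access was allowed stops working once the setting is enabled. The deferred restore on the mock line runs when the "Anonymous" subtest closure returns, so the later "User" subtest sees the default value again; the subtest body starts before the hunk.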
