Add actions support to package auth verification (#23729)

yp05327 · web-flow · commit bb6c670cff1a · 2023-04-10T15:21:03.000+08:00
Partly fixes #23642 Error info: ![image](https://user-images.githubusercontent.com/18380374/227827027-4280a368-ec9e-49e0-bb93-6b496ada7cd9.png) ActionsUser (userID -2) is used to login in to docker in action jobs. Due to we have no permission policy settings of ActionsUser now, ActionsUser can only access public registry by this quick fix.
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
@@ -44,35 +44,38 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 	}
 }
 
-// CommonRoutes provide endpoints for most package managers (except containers - see below)
-// These are mounted on `/api/packages` (not `/api/v1/packages`)
-func CommonRoutes(ctx gocontext.Context) *web.Route {
-	r := web.NewRoute()
-
-	r.Use(context.PackageContexter(ctx))
-
-	authMethods := []auth.Method{
-		&auth.OAuth2{},
-		&auth.Basic{},
-		&nuget.Auth{},
-		&conan.Auth{},
-		&chef.Auth{},
-	}
+func verifyAuth(r *web.Route, authMethods []auth.Method) {
 	if setting.Service.EnableReverseProxyAuth {
 		authMethods = append(authMethods, &auth.ReverseProxy{})
 	}
-
 	authGroup := auth.NewGroup(authMethods...)
+
 	r.Use(func(ctx *context.Context) {
 		var err error
 		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
 		if err != nil {
-			log.Error("Verify: %v", err)
+			log.Error("Failed to verify user: %v", err)
 			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
 			return
 		}
 		ctx.IsSigned = ctx.Doer != nil
 	})
+}
+
+// CommonRoutes provide endpoints for most package managers (except containers - see below)
+// These are mounted on `/api/packages` (not `/api/v1/packages`)
+func CommonRoutes(ctx gocontext.Context) *web.Route {
+	r := web.NewRoute()
+
+	r.Use(context.PackageContexter(ctx))
+
+	verifyAuth(r, []auth.Method{
+		&auth.OAuth2{},
+		&auth.Basic{},
+		&nuget.Auth{},
+		&conan.Auth{},
+		&chef.Auth{},
+	})
 
 	r.Group("/{username}", func() {
 		r.Group("/cargo", func() {
@@ -437,24 +440,9 @@ func ContainerRoutes(ctx gocontext.Context) *web.Route {
 
 	r.Use(context.PackageContexter(ctx))
 
-	authMethods := []auth.Method{
+	verifyAuth(r, []auth.Method{
 		&auth.Basic{},
 		&container.Auth{},
-	}
-	if setting.Service.EnableReverseProxyAuth {
-		authMethods = append(authMethods, &auth.ReverseProxy{})
-	}
-
-	authGroup := auth.NewGroup(authMethods...)
-	r.Use(func(ctx *context.Context) {
-		var err error
-		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
-		if err != nil {
-			log.Error("Failed to verify user: %v", err)
-			ctx.Error(http.StatusUnauthorized, "Verify")
-			return
-		}
-		ctx.IsSigned = ctx.Doer != nil
 	})
 
 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go
@@ -30,13 +30,10 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 	if uid == 0 {
 		return nil, nil
 	}
-	if uid == -1 {
-		return user_model.NewGhostUser(), nil
-	}
 
-	u, err := user_model.GetUserByID(req.Context(), uid)
+	u, err := user_model.GetPossibleUserByID(req.Context(), uid)
 	if err != nil {
-		log.Error("GetUserByID:  %v", err)
+		log.Error("GetPossibleUserByID:  %v", err)
 		return nil, err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -30,13 +30,10 @@ func (a Auth) Verify(req http.Request, w http.ResponseWriter, store auth.DataS`
`30`	`30`	`if uid == 0 {`
`31`	`31`	`return nil, nil`
`32`	`32`	`}`
`33`		`- if uid == -1 {`
`34`		`- return user_model.NewGhostUser(), nil`
`35`		`- }`
`36`	`33`
`37`		`- u, err := user_model.GetUserByID(req.Context(), uid)`
	`34`	`+ u, err := user_model.GetPossibleUserByID(req.Context(), uid)`
`38`	`35`	`if err != nil {`
`39`		`- log.Error("GetUserByID: %v", err)`
	`36`	`+ log.Error("GetPossibleUserByID: %v", err)`
`40`	`37`	`return nil, err`
`41`	`38`	`}`
`42`	`39`