Prevent double-login for Git HTTP and LFS and simplify login (#15303)
* Prevent double-login for Git HTTP and LFS and simplify login

There are a number of inconsistencies with our current methods for logging in for git and lfs. The first is that there is a double login process. This is particularly evident in 1.13 where there are no less than 4 hash checks for basic authentication due to the previous IsPasswordSet behaviour. This duplicated code had individual inconsistencies that were not helpful and caused confusion.

This PR does the following:

* Remove the specific login code from the git and lfs handlers except for the lfs special bearer token
* Simplify the meaning of DisableBasicAuthentication to allow Token and Oauth2 sign-in.
* The removal of the specific code from git and lfs means that these both now have the same login semantics and can - if not DisableBasicAuthentication - login from external services. Further it allows Oauth2 token authentication as per our standard mechanisms.
* The change in the recovery handler prevents the service from re-attempting to login - primarily because this could easily cause a further panic and it is wasteful.

* add test

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>

tokarchuk/v1.17
parent
ba526ceffe
commit
17c5c654a5
@ -0,0 +1,124 @@ |
|||||||
|
// Copyright 2014 The Gogs Authors. All rights reserved.
|
||||||
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package sso |
||||||
|
|
||||||
|
import ( |
||||||
|
"net/http" |
||||||
|
"testing" |
||||||
|
|
||||||
|
"code.gitea.io/gitea/modules/setting" |
||||||
|
) |
||||||
|
|
||||||
|
func Test_isGitOrLFSPath(t *testing.T) { |
||||||
|
|
||||||
|
tests := []struct { |
||||||
|
path string |
||||||
|
|
||||||
|
want bool |
||||||
|
}{ |
||||||
|
{ |
||||||
|
"/owner/repo/git-upload-pack", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/git-receive-pack", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/info/refs", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/HEAD", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/info/alternates", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/info/http-alternates", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/info/packs", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/info/blahahsdhsdkla", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/01/23456789abcdef0123456789abcdef01234567", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/pack/pack-123456789012345678921234567893124567894.pack", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx", |
||||||
|
true, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/stars", |
||||||
|
false, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/notowner", |
||||||
|
false, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo", |
||||||
|
false, |
||||||
|
}, |
||||||
|
{ |
||||||
|
"/owner/repo/commit/123456789012345678921234567893124567894", |
||||||
|
false, |
||||||
|
}, |
||||||
|
} |
||||||
|
lfsTests := []string{ |
||||||
|
"/owner/repo/info/lfs/", |
||||||
|
"/owner/repo/info/lfs/objects/batch", |
||||||
|
"/owner/repo/info/lfs/objects/oid/filename", |
||||||
|
"/owner/repo/info/lfs/objects/oid", |
||||||
|
"/owner/repo/info/lfs/objects", |
||||||
|
"/owner/repo/info/lfs/verify", |
||||||
|
"/owner/repo/info/lfs/locks", |
||||||
|
"/owner/repo/info/lfs/locks/verify", |
||||||
|
"/owner/repo/info/lfs/locks/123/unlock", |
||||||
|
} |
||||||
|
|
||||||
|
origLFSStartServer := setting.LFS.StartServer |
||||||
|
|
||||||
|
for _, tt := range tests { |
||||||
|
t.Run(tt.path, func(t *testing.T) { |
||||||
|
req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil) |
||||||
|
setting.LFS.StartServer = false |
||||||
|
if got := isGitOrLFSPath(req); got != tt.want { |
||||||
|
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) |
||||||
|
} |
||||||
|
setting.LFS.StartServer = true |
||||||
|
if got := isGitOrLFSPath(req); got != tt.want { |
||||||
|
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) |
||||||
|
} |
||||||
|
}) |
||||||
|
} |
||||||
|
for _, tt := range lfsTests { |
||||||
|
t.Run(tt, func(t *testing.T) { |
||||||
|
req, _ := http.NewRequest("POST", tt, nil) |
||||||
|
setting.LFS.StartServer = false |
||||||
|
if got := isGitOrLFSPath(req); got != setting.LFS.StartServer { |
||||||
|
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitPathRe.MatchString(tt)) |
||||||
|
} |
||||||
|
setting.LFS.StartServer = true |
||||||
|
if got := isGitOrLFSPath(req); got != setting.LFS.StartServer { |
||||||
|
t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer) |
||||||
|
} |
||||||
|
}) |
||||||
|
} |
||||||
|
setting.LFS.StartServer = origLFSStartServer |
||||||
|
} |
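Review bot: The table in Test_isGitOrLFSPath has no negative cases that probe the edges of the match: every `false` entry is a path with no git suffix at all, so the test would still pass if `gitPathRe` (not visible here) were unanchored or accepted a git suffix at any depth. Since this predicate presumably selects which requests get the Git/LFS login handling described in the commit message, add entries where a git suffix is followed by an extra segment or preceded by more than `owner/repo`, each with the `want` value the maintainers intend. The `/owner/repo/objects/info/blahahsdhsdkla` case pins that any name under `objects/info/` is accepted; a one-line comment saying this is deliberate would help the next reader. Separately, `setting.LFS.StartServer` is restored only on the last line of the function, so register `defer func() { setting.LFS.StartServer = origLFSStartServer }()` directly after the value is saved, and check the error from `http.NewRequest` instead of discarding it with `_`.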