Always set userID on LFS authentication (#7224)

* Always set userID on LFS authentication

Fix #5478
Fix #7219

* Deploy keys should only be able to read their repos
This commit is contained in:
zeripath 2019-06-17 16:36:42 +01:00 committed by Lauris BH
parent dbd0a2e6dc
commit 5d1a8d23b0

View File

@ -219,8 +219,9 @@ func runServ(c *cli.Context) error {
var ( var (
keyID int64 keyID int64
user *models.User user *models.User
userID int64
) )
if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
keys := strings.Split(c.Args()[0], "-") keys := strings.Split(c.Args()[0], "-")
if len(keys) != 2 { if len(keys) != 2 {
fail("Key ID format error", "Invalid key argument: %s", c.Args()[0]) fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
@ -231,8 +232,8 @@ func runServ(c *cli.Context) error {
fail("Invalid key ID", "Invalid key ID[%s]: %v", c.Args()[0], err) fail("Invalid key ID", "Invalid key ID[%s]: %v", c.Args()[0], err)
} }
keyID = key.ID keyID = key.ID
userID = key.OwnerID
// Check deploy key or user key.
if key.Type == models.KeyTypeDeploy { if key.Type == models.KeyTypeDeploy {
// Now we have to get the deploy key for this repo // Now we have to get the deploy key for this repo
deployKey, err := private.GetDeployKey(key.ID, repo.ID) deployKey, err := private.GetDeployKey(key.ID, repo.ID)
@ -258,7 +259,9 @@ func runServ(c *cli.Context) error {
// so for now use the owner // so for now use the owner
os.Setenv(models.EnvPusherName, username) os.Setenv(models.EnvPusherName, username)
os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", repo.OwnerID)) os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", repo.OwnerID))
} else { userID = repo.OwnerID
} else if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
// Check deploy key or user key.
user, err = private.GetUserByKeyID(key.ID) user, err = private.GetUserByKeyID(key.ID)
if err != nil { if err != nil {
fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err) fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
@ -286,7 +289,6 @@ func runServ(c *cli.Context) error {
os.Setenv(models.EnvPusherName, user.Name) os.Setenv(models.EnvPusherName, user.Name)
os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", user.ID)) os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", user.ID))
} }
}
//LFS token authentication //LFS token authentication
if verb == lfsAuthenticateVerb { if verb == lfsAuthenticateVerb {
@ -299,8 +301,8 @@ func runServ(c *cli.Context) error {
"exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(), "exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
"nbf": now.Unix(), "nbf": now.Unix(),
} }
if user != nil { if userID > 0 {
claims["user"] = user.ID claims["user"] = userID
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)