mirror of
https://github.com/go-gitea/gitea
synced 2024-11-18 08:19:36 +01:00
de484e86bc
This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
424 lines
16 KiB
Go
424 lines
16 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/models"
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
|
"code.gitea.io/gitea/models/db"
|
|
issues_model "code.gitea.io/gitea/models/issues"
|
|
repo_model "code.gitea.io/gitea/models/repo"
|
|
"code.gitea.io/gitea/models/unittest"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
"code.gitea.io/gitea/models/webhook"
|
|
"code.gitea.io/gitea/modules/git"
|
|
repo_module "code.gitea.io/gitea/modules/repository"
|
|
api "code.gitea.io/gitea/modules/structs"
|
|
"code.gitea.io/gitea/modules/test"
|
|
"code.gitea.io/gitea/modules/translation"
|
|
"code.gitea.io/gitea/services/pull"
|
|
repo_service "code.gitea.io/gitea/services/repository"
|
|
files_service "code.gitea.io/gitea/services/repository/files"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func testPullMerge(t *testing.T, session *TestSession, user, repo, pullnum string, mergeStyle repo_model.MergeStyle) *httptest.ResponseRecorder {
|
|
req := NewRequest(t, "GET", path.Join(user, repo, "pulls", pullnum))
|
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
link := path.Join(user, repo, "pulls", pullnum, "merge")
|
|
req = NewRequestWithValues(t, "POST", link, map[string]string{
|
|
"_csrf": htmlDoc.GetCSRF(),
|
|
"do": string(mergeStyle),
|
|
})
|
|
resp = session.MakeRequest(t, req, http.StatusSeeOther)
|
|
|
|
return resp
|
|
}
|
|
|
|
func testPullCleanUp(t *testing.T, session *TestSession, user, repo, pullnum string) *httptest.ResponseRecorder {
|
|
req := NewRequest(t, "GET", path.Join(user, repo, "pulls", pullnum))
|
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
// Click the little green button to create a pull
|
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
link, exists := htmlDoc.doc.Find(".timeline-item .delete-button").Attr("data-url")
|
|
assert.True(t, exists, "The template has changed, can not find delete button url")
|
|
req = NewRequestWithValues(t, "POST", link, map[string]string{
|
|
"_csrf": htmlDoc.GetCSRF(),
|
|
})
|
|
resp = session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
return resp
|
|
}
|
|
|
|
func TestPullMerge(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
|
|
assert.NoError(t, err)
|
|
hookTasksLenBefore := len(hookTasks)
|
|
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited)\n")
|
|
|
|
resp := testPullCreate(t, session, "user1", "repo1", "master", "This is a pull title")
|
|
|
|
elem := strings.Split(test.RedirectURL(resp), "/")
|
|
assert.EqualValues(t, "pulls", elem[3])
|
|
testPullMerge(t, session, elem[1], elem[2], elem[4], repo_model.MergeStyleMerge)
|
|
|
|
hookTasks, err = webhook.HookTasks(1, 1)
|
|
assert.NoError(t, err)
|
|
assert.Len(t, hookTasks, hookTasksLenBefore+1)
|
|
})
|
|
}
|
|
|
|
func TestPullRebase(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
|
|
assert.NoError(t, err)
|
|
hookTasksLenBefore := len(hookTasks)
|
|
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited)\n")
|
|
|
|
resp := testPullCreate(t, session, "user1", "repo1", "master", "This is a pull title")
|
|
|
|
elem := strings.Split(test.RedirectURL(resp), "/")
|
|
assert.EqualValues(t, "pulls", elem[3])
|
|
testPullMerge(t, session, elem[1], elem[2], elem[4], repo_model.MergeStyleRebase)
|
|
|
|
hookTasks, err = webhook.HookTasks(1, 1)
|
|
assert.NoError(t, err)
|
|
assert.Len(t, hookTasks, hookTasksLenBefore+1)
|
|
})
|
|
}
|
|
|
|
func TestPullRebaseMerge(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
|
|
assert.NoError(t, err)
|
|
hookTasksLenBefore := len(hookTasks)
|
|
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited)\n")
|
|
|
|
resp := testPullCreate(t, session, "user1", "repo1", "master", "This is a pull title")
|
|
|
|
elem := strings.Split(test.RedirectURL(resp), "/")
|
|
assert.EqualValues(t, "pulls", elem[3])
|
|
testPullMerge(t, session, elem[1], elem[2], elem[4], repo_model.MergeStyleRebaseMerge)
|
|
|
|
hookTasks, err = webhook.HookTasks(1, 1)
|
|
assert.NoError(t, err)
|
|
assert.Len(t, hookTasks, hookTasksLenBefore+1)
|
|
})
|
|
}
|
|
|
|
func TestPullSquash(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
|
|
assert.NoError(t, err)
|
|
hookTasksLenBefore := len(hookTasks)
|
|
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited)\n")
|
|
testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited!)\n")
|
|
|
|
resp := testPullCreate(t, session, "user1", "repo1", "master", "This is a pull title")
|
|
|
|
elem := strings.Split(test.RedirectURL(resp), "/")
|
|
assert.EqualValues(t, "pulls", elem[3])
|
|
testPullMerge(t, session, elem[1], elem[2], elem[4], repo_model.MergeStyleSquash)
|
|
|
|
hookTasks, err = webhook.HookTasks(1, 1)
|
|
assert.NoError(t, err)
|
|
assert.Len(t, hookTasks, hookTasksLenBefore+1)
|
|
})
|
|
}
|
|
|
|
func TestPullCleanUpAfterMerge(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "feature/test", "README.md", "Hello, World (Edited - TestPullCleanUpAfterMerge)\n")
|
|
|
|
resp := testPullCreate(t, session, "user1", "repo1", "feature/test", "This is a pull title")
|
|
|
|
elem := strings.Split(test.RedirectURL(resp), "/")
|
|
assert.EqualValues(t, "pulls", elem[3])
|
|
testPullMerge(t, session, elem[1], elem[2], elem[4], repo_model.MergeStyleMerge)
|
|
|
|
// Check PR branch deletion
|
|
resp = testPullCleanUp(t, session, elem[1], elem[2], elem[4])
|
|
respJSON := struct {
|
|
Redirect string
|
|
}{}
|
|
DecodeJSON(t, resp, &respJSON)
|
|
|
|
assert.NotEmpty(t, respJSON.Redirect, "Redirected URL is not found")
|
|
|
|
elem = strings.Split(respJSON.Redirect, "/")
|
|
assert.EqualValues(t, "pulls", elem[3])
|
|
|
|
// Check branch deletion result
|
|
req := NewRequest(t, "GET", respJSON.Redirect)
|
|
resp = session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
resultMsg := htmlDoc.doc.Find(".ui.message>p").Text()
|
|
|
|
assert.EqualValues(t, "Branch 'user1/feature/test' has been deleted.", resultMsg)
|
|
})
|
|
}
|
|
|
|
func TestCantMergeWorkInProgress(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited)\n")
|
|
|
|
resp := testPullCreate(t, session, "user1", "repo1", "master", "[wip] This is a pull title")
|
|
|
|
req := NewRequest(t, "GET", resp.Header().Get("Location"))
|
|
resp = session.MakeRequest(t, req, http.StatusOK)
|
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
text := strings.TrimSpace(htmlDoc.doc.Find(".merge-section > .item").Last().Text())
|
|
assert.NotEmpty(t, text, "Can't find WIP text")
|
|
|
|
assert.Contains(t, text, translation.NewLocale("en-US").Tr("repo.pulls.cannot_merge_work_in_progress"), "Unable to find WIP text")
|
|
assert.Contains(t, text, "[wip]", "Unable to find WIP text")
|
|
})
|
|
}
|
|
|
|
func TestCantMergeConflict(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "conflict", "README.md", "Hello, World (Edited Once)\n")
|
|
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "base", "README.md", "Hello, World (Edited Twice)\n")
|
|
|
|
// Use API to create a conflicting pr
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
|
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
|
|
Head: "conflict",
|
|
Base: "base",
|
|
Title: "create a conflicting pr",
|
|
})
|
|
session.MakeRequest(t, req, http.StatusCreated)
|
|
|
|
// Now this PR will be marked conflict - or at least a race will do - so drop down to pure code at this point...
|
|
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{
|
|
Name: "user1",
|
|
})
|
|
repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{
|
|
OwnerID: user1.ID,
|
|
Name: "repo1",
|
|
})
|
|
|
|
pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{
|
|
HeadRepoID: repo1.ID,
|
|
BaseRepoID: repo1.ID,
|
|
HeadBranch: "conflict",
|
|
BaseBranch: "base",
|
|
})
|
|
|
|
gitRepo, err := git.OpenRepository(git.DefaultContext, repo_model.RepoPath(user1.Name, repo1.Name))
|
|
assert.NoError(t, err)
|
|
|
|
err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleMerge, "", "CONFLICT", false)
|
|
assert.Error(t, err, "Merge should return an error due to conflict")
|
|
assert.True(t, models.IsErrMergeConflicts(err), "Merge error is not a conflict error")
|
|
|
|
err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleRebase, "", "CONFLICT", false)
|
|
assert.Error(t, err, "Merge should return an error due to conflict")
|
|
assert.True(t, models.IsErrRebaseConflicts(err), "Merge error is not a conflict error")
|
|
gitRepo.Close()
|
|
})
|
|
}
|
|
|
|
func TestCantMergeUnrelated(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
session := loginUser(t, "user1")
|
|
testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
|
|
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "base", "README.md", "Hello, World (Edited Twice)\n")
|
|
|
|
// Now we want to create a commit on a branch that is totally unrelated to our current head
|
|
// Drop down to pure code at this point
|
|
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{
|
|
Name: "user1",
|
|
})
|
|
repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{
|
|
OwnerID: user1.ID,
|
|
Name: "repo1",
|
|
})
|
|
path := repo_model.RepoPath(user1.Name, repo1.Name)
|
|
|
|
err := git.NewCommand(git.DefaultContext, "read-tree", "--empty").Run(&git.RunOpts{Dir: path})
|
|
assert.NoError(t, err)
|
|
|
|
stdin := bytes.NewBufferString("Unrelated File")
|
|
var stdout strings.Builder
|
|
err = git.NewCommand(git.DefaultContext, "hash-object", "-w", "--stdin").Run(&git.RunOpts{
|
|
Dir: path,
|
|
Stdin: stdin,
|
|
Stdout: &stdout,
|
|
})
|
|
|
|
assert.NoError(t, err)
|
|
sha := strings.TrimSpace(stdout.String())
|
|
|
|
_, _, err = git.NewCommand(git.DefaultContext, "update-index", "--add", "--replace", "--cacheinfo", "100644", git.CmdArgCheck(sha), "somewher-over-the-rainbow").RunStdString(&git.RunOpts{Dir: path})
|
|
assert.NoError(t, err)
|
|
|
|
treeSha, _, err := git.NewCommand(git.DefaultContext, "write-tree").RunStdString(&git.RunOpts{Dir: path})
|
|
assert.NoError(t, err)
|
|
treeSha = strings.TrimSpace(treeSha)
|
|
|
|
commitTimeStr := time.Now().Format(time.RFC3339)
|
|
doerSig := user1.NewGitSig()
|
|
env := append(os.Environ(),
|
|
"GIT_AUTHOR_NAME="+doerSig.Name,
|
|
"GIT_AUTHOR_EMAIL="+doerSig.Email,
|
|
"GIT_AUTHOR_DATE="+commitTimeStr,
|
|
"GIT_COMMITTER_NAME="+doerSig.Name,
|
|
"GIT_COMMITTER_EMAIL="+doerSig.Email,
|
|
"GIT_COMMITTER_DATE="+commitTimeStr,
|
|
)
|
|
|
|
messageBytes := new(bytes.Buffer)
|
|
_, _ = messageBytes.WriteString("Unrelated")
|
|
_, _ = messageBytes.WriteString("\n")
|
|
|
|
stdout.Reset()
|
|
err = git.NewCommand(git.DefaultContext, "commit-tree").AddDynamicArguments(treeSha).
|
|
Run(&git.RunOpts{
|
|
Env: env,
|
|
Dir: path,
|
|
Stdin: messageBytes,
|
|
Stdout: &stdout,
|
|
})
|
|
assert.NoError(t, err)
|
|
commitSha := strings.TrimSpace(stdout.String())
|
|
|
|
_, _, err = git.NewCommand(git.DefaultContext, "branch", "unrelated").AddDynamicArguments(commitSha).RunStdString(&git.RunOpts{Dir: path})
|
|
assert.NoError(t, err)
|
|
|
|
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "conflict", "README.md", "Hello, World (Edited Once)\n")
|
|
|
|
// Use API to create a conflicting pr
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
|
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
|
|
Head: "unrelated",
|
|
Base: "base",
|
|
Title: "create an unrelated pr",
|
|
})
|
|
session.MakeRequest(t, req, http.StatusCreated)
|
|
|
|
// Now this PR could be marked conflict - or at least a race may occur - so drop down to pure code at this point...
|
|
gitRepo, err := git.OpenRepository(git.DefaultContext, path)
|
|
assert.NoError(t, err)
|
|
pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{
|
|
HeadRepoID: repo1.ID,
|
|
BaseRepoID: repo1.ID,
|
|
HeadBranch: "unrelated",
|
|
BaseBranch: "base",
|
|
})
|
|
|
|
err = pull.Merge(context.Background(), pr, user1, gitRepo, repo_model.MergeStyleMerge, "", "UNRELATED", false)
|
|
assert.Error(t, err, "Merge should return an error due to unrelated")
|
|
assert.True(t, models.IsErrMergeUnrelatedHistories(err), "Merge error is not a unrelated histories error")
|
|
gitRepo.Close()
|
|
})
|
|
}
|
|
|
|
func TestConflictChecking(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
|
|
// Create new clean repo to test conflict checking.
|
|
baseRepo, err := repo_service.CreateRepository(user, user, repo_module.CreateRepoOptions{
|
|
Name: "conflict-checking",
|
|
Description: "Tempo repo",
|
|
AutoInit: true,
|
|
Readme: "Default",
|
|
DefaultBranch: "main",
|
|
})
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, baseRepo)
|
|
|
|
// create a commit on new branch.
|
|
_, err = files_service.CreateOrUpdateRepoFile(git.DefaultContext, baseRepo, user, &files_service.UpdateRepoFileOptions{
|
|
TreePath: "important_file",
|
|
Message: "Add a important file",
|
|
Content: "Just a non-important file",
|
|
IsNewFile: true,
|
|
OldBranch: "main",
|
|
NewBranch: "important-secrets",
|
|
})
|
|
assert.NoError(t, err)
|
|
|
|
// create a commit on main branch.
|
|
_, err = files_service.CreateOrUpdateRepoFile(git.DefaultContext, baseRepo, user, &files_service.UpdateRepoFileOptions{
|
|
TreePath: "important_file",
|
|
Message: "Add a important file",
|
|
Content: "Not the same content :P",
|
|
IsNewFile: true,
|
|
OldBranch: "main",
|
|
NewBranch: "main",
|
|
})
|
|
assert.NoError(t, err)
|
|
|
|
// create Pull to merge the important-secrets branch into main branch.
|
|
pullIssue := &issues_model.Issue{
|
|
RepoID: baseRepo.ID,
|
|
Title: "PR with conflict!",
|
|
PosterID: user.ID,
|
|
Poster: user,
|
|
IsPull: true,
|
|
}
|
|
|
|
pullRequest := &issues_model.PullRequest{
|
|
HeadRepoID: baseRepo.ID,
|
|
BaseRepoID: baseRepo.ID,
|
|
HeadBranch: "important-secrets",
|
|
BaseBranch: "main",
|
|
HeadRepo: baseRepo,
|
|
BaseRepo: baseRepo,
|
|
Type: issues_model.PullRequestGitea,
|
|
}
|
|
err = pull.NewPullRequest(git.DefaultContext, baseRepo, pullIssue, nil, nil, pullRequest, nil)
|
|
assert.NoError(t, err)
|
|
|
|
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{Title: "PR with conflict!"})
|
|
conflictingPR, err := issues_model.GetPullRequestByIssueID(db.DefaultContext, issue.ID)
|
|
assert.NoError(t, err)
|
|
|
|
// Ensure conflictedFiles is populated.
|
|
assert.Equal(t, 1, len(conflictingPR.ConflictedFiles))
|
|
// Check if status is correct.
|
|
assert.Equal(t, issues_model.PullRequestStatusConflict, conflictingPR.Status)
|
|
// Ensure that mergeable returns false
|
|
assert.False(t, conflictingPR.Mergeable())
|
|
})
|
|
}
|