afan
/
gitea
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Activity
gitea源码
1 Commit
2 Grenar
Träd: 61128e8e94
Grenar Taggar
${ item.name }
Create branch ${ searchTerm }
from '61128e8e94'
${ noResults }
gitea/services/actions/auth.go

auth.go 2.3KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109 
  1. // Copyright 2024 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package actions

  5. 

  6. import (

  7. 	"errors"

  8. 	"fmt"

  9. 	"net/http"

  10. 	"strings"

  11. 	"time"

  12. 

  13. 	"code.gitea.io/gitea/modules/json"

  14. 	"code.gitea.io/gitea/modules/log"

  15. 	"code.gitea.io/gitea/modules/setting"

  16. 

  17. 	"github.com/golang-jwt/jwt/v5"

  18. )

  19. 

  20. type actionsClaims struct {

  21. 	jwt.RegisteredClaims

  22. 	Scp    string `json:"scp"`

  23. 	TaskID int64

  24. 	RunID  int64

  25. 	JobID  int64

  26. 	Ac     string `json:"ac"`

  27. }

  28. 

  29. type actionsCacheScope struct {

  30. 	Scope      string

  31. 	Permission actionsCachePermission

  32. }

  33. 

  34. type actionsCachePermission int

  35. 

  36. const (

  37. 	actionsCachePermissionRead = 1 << iota

  38. 	actionsCachePermissionWrite

  39. )

  40. 

  41. func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {

  42. 	now := time.Now()

  43. 

  44. 	ac, err := json.Marshal(&[]actionsCacheScope{

  45. 		{

  46. 			Scope:      "",

  47. 			Permission: actionsCachePermissionWrite,

  48. 		},

  49. 	})

  50. 	if err != nil {

  51. 		return "", err

  52. 	}

  53. 

  54. 	claims := actionsClaims{

  55. 		RegisteredClaims: jwt.RegisteredClaims{

  56. 			ExpiresAt: jwt.NewNumericDate(now.Add(1*time.Hour + setting.Actions.EndlessTaskTimeout)),

  57. 			NotBefore: jwt.NewNumericDate(now),

  58. 		},

  59. 		Scp:    fmt.Sprintf("Actions.Results:%d:%d", runID, jobID),

  60. 		Ac:     string(ac),

  61. 		TaskID: taskID,

  62. 		RunID:  runID,

  63. 		JobID:  jobID,

  64. 	}

  65. 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

  66. 

  67. 	tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())

  68. 	if err != nil {

  69. 		return "", err

  70. 	}

  71. 

  72. 	return tokenString, nil

  73. }

  74. 

  75. func ParseAuthorizationToken(req *http.Request) (int64, error) {

  76. 	h := req.Header.Get("Authorization")

  77. 	if h == "" {

  78. 		return 0, nil

  79. 	}

  80. 

  81. 	parts := strings.SplitN(h, " ", 2)

  82. 	if len(parts) != 2 {

  83. 		log.Error("split token failed: %s", h)

  84. 		return 0, errors.New("split token failed")

  85. 	}

  86. 

  87. 	return TokenToTaskID(parts[1])

  88. }

  89. 

  90. // TokenToTaskID returns the TaskID associated with the provided JWT token

  91. func TokenToTaskID(token string) (int64, error) {

  92. 	parsedToken, err := jwt.ParseWithClaims(token, &actionsClaims{}, func(t *jwt.Token) (any, error) {

  93. 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {

  94. 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])

  95. 		}

  96. 		return setting.GetGeneralTokenSigningSecret(), nil

  97. 	})

  98. 	if err != nil {

  99. 		return 0, err

  100. 	}

  101. 

  102. 	c, ok := parsedToken.Claims.(*actionsClaims)

  103. 	if !parsedToken.Valid || !ok {

  104. 		return 0, errors.New("invalid token claim")

  105. 	}

  106. 

  107. 	return c.TaskID, nil

  108. }