github/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-08-08 13:11:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

add token scope

Browse Source
This commit is contained in:
Lunny Xiao 2025-07-06 15:11:20 -07:00
parent 899efca7c4
commit 0df053f2ae
No known key found for this signature in database
GPG Key ID: C3B7C91B632F738A
4 changed files with 41 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
models/auth/access_token_scope.go
View File

@ -24,6 +24,7 @@ const (
AccessTokenScopeCategoryIssue AccessTokenScopeCategoryIssue
AccessTokenScopeCategoryRepository AccessTokenScopeCategoryRepository
AccessTokenScopeCategoryUser AccessTokenScopeCategoryUser
AccessTokenScopeCategoryProject
) )
// AllAccessTokenScopeCategories contains all access token scope categories // AllAccessTokenScopeCategories contains all access token scope categories
@ -37,6 +38,7 @@ var AllAccessTokenScopeCategories = []AccessTokenScopeCategory{
AccessTokenScopeCategoryIssue, AccessTokenScopeCategoryIssue,
AccessTokenScopeCategoryRepository, AccessTokenScopeCategoryRepository,
AccessTokenScopeCategoryUser, AccessTokenScopeCategoryUser,
AccessTokenScopeCategoryProject,
} }
// AccessTokenScopeLevel represents the access levels without a given scope category // AccessTokenScopeLevel represents the access levels without a given scope category
@ -82,6 +84,9 @@ const (
AccessTokenScopeReadUser AccessTokenScope = "read:user" AccessTokenScopeReadUser AccessTokenScope = "read:user"
AccessTokenScopeWriteUser AccessTokenScope = "write:user" AccessTokenScopeWriteUser AccessTokenScope = "write:user"
AccessTokenScopeReadProject AccessTokenScope = "read:project"
AccessTokenScopeWriteProject AccessTokenScope = "write:project"
) )
// accessTokenScopeBitmap represents a bitmap of access token scopes. // accessTokenScopeBitmap represents a bitmap of access token scopes.
@ -124,6 +129,9 @@ const (
accessTokenScopeReadUserBits accessTokenScopeBitmap = 1 << iota accessTokenScopeReadUserBits accessTokenScopeBitmap = 1 << iota
accessTokenScopeWriteUserBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadUserBits accessTokenScopeWriteUserBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadUserBits
accessTokenScopeReadProjectBits accessTokenScopeBitmap = 1 << iota
accessTokenScopeWriteProjectBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadProjectBits
// The current implementation only supports up to 64 token scopes. // The current implementation only supports up to 64 token scopes.
// If we need to support > 64 scopes, // If we need to support > 64 scopes,
// refactoring the whole implementation in this file (and only this file) is needed. // refactoring the whole implementation in this file (and only this file) is needed.
@ -142,6 +150,7 @@ var allAccessTokenScopes = []AccessTokenScope{
AccessTokenScopeWriteIssue, AccessTokenScopeReadIssue, AccessTokenScopeWriteIssue, AccessTokenScopeReadIssue,
AccessTokenScopeWriteRepository, AccessTokenScopeReadRepository, AccessTokenScopeWriteRepository, AccessTokenScopeReadRepository,
AccessTokenScopeWriteUser, AccessTokenScopeReadUser, AccessTokenScopeWriteUser, AccessTokenScopeReadUser,
AccessTokenScopeWriteProject, AccessTokenScopeReadProject,
} }
// allAccessTokenScopeBits contains all access token scopes. // allAccessTokenScopeBits contains all access token scopes.
@ -166,6 +175,8 @@ var allAccessTokenScopeBits = map[AccessTokenScope]accessTokenScopeBitmap{
AccessTokenScopeWriteRepository: accessTokenScopeWriteRepositoryBits, AccessTokenScopeWriteRepository: accessTokenScopeWriteRepositoryBits,
AccessTokenScopeReadUser: accessTokenScopeReadUserBits, AccessTokenScopeReadUser: accessTokenScopeReadUserBits,
AccessTokenScopeWriteUser: accessTokenScopeWriteUserBits, AccessTokenScopeWriteUser: accessTokenScopeWriteUserBits,
AccessTokenScopeReadProject: accessTokenScopeReadProjectBits,
AccessTokenScopeWriteProject: accessTokenScopeWriteProjectBits,
} }
// readAccessTokenScopes maps a scope category to the read permission scope // readAccessTokenScopes maps a scope category to the read permission scope
@ -180,6 +191,7 @@ var accessTokenScopes = map[AccessTokenScopeLevel]map[AccessTokenScopeCategory]A
AccessTokenScopeCategoryIssue: AccessTokenScopeReadIssue, AccessTokenScopeCategoryIssue: AccessTokenScopeReadIssue,
AccessTokenScopeCategoryRepository: AccessTokenScopeReadRepository, AccessTokenScopeCategoryRepository: AccessTokenScopeReadRepository,
AccessTokenScopeCategoryUser: AccessTokenScopeReadUser, AccessTokenScopeCategoryUser: AccessTokenScopeReadUser,
AccessTokenScopeCategoryProject: AccessTokenScopeReadProject,
}, },
Write: { Write: {
AccessTokenScopeCategoryActivityPub: AccessTokenScopeWriteActivityPub, AccessTokenScopeCategoryActivityPub: AccessTokenScopeWriteActivityPub,
@ -191,6 +203,7 @@ var accessTokenScopes = map[AccessTokenScopeLevel]map[AccessTokenScopeCategory]A
AccessTokenScopeCategoryIssue: AccessTokenScopeWriteIssue, AccessTokenScopeCategoryIssue: AccessTokenScopeWriteIssue,
AccessTokenScopeCategoryRepository: AccessTokenScopeWriteRepository, AccessTokenScopeCategoryRepository: AccessTokenScopeWriteRepository,
AccessTokenScopeCategoryUser: AccessTokenScopeWriteUser, AccessTokenScopeCategoryUser: AccessTokenScopeWriteUser,
AccessTokenScopeCategoryProject: AccessTokenScopeWriteProject,
}, },
} }

23
routers/api/v1/api.go
View File

@ -1042,6 +1042,13 @@ func Routes() *web.Router {
m.Get("/subscriptions", user.GetWatchedRepos) m.Get("/subscriptions", user.GetWatchedRepos)
}, context.UserAssignmentAPI(), checkTokenPublicOnly()) }, context.UserAssignmentAPI(), checkTokenPublicOnly())
m.Group("/{username}", func() {
m.Group("/projects", func() {
m.Get("", projects.ListUserProjects)
m.Post("", bind(api.NewProjectOption{}), projects.CreateUserProject)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryProject))
}, context.UserAssignmentAPI())
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken()) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())
// Users (requires user scope) // Users (requires user scope)
@ -1162,11 +1169,6 @@ func Routes() *web.Router {
m.Delete("", user.UnblockUser) m.Delete("", user.UnblockUser)
}, context.UserAssignmentAPI(), checkTokenPublicOnly()) }, context.UserAssignmentAPI(), checkTokenPublicOnly())
}) })
m.Group("/projects", func() {
m.Get("", projects.ListUserProjects)
m.Post("", bind(api.NewProjectOption{}), projects.CreateUserProject)
})
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken()) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())
// Repositories (requires repo scope, org scope) // Repositories (requires repo scope, org scope)
@ -1476,7 +1478,7 @@ func Routes() *web.Router {
m.Group("/projects", func() { m.Group("/projects", func() {
m.Post("", bind(api.NewProjectOption{}), projects.CreateRepoProject) m.Post("", bind(api.NewProjectOption{}), projects.CreateRepoProject)
}) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryProject))
}, repoAssignment(), checkTokenPublicOnly()) }, repoAssignment(), checkTokenPublicOnly())
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository)) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))
@ -1701,7 +1703,7 @@ func Routes() *web.Router {
m.Group("/projects", func() { m.Group("/projects", func() {
m.Post("", bind(api.NewProjectOption{}), projects.CreateOrgProject) m.Post("", bind(api.NewProjectOption{}), projects.CreateOrgProject)
m.Get("", projects.ListOrgProjects) m.Get("", projects.ListOrgProjects)
}) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryProject))
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(true), checkTokenPublicOnly()) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(true), checkTokenPublicOnly())
m.Group("/teams/{teamid}", func() { m.Group("/teams/{teamid}", func() {
m.Combo("").Get(reqToken(), org.GetTeam). m.Combo("").Get(reqToken(), org.GetTeam).
@ -1724,6 +1726,13 @@ func Routes() *web.Router {
m.Get("/activities/feeds", org.ListTeamActivityFeeds) m.Get("/activities/feeds", org.ListTeamActivityFeeds)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(false, true), reqToken(), reqTeamMembership(), checkTokenPublicOnly()) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(false, true), reqToken(), reqTeamMembership(), checkTokenPublicOnly())
// Projects
m.Group("/projects", func() {
m.Get("{project_id}", projects.GetProject)
m.Patch("{project_id}", bind(api.UpdateProjectOption{}), projects.UpdateProject)
m.Delete("{project_id}", projects.DeleteProject)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryProject), reqToken())
m.Group("/admin", func() { m.Group("/admin", func() {
m.Group("/cron", func() { m.Group("/cron", func() {
m.Get("", admin.ListCronTasks) m.Get("", admin.ListCronTasks)

6
routers/api/v1/projects/project.go
View File

@ -158,7 +158,7 @@ func GetProject(ctx *context.APIContext) {
// "$ref": "#/responses/forbidden" // "$ref": "#/responses/forbidden"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
project, err := project_model.GetProjectByID(ctx, ctx.FormInt64("id")) project, err := project_model.GetProjectByID(ctx, ctx.FormInt64("project_id"))
if err != nil { if err != nil {
if project_model.IsErrProjectNotExist(err) { if project_model.IsErrProjectNotExist(err) {
ctx.APIError(http.StatusNotFound, err) ctx.APIError(http.StatusNotFound, err)
@ -202,7 +202,7 @@ func UpdateProject(ctx *context.APIContext) {
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
form := web.GetForm(ctx).(*api.UpdateProjectOption) form := web.GetForm(ctx).(*api.UpdateProjectOption)
project, err := project_model.GetProjectByID(ctx, ctx.FormInt64("id")) project, err := project_model.GetProjectByID(ctx, ctx.FormInt64("project_id"))
if err != nil { if err != nil {
if project_model.IsErrProjectNotExist(err) { if project_model.IsErrProjectNotExist(err) {
ctx.APIError(http.StatusNotFound, err) ctx.APIError(http.StatusNotFound, err)
@ -249,7 +249,7 @@ func DeleteProject(ctx *context.APIContext) {
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
if err := project_model.DeleteProjectByID(ctx, ctx.FormInt64("id")); err != nil { if err := project_model.DeleteProjectByID(ctx, ctx.FormInt64("project_id")); err != nil {
ctx.APIErrorInternal(err) ctx.APIErrorInternal(err)
return return
} }

18
tests/integration/api_project_test.go
View File

@ -23,9 +23,9 @@ func TestAPICreateUserProject(t *testing.T) {
const title, description = "project_name", "project_description" const title, description = "project_name", "project_description"
templateType := project_model.TemplateTypeBasicKanban.ToString() templateType := project_model.TemplateTypeBasicKanban.ToString()
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteIssue, auth_model.AccessTokenScopeWriteUser) token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteProject, auth_model.AccessTokenScopeWriteUser)
req := NewRequestWithJSON(t, "POST", "/api/v1/user/projects", &api.NewProjectOption{ req := NewRequestWithJSON(t, "POST", "/api/v1/users/user2/projects", &api.NewProjectOption{
Name: title, Name: title,
Body: description, Body: description,
TemplateType: templateType, TemplateType: templateType,
@ -91,7 +91,7 @@ func TestAPIListUserProjects(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadIssue) token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadIssue)
link, _ := url.Parse("/api/v1/user/projects") link, _ := url.Parse("/api/v1/users/user2/projects")
req := NewRequest(t, "GET", link.String()).AddTokenAuth(token) req := NewRequest(t, "GET", link.String()).AddTokenAuth(token)
var apiProjects []*api.Project var apiProjects []*api.Project
@ -134,8 +134,8 @@ func TestAPIListRepoProjects(t *testing.T) {
func TestAPIGetProject(t *testing.T) { func TestAPIGetProject(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadIssue) token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadProject)
link, _ := url.Parse(fmt.Sprintf("/api/v1/projects/%d", 1)) link, _ := url.Parse(fmt.Sprintf("/api/v1/projects/%d", 4))
req := NewRequest(t, "GET", link.String()).AddTokenAuth(token) req := NewRequest(t, "GET", link.String()).AddTokenAuth(token)
var apiProject *api.Project var apiProject *api.Project
@ -149,8 +149,8 @@ func TestAPIGetProject(t *testing.T) {
func TestAPIUpdateProject(t *testing.T) { func TestAPIUpdateProject(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteUser, auth_model.AccessTokenScopeWriteIssue) token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteProject)
link, _ := url.Parse(fmt.Sprintf("/api/v1/projects/%d", 1)) link, _ := url.Parse(fmt.Sprintf("/api/v1/projects/%d", 4))
req := NewRequestWithJSON(t, "PATCH", link.String(), &api.UpdateProjectOption{Name: "First project updated"}).AddTokenAuth(token) req := NewRequestWithJSON(t, "PATCH", link.String(), &api.UpdateProjectOption{Name: "First project updated"}).AddTokenAuth(token)
@ -163,8 +163,8 @@ func TestAPIUpdateProject(t *testing.T) {
func TestAPIDeleteProject(t *testing.T) { func TestAPIDeleteProject(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteUser, auth_model.AccessTokenScopeWriteIssue) token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteProject)
link, _ := url.Parse(fmt.Sprintf("/api/v1/projects/%d", 1)) link, _ := url.Parse(fmt.Sprintf("/api/v1/projects/%d", 4))
req := NewRequest(t, "DELETE", link.String()).AddTokenAuth(token) req := NewRequest(t, "DELETE", link.String()).AddTokenAuth(token)