forgejo/services/actions/auth_test.go

// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package actions

import (
	"net/http"
	"testing"

	"code.gitea.io/gitea/modules/json"
	"code.gitea.io/gitea/modules/setting"

	"github.com/golang-jwt/jwt/v5"
	"github.com/stretchr/testify/assert"
)

func TestCreateAuthorizationToken(t *testing.T) {
	var taskID int64 = 23
	token, err := CreateAuthorizationToken(taskID, 1, 2)
	assert.Nil(t, err)
	assert.NotEqual(t, "", token)
	claims := jwt.MapClaims{}
	_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
		return setting.GetGeneralTokenSigningSecret(), nil
	})
	assert.Nil(t, err)
	scp, ok := claims["scp"]
	assert.True(t, ok, "Has scp claim in jwt token")
	assert.Contains(t, scp, "Actions.Results:1:2")
	taskIDClaim, ok := claims["TaskID"]
	assert.True(t, ok, "Has TaskID claim in jwt token")
	assert.Equal(t, float64(taskID), taskIDClaim, "Supplied taskid must match stored one")
	acClaim, ok := claims["ac"]
	assert.True(t, ok, "Has ac claim in jwt token")
	ac, ok := acClaim.(string)
	assert.True(t, ok, "ac claim is a string for buildx gha cache")
	scopes := []actionsCacheScope{}
	err = json.Unmarshal([]byte(ac), &scopes)
	assert.NoError(t, err, "ac claim is a json list for buildx gha cache")
	assert.GreaterOrEqual(t, len(scopes), 1, "Expected at least one action cache scope for buildx gha cache")
}

func TestParseAuthorizationToken(t *testing.T) {
	var taskID int64 = 23
	token, err := CreateAuthorizationToken(taskID, 1, 2)
	assert.Nil(t, err)
	assert.NotEqual(t, "", token)
	headers := http.Header{}
	headers.Set("Authorization", "Bearer "+token)
	rTaskID, err := ParseAuthorizationToken(&http.Request{
		Header: headers,
	})
	assert.Nil(t, err)
	assert.Equal(t, taskID, rTaskID)
}

func TestParseAuthorizationTokenNoAuthHeader(t *testing.T) {
	headers := http.Header{}
	rTaskID, err := ParseAuthorizationToken(&http.Request{
		Header: headers,
	})
	assert.Nil(t, err)
	assert.Equal(t, int64(0), rTaskID)
}
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`// Copyright 2024 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package actions`

			`import (`
			`"net/http"`
			`"testing"`

Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` (cherry picked from commit 368743baf3d904f86b553a88718583906f571c87) 2024-03-05 18:34:42 +01:00			`"code.gitea.io/gitea/modules/json"`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`"code.gitea.io/gitea/modules/setting"`

			`"github.com/golang-jwt/jwt/v5"`
			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestCreateAuthorizationToken(t *testing.T) {`
			`var taskID int64 = 23`
			`token, err := CreateAuthorizationToken(taskID, 1, 2)`
			`assert.Nil(t, err)`
			`assert.NotEqual(t, "", token)`
			`claims := jwt.MapClaims{}`
Add `interface{}` to `any` replacement to `make fmt`, exclude `.pb.go` (#30461) Since https://github.com/go-gitea/gitea/pull/25686, a few `interface{}` have sneaked into the codebase. Add this replacement to `make fmt` to prevent this from happening again. Ideally a linter would do this, but I haven't found any suitable. (cherry picked from commit c77e8140bc2ac6521dbebfb77613dce2648bfcb8) Conflicts: - .gitattributes Trivial conflict resolved by picking our choice of language for `.tmpl` files. 2024-04-13 19:32:15 +02:00			`_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {`
Port "Use general token signing secret" Port of https://github.com/go-gitea/gitea/pull/29205 Use a clearly defined "signing secret" for token signing. (cherry picked from commit 8be198cdef0a486f417663b1fd6878458d7e5d92) 2024-02-18 18:39:04 +01:00			`return setting.GetGeneralTokenSigningSecret(), nil`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`})`
			`assert.Nil(t, err)`
			`scp, ok := claims["scp"]`
			`assert.True(t, ok, "Has scp claim in jwt token")`
			`assert.Contains(t, scp, "Actions.Results:1:2")`
			`taskIDClaim, ok := claims["TaskID"]`
			`assert.True(t, ok, "Has TaskID claim in jwt token")`
			`assert.Equal(t, float64(taskID), taskIDClaim, "Supplied taskid must match stored one")`
Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584) Also resolves a warning for current releases ``` \| ##[group]GitHub Actions runtime token ACs \| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON \| ##[endgroup] ====> \| ##[group]GitHub Actions runtime token ACs \| ##[endgroup] ``` \* this is an error in v3 References in the docker org: - https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24 - https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61 No known official action of GitHub makes use of this claim. Current releases throw an error when configure to use actions cache ``` \| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls \| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls ``` (cherry picked from commit 368743baf3d904f86b553a88718583906f571c87) 2024-03-05 18:34:42 +01:00			`acClaim, ok := claims["ac"]`
			`assert.True(t, ok, "Has ac claim in jwt token")`
			`ac, ok := acClaim.(string)`
			`assert.True(t, ok, "ac claim is a string for buildx gha cache")`
			`scopes := []actionsCacheScope{}`
			`err = json.Unmarshal([]byte(ac), &scopes)`
			`assert.NoError(t, err, "ac claim is a json list for buildx gha cache")`
			`assert.GreaterOrEqual(t, len(scopes), 1, "Expected at least one action cache scope for buildx gha cache")`
Add artifacts v4 jwt to job message and accept it (#28885) This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471> 2024-02-02 15:25:59 +01:00			`}`

			`func TestParseAuthorizationToken(t *testing.T) {`
			`var taskID int64 = 23`
			`token, err := CreateAuthorizationToken(taskID, 1, 2)`
			`assert.Nil(t, err)`
			`assert.NotEqual(t, "", token)`
			`headers := http.Header{}`
			`headers.Set("Authorization", "Bearer "+token)`
			`rTaskID, err := ParseAuthorizationToken(&http.Request{`
			`Header: headers,`
			`})`
			`assert.Nil(t, err)`
			`assert.Equal(t, taskID, rTaskID)`
			`}`

			`func TestParseAuthorizationTokenNoAuthHeader(t *testing.T) {`
			`headers := http.Header{}`
			`rTaskID, err := ParseAuthorizationToken(&http.Request{`
			`Header: headers,`
			`})`
			`assert.Nil(t, err)`
			`assert.Equal(t, int64(0), rTaskID)`
			`}`