Support scoped access tokens (#20908)

This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
2023-01-17 16:46:03 -05:00 · 2023-01-17 16:46:03 -05:00 · de484e86bc
commit de484e86bc
parent db2286bbb6
79 changed files with 1221 additions and 449 deletions
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@ -59,6 +59,8 @@ func (o *OAuth2) Name() string {
 }

 // userIDFromToken returns the user id corresponding to the OAuth token.
+// It will set 'IsApiToken' to true if the token is an API token and
+// set 'ApiTokenScope' to the scope of the access token
 func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
 	_ = req.ParseForm()

@ -86,6 +88,7 @@ func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
 		uid := CheckOAuthAccessToken(tokenSHA)
 		if uid != 0 {
 			store.GetData()["IsApiToken"] = true
+			store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScopeAll // fallback to all
 		}
 		return uid
 	}
@ -101,6 +104,7 @@ func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
 		log.Error("UpdateAccessToken: %v", err)
 	}
 	store.GetData()["IsApiToken"] = true
+	store.GetData()["ApiTokenScope"] = t.Scope
 	return t.UID
 }

--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@ -9,6 +9,7 @@ import (
 	"net/http"
 	"strings"

+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
@ -377,7 +378,8 @@ func (f *AddSecretForm) Validate(req *http.Request, errs binding.Errors) binding

 // NewAccessTokenForm form for creating access token
 type NewAccessTokenForm struct {
-	Name string `binding:"Required;MaxSize(255)"`
+	Name  string `binding:"Required;MaxSize(255)"`
+	Scope []string
 }

 // Validate validates the fields
@ -386,6 +388,12 @@ func (f *NewAccessTokenForm) Validate(req *http.Request, errs binding.Errors) bi
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }

+func (f *NewAccessTokenForm) GetScope() (auth_model.AccessTokenScope, error) {
+	scope := strings.Join(f.Scope, ",")
+	s, err := auth_model.AccessTokenScope(scope).Normalize()
+	return s, err
+}
+
 // EditOAuth2ApplicationForm form for editing oauth2 applications
 type EditOAuth2ApplicationForm struct {
 	Name               string `binding:"Required;MaxSize(255)" form:"application_name"`
--- a/services/forms/user_form_test.go
+++ b/services/forms/user_form_test.go
@ -4,8 +4,10 @@
 package forms

 import (
+	"strconv"
 	"testing"

+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/setting"

 	"github.com/stretchr/testify/assert"
@ -83,3 +85,28 @@ func TestRegisterForm_IsDomainAllowed_BlocklistedEmail(t *testing.T) {
 		assert.Equal(t, v.valid, form.IsEmailDomainAllowed())
 	}
 }
+
+func TestNewAccessTokenForm_GetScope(t *testing.T) {
+	tests := []struct {
+		form        NewAccessTokenForm
+		scope       auth_model.AccessTokenScope
+		expectedErr error
+	}{
+		{
+			form:  NewAccessTokenForm{Name: "test", Scope: []string{"repo"}},
+			scope: "repo",
+		},
+		{
+			form:  NewAccessTokenForm{Name: "test", Scope: []string{"repo", "user"}},
+			scope: "repo,user",
+		},
+	}
+
+	for i, test := range tests {
+		t.Run(strconv.Itoa(i), func(t *testing.T) {
+			scope, err := test.form.GetScope()
+			assert.Equal(t, test.expectedErr, err)
+			assert.Equal(t, test.scope, scope)
+		})
+	}
+}