From e4dfb8c1c75819b02c0ed0360ca62d65c198df58 Mon Sep 17 00:00:00 2001 From: Finn Date: Thu, 12 Sep 2024 15:57:45 -0700 Subject: [PATCH] inject the vars and secrets into the job - should be environment variables eventually --- models/actions/variable.go | 5 ++++- models/secret/secret.go | 1 + routers/api/actions/artifacts.go | 2 +- routers/api/actions/oidc.go | 5 +++++ routers/init.go | 2 +- 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/models/actions/variable.go b/models/actions/variable.go index d0f917d92..5a81cd725 100644 --- a/models/actions/variable.go +++ b/models/actions/variable.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/models/db" "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "xorm.io/builder" @@ -102,7 +103,9 @@ func DeleteVariable(ctx context.Context, id int64) error { } func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) { - variables := map[string]string{} + variables := map[string]string{ + "ACTIONS_ID_TOKEN_REQUEST_URL": setting.AppURL + "/api/actions_token?api-version=2.0", + } if err := run.LoadRepo(ctx); err != nil { log.Error("LoadRepo: %v", err) diff --git a/models/secret/secret.go b/models/secret/secret.go index ce0ad65a7..cd78c6227 100644 --- a/models/secret/secret.go +++ b/models/secret/secret.go @@ -135,6 +135,7 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[ secrets["GITHUB_TOKEN"] = task.Token secrets["GITEA_TOKEN"] = task.Token + secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget { // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated. diff --git a/routers/api/actions/artifacts.go b/routers/api/actions/artifacts.go index bc29e4481..0d4f53982 100644 --- a/routers/api/actions/artifacts.go +++ b/routers/api/actions/artifacts.go @@ -135,7 +135,7 @@ func ArtifactContexter() func(next http.Handler) http.Handler { // action task call server api with Bearer ACTIONS_RUNTIME_TOKEN // we should verify the ACTIONS_RUNTIME_TOKEN authHeader := req.Header.Get("Authorization") - if len(authHeader) == 0 || !strings.HasPrefix(authHeader, "Bearer ") { + if len(authHeader) == 0 || !strings.HasPrefix(strings.ToLower(authHeader), "bearer ") { ctx.Error(http.StatusUnauthorized, "Bad authorization header") return } diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go index 4d5a03cf1..d6102ce63 100644 --- a/routers/api/actions/oidc.go +++ b/routers/api/actions/oidc.go @@ -6,6 +6,7 @@ import ( "encoding/json" "fmt" "net/http" + "strings" "time" "code.gitea.io/gitea/modules/log" @@ -42,6 +43,8 @@ type openIDConfiguration struct { func OIDCRoutes(prefix string) *web.Route { m := web.NewRoute() + prefix = strings.TrimPrefix(prefix, "/") + // TODO: generate this once and store it across restarts. In the database I assume? _, caPrivateKey, err := ed25519.GenerateKey(rand.Reader) if err != nil { @@ -180,6 +183,7 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) { } func (o oidcRoutes) getJWKS(resp http.ResponseWriter, req *http.Request) { + resp.Header().Set("Content-Type", "application/json") err := json.NewEncoder(resp).Encode(o.jwks) if err != nil { log.Error("error encoding jwks response: ", err) @@ -189,6 +193,7 @@ func (o oidcRoutes) getJWKS(resp http.ResponseWriter, req *http.Request) { } func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.Request) { + resp.Header().Set("Content-Type", "application/json") err := json.NewEncoder(resp).Encode(o.openIDConfiguration) if err != nil { log.Error("error encoding jwks response: ", err) diff --git a/routers/init.go b/routers/init.go index 63cdd9cba..174fefb72 100644 --- a/routers/init.go +++ b/routers/init.go @@ -195,7 +195,7 @@ func NormalRoutes() *web.Route { prefix := "/api/actions" r.Mount(prefix, actions_router.Routes(prefix)) - prefix = "/api/actions_token" + prefix = "/api/actions_idtoken" r.Mount(prefix, actions_router.OIDCRoutes(prefix)) // TODO: not sure what prefix should be used here // TODO: Pipeline api used for runner internal communication with gitea server. but only artifact is used for now.