
Commit 4597aeb

committed
Disable Oauth check if oauth disabled
1 parent a920fcf commit 4597aeb


3 files changed

+64
-34
lines changed


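--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -546,17 +546,19 @@ func registerRoutes(m *web.Router) {
 
 m.Any("/user/events", routing.MarkLongPolling, events.Events)
 
-m.Group("/login/oauth", func() {
-m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
-m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
-// TODO manage redirection
-m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
-}, ignSignInAndCsrf, reqSignIn)
-
-m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
-m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
-m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
-m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
+if setting.OAuth2.Enabled {
+m.Group("/login/oauth", func() {
+m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
+// TODO manage redirection
+m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
+}, ignSignInAndCsrf, reqSignIn)
+
+m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
+m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
+m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
+m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
+}
 
 m.Group("/user/settings", func() {
 m.Get("", user_setting.Profile)
@@ -597,16 +599,20 @@ func registerRoutes(m *web.Router) {
 }, openIDSignInEnabled)
 m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
 })
-m.Group("/applications/oauth2", func() {
-m.Get("/{id}", user_setting.OAuth2ApplicationShow)
-m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
-m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
-m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
-m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
-m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
-})
-m.Combo("/applications").Get(user_setting.Applications).
-Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+
+if setting.OAuth2.Enabled {
+m.Group("/applications/oauth2", func() {
+m.Get("/{id}", user_setting.OAuth2ApplicationShow)
+m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
+m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
+m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
+m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
+m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
+})
+m.Combo("/applications").Get(user_setting.Applications).
+Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+}
+
 m.Post("/applications/delete", user_setting.DeleteApplication)
 m.Combo("/keys").Get(user_setting.Keys).
 Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost)
@@ -773,20 +779,17 @@ func registerRoutes(m *web.Router) {
 m.Post("/empty", admin.EmptyNotices)
 })
 
-m.Group("/applications", func() {
-m.Get("", admin.Applications)
-m.Post("/oauth2", web.Bind(forms.EditOAuth2ApplicationForm{}), admin.ApplicationsPost)
-m.Group("/oauth2/{id}", func() {
-m.Combo("").Get(admin.EditApplication).Post(web.Bind(forms.EditOAuth2ApplicationForm{}), admin.EditApplicationPost)
-m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
-m.Post("/delete", admin.DeleteApplication)
+if setting.OAuth2.Enabled {
+m.Group("/applications", func() {
+m.Get("", admin.Applications)
+m.Post("/oauth2", web.Bind(forms.EditOAuth2ApplicationForm{}), admin.ApplicationsPost)
+m.Group("/oauth2/{id}", func() {
+m.Combo("").Get(admin.EditApplication).Post(web.Bind(forms.EditOAuth2ApplicationForm{}), admin.EditApplicationPost)
+m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
+m.Post("/delete", admin.DeleteApplication)
+})
 })
-}, func(ctx *context.Context) {
-if !setting.OAuth2.Enabled {
-ctx.Error(http.StatusForbidden)
-return
-}
-})
+}
 
 m.Group("/actions", func() {
 m.Get("", admin.RedirectToDefaultSetting)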
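Review bot: In the second hunk, `m.Combo("/applications").Get(user_setting.Applications).Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)` is moved inside `if setting.OAuth2.Enabled`, yet the bound form is NewAccessTokenForm, which suggests that page also manages personal access tokens rather than only OAuth2 applications; if so, turning OAuth2 off removes token management entirely while `m.Post("/applications/delete", user_setting.DeleteApplication)` stays registered just below it. Consider keeping the `/applications` combo outside the condition and gating only the `/applications/oauth2` group. Note also that `setting.OAuth2.Enabled` is now read once at route registration, and the per-request middleware in the third hunk that answered `ctx.Error(http.StatusForbidden)` is gone, so a disabled provider now yields an unregistered route (presumably a 404) rather than a 403 for the admin application pages, which any client or test relying on the old status would notice. registerRoutes starts and ends outside these hunks.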

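--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -31,6 +31,10 @@ func CheckOAuthAccessToken(ctx context.Context, accessToken string) int64 {
 if !strings.Contains(accessToken, ".") {
 return 0
 }
+if !setting.OAuth2.Enabled {
+return 0
+}
+
 token, err := oauth2_provider.ParseToken(accessToken, oauth2_provider.DefaultSigningKey)
 if err != nil {
 log.Trace("oauth2.ParseToken: %v", err)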
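Review bot: The new `if !setting.OAuth2.Enabled { return 0 }` is placed after the `strings.Contains(accessToken, ".")` check, so a disabled provider still inspects the token shape before declining it; putting the guard first makes the short-circuit unconditional, i.e. move it above `if !strings.Contains(accessToken, ".") {`. The guard also has no comment saying why it exists; something like `// OAuth2 tokens cannot be valid while the provider is disabled; do not attempt to parse them` would save the next reader a trip to the commit log. Returning 0 presumably lets the caller fall through to the other token checks rather than rejecting the request outright — worth confirming that is the intended behaviour when OAuth2 is off. CheckOAuthAccessToken begins before this hunk and continues after it.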

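--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -7,8 +7,10 @@ import (
 "bytes"
 "io"
 "net/http"
+"net/url"
 "testing"
 
+auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/modules/json"
 "code.gitea.io/gitea/modules/setting"
 oauth2_provider "code.gitea.io/gitea/services/oauth2_provider"
@@ -477,3 +479,24 @@ func TestOAuthIntrospection(t *testing.T) {
 resp = MakeRequest(t, req, http.StatusUnauthorized)
 assert.Contains(t, resp.Body.String(), "no valid authorization")
 }
+
+func TestGitOpWithOAuthDisabled(t *testing.T) {
+defer tests.PrepareTestEnv(t)()
+
+setting.OAuth2.Enabled = true
+defer func() {
+setting.OAuth2.Enabled = false
+}()
+
+onGiteaRun(t, func(t *testing.T, u *url.URL) {
+httpContext := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeWriteRepository)
+
+u.Path = httpContext.GitPath()
+dstPath := t.TempDir()
+
+u.Path = httpContext.GitPath()
+u.User = url.UserPassword("user2", userPassword)
+
+t.Run("Clone", doGitClone(dstPath, u))
+})
+}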
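Review bot: TestGitOpWithOAuthDisabled sets `setting.OAuth2.Enabled = true` and resets it to `false` in the deferred func, which is the inverse of what its name and the commit describe — as written the clone runs with OAuth2 enabled and the new `!setting.OAuth2.Enabled` branch in CheckOAuthAccessToken is never exercised. It should disable the provider for the test and restore whatever value was there before rather than a hard-coded one: `prev := setting.OAuth2.Enabled`, `setting.OAuth2.Enabled = false`, `defer func() { setting.OAuth2.Enabled = prev }()`. `u.Path = httpContext.GitPath()` is also assigned twice (new lines 494 and 497); one of them can go. Since the router reads the setting once at registration, flipping it here presumably only affects the per-request check in services/auth and not which `/login/oauth` routes exist — worth saying so in a comment on the test so the scope of what it proves is clear.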
