Disable Oauth check if oauth disabled (#32368)

Fix #32367

---------

Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 840ad7eefe2b49ab453b9a89b153a264a8c9f8a2)

Conflicts:
	services/auth/oauth2.go
  trivial context conflict
This commit is contained in:
Lunny Xiao 2024-11-12 13:33:35 -08:00 committed by Earl Warren
parent 7f51210672
commit 56971f9ed9
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
2 changed files with 40 additions and 31 deletions

View file

@ -327,6 +327,13 @@ func registerRoutes(m *web.Route) {
} }
} }
oauth2Enabled := func(ctx *context.Context) {
if !setting.OAuth2.Enabled {
ctx.Error(http.StatusForbidden)
return
}
}
reqMilestonesDashboardPageEnabled := func(ctx *context.Context) { reqMilestonesDashboardPageEnabled := func(ctx *context.Context) {
if !setting.Service.ShowMilestonesDashboardPage { if !setting.Service.ShowMilestonesDashboardPage {
ctx.Error(http.StatusForbidden) ctx.Error(http.StatusForbidden)
@ -516,16 +523,18 @@ func registerRoutes(m *web.Route) {
m.Any("/user/events", routing.MarkLongPolling, events.Events) m.Any("/user/events", routing.MarkLongPolling, events.Events)
m.Group("/login/oauth", func() { m.Group("/login/oauth", func() {
m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth) m.Group("", func() {
m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth) m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
// TODO manage redirection m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth) // TODO manage redirection
}, ignSignInAndCsrf, reqSignIn) m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
}, ignSignInAndCsrf, reqSignIn)
m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth) m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth) m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys) m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth) m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
}, oauth2Enabled)
m.Group("/user/settings", func() { m.Group("/user/settings", func() {
m.Get("", user_setting.Profile) m.Get("", user_setting.Profile)
@ -567,17 +576,24 @@ func registerRoutes(m *web.Route) {
}, openIDSignInEnabled) }, openIDSignInEnabled)
m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink) m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
}) })
m.Group("/applications/oauth2", func() {
m.Get("/{id}", user_setting.OAuth2ApplicationShow) m.Group("/applications", func() {
m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit) // oauth2 applications
m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret) m.Group("/oauth2", func() {
m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost) m.Get("/{id}", user_setting.OAuth2ApplicationShow)
m.Post("/{id}/delete", user_setting.DeleteOAuth2Application) m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant) m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
}, oauth2Enabled)
// access token applications
m.Combo("").Get(user_setting.Applications).
Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
m.Post("/delete", user_setting.DeleteApplication)
}) })
m.Combo("/applications").Get(user_setting.Applications).
Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
m.Post("/applications/delete", user_setting.DeleteApplication)
m.Combo("/keys").Get(user_setting.Keys). m.Combo("/keys").Get(user_setting.Keys).
Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost) Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost)
m.Post("/keys/delete", user_setting.DeleteKey) m.Post("/keys/delete", user_setting.DeleteKey)
@ -755,12 +771,7 @@ func registerRoutes(m *web.Route) {
m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret) m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
m.Post("/delete", admin.DeleteApplication) m.Post("/delete", admin.DeleteApplication)
}) })
}, func(ctx *context.Context) { }, oauth2Enabled)
if !setting.OAuth2.Enabled {
ctx.Error(http.StatusForbidden)
return
}
})
m.Group("/actions", func() { m.Group("/actions", func() {
m.Get("", admin.RedirectToDefaultSetting) m.Get("", admin.RedirectToDefaultSetting)
@ -883,12 +894,7 @@ func registerRoutes(m *web.Route) {
m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret) m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret)
m.Post("/delete", org.DeleteOAuth2Application) m.Post("/delete", org.DeleteOAuth2Application)
}) })
}, func(ctx *context.Context) { }, oauth2Enabled)
if !setting.OAuth2.Enabled {
ctx.Error(http.StatusForbidden)
return
}
})
m.Group("/hooks", func() { m.Group("/hooks", func() {
m.Get("", org.Webhooks) m.Get("", org.Webhooks)

View file

@ -68,6 +68,9 @@ func grantAdditionalScopes(grantScopes string) string {
// CheckOAuthAccessToken returns uid of user from oauth token // CheckOAuthAccessToken returns uid of user from oauth token
// + non default openid scopes requested // + non default openid scopes requested
func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) { func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) {
if !setting.OAuth2.Enabled {
return 0, ""
}
// JWT tokens require a "." // JWT tokens require a "."
if !strings.Contains(accessToken, ".") { if !strings.Contains(accessToken, ".") {
return 0, "" return 0, ""