mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-18 03:17:56 +01:00
878c236f49
These are the three conflicted changes from #4716: * https://github.com/go-gitea/gitea/pull/31632 * https://github.com/go-gitea/gitea/pull/31688 * https://github.com/go-gitea/gitea/pull/31706 cc @earl-warren; as per discussion on https://github.com/go-gitea/gitea/pull/31632 this involves a small compatibility break (OIDC introspection requests now require a valid client ID and secret, instead of a valid OIDC token) ## Checklist The [developer guide](https://forgejo.org/docs/next/developer/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Draft release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Breaking features - [PR](https://codeberg.org/forgejo/forgejo/pulls/4724): <!--number 4724 --><!--line 0 --><!--description T0lEQyBpbnRlZ3JhdGlvbnMgdGhhdCBQT1NUIHRvIGAvbG9naW4vb2F1dGgvaW50cm9zcGVjdGAgd2l0aG91dCBzZW5kaW5nIEhUVFAgYmFzaWMgYXV0aGVudGljYXRpb24gd2lsbCBub3cgZmFpbCB3aXRoIGEgNDAxIEhUVFAgVW5hdXRob3JpemVkIGVycm9yLiBUbyBmaXggdGhlIGVycm9yLCB0aGUgY2xpZW50IG11c3QgYmVnaW4gc2VuZGluZyBIVFRQIGJhc2ljIGF1dGhlbnRpY2F0aW9uIHdpdGggYSB2YWxpZCBjbGllbnQgSUQgYW5kIHNlY3JldC4gVGhpcyBlbmRwb2ludCB3YXMgcHJldmlvdXNseSBhdXRoZW50aWNhdGVkIHZpYSB0aGUgaW50cm9zcGVjdGlvbiB0b2tlbiBpdHNlbGYsIHdoaWNoIGlzIGxlc3Mgc2VjdXJlLg==-->OIDC integrations that POST to `/login/oauth/introspect` without sending HTTP basic authentication will now fail with a 401 HTTP Unauthorized error. To fix the error, the client must begin sending HTTP basic authentication with a valid client ID and secret. This endpoint was previously authenticated via the introspection token itself, which is less secure.<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4724 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Shivaram Lingamneni <slingamn@cs.stanford.edu> Co-committed-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
186 lines
6.5 KiB
Go
186 lines
6.5 KiB
Go
// Copyright 2020 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package base
|
|
|
|
import (
|
|
"crypto/sha1"
|
|
"fmt"
|
|
"testing"
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/test"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestEncodeSha256(t *testing.T) {
|
|
assert.Equal(t,
|
|
"c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
|
|
EncodeSha256("foobar"),
|
|
)
|
|
}
|
|
|
|
func TestShortSha(t *testing.T) {
|
|
assert.Equal(t, "veryverylo", ShortSha("veryverylong"))
|
|
}
|
|
|
|
func TestBasicAuthDecode(t *testing.T) {
|
|
_, _, err := BasicAuthDecode("?")
|
|
assert.Equal(t, "illegal base64 data at input byte 0", err.Error())
|
|
|
|
user, pass, err := BasicAuthDecode("Zm9vOmJhcg==")
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "foo", user)
|
|
assert.Equal(t, "bar", pass)
|
|
|
|
_, _, err = BasicAuthDecode("aW52YWxpZA==")
|
|
require.Error(t, err)
|
|
|
|
_, _, err = BasicAuthDecode("invalid")
|
|
require.Error(t, err)
|
|
|
|
_, _, err = BasicAuthDecode("YWxpY2U=") // "alice", no colon
|
|
require.Error(t, err)
|
|
}
|
|
|
|
func TestVerifyTimeLimitCode(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.InstallLock, true)()
|
|
initGeneralSecret := func(secret string) {
|
|
setting.InstallLock = true
|
|
setting.CfgProvider, _ = setting.NewConfigProviderFromData(fmt.Sprintf(`
|
|
[oauth2]
|
|
JWT_SECRET = %s
|
|
`, secret))
|
|
setting.LoadCommonSettings()
|
|
}
|
|
|
|
initGeneralSecret("KZb_QLUd4fYVyxetjxC4eZkrBgWM2SndOOWDNtgUUko")
|
|
now := time.Now()
|
|
|
|
t.Run("TestGenericParameter", func(t *testing.T) {
|
|
time2000 := time.Date(2000, 1, 2, 3, 4, 5, 0, time.Local)
|
|
assert.Equal(t, "2000010203040000026fa5221b2731b7cf80b1b506f5e39e38c115fee5", CreateTimeLimitCode("test-sha1", 2, time2000, sha1.New()))
|
|
assert.Equal(t, "2000010203040000026fa5221b2731b7cf80b1b506f5e39e38c115fee5", CreateTimeLimitCode("test-sha1", 2, "200001020304", sha1.New()))
|
|
assert.Equal(t, "2000010203040000024842227a2f87041ff82025199c0187410a9297bf", CreateTimeLimitCode("test-hmac", 2, time2000, nil))
|
|
assert.Equal(t, "2000010203040000024842227a2f87041ff82025199c0187410a9297bf", CreateTimeLimitCode("test-hmac", 2, "200001020304", nil))
|
|
})
|
|
|
|
t.Run("TestInvalidCode", func(t *testing.T) {
|
|
assert.False(t, VerifyTimeLimitCode(now, "data", 2, ""))
|
|
assert.False(t, VerifyTimeLimitCode(now, "data", 2, "invalid code"))
|
|
})
|
|
|
|
t.Run("TestCreateAndVerify", func(t *testing.T) {
|
|
code := CreateTimeLimitCode("data", 2, now, nil)
|
|
assert.False(t, VerifyTimeLimitCode(now.Add(-time.Minute), "data", 2, code)) // not started yet
|
|
assert.True(t, VerifyTimeLimitCode(now, "data", 2, code))
|
|
assert.True(t, VerifyTimeLimitCode(now.Add(time.Minute), "data", 2, code))
|
|
assert.False(t, VerifyTimeLimitCode(now.Add(time.Minute), "DATA", 2, code)) // invalid data
|
|
assert.False(t, VerifyTimeLimitCode(now.Add(2*time.Minute), "data", 2, code)) // expired
|
|
})
|
|
|
|
t.Run("TestDifferentSecret", func(t *testing.T) {
|
|
// use another secret to ensure the code is invalid for different secret
|
|
verifyDataCode := func(c string) bool {
|
|
return VerifyTimeLimitCode(now, "data", 2, c)
|
|
}
|
|
code1 := CreateTimeLimitCode("data", 2, now, sha1.New())
|
|
code2 := CreateTimeLimitCode("data", 2, now, nil)
|
|
assert.True(t, verifyDataCode(code1))
|
|
assert.True(t, verifyDataCode(code2))
|
|
initGeneralSecret("000_QLUd4fYVyxetjxC4eZkrBgWM2SndOOWDNtgUUko")
|
|
assert.False(t, verifyDataCode(code1))
|
|
assert.False(t, verifyDataCode(code2))
|
|
})
|
|
}
|
|
|
|
func TestFileSize(t *testing.T) {
|
|
var size int64 = 512
|
|
assert.Equal(t, "512 B", FileSize(size))
|
|
size *= 1024
|
|
assert.Equal(t, "512 KiB", FileSize(size))
|
|
size *= 1024
|
|
assert.Equal(t, "512 MiB", FileSize(size))
|
|
size *= 1024
|
|
assert.Equal(t, "512 GiB", FileSize(size))
|
|
size *= 1024
|
|
assert.Equal(t, "512 TiB", FileSize(size))
|
|
size *= 1024
|
|
assert.Equal(t, "512 PiB", FileSize(size))
|
|
size *= 4
|
|
assert.Equal(t, "2.0 EiB", FileSize(size))
|
|
}
|
|
|
|
func TestEllipsisString(t *testing.T) {
|
|
assert.Equal(t, "...", EllipsisString("foobar", 0))
|
|
assert.Equal(t, "...", EllipsisString("foobar", 1))
|
|
assert.Equal(t, "...", EllipsisString("foobar", 2))
|
|
assert.Equal(t, "...", EllipsisString("foobar", 3))
|
|
assert.Equal(t, "f...", EllipsisString("foobar", 4))
|
|
assert.Equal(t, "fo...", EllipsisString("foobar", 5))
|
|
assert.Equal(t, "foobar", EllipsisString("foobar", 6))
|
|
assert.Equal(t, "foobar", EllipsisString("foobar", 10))
|
|
assert.Equal(t, "测...", EllipsisString("测试文本一二三四", 4))
|
|
assert.Equal(t, "测试...", EllipsisString("测试文本一二三四", 5))
|
|
assert.Equal(t, "测试文...", EllipsisString("测试文本一二三四", 6))
|
|
assert.Equal(t, "测试文本一二三四", EllipsisString("测试文本一二三四", 10))
|
|
}
|
|
|
|
func TestTruncateString(t *testing.T) {
|
|
assert.Equal(t, "", TruncateString("foobar", 0))
|
|
assert.Equal(t, "f", TruncateString("foobar", 1))
|
|
assert.Equal(t, "fo", TruncateString("foobar", 2))
|
|
assert.Equal(t, "foo", TruncateString("foobar", 3))
|
|
assert.Equal(t, "foob", TruncateString("foobar", 4))
|
|
assert.Equal(t, "fooba", TruncateString("foobar", 5))
|
|
assert.Equal(t, "foobar", TruncateString("foobar", 6))
|
|
assert.Equal(t, "foobar", TruncateString("foobar", 7))
|
|
assert.Equal(t, "测试文本", TruncateString("测试文本一二三四", 4))
|
|
assert.Equal(t, "测试文本一", TruncateString("测试文本一二三四", 5))
|
|
assert.Equal(t, "测试文本一二", TruncateString("测试文本一二三四", 6))
|
|
assert.Equal(t, "测试文本一二三", TruncateString("测试文本一二三四", 7))
|
|
}
|
|
|
|
func TestStringsToInt64s(t *testing.T) {
|
|
testSuccess := func(input []string, expected []int64) {
|
|
result, err := StringsToInt64s(input)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, expected, result)
|
|
}
|
|
testSuccess(nil, nil)
|
|
testSuccess([]string{}, []int64{})
|
|
testSuccess([]string{"-1234"}, []int64{-1234})
|
|
testSuccess([]string{"1", "4", "16", "64", "256"}, []int64{1, 4, 16, 64, 256})
|
|
|
|
ints, err := StringsToInt64s([]string{"-1", "a"})
|
|
assert.Empty(t, ints)
|
|
require.Error(t, err)
|
|
}
|
|
|
|
func TestInt64sToStrings(t *testing.T) {
|
|
assert.Equal(t, []string{}, Int64sToStrings([]int64{}))
|
|
assert.Equal(t,
|
|
[]string{"1", "4", "16", "64", "256"},
|
|
Int64sToStrings([]int64{1, 4, 16, 64, 256}),
|
|
)
|
|
}
|
|
|
|
// TODO: Test EntryIcon
|
|
|
|
func TestSetupGiteaRoot(t *testing.T) {
|
|
t.Setenv("GITEA_ROOT", "test")
|
|
assert.Equal(t, "test", SetupGiteaRoot())
|
|
t.Setenv("GITEA_ROOT", "")
|
|
assert.NotEqual(t, "test", SetupGiteaRoot())
|
|
}
|
|
|
|
func TestFormatNumberSI(t *testing.T) {
|
|
assert.Equal(t, "125", FormatNumberSI(int(125)))
|
|
assert.Equal(t, "1.3k", FormatNumberSI(int64(1317)))
|
|
assert.Equal(t, "21.3M", FormatNumberSI(21317675))
|
|
assert.Equal(t, "45.7G", FormatNumberSI(45721317675))
|
|
assert.Equal(t, "", FormatNumberSI("test"))
|
|
}
|