mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-26 09:09:36 -05:00
a9bc590d5d
This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471>
55 lines
1.5 KiB
Go
55 lines
1.5 KiB
Go
// Copyright 2024 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package actions
|
|
|
|
import (
|
|
"net/http"
|
|
"testing"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestCreateAuthorizationToken(t *testing.T) {
|
|
var taskID int64 = 23
|
|
token, err := CreateAuthorizationToken(taskID, 1, 2)
|
|
assert.Nil(t, err)
|
|
assert.NotEqual(t, "", token)
|
|
claims := jwt.MapClaims{}
|
|
_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (interface{}, error) {
|
|
return []byte(setting.SecretKey), nil
|
|
})
|
|
assert.Nil(t, err)
|
|
scp, ok := claims["scp"]
|
|
assert.True(t, ok, "Has scp claim in jwt token")
|
|
assert.Contains(t, scp, "Actions.Results:1:2")
|
|
taskIDClaim, ok := claims["TaskID"]
|
|
assert.True(t, ok, "Has TaskID claim in jwt token")
|
|
assert.Equal(t, float64(taskID), taskIDClaim, "Supplied taskid must match stored one")
|
|
}
|
|
|
|
func TestParseAuthorizationToken(t *testing.T) {
|
|
var taskID int64 = 23
|
|
token, err := CreateAuthorizationToken(taskID, 1, 2)
|
|
assert.Nil(t, err)
|
|
assert.NotEqual(t, "", token)
|
|
headers := http.Header{}
|
|
headers.Set("Authorization", "Bearer "+token)
|
|
rTaskID, err := ParseAuthorizationToken(&http.Request{
|
|
Header: headers,
|
|
})
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, taskID, rTaskID)
|
|
}
|
|
|
|
func TestParseAuthorizationTokenNoAuthHeader(t *testing.T) {
|
|
headers := http.Header{}
|
|
rTaskID, err := ParseAuthorizationToken(&http.Request{
|
|
Header: headers,
|
|
})
|
|
assert.Nil(t, err)
|
|
assert.Equal(t, int64(0), rTaskID)
|
|
}
|