meissa
/
forgejo
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
forgejo-federated-star
forgejo
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3caec9d9eb'
${ noResults }
forgejo/tests/integration/api_oauth2_apps_test.go

174 lines
5.8 KiB
Go
Raw Normal View History Unescape Escape

adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
// Copyright 2020 The Gitea Authors. All rights reserved.
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2 years ago
// SPDX-License-Identifier: MIT
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2 years ago
package integration
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
import (
"fmt"
"net/http"
"testing"
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
auth_model "code.gitea.io/gitea/models/auth"
Decouple unit test, remove intermediate `unittestbridge` package (#17662) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
3 years ago
"code.gitea.io/gitea/models/unittest"
Move user related model into models/user (#17781) * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge
3 years ago
user_model "code.gitea.io/gitea/models/user"
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
api "code.gitea.io/gitea/modules/structs"
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2 years ago
"code.gitea.io/gitea/tests"
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
"github.com/stretchr/testify/assert"
)
func TestOAuth2Application(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2 years ago
defer tests.PrepareTestEnv(t)()
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
testAPICreateOAuth2Application(t)
testAPIListOAuth2Applications(t)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
testAPIGetOAuth2Application(t)
testAPIUpdateOAuth2Application(t)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
testAPIDeleteOAuth2Application(t)
}
func testAPICreateOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
appBody := api.CreateOAuth2ApplicationOptions{
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
ConfidentialClient: true,
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
}
req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &appBody)
req = AddBasicAuthHeader(req, user.Name)
resp := MakeRequest(t, req, http.StatusCreated)
var createdApp *api.OAuth2Application
DecodeJSON(t, resp, &createdApp)
assert.EqualValues(t, appBody.Name, createdApp.Name)
Use `CryptoRandomBytes` instead of `CryptoRandomString` (#18439) - Switch to use `CryptoRandomBytes` instead of `CryptoRandomString`, OAuth's secrets are copied pasted and don't need to avoid dubious characters etc. - `CryptoRandomBytes` gives ![2^256 = 1.15 * 10^77](https://render.githubusercontent.com/render/math?math=2^256%20=%201.15%20\cdot%2010^77) `CryptoRandomString` gives ![62^44 = 7.33 * 10^78](https://render.githubusercontent.com/render/math?math=62^44%20=%207.33%20\cdot%2010^78) possible states. - Add a prefix, such that code scanners can easily grep these in source code. - 32 Bytes + prefix
2 years ago
assert.Len(t, createdApp.ClientSecret, 56)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
assert.Len(t, createdApp.ClientID, 36)
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
assert.True(t, createdApp.ConfidentialClient)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
assert.NotEmpty(t, createdApp.Created)
assert.EqualValues(t, appBody.RedirectURIs[0], createdApp.RedirectURIs[0])
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{UID: user.ID, Name: createdApp.Name})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
}
func testAPIListOAuth2Applications(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
session := loginUser(t, user.Name)
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadApplication)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
existApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
ConfidentialClient: true,
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2?token=%s", token)
req := NewRequest(t, "GET", urlStr)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2 years ago
resp := MakeRequest(t, req, http.StatusOK)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
var appList api.OAuth2ApplicationList
DecodeJSON(t, resp, &appList)
expectedApp := appList[0]
assert.EqualValues(t, existApp.Name, expectedApp.Name)
assert.EqualValues(t, existApp.ClientID, expectedApp.ClientID)
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
assert.Equal(t, existApp.ConfidentialClient, expectedApp.ConfidentialClient)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
assert.Len(t, expectedApp.ClientID, 36)
assert.Empty(t, expectedApp.ClientSecret)
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
}
func testAPIDeleteOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
session := loginUser(t, user.Name)
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteApplication)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
oldApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
UID: user.ID,
Name: "test-app-1",
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
})
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", oldApp.ID, token)
req := NewRequest(t, "DELETE", urlStr)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2 years ago
MakeRequest(t, req, http.StatusNoContent)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
unittest.AssertNotExistsBean(t, &auth_model.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name})
Fix delete nonexist oauth application 500 and prevent deadlock (#15384) * Fix delete nonexist oauth application 500 * Fix test * Close the session Signed-off-by: Andrew Thornton <art27@cantab.net> * Update integrations/api_oauth2_apps_test.go * Fix more missed sess.Close * Remove unnecessary blank line Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
3 years ago
// Delete again will return not found
req = NewRequest(t, "DELETE", urlStr)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2 years ago
MakeRequest(t, req, http.StatusNotFound)
adds API endpoints to manage OAuth2 Application (list/create/delete) (#10437) * add API endpoint to create OAuth2 Application. * move endpoint to /user. Add swagger documentations and proper response type. * change json tags to snake_case. add CreateOAuth2ApplicationOptions to swagger docs. * change response status to Created (201) * add methods to list OAuth2 apps and delete an existing OAuth2 app by ID. * add APIFormat convert method and file header * fixed header * hide secret on oauth2 application list * add Created time to API response * add API integration tests for create/list/delete OAuth2 applications. Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
4 years ago
}
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
func testAPIGetOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
session := loginUser(t, user.Name)
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadApplication)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
existApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
ConfidentialClient: true,
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", existApp.ID, token)
req := NewRequest(t, "GET", urlStr)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2 years ago
resp := MakeRequest(t, req, http.StatusOK)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
var app api.OAuth2Application
DecodeJSON(t, resp, &app)
expectedApp := app
assert.EqualValues(t, existApp.Name, expectedApp.Name)
assert.EqualValues(t, existApp.ClientID, expectedApp.ClientID)
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
assert.Equal(t, existApp.ConfidentialClient, expectedApp.ConfidentialClient)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
assert.Len(t, expectedApp.ClientID, 36)
assert.Empty(t, expectedApp.ClientSecret)
Fixed assert statements. (#16089)
3 years ago
assert.Len(t, expectedApp.RedirectURIs, 1)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
}
func testAPIUpdateOAuth2Application(t *testing.T) {
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
existApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
UID: user.ID,
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com",
},
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2 years ago
})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
appBody := api.CreateOAuth2ApplicationOptions{
Name: "test-app-1",
RedirectURIs: []string{
"http://www.google.com/",
"http://www.github.com/",
},
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
ConfidentialClient: true,
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
}
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d", existApp.ID)
req := NewRequestWithJSON(t, "PATCH", urlStr, &appBody)
req = AddBasicAuthHeader(req, user.Name)
resp := MakeRequest(t, req, http.StatusOK)
var app api.OAuth2Application
DecodeJSON(t, resp, &app)
expectedApp := app
Fixed assert statements. (#16089)
3 years ago
assert.Len(t, expectedApp.RedirectURIs, 2)
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
assert.EqualValues(t, expectedApp.RedirectURIs[0], appBody.RedirectURIs[0])
assert.EqualValues(t, expectedApp.RedirectURIs[1], appBody.RedirectURIs[1])
Record OAuth client type at registration (#21316) The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2 years ago
assert.Equal(t, expectedApp.ConfidentialClient, appBody.ConfidentialClient)
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
1 year ago
unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
Add Get/Update for api/v1/user/applications/oauth2 (#11008) Add api methods for getting and updating user oauth2 applications. Signed-off-by: Dan Molik <dan@danmolik.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
4 years ago
}