allow the actions user to login via the jwt token #32527

bohde · 2024-11-15T19:12:10Z

We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the ACTIONS_RUNTIME_TOKEN env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with /pull/28885 to be a JWT (with a corresponding update to act_runner) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user.

This restores that functionality by parsing Actions JWTs first, and then attempting to parse Oauth JWTs. The code to parse potential old ACTION_RUNTIME_TOKEN was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT.

The format of the env var `ACTIONS_RUNTIME_TOKEN` in actions jobs changed with go-gitea/pull/28885 to be a JWT. Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. This restores that functionality by parsing Actions JWTs first, and then attempting to parse OAUTH JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT.

bohde · 2024-11-15T20:22:05Z

Here's a minimal action workflow that previously worked before the linked PR, running on a server with setting.Service.RequireSignInView == true :

name: Check Server Version
on: [push]
jobs:
  check-server-version:
    runs-on: ubuntu-latest
    steps:
      - name: Output Server Version
        run: |
          curl -H "Authorization: token $ACTIONS_RUNTIME_TOKEN"  "$GITHUB_SERVER_URL/api/v1/version"

services/auth/oauth2.go

services/auth/oauth2_test.go

wxiaoguang

Overall LGTM except the naming nit.

GiteaBot · 2024-11-20T15:24:16Z

I was unable to create a backport for 1.22. @bohde, please send one manually. 🍵

go run ./contrib/backport 32527
...  // fix git conflicts if any
go run ./contrib/backport --continue

Backport go-gitea#32527 We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with go-gitea/pull/28885 to be a JWT (with a corresponding update to `act_runner`) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting to parse Oauth JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT.

Backport #32527 We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with /pull/28885 to be a JWT (with a corresponding update to `act_runner`) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting to parse Oauth JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT.

* giteaofficial/main: Add line-through for deleted branch on pull request view page (go-gitea#32500) Fix issue sidebar regression (go-gitea#32598) Fix PR diff review form submit (go-gitea#32596) Fix some typescript issues (go-gitea#32586) Fix GetInactiveUsers (go-gitea#32540) disable gravatar in test (go-gitea#32529) Add 'Copy path' button to file view (go-gitea#32584) Improve issue sidebar UI (go-gitea#32587) Supplement and Improvement for go-gitea#32558 (go-gitea#32585) make search box in issue sidebar dropdown list always show when scrolling (go-gitea#32576) Fix submodule parsing (go-gitea#32571) allow the actions user to login via the jwt token (go-gitea#32527) Support HTTP POST requests to `/userinfo`, aligning to OpenID Core specification (go-gitea#32578)

* SECURITY * Fix basic auth with webauthn (go-gitea#32531) (go-gitea#32536) * Refactor internal routers (partial backport, auth token const time comparing) (go-gitea#32473) (go-gitea#32479) * PERFORMANCE * Remove transaction for archive download (go-gitea#32186) (go-gitea#32520) * BUGFIXES * Fix `missing signature key` error when pulling Docker images with `SERVE_DIRECT` enabled (go-gitea#32365) (go-gitea#32397) * Fix get reviewers fails when selecting user without pull request permissions unit (go-gitea#32415) (go-gitea#32616) * Fix adding index files to tmp directory (go-gitea#32360) (go-gitea#32593) * Fix PR creation on forked repositories via API (go-gitea#31863) (go-gitea#32591) * Fix missing menu tabs in organization project view page (go-gitea#32313) (go-gitea#32592) * Support HTTP POST requests to `/userinfo`, aligning to OpenID Core specification (go-gitea#32578) (go-gitea#32594) * Fix debian package clean up cron job (go-gitea#32351) (go-gitea#32590) * Fix GetInactiveUsers (go-gitea#32540) (go-gitea#32588) * Allow the actions user to login via the jwt token (go-gitea#32527) (go-gitea#32580) * Fix submodule parsing (go-gitea#32571) (go-gitea#32577) * Refactor find forks and fix possible bugs that weaken permissions check (go-gitea#32528) (go-gitea#32547) * Fix some places that don't respect org full name setting (go-gitea#32243) (go-gitea#32550) * Refactor push mirror find and add check for updating push mirror (go-gitea#32539) (go-gitea#32549) * Fix basic auth with webauthn (go-gitea#32531) (go-gitea#32536) * Fix artifact v4 upload above 8MB (go-gitea#31664) (go-gitea#32523) * Fix oauth2 error handle not return immediately (go-gitea#32514) (go-gitea#32516) * Fix action not triggered when commit message is too long (go-gitea#32498) (go-gitea#32507) * Fix `GetRepoLink` nil pointer dereference on dashboard feed page when repo is deleted with actions enabled (go-gitea#32501) (go-gitea#32502) * Fix `missing signature key` error when pulling Docker images with `SERVE_DIRECT` enabled (go-gitea#32397) (go-gitea#32397) * Fix the permission check for user search API and limit the number of returned users for `/user/search` (go-gitea#32310) * Fix SearchIssues swagger docs (go-gitea#32208) (go-gitea#32298) * Fix dropdown content overflow (go-gitea#31610) (go-gitea#32250) * Disable Oauth check if oauth disabled (go-gitea#32368) (go-gitea#32480) * Respect renamed dependencies of Cargo registry (go-gitea#32430) (go-gitea#32478) * Fix mermaid diagram height when initially hidden (go-gitea#32457) (go-gitea#32464) * Fix broken releases when re-pushing tags (go-gitea#32435) (go-gitea#32449) * Only provide the commit summary for Discord webhook push events (go-gitea#32432) (go-gitea#32447) * Only query team tables if repository is under org when getting assignees (go-gitea#32414) (go-gitea#32426) * Fix created_unix for mirroring (go-gitea#32342) (go-gitea#32406) * Respect UI.ExploreDefaultSort setting again (go-gitea#32357) (go-gitea#32385) * Fix broken image when editing comment with non-image attachments (go-gitea#32319) (go-gitea#32345) * Fix disable 2fa bug (go-gitea#32320) (go-gitea#32330) * Always update expiration time when creating an artifact (go-gitea#32281) (go-gitea#32285) * Fix null errors on conversation holder (go-gitea#32258) (go-gitea#32266) (go-gitea#32282) * Only rename a user when they should receive a different name (go-gitea#32247) (go-gitea#32249) * Fix checkbox bug on private/archive filter (go-gitea#32236) (go-gitea#32240) * Add a doctor check to disable the "Actions" unit for mirrors (go-gitea#32424) (go-gitea#32497) * Quick fix milestone deadline 9999 (go-gitea#32423) * Make `show stats` work when only one file changed (go-gitea#32244) (go-gitea#32268) * Make `owner/repo/pulls` handlers use "PR reader" permission (go-gitea#32254) (go-gitea#32265) * Update scheduled tasks even if changes are pushed by "ActionsUser" (go-gitea#32246) (go-gitea#32252) * MISC * Remove unnecessary code: `GetPushMirrorsByRepoID` called on all repo pages (go-gitea#32560) (go-gitea#32567) * Improve some sanitizer rules (go-gitea#32534) * Update nix development environment vor v1.22.x (go-gitea#32495) * Add warn log when deleting inactive users (go-gitea#32318) (go-gitea#32321) * Update github.com/go-enry/go-enry to v2.9.1 (go-gitea#32295) (go-gitea#32296) * Warn users when they try to use a non-root-url to sign in/up (go-gitea#32272) (go-gitea#32273) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEEumb2f9c/cFjXEtMIw7fJG2Mvc4oFAmdEyeoACgkQw7fJG2Mv # c4pythAAn57Z9Csfd8UrHbCd87SBlEGydhlng5Oc99pQIAvExR0hc9VFWjt5pFr4 # aXTajtzb/sDQkAPZEiL45CL471z+Ga81ixaKRfrBeMiSECB0wBaL4+XH94qQ3lw3 # /dNfQsc9bUnomGWQyEIbQ6mT85fJdvBD1nibUSH3b5P4WqOBHbY9YlehPmE96KY2 # 9k1IYvBvcfCjK6njVQ7m+sFOr7/Y2ZHe9FeN8hEf/1Bfnc75wtkeNyeXnlNe67Eo # ViFzcA35WyTXw4NRY+TG/8xZEXHl8DuOuUdPoBqkpFw9TzxR2svO0QLzRIHgJP+t # /Cdd16zZd6fQ+ET+DV8IaF2wlXdEgVDWs2aT04VDLGpSw9czxsUEUQ0ETWFFomXN # //goTLu1B3fVQYrE9MK2vfUQGe2Su3ChGwNtNEK9bMQpO6sLFGRE0nPgBJMPJ0yA # bfPhRlsVxnyEToqeKoC77wv0kPiOkzPfDm6sFLAt+tATcij5UlTU4nVXyXsELk14 # p5mtsTfaEqiH3U+JW0Drz8wV7nk8F599lZbYO92M3Z59bqC5TsOVYgqb1ODTpqQO # 7gLdgdKmQbKWTPHLA9Hz+0/3bT1MirMRdtXW7TmgW83TuN37wOuElCmXmJTN2feY # LG4k417kVrBwF+fdGPXo+T7H0MqxX1fTkVftG3C63sdaRQrUM1M= # =jyQM # -----END PGP SIGNATURE----- # gpg: Signature made Tue, Nov 26, 2024 3:03:06 AM # gpg: using RSA key BA66F67FD73F7058D712D308C3B7C91B632F738A # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: keydb_search failed: Connection timed out # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: Note: database_open 134217901 waiting for lock (held by 1152) ... # gpg: keydb_search failed: Connection timed out # gpg: Can't check signature: No public key

We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with go-gitea/pull/28885 to be a JWT (with a corresponding update to `act_runner`) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting to parse Oauth JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT. (cherry picked from commit 407b6e6) Conflicts: services/auth/oauth2.go trivial context conflicts because OAuth2 scopes are in Forgejo and not yet in Gitea

GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 15, 2024

pull-request-size bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 15, 2024

github-actions bot added the modifies/go Pull requests that update Go code label Nov 15, 2024

lunny requested review from wolfogre and Zettat123 November 18, 2024 18:10

wxiaoguang reviewed Nov 19, 2024

View reviewed changes

services/auth/oauth2.go Outdated Show resolved Hide resolved

lunny added backport/v1.22 This PR should be backported to Gitea 1.22 type/bug labels Nov 19, 2024

incorporate logic into userIDFromToken instead of a standalone function

6e876cc

pull-request-size bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 19, 2024

add tests for new functionality in auth/oauth.go

f5c0b53

bohde force-pushed the rb/fix-actions-jwt branch from 59dedf4 to f5c0b53 Compare November 19, 2024 19:11

lint

77c7056

wxiaoguang reviewed Nov 20, 2024

View reviewed changes

services/auth/oauth2_test.go Outdated Show resolved Hide resolved

wxiaoguang approved these changes Nov 20, 2024

View reviewed changes

GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 20, 2024

Zettat123 approved these changes Nov 20, 2024

View reviewed changes

GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 20, 2024

bohde and others added 2 commits November 20, 2024 08:47

rename CheckTaskID to CheckTaskIsRunning

6aafb51

Merge branch 'main' into rb/fix-actions-jwt

68289a2

wxiaoguang enabled auto-merge (squash) November 20, 2024 15:01

wxiaoguang merged commit 407b6e6 into go-gitea:main Nov 20, 2024
26 checks passed

GiteaBot added this to the 1.24.0 milestone Nov 20, 2024

GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Nov 20, 2024

bohde mentioned this pull request Nov 20, 2024

allow the actions user to login via the jwt token (#32527) #32580

Merged

lunny added the backport/done All backports for this PR have been created label Nov 20, 2024

lunny modified the milestones: 1.24.0, 1.23.0 Nov 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

allow the actions user to login via the jwt token #32527

allow the actions user to login via the jwt token #32527

bohde commented Nov 15, 2024

bohde commented Nov 15, 2024

wxiaoguang left a comment

GiteaBot commented Nov 20, 2024

allow the actions user to login via the jwt token #32527

allow the actions user to login via the jwt token #32527

Conversation

bohde commented Nov 15, 2024

bohde commented Nov 15, 2024

wxiaoguang left a comment

Choose a reason for hiding this comment

GiteaBot commented Nov 20, 2024