mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-02-18 23:27:53 -05:00
5b6bbabd74
As described in [this comment](https://gitea.com/gitea/act_runner/issues/19#issuecomment-739221) one-job runners are not secure when running in host mode. We implemented a routine preventing runner tokens from receiving a second job in order to render a potentially compromised token useless. Also we implemented a routine that removes finished runners as soon as possible. Big thanks to [ChristopherHX](https://github.com/ChristopherHX) who did all the work for gitea! Rel: #9407 ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9962 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Manuel Ganter <manuel.ganter@think-ahead.tech> Co-committed-by: Manuel Ganter <manuel.ganter@think-ahead.tech>
324 lines
11 KiB
Go
324 lines
11 KiB
Go
// Copyright 2025 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"testing"
|
|
|
|
actions_model "forgejo.org/models/actions"
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
api "forgejo.org/modules/structs"
|
|
"forgejo.org/routers/api/v1/shared"
|
|
"forgejo.org/tests"
|
|
|
|
gouuid "github.com/google/uuid"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestActionsAPISearchActionJobs_UserRunner(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
normalUsername := "user2"
|
|
session := loginUser(t, normalUsername)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 394})
|
|
|
|
req := NewRequest(t, "GET",
|
|
fmt.Sprintf("/api/v1/user/actions/runners/jobs?labels=%s", "debian-latest")).
|
|
AddTokenAuth(token)
|
|
res := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var jobs []*api.ActionRunJob
|
|
DecodeJSON(t, res, &jobs)
|
|
|
|
assert.Len(t, jobs, 1)
|
|
assert.Equal(t, job.ID, jobs[0].ID)
|
|
}
|
|
|
|
func TestActionsAPISearchActionJobs_UserRunnerAllPendingJobsWithoutLabels(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
normalUsername := "user1"
|
|
session := loginUser(t, normalUsername)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 196})
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user/actions/runners/jobs?labels=").
|
|
AddTokenAuth(token)
|
|
res := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var jobs []*api.ActionRunJob
|
|
DecodeJSON(t, res, &jobs)
|
|
|
|
assert.Len(t, jobs, 1)
|
|
assert.Equal(t, job.ID, jobs[0].ID)
|
|
}
|
|
|
|
func TestActionsAPISearchActionJobs_UserRunnerAllPendingJobs(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
normalUsername := "user2"
|
|
session := loginUser(t, normalUsername)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 394})
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user/actions/runners/jobs").
|
|
AddTokenAuth(token)
|
|
res := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var jobs []*api.ActionRunJob
|
|
DecodeJSON(t, res, &jobs)
|
|
|
|
assert.Len(t, jobs, 1)
|
|
assert.Equal(t, job.ID, jobs[0].ID)
|
|
}
|
|
|
|
func TestAPIUserActionsRunnerRegistrationTokenOperations(t *testing.T) {
|
|
defer unittest.OverrideFixtures("tests/integration/fixtures/TestAPIUserActionsRunnerRegistrationTokenOperations")()
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
session := loginUser(t, user2.Name)
|
|
readToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
|
|
|
t.Run("GetRegistrationToken", func(t *testing.T) {
|
|
request := NewRequest(t, "GET", "/api/v1/user/actions/runners/registration-token")
|
|
request.AddTokenAuth(readToken)
|
|
response := MakeRequest(t, request, http.StatusOK)
|
|
|
|
var registrationToken shared.RegistrationToken
|
|
DecodeJSON(t, response, ®istrationToken)
|
|
|
|
expected := shared.RegistrationToken{Token: "Xb3WmQBum2S0-WwFY399A0DhnPkgRdXzpEOJaMmL5UT"}
|
|
|
|
assert.Equal(t, expected, registrationToken)
|
|
})
|
|
}
|
|
|
|
func TestAPIUserActionsRunnerOperations(t *testing.T) {
|
|
defer unittest.OverrideFixtures("tests/integration/fixtures/TestAPIUserActionsRunnerOperations")()
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
session := loginUser(t, user2.Name)
|
|
readToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
|
writeToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
|
|
t.Run("Get runners", func(t *testing.T) {
|
|
request := NewRequest(t, "GET", "/api/v1/user/actions/runners")
|
|
request.AddTokenAuth(readToken)
|
|
response := MakeRequest(t, request, http.StatusOK)
|
|
|
|
assert.Equal(t, "3", response.Header().Get("X-Total-Count"))
|
|
|
|
var runners []*api.ActionRunner
|
|
DecodeJSON(t, response, &runners)
|
|
|
|
runnerOne := &api.ActionRunner{
|
|
ID: 71301,
|
|
UUID: "99fc4a58-a25e-4dbe-b6ea-3d55dddcd216",
|
|
Name: "runner-1-user",
|
|
Version: "dev",
|
|
OwnerID: 2,
|
|
RepoID: 0,
|
|
Description: "A superb runner",
|
|
Labels: []string{"debian", "gpu"},
|
|
Status: "offline",
|
|
}
|
|
runnerThree := &api.ActionRunner{
|
|
ID: 71303,
|
|
UUID: "70bc0da3-35b2-4129-bbc9-4679dfdda4d0",
|
|
Name: "runner-3-user",
|
|
Version: "11.3.1",
|
|
OwnerID: 2,
|
|
RepoID: 0,
|
|
Description: "Another fine runner",
|
|
Labels: []string{"fedora"},
|
|
Status: "offline",
|
|
}
|
|
runnerFive := &api.ActionRunner{
|
|
ID: 71305,
|
|
UUID: "3ca04a95-3e75-4e48-8b7a-63427ebcf3b8",
|
|
Name: "runner-5-user-ephemeral",
|
|
Version: "1.0.0",
|
|
OwnerID: 2,
|
|
RepoID: 0,
|
|
Description: "An ephemeral runner",
|
|
Labels: []string{"ephemeral-label"},
|
|
Status: "offline",
|
|
Ephemeral: true,
|
|
}
|
|
|
|
assert.ElementsMatch(t, []*api.ActionRunner{runnerOne, runnerThree, runnerFive}, runners)
|
|
})
|
|
|
|
t.Run("Get runners paginated", func(t *testing.T) {
|
|
request := NewRequest(t, "GET", "/api/v1/user/actions/runners?page=1&limit=1")
|
|
request.AddTokenAuth(readToken)
|
|
response := MakeRequest(t, request, http.StatusOK)
|
|
|
|
var runners []*api.ActionRunner
|
|
DecodeJSON(t, response, &runners)
|
|
|
|
assert.NotEmpty(t, response.Header().Get("Link"))
|
|
assert.NotEmpty(t, response.Header().Get("X-Total-Count"))
|
|
assert.Len(t, runners, 1)
|
|
})
|
|
|
|
t.Run("Get runner", func(t *testing.T) {
|
|
request := NewRequest(t, "GET", "/api/v1/user/actions/runners/71303")
|
|
request.AddTokenAuth(readToken)
|
|
response := MakeRequest(t, request, http.StatusOK)
|
|
|
|
var runner *api.ActionRunner
|
|
DecodeJSON(t, response, &runner)
|
|
|
|
runnerThree := &api.ActionRunner{
|
|
ID: 71303,
|
|
UUID: "70bc0da3-35b2-4129-bbc9-4679dfdda4d0",
|
|
Name: "runner-3-user",
|
|
Version: "11.3.1",
|
|
OwnerID: 2,
|
|
RepoID: 0,
|
|
Description: "Another fine runner",
|
|
Labels: []string{"fedora"},
|
|
Status: "offline",
|
|
}
|
|
|
|
assert.Equal(t, runnerThree, runner)
|
|
})
|
|
|
|
t.Run("Get ephemeral runner", func(t *testing.T) {
|
|
request := NewRequest(t, "GET", "/api/v1/user/actions/runners/71305")
|
|
request.AddTokenAuth(readToken)
|
|
response := MakeRequest(t, request, http.StatusOK)
|
|
|
|
var runner *api.ActionRunner
|
|
DecodeJSON(t, response, &runner)
|
|
|
|
expectedRunner := &api.ActionRunner{
|
|
ID: 71305,
|
|
UUID: "3ca04a95-3e75-4e48-8b7a-63427ebcf3b8",
|
|
Name: "runner-5-user-ephemeral",
|
|
Version: "1.0.0",
|
|
OwnerID: 2,
|
|
RepoID: 0,
|
|
Description: "An ephemeral runner",
|
|
Labels: []string{"ephemeral-label"},
|
|
Status: "offline",
|
|
Ephemeral: true,
|
|
}
|
|
|
|
assert.Equal(t, expectedRunner, runner)
|
|
})
|
|
|
|
t.Run("Delete runner", func(t *testing.T) {
|
|
url := "/api/v1/user/actions/runners/71303"
|
|
|
|
request := NewRequest(t, "GET", url)
|
|
request.AddTokenAuth(readToken)
|
|
MakeRequest(t, request, http.StatusOK)
|
|
|
|
deleteRequest := NewRequest(t, "DELETE", url)
|
|
deleteRequest.AddTokenAuth(writeToken)
|
|
MakeRequest(t, deleteRequest, http.StatusNoContent)
|
|
|
|
request = NewRequest(t, "GET", url)
|
|
request.AddTokenAuth(readToken)
|
|
MakeRequest(t, request, http.StatusNotFound)
|
|
})
|
|
|
|
t.Run("Register runner", func(t *testing.T) {
|
|
options := api.RegisterRunnerOptions{Name: "api-runner", Description: "Some description"}
|
|
|
|
request := NewRequestWithJSON(t, "POST", "/api/v1/user/actions/runners", options)
|
|
request.AddTokenAuth(writeToken)
|
|
response := MakeRequest(t, request, http.StatusCreated)
|
|
|
|
var registerRunnerResponse *api.RegisterRunnerResponse
|
|
DecodeJSON(t, response, ®isterRunnerResponse)
|
|
|
|
assert.NotNil(t, registerRunnerResponse)
|
|
assert.Positive(t, registerRunnerResponse.ID)
|
|
assert.Equal(t, gouuid.Version(4), gouuid.MustParse(registerRunnerResponse.UUID).Version())
|
|
assert.Regexp(t, "(?i)^[0-9a-f]{40}$", registerRunnerResponse.Token)
|
|
assert.False(t, registerRunnerResponse.Ephemeral)
|
|
|
|
registeredRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{UUID: registerRunnerResponse.UUID})
|
|
assert.Equal(t, registerRunnerResponse.ID, registeredRunner.ID)
|
|
assert.Equal(t, registerRunnerResponse.UUID, registeredRunner.UUID)
|
|
assert.Equal(t, user2.ID, registeredRunner.OwnerID)
|
|
assert.Zero(t, registeredRunner.RepoID)
|
|
assert.Equal(t, "api-runner", registeredRunner.Name)
|
|
assert.Equal(t, "Some description", registeredRunner.Description)
|
|
assert.Empty(t, registeredRunner.AgentLabels)
|
|
assert.Empty(t, registeredRunner.Version)
|
|
assert.NotEmpty(t, registeredRunner.TokenHash)
|
|
assert.NotEmpty(t, registeredRunner.TokenSalt)
|
|
assert.False(t, registeredRunner.Ephemeral)
|
|
})
|
|
|
|
t.Run("Register ephemeral runner", func(t *testing.T) {
|
|
options := api.RegisterRunnerOptions{Name: "ephemeral-runner", Description: "Ephemeral runner", Ephemeral: true}
|
|
|
|
request := NewRequestWithJSON(t, "POST", "/api/v1/user/actions/runners", options)
|
|
request.AddTokenAuth(writeToken)
|
|
response := MakeRequest(t, request, http.StatusCreated)
|
|
|
|
var registerRunnerResponse *api.RegisterRunnerResponse
|
|
DecodeJSON(t, response, ®isterRunnerResponse)
|
|
|
|
assert.True(t, registerRunnerResponse.Ephemeral)
|
|
|
|
registeredRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{UUID: registerRunnerResponse.UUID})
|
|
assert.Equal(t, registerRunnerResponse.UUID, registeredRunner.UUID)
|
|
assert.True(t, registeredRunner.Ephemeral)
|
|
})
|
|
|
|
t.Run("Runner registration does not update runner with identical name", func(t *testing.T) {
|
|
options := api.RegisterRunnerOptions{Name: "api-runner"}
|
|
|
|
request := NewRequestWithJSON(t, "POST", "/api/v1/user/actions/runners", options)
|
|
request.AddTokenAuth(writeToken)
|
|
response := MakeRequest(t, request, http.StatusCreated)
|
|
|
|
var registerRunnerResponse *api.RegisterRunnerResponse
|
|
DecodeJSON(t, response, ®isterRunnerResponse)
|
|
|
|
secondRequest := NewRequestWithJSON(t, "POST", "/api/v1/user/actions/runners", options)
|
|
secondRequest.AddTokenAuth(writeToken)
|
|
secondResponse := MakeRequest(t, secondRequest, http.StatusCreated)
|
|
|
|
var secondRegisterRunnerResponse *api.RegisterRunnerResponse
|
|
DecodeJSON(t, secondResponse, &secondRegisterRunnerResponse)
|
|
|
|
firstRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{UUID: registerRunnerResponse.UUID})
|
|
secondRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{UUID: secondRegisterRunnerResponse.UUID})
|
|
|
|
assert.NotEqual(t, firstRunner.ID, secondRunner.ID)
|
|
assert.NotEqual(t, firstRunner.UUID, secondRunner.UUID)
|
|
})
|
|
|
|
t.Run("Runner registration requires write token for user scope", func(t *testing.T) {
|
|
options := api.RegisterRunnerOptions{Name: "api-runner"}
|
|
|
|
request := NewRequestWithJSON(t, "POST", "/api/v1/user/actions/runners", options)
|
|
request.AddTokenAuth(readToken)
|
|
response := MakeRequest(t, request, http.StatusForbidden)
|
|
|
|
type errorResponse struct {
|
|
Message string `json:"message"`
|
|
}
|
|
|
|
var errorMessage *errorResponse
|
|
DecodeJSON(t, response, &errorMessage)
|
|
|
|
assert.Equal(t, "token does not have at least one of required scope(s): [write:user]", errorMessage.Message)
|
|
})
|
|
}
|