// Copyright 2023 The Gitea Authors. All rights reserved. // SPDX-License-Identifier: MIT package v1_20 //nolint import ( "fmt" "strings" "code.gitea.io/gitea/modules/log" "xorm.io/xorm" ) // unknownAccessTokenScope represents the scope for an access token that isn't // known be an old token or a new token. type unknownAccessTokenScope string // AccessTokenScope represents the scope for an access token. type AccessTokenScope string // for all categories, write implies read const ( AccessTokenScopeAll AccessTokenScope = "all" AccessTokenScopePublicOnly AccessTokenScope = "public-only" // limited to public orgs/repos AccessTokenScopeReadActivityPub AccessTokenScope = "read:activitypub" AccessTokenScopeWriteActivityPub AccessTokenScope = "write:activitypub" AccessTokenScopeReadAdmin AccessTokenScope = "read:admin" AccessTokenScopeWriteAdmin AccessTokenScope = "write:admin" AccessTokenScopeReadMisc AccessTokenScope = "read:misc" AccessTokenScopeWriteMisc AccessTokenScope = "write:misc" AccessTokenScopeReadNotification AccessTokenScope = "read:notification" AccessTokenScopeWriteNotification AccessTokenScope = "write:notification" AccessTokenScopeReadOrganization AccessTokenScope = "read:organization" AccessTokenScopeWriteOrganization AccessTokenScope = "write:organization" AccessTokenScopeReadPackage AccessTokenScope = "read:package" AccessTokenScopeWritePackage AccessTokenScope = "write:package" AccessTokenScopeReadIssue AccessTokenScope = "read:issue" AccessTokenScopeWriteIssue AccessTokenScope = "write:issue" AccessTokenScopeReadRepository AccessTokenScope = "read:repository" AccessTokenScopeWriteRepository AccessTokenScope = "write:repository" AccessTokenScopeReadUser AccessTokenScope = "read:user" AccessTokenScopeWriteUser AccessTokenScope = "write:user" ) // accessTokenScopeBitmap represents a bitmap of access token scopes. type accessTokenScopeBitmap uint64 // Bitmap of each scope, including the child scopes. const ( // AccessTokenScopeAllBits is the bitmap of all access token scopes accessTokenScopeAllBits accessTokenScopeBitmap = accessTokenScopeWriteActivityPubBits | accessTokenScopeWriteAdminBits | accessTokenScopeWriteMiscBits | accessTokenScopeWriteNotificationBits | accessTokenScopeWriteOrganizationBits | accessTokenScopeWritePackageBits | accessTokenScopeWriteIssueBits | accessTokenScopeWriteRepositoryBits | accessTokenScopeWriteUserBits accessTokenScopePublicOnlyBits accessTokenScopeBitmap = 1 << iota accessTokenScopeReadActivityPubBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteActivityPubBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadActivityPubBits accessTokenScopeReadAdminBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteAdminBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadAdminBits accessTokenScopeReadMiscBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteMiscBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadMiscBits accessTokenScopeReadNotificationBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteNotificationBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadNotificationBits accessTokenScopeReadOrganizationBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteOrganizationBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadOrganizationBits accessTokenScopeReadPackageBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWritePackageBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadPackageBits accessTokenScopeReadIssueBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteIssueBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadIssueBits accessTokenScopeReadRepositoryBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteRepositoryBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadRepositoryBits accessTokenScopeReadUserBits accessTokenScopeBitmap = 1 << iota accessTokenScopeWriteUserBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadUserBits // The current implementation only supports up to 64 token scopes. // If we need to support > 64 scopes, // refactoring the whole implementation in this file (and only this file) is needed. ) // allAccessTokenScopes contains all access token scopes. // The order is important: parent scope must precede child scopes. var allAccessTokenScopes = []AccessTokenScope{ AccessTokenScopePublicOnly, AccessTokenScopeWriteActivityPub, AccessTokenScopeReadActivityPub, AccessTokenScopeWriteAdmin, AccessTokenScopeReadAdmin, AccessTokenScopeWriteMisc, AccessTokenScopeReadMisc, AccessTokenScopeWriteNotification, AccessTokenScopeReadNotification, AccessTokenScopeWriteOrganization, AccessTokenScopeReadOrganization, AccessTokenScopeWritePackage, AccessTokenScopeReadPackage, AccessTokenScopeWriteIssue, AccessTokenScopeReadIssue, AccessTokenScopeWriteRepository, AccessTokenScopeReadRepository, AccessTokenScopeWriteUser, AccessTokenScopeReadUser, } // allAccessTokenScopeBits contains all access token scopes. var allAccessTokenScopeBits = map[AccessTokenScope]accessTokenScopeBitmap{ AccessTokenScopeAll: accessTokenScopeAllBits, AccessTokenScopePublicOnly: accessTokenScopePublicOnlyBits, AccessTokenScopeReadActivityPub: accessTokenScopeReadActivityPubBits, AccessTokenScopeWriteActivityPub: accessTokenScopeWriteActivityPubBits, AccessTokenScopeReadAdmin: accessTokenScopeReadAdminBits, AccessTokenScopeWriteAdmin: accessTokenScopeWriteAdminBits, AccessTokenScopeReadMisc: accessTokenScopeReadMiscBits, AccessTokenScopeWriteMisc: accessTokenScopeWriteMiscBits, AccessTokenScopeReadNotification: accessTokenScopeReadNotificationBits, AccessTokenScopeWriteNotification: accessTokenScopeWriteNotificationBits, AccessTokenScopeReadOrganization: accessTokenScopeReadOrganizationBits, AccessTokenScopeWriteOrganization: accessTokenScopeWriteOrganizationBits, AccessTokenScopeReadPackage: accessTokenScopeReadPackageBits, AccessTokenScopeWritePackage: accessTokenScopeWritePackageBits, AccessTokenScopeReadIssue: accessTokenScopeReadIssueBits, AccessTokenScopeWriteIssue: accessTokenScopeWriteIssueBits, AccessTokenScopeReadRepository: accessTokenScopeReadRepositoryBits, AccessTokenScopeWriteRepository: accessTokenScopeWriteRepositoryBits, AccessTokenScopeReadUser: accessTokenScopeReadUserBits, AccessTokenScopeWriteUser: accessTokenScopeWriteUserBits, } // hasScope returns true if the string has the given scope func (bitmap accessTokenScopeBitmap) hasScope(scope AccessTokenScope) (bool, error) { expectedBits, ok := allAccessTokenScopeBits[scope] if !ok { return false, fmt.Errorf("invalid access token scope: %s", scope) } return bitmap&expectedBits == expectedBits, nil } // toScope returns a normalized scope string without any duplicates. func (bitmap accessTokenScopeBitmap) toScope(unknownScopes *[]unknownAccessTokenScope) AccessTokenScope { var scopes []string // Preserve unknown scopes, and put them at the beginning so that it's clear // when debugging. if unknownScopes != nil { for _, unknownScope := range *unknownScopes { scopes = append(scopes, string(unknownScope)) } } // iterate over all scopes, and reconstruct the bitmap // if the reconstructed bitmap doesn't change, then the scope is already included var reconstruct accessTokenScopeBitmap for _, singleScope := range allAccessTokenScopes { // no need for error checking here, since we know the scope is valid if ok, _ := bitmap.hasScope(singleScope); ok { current := reconstruct | allAccessTokenScopeBits[singleScope] if current == reconstruct { continue } reconstruct = current scopes = append(scopes, string(singleScope)) } } scope := AccessTokenScope(strings.Join(scopes, ",")) scope = AccessTokenScope(strings.ReplaceAll( string(scope), "write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user", "all", )) return scope } // parse the scope string into a bitmap, thus removing possible duplicates. func (s AccessTokenScope) parse() (accessTokenScopeBitmap, *[]unknownAccessTokenScope) { var bitmap accessTokenScopeBitmap var unknownScopes []unknownAccessTokenScope // The following is the more performant equivalent of 'for _, v := range strings.Split(remainingScope, ",")' as this is hot code remainingScopes := string(s) for len(remainingScopes) > 0 { i := strings.IndexByte(remainingScopes, ',') var v string if i < 0 { v = remainingScopes remainingScopes = "" } else if i+1 >= len(remainingScopes) { v = remainingScopes[:i] remainingScopes = "" } else { v = remainingScopes[:i] remainingScopes = remainingScopes[i+1:] } singleScope := AccessTokenScope(v) if singleScope == "" { continue } if singleScope == AccessTokenScopeAll { bitmap |= accessTokenScopeAllBits continue } bits, ok := allAccessTokenScopeBits[singleScope] if !ok { unknownScopes = append(unknownScopes, unknownAccessTokenScope(string(singleScope))) } bitmap |= bits } return bitmap, &unknownScopes } // NormalizePreservingUnknown returns a normalized scope string without any // duplicates. Unknown scopes are included. func (s AccessTokenScope) NormalizePreservingUnknown() AccessTokenScope { bitmap, unknownScopes := s.parse() return bitmap.toScope(unknownScopes) } // OldAccessTokenScope represents the scope for an access token. type OldAccessTokenScope string const ( OldAccessTokenScopeAll OldAccessTokenScope = "all" OldAccessTokenScopeRepo OldAccessTokenScope = "repo" OldAccessTokenScopeRepoStatus OldAccessTokenScope = "repo:status" OldAccessTokenScopePublicRepo OldAccessTokenScope = "public_repo" OldAccessTokenScopeAdminOrg OldAccessTokenScope = "admin:org" OldAccessTokenScopeWriteOrg OldAccessTokenScope = "write:org" OldAccessTokenScopeReadOrg OldAccessTokenScope = "read:org" OldAccessTokenScopeAdminPublicKey OldAccessTokenScope = "admin:public_key" OldAccessTokenScopeWritePublicKey OldAccessTokenScope = "write:public_key" OldAccessTokenScopeReadPublicKey OldAccessTokenScope = "read:public_key" OldAccessTokenScopeAdminRepoHook OldAccessTokenScope = "admin:repo_hook" OldAccessTokenScopeWriteRepoHook OldAccessTokenScope = "write:repo_hook" OldAccessTokenScopeReadRepoHook OldAccessTokenScope = "read:repo_hook" OldAccessTokenScopeAdminOrgHook OldAccessTokenScope = "admin:org_hook" OldAccessTokenScopeNotification OldAccessTokenScope = "notification" OldAccessTokenScopeUser OldAccessTokenScope = "user" OldAccessTokenScopeReadUser OldAccessTokenScope = "read:user" OldAccessTokenScopeUserEmail OldAccessTokenScope = "user:email" OldAccessTokenScopeUserFollow OldAccessTokenScope = "user:follow" OldAccessTokenScopeDeleteRepo OldAccessTokenScope = "delete_repo" OldAccessTokenScopePackage OldAccessTokenScope = "package" OldAccessTokenScopeWritePackage OldAccessTokenScope = "write:package" OldAccessTokenScopeReadPackage OldAccessTokenScope = "read:package" OldAccessTokenScopeDeletePackage OldAccessTokenScope = "delete:package" OldAccessTokenScopeAdminGPGKey OldAccessTokenScope = "admin:gpg_key" OldAccessTokenScopeWriteGPGKey OldAccessTokenScope = "write:gpg_key" OldAccessTokenScopeReadGPGKey OldAccessTokenScope = "read:gpg_key" OldAccessTokenScopeAdminApplication OldAccessTokenScope = "admin:application" OldAccessTokenScopeWriteApplication OldAccessTokenScope = "write:application" OldAccessTokenScopeReadApplication OldAccessTokenScope = "read:application" OldAccessTokenScopeSudo OldAccessTokenScope = "sudo" ) var accessTokenScopeMap = map[OldAccessTokenScope][]AccessTokenScope{ OldAccessTokenScopeAll: {AccessTokenScopeAll}, OldAccessTokenScopeRepo: {AccessTokenScopeWriteRepository}, OldAccessTokenScopeRepoStatus: {AccessTokenScopeWriteRepository}, OldAccessTokenScopePublicRepo: {AccessTokenScopePublicOnly, AccessTokenScopeWriteRepository}, OldAccessTokenScopeAdminOrg: {AccessTokenScopeWriteOrganization}, OldAccessTokenScopeWriteOrg: {AccessTokenScopeWriteOrganization}, OldAccessTokenScopeReadOrg: {AccessTokenScopeReadOrganization}, OldAccessTokenScopeAdminPublicKey: {AccessTokenScopeWriteUser}, OldAccessTokenScopeWritePublicKey: {AccessTokenScopeWriteUser}, OldAccessTokenScopeReadPublicKey: {AccessTokenScopeReadUser}, OldAccessTokenScopeAdminRepoHook: {AccessTokenScopeWriteRepository}, OldAccessTokenScopeWriteRepoHook: {AccessTokenScopeWriteRepository}, OldAccessTokenScopeReadRepoHook: {AccessTokenScopeReadRepository}, OldAccessTokenScopeAdminOrgHook: {AccessTokenScopeWriteOrganization}, OldAccessTokenScopeNotification: {AccessTokenScopeWriteNotification}, OldAccessTokenScopeUser: {AccessTokenScopeWriteUser}, OldAccessTokenScopeReadUser: {AccessTokenScopeReadUser}, OldAccessTokenScopeUserEmail: {AccessTokenScopeWriteUser}, OldAccessTokenScopeUserFollow: {AccessTokenScopeWriteUser}, OldAccessTokenScopeDeleteRepo: {AccessTokenScopeWriteRepository}, OldAccessTokenScopePackage: {AccessTokenScopeWritePackage}, OldAccessTokenScopeWritePackage: {AccessTokenScopeWritePackage}, OldAccessTokenScopeReadPackage: {AccessTokenScopeReadPackage}, OldAccessTokenScopeDeletePackage: {AccessTokenScopeWritePackage}, OldAccessTokenScopeAdminGPGKey: {AccessTokenScopeWriteUser}, OldAccessTokenScopeWriteGPGKey: {AccessTokenScopeWriteUser}, OldAccessTokenScopeReadGPGKey: {AccessTokenScopeReadUser}, OldAccessTokenScopeAdminApplication: {AccessTokenScopeWriteUser}, OldAccessTokenScopeWriteApplication: {AccessTokenScopeWriteUser}, OldAccessTokenScopeReadApplication: {AccessTokenScopeReadUser}, OldAccessTokenScopeSudo: {AccessTokenScopeWriteAdmin}, } type AccessToken struct { ID int64 `xorm:"pk autoincr"` Scope string } func ConvertScopedAccessTokens(x *xorm.Engine) error { var tokens []*AccessToken if err := x.Find(&tokens); err != nil { return err } for _, token := range tokens { var scopes []string allNewScopesMap := make(map[AccessTokenScope]bool) for _, oldScope := range strings.Split(token.Scope, ",") { if newScopes, exists := accessTokenScopeMap[OldAccessTokenScope(oldScope)]; exists { for _, newScope := range newScopes { allNewScopesMap[newScope] = true } } else { log.Debug("access token scope not recognized as old token scope %s; preserving it", oldScope) scopes = append(scopes, oldScope) } } for s := range allNewScopesMap { scopes = append(scopes, string(s)) } scope := AccessTokenScope(strings.Join(scopes, ",")) // normalize the scope normScope := scope.NormalizePreservingUnknown() token.Scope = string(normScope) // update the db entry with the new scope if _, err := x.Cols("scope").ID(token.ID).Update(token); err != nil { return err } } return nil }