Add temporary authentication via environment variables (#639)

#633

Co-authored-by: Tim Riedl <mail@tim-riedl.de>
Co-authored-by: techknowlogick <techknowlogick@noreply.gitea.com>
Co-authored-by: Lunny Xiao <lunny@noreply.gitea.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/tea/pulls/639
Co-authored-by: Tim Riedl <uvulpos@noreply.gitea.com>
Co-committed-by: Tim Riedl <uvulpos@noreply.gitea.com>
This commit is contained in:
Tim Riedl
2025-08-11 18:53:09 +00:00
committed by techknowlogick
parent 449b2e3117
commit d2ccead88b
3 changed files with 98 additions and 17 deletions

View File

@ -9,7 +9,9 @@ import (
"log"
"os"
"path"
"strconv"
"strings"
"time"
"code.gitea.io/sdk/gitea"
"code.gitea.io/tea/modules/config"
@ -20,9 +22,7 @@ import (
"github.com/urfave/cli/v3"
)
var (
errNotAGiteaRepo = errors.New("No Gitea login found. You might want to specify --repo (and --login) to work outside of a repository")
)
var errNotAGiteaRepo = errors.New("No Gitea login found. You might want to specify --repo (and --login) to work outside of a repository")
// TeaContext contains all context derived during command initialization and wraps cli.Context
type TeaContext struct {
@ -125,6 +125,16 @@ func InitCommand(cmd *cli.Command) *TeaContext {
c.RepoSlug = repoFlag
}
// override config user with env variable
envLogin := GetLoginByEnvVar()
if envLogin != nil {
_, err := utils.ValidateAuthenticationMethod(envLogin.URL, envLogin.Token, "", "", false, "", "")
if err != nil {
log.Fatal(err.Error())
}
c.Login = envLogin
}
// override login from flag, or use default login if repo based detection failed
if len(loginFlag) != 0 {
c.Login = config.GetLoginByName(loginFlag)
@ -230,3 +240,40 @@ func contextFromLocalRepo(repoPath, remoteValue string) (*git.TeaRepo, *config.L
return repo, nil, "", errNotAGiteaRepo
}
// GetLoginByEnvVar returns a login based on environment variables, or nil if no login can be created
func GetLoginByEnvVar() *config.Login {
var token string
giteaToken := os.Getenv("GITEA_TOKEN")
githubToken := os.Getenv("GH_TOKEN")
giteaInstanceURL := os.Getenv("GITEA_INSTANCE_URL")
instanceInsecure := os.Getenv("GITEA_INSTANCE_INSECURE")
insecure := false
if len(instanceInsecure) > 0 {
insecure, _ = strconv.ParseBool(instanceInsecure)
}
// if no tokens are set, or no instance url for gitea fail fast
if len(giteaInstanceURL) == 0 || (len(giteaToken) == 0 && len(githubToken) == 0) {
return nil
}
token = giteaToken
if len(giteaToken) == 0 {
token = githubToken
}
return &config.Login{
Name: "GITEA_LOGIN_VIA_ENV",
URL: giteaInstanceURL,
Token: token,
Insecure: insecure,
SSHKey: "",
SSHCertPrincipal: "",
SSHKeyFingerprint: "",
SSHAgent: false,
Created: time.Now().Unix(),
VersionCheck: false,
}
}

View File

@ -63,21 +63,17 @@ func CreateLogin(name, token, user, passwd, otp, scopes, sshKey, giteaURL, sshCe
return fmt.Errorf("token already been used, delete login '%s' first", login.Name)
}
if !sshAgent && sshCertPrincipal == "" && sshKey == "" {
// .. if we have enough information to authenticate
if len(token) == 0 && (len(user)+len(passwd)) == 0 {
return fmt.Errorf("No token set")
} else if len(user) != 0 && len(passwd) == 0 {
return fmt.Errorf("No password set")
} else if len(user) == 0 && len(passwd) != 0 {
return fmt.Errorf("No user set")
}
}
// Normalize URL
serverURL, err := utils.NormalizeURL(giteaURL)
serverURL, err := utils.ValidateAuthenticationMethod(
giteaURL,
token,
user,
passwd,
sshAgent,
sshKey,
sshCertPrincipal,
)
if err != nil {
return fmt.Errorf("Unable to parse URL: %s", err)
return err
}
// check if it's a certificate the principal doesn't matter as the user

38
modules/utils/validate.go Normal file
View File

@ -0,0 +1,38 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package utils
import (
"fmt"
"net/url"
)
// ValidateAuthenticationMethod checks the provided authentication method parameters
func ValidateAuthenticationMethod(
giteaURL string,
token string,
user string,
passwd string,
sshAgent bool,
sshKey string,
sshCertPrincipal string,
) (*url.URL, error) {
// Normalize URL
serverURL, err := NormalizeURL(giteaURL)
if err != nil {
return nil, fmt.Errorf("Unable to parse URL: %s", err)
}
if !sshAgent && sshCertPrincipal == "" && sshKey == "" {
// .. if we have enough information to authenticate
if len(token) == 0 && (len(user)+len(passwd)) == 0 {
return nil, fmt.Errorf("No token set")
} else if len(user) != 0 && len(passwd) == 0 {
return nil, fmt.Errorf("No password set")
} else if len(user) == 0 && len(passwd) != 0 {
return nil, fmt.Errorf("No user set")
}
}
return serverURL, nil
}