Add actions support to package auth verification

[yp05327]

Partly fixes #23642

Error info:

ActionsUser (userID -2) is used to login in to docker in action jobs.

Due to we have no permission policy settings of ActionsUser now, ActionsUser can only access public registry by this quick fix.

[yp05327]

I found that we already have a func called GetPossibleUserByID to handle both normal users and system users.

[KN4CK3R]

This will only work if you pull images from a public registry. And you can do that without auth. The action user will not pass permission checks.

[wxiaoguang]

This will only work if you pull images from a public registry. And you can do that without auth. The action user will not pass permission checks.

That's also an unclear question in my mind, how the "action" user works with permissions (or how it should work).

Is there any document?

[KN4CK3R]

open questions I asked in Discord:

the first question is if that task token should/could be used to access the package registry
if the answer is yes, we need a definition of who is the real user behind that task
is it the owner of the repo, the user which triggered the task?

And after that we may need to change how we use ctx.Doer. It's not clear to me where the actions user should be the doer or the real user.

[yp05327]

So GITEA_TOKEN needs to be run.TriggerUser's temporary token instead of task.Token?
So ctx.Doer needs to be github.actor or github.repository_owner?

[yp05327]

Team.Authorize and TeamUnit.AccessMode confused me.
It seems that we only have Team.Authorize before #17811, so maybe Team.Authorize is unnecessary now?
If it is unnecessary, maybe we need to do some changes to GetUserOrgsPermissions too.

gitea/routers/api/v1/org/org.go

Lines 105 to 169 in 6706ac2

	func GetUserOrgsPermissions(ctx *context.APIContext) {
	// swagger:operation GET /users/{username}/orgs/{org}/permissions organization orgGetUserPermissions
	// ---
	// summary: Get user permissions in organization
	// produces:
	// - application/json
	// parameters:
	// - name: username
	// in: path
	// description: username of user
	// type: string
	// required: true
	// - name: org
	// in: path
	// description: name of the organization
	// type: string
	// required: true
	// responses:
	// "200":
	// "$ref": "#/responses/OrganizationPermissions"
	// "403":
	// "$ref": "#/responses/forbidden"
	// "404":
	// "$ref": "#/responses/notFound"
	var o *user_model.User
	if o = user.GetUserByParamsName(ctx, ":org"); o == nil {
	return
	}
	op := api.OrganizationPermissions{}
	if !organization.HasOrgOrUserVisible(ctx, o, ctx.ContextUser) {
	ctx.NotFound("HasOrgOrUserVisible", nil)
	return
	}
	org := organization.OrgFromUser(o)
	authorizeLevel, err := org.GetOrgUserMaxAuthorizeLevel(ctx.ContextUser.ID)
	if err != nil {
	ctx.Error(http.StatusInternalServerError, "GetOrgUserAuthorizeLevel", err)
	return
	}
	if authorizeLevel > perm.AccessModeNone {
	op.CanRead = true
	}
	if authorizeLevel > perm.AccessModeRead {
	op.CanWrite = true
	}
	if authorizeLevel > perm.AccessModeWrite {
	op.IsAdmin = true
	}
	if authorizeLevel > perm.AccessModeAdmin {
	op.IsOwner = true
	}
	op.CanCreateRepository, err = org.CanCreateOrgRepo(ctx.ContextUser.ID)
	if err != nil {
	ctx.Error(http.StatusInternalServerError, "CanCreateOrgRepo", err)
	return
	}
	ctx.JSON(http.StatusOK, op)
	}

[yp05327]

So before this, we need to give permission conservatively. Maybe it is a good choice to keep actions bot user without any permission to packages.

I agree.
So is it okey to only allow action bot user pull images from public registry in this PR, and add TODO for the permission check of private registry?

[wolfogre]

So before this, we need to give permission conservatively. Maybe it is a good choice to keep actions bot user without any permission to packages.

I agree.
So is it okey to only allow action bot user pull images from public registry in this PR, and add TODO for the permission check of private registry?

👍🏻I believe this is the optimal solution at the moment

[yp05327]

Removed permission check in this PR, and added TODO in https://github.com/go-gitea/gitea/pull/23879/files#diff-af878eff8f52037e8272d864e1b4d7ace9935f2149f3ed60fcf49cb6be891355R95

[wolfogre]

Removed permission check in this PR, and added TODO in #23879 (files)

Please update the description of this PR. 😄

[yp05327]

Removed permission check in this PR, and added TODO in #23879 (files)

Please update the description of this PR. 😄

Done.

Maybe it is better to create a summary (tasks) for this problem? It seems that the discussion is in many different issues/PRs comments.