Support scoped access tokens (#20908)

This PR adds the support for scopes of access tokens, mimicking the
design of GitHub OAuth scopes.

The changes of the core logic are in `models/auth` that `AccessToken`
struct will have a `Scope` field. The normalized (no duplication of
scope), comma-separated scope string will be stored in `access_token`
table in the database.
In `services/auth`, the scope will be stored in context, which will be
used by `reqToken` middleware in API calls. Only OAuth2 tokens will have
granular token scopes, while others like BasicAuth will default to scope
`all`.
A large amount of work happens in `routers/api/v1/api.go` and the
corresponding `tests/integration` tests, that is adding necessary scopes
to each of the API calls as they fit.


- [x] Add `Scope` field to `AccessToken`
- [x] Add access control to all API endpoints
- [x] Update frontend & backend for when creating tokens
- [x] Add a database migration for `scope` column (enable 'all' access
to past tokens)

I'm aiming to complete it before Gitea 1.19 release.

Fixes #4300

Author: harryzcy

docs/content/doc/developers/oauth2-provider.en-us.md

@@ -42,7 +42,41 @@ To use the Authorization Code Grant as a third party application it is required
 
 ## Scopes
 
-Currently Gitea does not support scopes (see [#4300](https://github.com/go-gitea/gitea/issues/4300)) and all third party applications will be granted access to all resources of the user and their organizations.
+Gitea supports the following scopes for tokens:
+
+| Name | Description |
+| ---- | ----------- |
+| **(no scope)** | Grants read-only access to public user profile and public repositories. |
+| **repo** | Full control over all repositories. |
+|     **repo:status** | Grants read/write access to commit status in all repositories. |
+|     **public_repo** | Grants read/write access to public repositories only. |
+| **admin:repo_hook** | Grants access to repository hooks of all repositories. This is included in the `repo` scope. |
+|     **write:repo_hook** | Grants read/write access to repository hooks |
+|     **read:repo_hook** | Grants read-only access to repository hooks |
+| **admin:org** | Grants full access to organization settings |
+|     **write:org** | Grants read/write access to organization settings |
+|     **read:org** | Grants read-only access to organization settings |
+| **admin:public_key** | Grants full access for managing public keys |
+|     **write:public_key** | Grant read/write access to public keys |
+|     **read:public_key** | Grant read-only access to public keys |
+| **admin:org_hook** | Grants full access to organizational-level hooks |
+| **notification** | Grants full access to notifications |
+| **user** | Grants full access to user profile info |
+|     **read:user** | Grants read access to user's profile |
+|     **user:email** | Grants read access to user's email addresses |
+|     **user:follow** | Grants access to follow/un-follow a user |
+| **delete_repo** | Grants access to delete repositories as an admin |
+| **package** | Grants full access to hosted packages |
+|     **write:package** | Grants read/write access to packages |
+|     **read:package** | Grants read access to packages |
+|     **delete:package** | Grants delete access to packages |
+| **admin:gpg_key** | Grants full access for managing GPG keys |
+|     **write:gpg_key** | Grants read/write access to GPG keys |
+|     **read:gpg_key** | Grants read-only access to GPG keys |
+| **admin:application** | Grants full access to manage applications |
+|     **write:application** | Grants read/write access for managing applications |
+|     **read:application** | Grants read access for managing applications |
+| **sudo** | Allows to perform actions as the site admin. |
 
 ## Client types
 

models/auth/token.go

@@ -65,6 +65,7 @@ type AccessToken struct {
 	TokenHash      string `xorm:"UNIQUE"` // sha256 of token
 	TokenSalt      string
 	TokenLastEight string `xorm:"INDEX token_last_eight"`
+	Scope          AccessTokenScope
 
 	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix       timeutil.TimeStamp `xorm:"INDEX updated"`

models/auth/token_scope.go

@@ -0,0 +1,251 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"fmt"
+	"strings"
+)
+
+// AccessTokenScope represents the scope for an access token.
+type AccessTokenScope string
+
+const (
+	AccessTokenScopeAll AccessTokenScope = "all"
+
+	AccessTokenScopeRepo       AccessTokenScope = "repo"
+	AccessTokenScopeRepoStatus AccessTokenScope = "repo:status"
+	AccessTokenScopePublicRepo AccessTokenScope = "public_repo"
+
+	AccessTokenScopeAdminOrg AccessTokenScope = "admin:org"
+	AccessTokenScopeWriteOrg AccessTokenScope = "write:org"
+	AccessTokenScopeReadOrg  AccessTokenScope = "read:org"
+
+	AccessTokenScopeAdminPublicKey AccessTokenScope = "admin:public_key"
+	AccessTokenScopeWritePublicKey AccessTokenScope = "write:public_key"
+	AccessTokenScopeReadPublicKey  AccessTokenScope = "read:public_key"
+
+	AccessTokenScopeAdminRepoHook AccessTokenScope = "admin:repo_hook"
+	AccessTokenScopeWriteRepoHook AccessTokenScope = "write:repo_hook"
+	AccessTokenScopeReadRepoHook  AccessTokenScope = "read:repo_hook"
+
+	AccessTokenScopeAdminOrgHook AccessTokenScope = "admin:org_hook"
+
+	AccessTokenScopeNotification AccessTokenScope = "notification"
+
+	AccessTokenScopeUser       AccessTokenScope = "user"
+	AccessTokenScopeReadUser   AccessTokenScope = "read:user"
+	AccessTokenScopeUserEmail  AccessTokenScope = "user:email"
+	AccessTokenScopeUserFollow AccessTokenScope = "user:follow"
+
+	AccessTokenScopeDeleteRepo AccessTokenScope = "delete_repo"
+
+	AccessTokenScopePackage       AccessTokenScope = "package"
+	AccessTokenScopeWritePackage  AccessTokenScope = "write:package"
+	AccessTokenScopeReadPackage   AccessTokenScope = "read:package"
+	AccessTokenScopeDeletePackage AccessTokenScope = "delete:package"
+
+	AccessTokenScopeAdminGPGKey AccessTokenScope = "admin:gpg_key"
+	AccessTokenScopeWriteGPGKey AccessTokenScope = "write:gpg_key"
+	AccessTokenScopeReadGPGKey  AccessTokenScope = "read:gpg_key"
+
+	AccessTokenScopeAdminApplication AccessTokenScope = "admin:application"
+	AccessTokenScopeWriteApplication AccessTokenScope = "write:application"
+	AccessTokenScopeReadApplication  AccessTokenScope = "read:application"
+
+	AccessTokenScopeSudo AccessTokenScope = "sudo"
+)
+
+// AccessTokenScopeBitmap represents a bitmap of access token scopes.
+type AccessTokenScopeBitmap uint64
+
+// Bitmap of each scope, including the child scopes.
+const (
+	// AccessTokenScopeAllBits is the bitmap of all access token scopes, except `sudo`.
+	AccessTokenScopeAllBits AccessTokenScopeBitmap = AccessTokenScopeRepoBits |
+		AccessTokenScopeAdminOrgBits | AccessTokenScopeAdminPublicKeyBits | AccessTokenScopeAdminOrgHookBits |
+		AccessTokenScopeNotificationBits | AccessTokenScopeUserBits | AccessTokenScopeDeleteRepoBits |
+		AccessTokenScopePackageBits | AccessTokenScopeAdminGPGKeyBits | AccessTokenScopeAdminApplicationBits
+
+	AccessTokenScopeRepoBits       AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeRepoStatusBits | AccessTokenScopePublicRepoBits | AccessTokenScopeAdminRepoHookBits
+	AccessTokenScopeRepoStatusBits AccessTokenScopeBitmap = 1 << iota
+	AccessTokenScopePublicRepoBits AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeAdminOrgBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeWriteOrgBits
+	AccessTokenScopeWriteOrgBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadOrgBits
+	AccessTokenScopeReadOrgBits  AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeAdminPublicKeyBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeWritePublicKeyBits
+	AccessTokenScopeWritePublicKeyBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadPublicKeyBits
+	AccessTokenScopeReadPublicKeyBits  AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeAdminRepoHookBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeWriteRepoHookBits
+	AccessTokenScopeWriteRepoHookBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadRepoHookBits
+	AccessTokenScopeReadRepoHookBits  AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeAdminOrgHookBits AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeNotificationBits AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeUserBits       AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadUserBits | AccessTokenScopeUserEmailBits | AccessTokenScopeUserFollowBits
+	AccessTokenScopeReadUserBits   AccessTokenScopeBitmap = 1 << iota
+	AccessTokenScopeUserEmailBits  AccessTokenScopeBitmap = 1 << iota
+	AccessTokenScopeUserFollowBits AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeDeleteRepoBits AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopePackageBits       AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeWritePackageBits | AccessTokenScopeDeletePackageBits
+	AccessTokenScopeWritePackageBits  AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadPackageBits
+	AccessTokenScopeReadPackageBits   AccessTokenScopeBitmap = 1 << iota
+	AccessTokenScopeDeletePackageBits AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeAdminGPGKeyBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeWriteGPGKeyBits
+	AccessTokenScopeWriteGPGKeyBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadGPGKeyBits
+	AccessTokenScopeReadGPGKeyBits  AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeAdminApplicationBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeWriteApplicationBits
+	AccessTokenScopeWriteApplicationBits AccessTokenScopeBitmap = 1<<iota | AccessTokenScopeReadApplicationBits
+	AccessTokenScopeReadApplicationBits  AccessTokenScopeBitmap = 1 << iota
+
+	AccessTokenScopeSudoBits AccessTokenScopeBitmap = 1 << iota
+
+	// The current implementation only supports up to 64 token scopes.
+	// If we need to support > 64 scopes,
+	// refactoring the whole implementation in this file (and only this file) is needed.
+)
+
+// allAccessTokenScopes contains all access token scopes.
+// The order is important: parent scope must precedes child scopes.
+var allAccessTokenScopes = []AccessTokenScope{
+	AccessTokenScopeRepo, AccessTokenScopeRepoStatus, AccessTokenScopePublicRepo,
+	AccessTokenScopeAdminOrg, AccessTokenScopeWriteOrg, AccessTokenScopeReadOrg,
+	AccessTokenScopeAdminPublicKey, AccessTokenScopeWritePublicKey, AccessTokenScopeReadPublicKey,
+	AccessTokenScopeAdminRepoHook, AccessTokenScopeWriteRepoHook, AccessTokenScopeReadRepoHook,
+	AccessTokenScopeAdminOrgHook,
+	AccessTokenScopeNotification,
+	AccessTokenScopeUser, AccessTokenScopeReadUser, AccessTokenScopeUserEmail, AccessTokenScopeUserFollow,
+	AccessTokenScopeDeleteRepo,
+	AccessTokenScopePackage, AccessTokenScopeWritePackage, AccessTokenScopeReadPackage, AccessTokenScopeDeletePackage,
+	AccessTokenScopeAdminGPGKey, AccessTokenScopeWriteGPGKey, AccessTokenScopeReadGPGKey,
+	AccessTokenScopeAdminApplication, AccessTokenScopeWriteApplication, AccessTokenScopeReadApplication,
+	AccessTokenScopeSudo,
+}
+
+// allAccessTokenScopeBits contains all access token scopes.
+var allAccessTokenScopeBits = map[AccessTokenScope]AccessTokenScopeBitmap{
+	AccessTokenScopeRepo:             AccessTokenScopeRepoBits,
+	AccessTokenScopeRepoStatus:       AccessTokenScopeRepoStatusBits,
+	AccessTokenScopePublicRepo:       AccessTokenScopePublicRepoBits,
+	AccessTokenScopeAdminOrg:         AccessTokenScopeAdminOrgBits,
+	AccessTokenScopeWriteOrg:         AccessTokenScopeWriteOrgBits,
+	AccessTokenScopeReadOrg:          AccessTokenScopeReadOrgBits,
+	AccessTokenScopeAdminPublicKey:   AccessTokenScopeAdminPublicKeyBits,
+	AccessTokenScopeWritePublicKey:   AccessTokenScopeWritePublicKeyBits,
+	AccessTokenScopeReadPublicKey:    AccessTokenScopeReadPublicKeyBits,
+	AccessTokenScopeAdminRepoHook:    AccessTokenScopeAdminRepoHookBits,
+	AccessTokenScopeWriteRepoHook:    AccessTokenScopeWriteRepoHookBits,
+	AccessTokenScopeReadRepoHook:     AccessTokenScopeReadRepoHookBits,
+	AccessTokenScopeAdminOrgHook:     AccessTokenScopeAdminOrgHookBits,
+	AccessTokenScopeNotification:     AccessTokenScopeNotificationBits,
+	AccessTokenScopeUser:             AccessTokenScopeUserBits,
+	AccessTokenScopeReadUser:         AccessTokenScopeReadUserBits,
+	AccessTokenScopeUserEmail:        AccessTokenScopeUserEmailBits,
+	AccessTokenScopeUserFollow:       AccessTokenScopeUserFollowBits,
+	AccessTokenScopeDeleteRepo:       AccessTokenScopeDeleteRepoBits,
+	AccessTokenScopePackage:          AccessTokenScopePackageBits,
+	AccessTokenScopeWritePackage:     AccessTokenScopeWritePackageBits,
+	AccessTokenScopeReadPackage:      AccessTokenScopeReadPackageBits,
+	AccessTokenScopeDeletePackage:    AccessTokenScopeDeletePackageBits,
+	AccessTokenScopeAdminGPGKey:      AccessTokenScopeAdminGPGKeyBits,
+	AccessTokenScopeWriteGPGKey:      AccessTokenScopeWriteGPGKeyBits,
+	AccessTokenScopeReadGPGKey:       AccessTokenScopeReadGPGKeyBits,
+	AccessTokenScopeAdminApplication: AccessTokenScopeAdminApplicationBits,
+	AccessTokenScopeWriteApplication: AccessTokenScopeWriteApplicationBits,
+	AccessTokenScopeReadApplication:  AccessTokenScopeReadApplicationBits,
+	AccessTokenScopeSudo:             AccessTokenScopeSudoBits,
+}
+
+// Parse parses the scope string into a bitmap, thus removing possible duplicates.
+func (s AccessTokenScope) Parse() (AccessTokenScopeBitmap, error) {
+	list := strings.Split(string(s), ",")
+
+	var bitmap AccessTokenScopeBitmap
+	for _, v := range list {
+		singleScope := AccessTokenScope(v)
+		if singleScope == "" {
+			continue
+		}
+		if singleScope == AccessTokenScopeAll {
+			bitmap |= AccessTokenScopeAllBits
+			continue
+		}
+
+		bits, ok := allAccessTokenScopeBits[singleScope]
+		if !ok {
+			return 0, fmt.Errorf("invalid access token scope: %s", singleScope)
+		}
+		bitmap |= bits
+	}
+	return bitmap, nil
+}
+
+// Normalize returns a normalized scope string without any duplicates.
+func (s AccessTokenScope) Normalize() (AccessTokenScope, error) {
+	bitmap, err := s.Parse()
+	if err != nil {
+		return "", err
+	}
+
+	return bitmap.ToScope(), nil
+}
+
+// HasScope returns true if the string has the given scope
+func (s AccessTokenScope) HasScope(scope AccessTokenScope) (bool, error) {
+	bitmap, err := s.Parse()
+	if err != nil {
+		return false, err
+	}
+
+	return bitmap.HasScope(scope)
+}
+
+// HasScope returns true if the string has the given scope
+func (bitmap AccessTokenScopeBitmap) HasScope(scope AccessTokenScope) (bool, error) {
+	expectedBits, ok := allAccessTokenScopeBits[scope]
+	if !ok {
+		return false, fmt.Errorf("invalid access token scope: %s", scope)
+	}
+
+	return bitmap&expectedBits == expectedBits, nil
+}
+
+// ToScope returns a normalized scope string without any duplicates.
+func (bitmap AccessTokenScopeBitmap) ToScope() AccessTokenScope {
+	var scopes []string
+
+	// iterate over all scopes, and reconstruct the bitmap
+	// if the reconstructed bitmap doesn't change, then the scope is already included
+	var reconstruct AccessTokenScopeBitmap
+
+	for _, singleScope := range allAccessTokenScopes {
+		// no need for error checking here, since we know the scope is valid
+		if ok, _ := bitmap.HasScope(singleScope); ok {
+			current := reconstruct | allAccessTokenScopeBits[singleScope]
+			if current == reconstruct {
+				continue
+			}
+
+			reconstruct = current
+			scopes = append(scopes, string(singleScope))
+		}
+	}
+
+	scope := AccessTokenScope(strings.Join(scopes, ","))
+	scope = AccessTokenScope(strings.ReplaceAll(
+		string(scope),
+		"repo,admin:org,admin:public_key,admin:org_hook,notification,user,delete_repo,package,admin:gpg_key,admin:application",
+		"all",
+	))
+	return scope
+}

models/auth/token_scope_test.go

@@ -0,0 +1,84 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAccessTokenScope_Normalize(t *testing.T) {
+	tests := []struct {
+		in  AccessTokenScope
+		out AccessTokenScope
+		err error
+	}{
+		{"", "", nil},
+		{"repo", "repo", nil},
+		{"repo,repo:status", "repo", nil},
+		{"repo,public_repo", "repo", nil},
+		{"admin:public_key,write:public_key", "admin:public_key", nil},
+		{"admin:public_key,read:public_key", "admin:public_key", nil},
+		{"write:public_key,read:public_key", "write:public_key", nil}, // read is include in write
+		{"admin:repo_hook,write:repo_hook", "admin:repo_hook", nil},
+		{"admin:repo_hook,read:repo_hook", "admin:repo_hook", nil},
+		{"repo,admin:repo_hook,read:repo_hook", "repo", nil}, // admin:repo_hook is a child scope of repo
+		{"repo,read:repo_hook", "repo", nil},                 // read:repo_hook is a child scope of repo
+		{"user", "user", nil},
+		{"user,read:user", "user", nil},
+		{"user,admin:org,write:org", "admin:org,user", nil},
+		{"admin:org,write:org,user", "admin:org,user", nil},
+		{"package", "package", nil},
+		{"package,write:package", "package", nil},
+		{"package,write:package,delete:package", "package", nil},
+		{"write:package,read:package", "write:package", nil},                  // read is include in write
+		{"write:package,delete:package", "write:package,delete:package", nil}, // write and delete are not include in each other
+		{"admin:gpg_key", "admin:gpg_key", nil},
+		{"admin:gpg_key,write:gpg_key", "admin:gpg_key", nil},
+		{"admin:gpg_key,write:gpg_key,user", "user,admin:gpg_key", nil},
+		{"admin:application,write:application,user", "user,admin:application", nil},
+		{"all", "all", nil},
+		{"repo,admin:org,admin:public_key,admin:repo_hook,admin:org_hook,notification,user,delete_repo,package,admin:gpg_key,admin:application", "all", nil},
+		{"repo,admin:org,admin:public_key,admin:repo_hook,admin:org_hook,notification,user,delete_repo,package,admin:gpg_key,admin:application,sudo", "all,sudo", nil},
+	}
+
+	for _, test := range tests {
+		t.Run(string(test.in), func(t *testing.T) {
+			scope, err := test.in.Normalize()
+			assert.Equal(t, test.out, scope)
+			assert.Equal(t, test.err, err)
+		})
+	}
+}
+
+func TestAccessTokenScope_HasScope(t *testing.T) {
+	tests := []struct {
+		in    AccessTokenScope
+		scope AccessTokenScope
+		out   bool
+		err   error
+	}{
+		{"repo", "repo", true, nil},
+		{"repo", "repo:status", true, nil},
+		{"repo", "public_repo", true, nil},
+		{"repo", "admin:org", false, nil},
+		{"repo", "admin:public_key", false, nil},
+		{"repo:status", "repo", false, nil},
+		{"repo:status", "public_repo", false, nil},
+		{"admin:org", "write:org", true, nil},
+		{"admin:org", "read:org", true, nil},
+		{"admin:org", "admin:org", true, nil},
+		{"user", "read:user", true, nil},
+		{"package", "write:package", true, nil},
+	}
+
+	for _, test := range tests {
+		t.Run(string(test.in), func(t *testing.T) {
+			scope, err := test.in.HasScope(test.scope)
+			assert.Equal(t, test.out, scope)
+			assert.Equal(t, test.err, err)
+		})
+	}
+}

models/migrations/migrations.go

@@ -451,6 +451,8 @@ var migrations = []Migration{
 	NewMigration("Drop ForeignReference table", v1_19.DropForeignReferenceTable),
 	// v238 -> v239
 	NewMigration("Add updated unix to LFSMetaObject", v1_19.AddUpdatedUnixToLFSMetaObject),
+	// v239 -> v240
+	NewMigration("Add scope for access_token", v1_19.AddScopeForAccessTokens),
 }
 
 // GetCurrentDBVersion returns the current db version