Refactor LFS SSH and internal routers (#32473)

Gitea instance keeps reporting a lot of errors like "LFS SSH transfer connection denied, pure SSH protocol is disabled". When starting debugging the problem, there are more problems found. Try to address most of them: * avoid unnecessary server side error logs (change `fail()` to not log them) * figure out the broken tests/user2/lfs.git (added comments) * avoid `migratePushMirrors` failure when a repository doesn't exist (ignore them) * avoid "Authorization" (internal&lfs) header conflicts, remove the tricky "swapAuth" and use "X-Gitea-Internal-Auth" * make internal token comparing constant time (it wasn't a serous problem because in a real world it's nearly impossible to timing-attack the token, but good to fix and backport) * avoid duplicate routers (introduce AddOwnerRepoGitLFSRoutes) * avoid "internal (private)" routes using session/web context (they should use private context) * fix incorrect "path" usages (use "filepath") * fix incorrect mocked route point handling (need to check func nil correctly) * split some tests from "git general tests" to "git misc tests" (to keep "git_general_test.go" simple) Still no correct result for Git LFS SSH tests. So the code is kept there (`tests/integration/git_lfs_ssh_test.go`) and a FIXME explains the details.
2024-11-12 10:38:22 +08:00 · 2024-11-12 10:38:22 +08:00 · 580e21dd2e
commit 580e21dd2e
parent f35e2b0cd1
17 changed files with 376 additions and 264 deletions
--- a/tests/integration/git_lfs_ssh_test.go
+++ b/tests/integration/git_lfs_ssh_test.go
@ -0,0 +1,61 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/url"
+	"sync"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/routers/private"
+	"code.gitea.io/gitea/services/context"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGitLFSSSH(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		dstPath := t.TempDir()
+		apiTestContext := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+
+		var mu sync.Mutex
+		var routerCalls []string
+		web.RouteMock(private.RouterMockPointInternalLFS, func(ctx *context.PrivateContext) {
+			mu.Lock()
+			routerCalls = append(routerCalls, ctx.Req.Method+" "+ctx.Req.URL.Path)
+			mu.Unlock()
+		})
+
+		withKeyFile(t, "my-testing-key", func(keyFile string) {
+			t.Run("CreateUserKey", doAPICreateUserKey(apiTestContext, "test-key", keyFile))
+			cloneURL := createSSHUrl(apiTestContext.GitPath(), u)
+			t.Run("Clone", doGitClone(dstPath, cloneURL))
+
+			cfg, err := setting.CfgProvider.PrepareSaving()
+			require.NoError(t, err)
+			cfg.Section("server").Key("LFS_ALLOW_PURE_SSH").SetValue("true")
+			setting.LFS.AllowPureSSH = true
+			require.NoError(t, cfg.Save())
+
+			// do LFS SSH transfer?
+			lfsCommitAndPushTest(t, dstPath, 10)
+		})
+
+		// FIXME: Here we only see the following calls, but actually there should be calls to "PUT"?
+		// 0 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
+		// 1 = {string} "POST /api/internal/repo/user2/repo1.git/info/lfs/objects/batch"
+		// 2 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
+		// 3 = {string} "POST /api/internal/repo/user2/repo1.git/info/lfs/locks"
+		// 4 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
+		// 5 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
+		// 6 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
+		// 7 = {string} "POST /api/internal/repo/user2/repo1.git/info/lfs/locks/24/unlock"
+		assert.NotEmpty(t, routerCalls)
+		// assert.Contains(t, routerCalls, "PUT /api/internal/repo/user2/repo1.git/info/lfs/objects/....")
+	})
+}