fix

Author: wxiaoguang

routers/common/lfs.go

@@ -10,6 +10,8 @@ import (
 	"code.gitea.io/gitea/services/lfs"
 )
 
+const RouterMockPointCommonLFS = "common-lfs"
+
 func AddOwnerRepoGitLFSRoutes(m *web.Router, middlewares ...any) {
 	// shared by web and internal routers
 	m.Group("/{username}/{reponame}/info/lfs", func() {
@@ -25,5 +27,5 @@ func AddOwnerRepoGitLFSRoutes(m *web.Router, middlewares ...any) {
 			m.Post("/{lid}/unlock", lfs.UnLockHandler)
 		}, lfs.CheckAcceptMediaType)
 		m.Any("/*", http.NotFound)
-	}, middlewares...)
+	}, append([]any{web.RouterMockPoint(RouterMockPointCommonLFS)}, middlewares...)...)
 }

routers/private/internal.go

@@ -20,8 +20,6 @@ import (
 	chi_middleware "github.com/go-chi/chi/v5/middleware"
 )
 
-const RouterMockPointInternalLFS = "internal-lfs"
-
 func authInternal(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		if setting.InternalToken == "" {
@@ -87,10 +85,11 @@ func Routes() *web.Router {
 
 	r.Group("/repo", func() {
 		// FIXME: it is not right to use context.Contexter here because all routes here should use PrivateContext
+		// Fortunately, the LFS handlers are able to handle requests without a complete web context
 		common.AddOwnerRepoGitLFSRoutes(r, func(ctx *context.PrivateContext) {
 			webContext := &context.Context{Base: ctx.Base}
 			ctx.AppendContextValue(context.WebContextKey, webContext)
-		}, web.RouterMockPoint(RouterMockPointInternalLFS))
+		})
 	})
 
 	return r

routers/web/auth/oauth2_provider.go

@@ -91,7 +91,7 @@ type userInfoResponse struct {
 // InfoOAuth manages request for userinfo endpoint
 func InfoOAuth(ctx *context.Context) {
 	if ctx.Doer == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() {
-		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
+		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm="Gitea OAuth2"`)
 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
 		return
 	}
@@ -136,7 +136,7 @@ func IntrospectOAuth(ctx *context.Context) {
 		clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret))
 	}
 	if !clientIDValid {
-		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm=""`)
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea OAuth2"`)
 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
 		return
 	}

services/context/base.go

@@ -30,6 +30,10 @@ type contextValuePair struct {
 	valueFn func() any
 }
 
+type BaseContextKeyType struct{}
+
+var BaseContextKey BaseContextKeyType
+
 type Base struct {
 	originCtx     context.Context
 	contextValues []contextValuePair
@@ -315,6 +319,7 @@ func NewBaseContext(resp http.ResponseWriter, req *http.Request) (b *Base, close
 		Data:      middleware.GetContextData(req.Context()),
 	}
 	b.Req = b.Req.WithContext(b)
+	b.AppendContextValue(BaseContextKey, b)
 	b.AppendContextValue(translation.ContextKey, b.Locale)
 	b.AppendContextValue(httplib.RequestContextKey, b.Req)
 	return b, b.cleanUp

services/context/context.go

@@ -65,6 +65,9 @@ type Context struct {
 type TemplateContext map[string]any
 
 func init() {
+	web.RegisterResponseStatusProvider[*Base](func(req *http.Request) web_types.ResponseStatusProvider {
+		return req.Context().Value(BaseContextKey).(*Base)
+	})
 	web.RegisterResponseStatusProvider[*Context](func(req *http.Request) web_types.ResponseStatusProvider {
 		return req.Context().Value(WebContextKey).(*Context)
 	})

services/lfs/locks.go

@@ -51,7 +51,7 @@ func GetListLockHandler(ctx *context.Context) {
 	repository, err := repo_model.GetRepositoryByOwnerAndName(ctx, rv.User, rv.Repo)
 	if err != nil {
 		log.Debug("Could not find repository: %s/%s - %s", rv.User, rv.Repo, err)
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have pull access to list locks",
 		})
@@ -66,7 +66,7 @@ func GetListLockHandler(ctx *context.Context) {
 
 	authenticated := authenticate(ctx, repository, rv.Authorization, true, false)
 	if !authenticated {
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have pull access to list locks",
 		})
@@ -143,7 +143,7 @@ func PostLockHandler(ctx *context.Context) {
 	repository, err := repo_model.GetRepositoryByOwnerAndName(ctx, userName, repoName)
 	if err != nil {
 		log.Error("Unable to get repository: %s/%s Error: %v", userName, repoName, err)
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have push access to create locks",
 		})
@@ -158,7 +158,7 @@ func PostLockHandler(ctx *context.Context) {
 
 	authenticated := authenticate(ctx, repository, authorization, true, true)
 	if !authenticated {
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have push access to create locks",
 		})
@@ -191,7 +191,7 @@ func PostLockHandler(ctx *context.Context) {
 			return
 		}
 		if git_model.IsErrLFSUnauthorizedAction(err) {
-			ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+			ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 			ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 				Message: "You must have push access to create locks : " + err.Error(),
 			})
@@ -215,7 +215,7 @@ func VerifyLockHandler(ctx *context.Context) {
 	repository, err := repo_model.GetRepositoryByOwnerAndName(ctx, userName, repoName)
 	if err != nil {
 		log.Error("Unable to get repository: %s/%s Error: %v", userName, repoName, err)
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have push access to verify locks",
 		})
@@ -230,7 +230,7 @@ func VerifyLockHandler(ctx *context.Context) {
 
 	authenticated := authenticate(ctx, repository, authorization, true, true)
 	if !authenticated {
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have push access to verify locks",
 		})
@@ -286,7 +286,7 @@ func UnLockHandler(ctx *context.Context) {
 	repository, err := repo_model.GetRepositoryByOwnerAndName(ctx, userName, repoName)
 	if err != nil {
 		log.Error("Unable to get repository: %s/%s Error: %v", userName, repoName, err)
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have push access to delete locks",
 		})
@@ -301,7 +301,7 @@ func UnLockHandler(ctx *context.Context) {
 
 	authenticated := authenticate(ctx, repository, authorization, true, true)
 	if !authenticated {
-		ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+		ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 		ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 			Message: "You must have push access to delete locks",
 		})
@@ -324,7 +324,7 @@ func UnLockHandler(ctx *context.Context) {
 	lock, err := git_model.DeleteLFSLockByID(ctx, ctx.PathParamInt64("lid"), repository, ctx.Doer, req.Force)
 	if err != nil {
 		if git_model.IsErrLFSUnauthorizedAction(err) {
-			ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+			ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 			ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
 				Message: "You must have push access to delete locks : " + err.Error(),
 			})

services/lfs/server.go

@@ -21,7 +21,7 @@ import (
 	actions_model "code.gitea.io/gitea/models/actions"
 	auth_model "code.gitea.io/gitea/models/auth"
 	git_model "code.gitea.io/gitea/models/git"
-	"code.gitea.io/gitea/models/perm"
+	perm_model "code.gitea.io/gitea/models/perm"
 	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
@@ -77,7 +77,7 @@ func CheckAcceptMediaType(ctx *context.Context) {
 	}
 }
 
-var rangeHeaderRegexp = regexp.MustCompile(`bytes=(\d+)\-(\d*).*`)
+var rangeHeaderRegexp = regexp.MustCompile(`bytes=(\d+)-(\d*).*`)
 
 // DownloadHandler gets the content from the content store
 func DownloadHandler(ctx *context.Context) {
@@ -507,11 +507,11 @@ func writeStatusMessage(ctx *context.Context, status int, message string) {
 }
 
 // authenticate uses the authorization string to determine whether
-// or not to proceed. This server assumes an HTTP Basic auth format.
+// to proceed. This server assumes an HTTP Basic auth format.
 func authenticate(ctx *context.Context, repository *repo_model.Repository, authorization string, requireSigned, requireWrite bool) bool {
-	accessMode := perm.AccessModeRead
+	accessMode := perm_model.AccessModeRead
 	if requireWrite {
-		accessMode = perm.AccessModeWrite
+		accessMode = perm_model.AccessModeWrite
 	}
 
 	if ctx.Data["IsActionsToken"] == true {
@@ -526,9 +526,9 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 		}
 
 		if task.IsForkPullRequest {
-			return accessMode <= perm.AccessModeRead
+			return accessMode <= perm_model.AccessModeRead
 		}
-		return accessMode <= perm.AccessModeWrite
+		return accessMode <= perm_model.AccessModeWrite
 	}
 
 	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
@@ -553,7 +553,7 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 	return true
 }
 
-func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repository, mode perm.AccessMode) (*user_model.User, error) {
+func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repository, mode perm_model.AccessMode) (*user_model.User, error) {
 	if !strings.Contains(tokenSHA, ".") {
 		return nil, nil
 	}
@@ -576,7 +576,7 @@ func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repo
 		return nil, fmt.Errorf("invalid token claim")
 	}
 
-	if mode == perm.AccessModeWrite && claims.Op != "upload" {
+	if mode == perm_model.AccessModeWrite && claims.Op != "upload" {
 		return nil, fmt.Errorf("invalid token claim")
 	}
 
@@ -588,7 +588,7 @@ func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repo
 	return u, nil
 }
 
-func parseToken(ctx stdCtx.Context, authorization string, target *repo_model.Repository, mode perm.AccessMode) (*user_model.User, error) {
+func parseToken(ctx stdCtx.Context, authorization string, target *repo_model.Repository, mode perm_model.AccessMode) (*user_model.User, error) {
 	if authorization == "" {
 		return nil, fmt.Errorf("no token")
 	}
@@ -608,6 +608,6 @@ func parseToken(ctx stdCtx.Context, authorization string, target *repo_model.Rep
 }
 
 func requireAuth(ctx *context.Context) {
-	ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+	ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="gitea-lfs"`)
 	writeStatus(ctx, http.StatusUnauthorized)
 }

tests/integration/git_lfs_ssh_test.go

@@ -4,14 +4,18 @@
 package integration
 
 import (
+	gocontext "context"
 	"net/url"
+	"slices"
+	"strings"
 	"sync"
 	"testing"
 
 	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web"
-	"code.gitea.io/gitea/routers/private"
+	"code.gitea.io/gitea/routers/common"
 	"code.gitea.io/gitea/services/context"
 
 	"github.com/stretchr/testify/assert"
@@ -25,7 +29,7 @@ func TestGitLFSSSH(t *testing.T) {
 
 		var mu sync.Mutex
 		var routerCalls []string
-		web.RouteMock(private.RouterMockPointInternalLFS, func(ctx *context.PrivateContext) {
+		web.RouteMock(common.RouterMockPointCommonLFS, func(ctx *context.Base) {
 			mu.Lock()
 			routerCalls = append(routerCalls, ctx.Req.Method+" "+ctx.Req.URL.Path)
 			mu.Unlock()
@@ -42,20 +46,18 @@ func TestGitLFSSSH(t *testing.T) {
 			setting.LFS.AllowPureSSH = true
 			require.NoError(t, cfg.Save())
 
-			// do LFS SSH transfer?
+			_, _, cmdErr := git.NewCommand(gocontext.Background(), "config", "lfs.sshtransfer", "always").RunStdString(&git.RunOpts{Dir: dstPath})
+			assert.NoError(t, cmdErr)
 			lfsCommitAndPushTest(t, dstPath, 10)
 		})
 
-		// FIXME: Here we only see the following calls, but actually there should be calls to "PUT"?
-		// 0 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
-		// 1 = {string} "POST /api/internal/repo/user2/repo1.git/info/lfs/objects/batch"
-		// 2 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
-		// 3 = {string} "POST /api/internal/repo/user2/repo1.git/info/lfs/locks"
-		// 4 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
-		// 5 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
-		// 6 = {string} "GET /api/internal/repo/user2/repo1.git/info/lfs/locks"
-		// 7 = {string} "POST /api/internal/repo/user2/repo1.git/info/lfs/locks/24/unlock"
-		assert.NotEmpty(t, routerCalls)
-		// assert.Contains(t, routerCalls, "PUT /api/internal/repo/user2/repo1.git/info/lfs/objects/....")
+		countBatch := slices.ContainsFunc(routerCalls, func(s string) bool {
+			return strings.Contains(s, "POST /api/internal/repo/user2/repo1.git/info/lfs/objects/batch")
+		})
+		countUpload := slices.ContainsFunc(routerCalls, func(s string) bool {
+			return strings.Contains(s, "PUT /user2/repo1.git/info/lfs/objects/")
+		})
+		assert.NotZero(t, countBatch)
+		assert.NotZero(t, countUpload)
 	})
 }