										 |  |  | // Copyright 2024 The Forgejo Authors. All rights reserved. | 
					
						
							|  |  |  | // SPDX-License-Identifier: MIT | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | package artifactcache | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							|  |  |  | 	"crypto/hmac" | 
					
						
							|  |  |  | 	"crypto/sha256" | 
					
						
										 |  |  | 	"encoding/hex" | 
					
						
										 |  |  | 	"errors" | 
					
						
										 |  |  | 	"strconv" | 
					
						
							|  |  |  | 	"time" | 
					
						
										 |  |  | 
 | 
					
						
										 |  |  | 	"github.com/nektos/act/pkg/cacheproxy" | 
					
						
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
// ErrValidation is the sentinel error returned when run data fails
// validation. validateMac returns it for both a rejected timestamp and a
// MAC mismatch.
var ErrValidation = errors.New("validation error")
					
						
							|  |  |  | 
 | 
					
						
// validateMac authenticates rundata and returns the repository full name it
// vouches for.
//
// The timestamp is checked with validateAge first. An HMAC is then recomputed
// with computeMac from the handler secret, the repository full name, the run
// number and the timestamp, and compared against rundata.RepositoryMAC. Both
// failure modes return the same ErrValidation, so a caller cannot tell a
// rejected timestamp from a MAC mismatch.
//
// NOTE(review): validateAge sets no lower bound on the timestamp, so a valid
// MAC stays replayable until a maximum age is enforced (see the TODO below).
// NOTE(review): an empty h.secret would make the MAC computable by anyone;
// confirm the handler is never constructed without a secret.
func (h *Handler) validateMac(rundata cacheproxy.RunData) (string, error) {
	// TODO: allow configurable max age
	if fresh := validateAge(rundata.Timestamp); !fresh {
		return "", ErrValidation
	}

	want := []byte(computeMac(h.secret, rundata.RepositoryFullName, rundata.RunNumber, rundata.Timestamp))
	got := []byte(rundata.RepositoryMAC)
	// hmac.Equal compares without leaking timing information, so the check
	// does not reveal how much of the supplied MAC was correct.
	if !hmac.Equal(want, got) {
		return "", ErrValidation
	}
	return rundata.RepositoryFullName, nil
}
					
						
							|  |  |  | 
 | 
					
						
// validateAge reports whether ts is a base-10 Unix timestamp in seconds that
// is not later than the current time.
//
// Only unparsable and future values are rejected. There is no lower bound, so
// arbitrarily old (even negative) timestamps are accepted.
func validateAge(ts string) bool {
	issued, err := strconv.ParseInt(ts, 10, 64)
	return err == nil && issued <= time.Now().Unix()
}
					
						
							|  |  |  | 
 | 
					
						
// computeMac returns the lowercase hex encoding of HMAC-SHA256, keyed with
// secret, over the message repo + ">" + run + ">" + ts.
//
// NOTE(review): the ">" separator is not escaped, so the encoding is only
// unambiguous if no field can itself contain ">"; for example ("a>b", "c")
// and ("a", "b>c") produce the same message. Confirm that callers constrain
// repo and run, or move signer and verifier together to a length-prefixed
// encoding.
func computeMac(secret, repo, run, ts string) string {
	digest := hmac.New(sha256.New, []byte(secret))
	for _, part := range []string{repo, ">", run, ">", ts} {
		// hash.Hash documents that Write never returns an error.
		digest.Write([]byte(part))
	}
	return hex.EncodeToString(digest.Sum(nil))
}