fix: partial secure cache

2025-08-31 18:30:58 +00:00 · 2024-11-21 22:49:12 +01:00 · 2024-11-21 22:49:12 +01:00 · 1082b31367
commit 1082b31367
parent ea79e3de41
6 changed files with 143 additions and 31 deletions
--- a/act/artifactcache/mac.go
+++ b/act/artifactcache/mac.go
@ -0,0 +1,41 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"errors"
+	"hash"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+var (
+	ErrValidation   = errors.New("repo validation error")
+	cachePrefixPath = "repo:/run:/time:/mac:/"
+)
+
+func (h *Handler) validateMac(params httprouter.Params) (string, error) {
+	repo := params.ByName("repo")
+	run := params.ByName("run")
+	time := params.ByName("time")
+	messageMAC := params.ByName("mac")
+
+	mac := computeMac(h.secret, repo, run, time)
+	expectedMAC := mac.Sum(nil)
+
+	if hmac.Equal([]byte(messageMAC), expectedMAC) {
+		return repo, nil
+	}
+	return repo, ErrValidation
+}
+
+func computeMac(key, repo, run, time string) hash.Hash {
+	mac := hmac.New(sha256.New, []byte(key))
+	mac.Write([]byte(repo))
+	mac.Write([]byte(run))
+	mac.Write([]byte(time))
+	return mac
+}