feat(cli): allow updates to runners' secrets

This commit allows the `forgejo-cli actions register` command to change an existing runner's secret, as discussed in #4610. It refactors `RegisterRunner` to extract the code that hashes the token, moving this code to a method called `UpdateSecret` on `ActionRunner`. A test for the method has been added. The `RegisterRunner` function is updated so that: - it relies on `ActionRunner.UpdateSecret` when creating new runners, - it checks whether an existing runner's secret still matches the one passed on the command line, - it updates the runner's secret if it wasn't created and it no longer matches. A test has been added for the new behaviour.
2025-06-01 04:12:10 +00:00 · 2024-07-22 11:55:43 +02:00 · 2024-07-22 11:55:43 +02:00 · 320ab7ed7f
commit 320ab7ed7f
parent fdb1874ada
4 changed files with 88 additions and 12 deletions
--- a/models/actions/forgejo_test.go
+++ b/models/actions/forgejo_test.go
@ -11,6 +11,7 @@ import (
 	"code.gitea.io/gitea/models/unittest"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestActions_RegisterRunner_Token(t *testing.T) {
@ -28,6 +29,36 @@ func TestActions_RegisterRunner_Token(t *testing.T) {
 	assert.EqualValues(t, 1, subtle.ConstantTimeCompare([]byte(runner.TokenHash), []byte(auth_model.HashToken(token, runner.TokenSalt))), "the token cannot be verified with the same method as routers/api/actions/runner/interceptor.go as of 8228751c55d6a4263f0fec2932ca16181c09c97d")
 }

+// TestActions_RegisterRunner_TokenUpdate tests that a token's secret is updated
+// when a runner already exists and RegisterRunner is called with a token
+// parameter whose first 16 bytes match that record but where the last 24 bytes
+// do not match.
+func TestActions_RegisterRunner_TokenUpdate(t *testing.T) {
+	const recordID = 12345678
+	oldToken := "7e577e577e577e57feedfacefeedfacefeedface"
+	newToken := "7e577e577e577e57deadbeefdeadbeefdeadbeef"
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	before := unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: recordID})
+	require.Equal(t,
+		before.TokenHash, auth_model.HashToken(oldToken, before.TokenSalt),
+		"the initial token should match the runner's secret",
+	)
+
+	RegisterRunner(db.DefaultContext, before.OwnerID, before.RepoID, newToken, nil, before.Name, before.Version)
+
+	after := unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: recordID})
+
+	assert.Equal(t, before.UUID, after.UUID)
+	assert.NotEqual(t,
+		after.TokenHash, auth_model.HashToken(oldToken, after.TokenSalt),
+		"the old token can still be verified",
+	)
+	assert.Equal(t,
+		after.TokenHash, auth_model.HashToken(newToken, after.TokenSalt),
+		"the new token cannot be verified",
+	)
+}
+
 func TestActions_RegisterRunner_CreateWithLabels(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	ownerID := int64(0)