Gitea and multiple users

Hi,
please help me understand the drone/gitea integration: Is it possible to access the repositories of multiple gitea users from a single drone-server instance?

I’ve followed the installation instructions for gitea and have successfully created a new OAuth2 application in gitea. I successfully authorized drone and can now list all the repos of a single user on the command line.
… but how do I get the repositories of other users?

Looking at the drone server configuration, I find a single DRONE_GITEA_CLIENT_ID/DRONE_GITEA_CLIENT_SECRET configuration pair. And since on gitea-side, the OAuth2 configuration is done in the context of a single user, it doesn’t seem possible to access repositories of other users.

Is this a restriction of the drone/gitea combination or am I missing something?

omg, I figured it out.

My problem has nothing to do with gitea/oauth2/users/… The problem is that drone user add -token <token> <user> doesn’t properly handle the <token> value (see here for details, thank you user cu2)

A bit of background: I’m setting up a small devops playground with gitea and drone. I want to deploy pre-configured gitea and drone instances to demonstrate some basic ci/cd principles.
For this I created during the build of my drone docker image some users with the cli tool and authorized them in gitea with some curl calls. I was never able to see their repositories, because the user creation via the cli tool messes up the passed token.

So the solution is a bit hacky. I’m not creating any users via the command line but let them be created indirectly: The curl calls to authorize drone in gitea will automatically create the drone users. I then do a select on the sqlite database to get the actual token.


Still this question arises.

We would like to connect a Drone instance to a Gitea instance as well. According to the docs we still need to create an OAuth Application for the client ID and secret. But applications still need to be added per user. This implies the Drone container config to be tied to one specific Gitea user account, as far as I understand.

Is there a way to connect the Drone instance to the Gitea instance in a user-agnostic way?

@mcnesium did you ever figure this out? I had the same question.

I don’t have enough rep here to post screenshots, so I’ve copied this whole post and added screenshots at Gitea and Multiple Users · GitHub.

Since you must have DRONE_GITEA_CLIENT_ID/DRONE_GITEA_CLIENT_SECRET, and Gitea only allows OAuth to be attached to users, I solved it by creating a puppet ci-admin account in Gitea. My deployment script scrambles and throws away its password once finished, and marks ci-admin as non-admin and unable to log in. Within that account’s settings you can see the connection to Drone.

The result is when someone logs in they see a prompt “Authorize Application (created by @ci-admin)”.

If they click the “@ci-admin” link they see a profile page hopefully explaining what the dummy account is there for.

And yes anyone logging in with this can access all their own repositories, even while ci-admin cannot.

The OAuth for sign-in has nothing to do with the OAuth for repositories. When someone signs in to Drone via Gitea, Gitea sends an OAuth token to Drone that grants access to whatever the signing in user can see.

If I (re-enable sign-in and) sign in as ci-admin I see nothing. In fact, if I poke around in sqlite3 /var/lib/drone/database.sqlite I can see that ci-admin doesn’t even normally have an OAuth token stored, since no one ever logs in through the web sign-in flow so Gitea never grants one.

I suppose, in theory, a malicious user could deploy a modified Drone that relays all the OAuth tokens to them. That’s the risk people take whenever they click that big red “Authorize Application” button. But Drone as it exists protects those credentials.

tl;dr: make a dummy user in Gitea and generate the OAuth credentials there.
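
A read-only check for the setup described in the post above, as an added example that is not part of the original thread or Drone's own code: it confirms that the dummy account owning the OAuth application holds no stored token and is not a Drone admin, and lists which logins do hold tokens without ever returning token values. The `users` table and its `user_login`, `user_admin` and `user_oauth_token` columns are assumed from Drone 1.x's SQLite schema; `audit_drone_users` and `build_sample_db` are hypothetical names.

```python
import sqlite3

# Assumption: Drone 1.x SQLite schema with a `users` table holding
# user_login, user_admin and user_oauth_token. Check your own database first.
SERVICE_LOGIN = "ci-admin"  # the dummy Gitea account from the post


def audit_drone_users(conn, service_login=SERVICE_LOGIN):
    """Report on the OAuth-app owner account; token values are never selected."""
    rows = conn.execute(
        "SELECT user_login, user_admin, "
        "       COALESCE(user_oauth_token, '') <> '' AS has_token "
        "FROM users ORDER BY user_login"
    ).fetchall()
    findings = []
    for login, is_admin, has_token in rows:
        if login.lower() != service_login.lower():
            continue
        if has_token:
            # A token only appears once someone completes web sign-in as this user.
            findings.append(f"{login} has a stored OAuth token: someone signed in as it")
        if is_admin:
            findings.append(f"{login} is a Drone admin")
    with_tokens = [login for login, _, has_token in rows if has_token]
    return {"findings": findings, "users_with_tokens": with_tokens}


def build_sample_db():
    """Constructed sample data, not taken from a real Drone instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_login TEXT COLLATE NOCASE, "
        "user_admin BOOLEAN, user_oauth_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", 1, "constructed-token-a"),
         ("bob", 0, "constructed-token-b"),
         ("ci-admin", 0, None)],
    )
    return conn


if __name__ == "__main__":
    # On a real server, open the file read-only instead:
    # sqlite3.connect("file:/var/lib/drone/database.sqlite?mode=ro", uri=True)
    print(audit_drone_users(build_sample_db()))
```

An empty `findings` list matches the state the post describes; the check works the same if Drone stores tokens encrypted, since it only tests whether the column is non-empty.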