allow the actions user to login via the jwt token

The format of the env var `ACTIONS_RUNTIME_TOKEN` in actions jobs changed with
/pull/28885 to be a JWT. Since it was a JWT, the OAuth
parsing logic attempted to parse it as an OAuth token, and would
return user not found, instead of falling back to look up the running
task and assigning it to the actions user.

This restores that functionality by parsing Actions JWTs first, and
then attempting to parse OAUTH JWTs. The code to parse potential old
`ACTION_RUNTIME_TOKEN` was kept in case someone is running an older
version of act_runner that doesn't support the Actions JWT.

Author: bohde

services/auth/oauth2.go

@@ -6,6 +6,7 @@ package auth
 
 import (
 	"context"
+	"errors"
 	"net/http"
 	"strings"
 	"time"
@@ -16,7 +17,9 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/services/oauth2_provider"
 )
 
@@ -131,6 +134,40 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
 	return t.UID
 }
 
+// parseActionJWT identifies actions runner JWTs that look like an
+// OAuth token, but needs to be parsed by its code
+func parseActionsJWT(req *http.Request, store DataStore) (*user_model.User, error) {
+	taskID, err := actions.ParseAuthorizationToken(req)
+	if err != nil || taskID == 0 {
+		return nil, nil
+	}
+
+	// Verify the task exists
+	task, err := actions_model.GetTaskByID(req.Context(), taskID)
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	// Verify that it's running
+	if task.Status != actions_model.StatusRunning {
+		return nil, nil
+	}
+
+	store.GetData()["IsActionsToken"] = true
+	store.GetData()["ActionsTaskID"] = taskID
+
+	user, err := user_model.GetPossibleUserByID(req.Context(), user_model.ActionsUserID)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
 // Verify extracts the user ID from the OAuth token in the query parameters
 // or the "Authorization" header and returns the corresponding user object for that ID.
 // If verification is successful returns an existing user object.
@@ -142,6 +179,15 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor
 		return nil, nil
 	}
 
+	user, err := parseActionsJWT(req, store)
+	if err != nil {
+		return nil, err
+	}
+
+	if user != nil {
+		return user, nil
+	}
+
 	token, ok := parseToken(req)
 	if !ok {
 		return nil, nil
@@ -154,7 +200,7 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor
 	}
 	log.Trace("OAuth2 Authorization: Found token for user[%d]", id)
 
-	user, err := user_model.GetPossibleUserByID(req.Context(), id)
+	user, err = user_model.GetPossibleUserByID(req.Context(), id)
 	if err != nil {
 		if !user_model.IsErrUserNotExist(err) {
 			log.Error("GetUserByName: %v", err)