| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | // Copyright 2021 The Gitea Authors. All rights reserved. | 
					
						
							| 
									
										
										
										
											2022-11-27 13:20:29 -05:00
										 |  |  | // SPDX-License-Identifier: MIT | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-12-10 16:14:24 +08:00
										 |  |  | package asymkey | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							|  |  |  | 	"bufio" | 
					
						
							| 
									
										
										
										
											2022-05-20 22:08:52 +08:00
										 |  |  | 	"context" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	"fmt" | 
					
						
							|  |  |  | 	"io" | 
					
						
							|  |  |  | 	"os" | 
					
						
							|  |  |  | 	"path/filepath" | 
					
						
							|  |  |  | 	"strings" | 
					
						
							|  |  |  | 	"sync" | 
					
						
							|  |  |  | 	"time" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-27 19:40:14 +00:00
										 |  |  | 	"forgejo.org/models/db" | 
					
						
							|  |  |  | 	"forgejo.org/modules/log" | 
					
						
							|  |  |  | 	"forgejo.org/modules/setting" | 
					
						
							|  |  |  | 	"forgejo.org/modules/util" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | //  _____          __  .__                 .__                  .___ | 
					
						
							|  |  |  | // /  _  \  __ ___/  |_|  |__   ___________|__|_______ ____   __| _/ | 
					
						
							|  |  |  | // /  /_\  \|  |  \   __\  |  \ /  _ \_  __ \  \___   // __ \ / __ | | 
					
						
							|  |  |  | // /    |    \  |  /|  | |   Y  (  <_> )  | \/  |/    /\  ___// /_/ | | 
					
						
							|  |  |  | // \____|__  /____/ |__| |___|  /\____/|__|  |__/_____ \\___  >____ | | 
					
						
							|  |  |  | //         \/                 \/                      \/    \/     \/ | 
					
						
							|  |  |  | // ____  __. | 
					
						
							|  |  |  | // |    |/ _|____ ___.__. ______ | 
					
						
							|  |  |  | // |      <_/ __ <   |  |/  ___/ | 
					
						
							|  |  |  | // |    |  \  ___/\___  |\___ \ | 
					
						
							|  |  |  | // |____|__ \___  > ____/____  > | 
					
						
							|  |  |  | //         \/   \/\/         \/ | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // This file contains functions for creating authorized_keys files | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // There is a dependence on the database within RegeneratePublicKeys however most of these functions probably belong in a module | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | const ( | 
					
						
							|  |  |  | 	tplCommentPrefix = `# gitea public key` | 
					
						
							| 
									
										
										
										
											2021-11-23 03:44:26 +01:00
										 |  |  | 	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | var sshOpLocker sync.Mutex | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // AuthorizedStringForKey creates the authorized keys string appropriate for the provided key | 
					
						
							|  |  |  | func AuthorizedStringForKey(key *PublicKey) string { | 
					
						
							|  |  |  | 	sb := &strings.Builder{} | 
					
						
							| 
									
										
										
										
											2023-07-04 20:36:08 +02:00
										 |  |  | 	_ = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sb, map[string]any{ | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		"AppPath":     util.ShellEscape(setting.AppPath), | 
					
						
							|  |  |  | 		"AppWorkPath": util.ShellEscape(setting.AppWorkPath), | 
					
						
							|  |  |  | 		"CustomConf":  util.ShellEscape(setting.CustomConf), | 
					
						
							|  |  |  | 		"CustomPath":  util.ShellEscape(setting.CustomPath), | 
					
						
							|  |  |  | 		"Key":         key, | 
					
						
							|  |  |  | 	}) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return fmt.Sprintf(tplPublicKey, util.ShellEscape(sb.String()), key.Content) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // appendAuthorizedKeysToFile appends new SSH keys' content to authorized_keys file. | 
					
						
							|  |  |  | func appendAuthorizedKeysToFile(keys ...*PublicKey) error { | 
					
						
							|  |  |  | 	// Don't need to rewrite this file if builtin SSH server is enabled. | 
					
						
							|  |  |  | 	if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile { | 
					
						
							|  |  |  | 		return nil | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	sshOpLocker.Lock() | 
					
						
							|  |  |  | 	defer sshOpLocker.Unlock() | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if setting.SSH.RootPath != "" { | 
					
						
							|  |  |  | 		// First of ensure that the RootPath is present, and if not make it with 0700 permissions | 
					
						
							|  |  |  | 		// This of course doesn't guarantee that this is the right directory for authorized_keys | 
					
						
							|  |  |  | 		// but at least if it's supposed to be this directory and it doesn't exist and we're the | 
					
						
							|  |  |  | 		// right user it will at least be created properly. | 
					
						
							|  |  |  | 		err := os.MkdirAll(setting.SSH.RootPath, 0o700) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) | 
					
						
							|  |  |  | 			return err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") | 
					
						
							|  |  |  | 	f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	defer f.Close() | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-08 00:43:41 +00:00
										 |  |  | 	fi, err := f.Stat() | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-08 00:43:41 +00:00
										 |  |  | 	// .ssh directory should have mode 700, and authorized_keys file should have mode 600. | 
					
						
							|  |  |  | 	if fi.Mode().Perm() > 0o600 { | 
					
						
							|  |  |  | 		log.Error("authorized_keys file has unusual permission flags: %s - setting to -rw-------", fi.Mode().Perm().String()) | 
					
						
							|  |  |  | 		if err = f.Chmod(0o600); err != nil { | 
					
						
							|  |  |  | 			return err | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	for _, key := range keys { | 
					
						
							|  |  |  | 		if key.Type == KeyTypePrincipal { | 
					
						
							|  |  |  | 			continue | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		if _, err = f.WriteString(key.AuthorizedString()); err != nil { | 
					
						
							|  |  |  | 			return err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // RewriteAllPublicKeys removes any authorized key and rewrite all keys from database again. | 
					
						
							| 
									
										
										
										
											2023-10-15 23:46:06 +08:00
										 |  |  | // Note: db.GetEngine(ctx).Iterate does not get latest data after insert/delete, so we have to call this function | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | // outside any session scope independently. | 
					
						
							| 
									
										
										
										
											2023-09-25 15:17:37 +02:00
										 |  |  | func RewriteAllPublicKeys(ctx context.Context) error { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	// Don't rewrite key if internal server | 
					
						
							|  |  |  | 	if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile { | 
					
						
							|  |  |  | 		return nil | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	sshOpLocker.Lock() | 
					
						
							|  |  |  | 	defer sshOpLocker.Unlock() | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if setting.SSH.RootPath != "" { | 
					
						
							|  |  |  | 		// First of ensure that the RootPath is present, and if not make it with 0700 permissions | 
					
						
							|  |  |  | 		// This of course doesn't guarantee that this is the right directory for authorized_keys | 
					
						
							|  |  |  | 		// but at least if it's supposed to be this directory and it doesn't exist and we're the | 
					
						
							|  |  |  | 		// right user it will at least be created properly. | 
					
						
							|  |  |  | 		err := os.MkdirAll(setting.SSH.RootPath, 0o700) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) | 
					
						
							|  |  |  | 			return err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") | 
					
						
							|  |  |  | 	tmpPath := fPath + ".tmp" | 
					
						
							|  |  |  | 	t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	defer func() { | 
					
						
							|  |  |  | 		t.Close() | 
					
						
							|  |  |  | 		if err := util.Remove(tmpPath); err != nil { | 
					
						
							|  |  |  | 			log.Warn("Unable to remove temporary authorized keys file: %s: Error: %v", tmpPath, err) | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	}() | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if setting.SSH.AuthorizedKeysBackup { | 
					
						
							|  |  |  | 		isExist, err := util.IsExist(fPath) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			log.Error("Unable to check if %s exists. Error: %v", fPath, err) | 
					
						
							|  |  |  | 			return err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		if isExist { | 
					
						
							|  |  |  | 			bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix()) | 
					
						
							|  |  |  | 			if err = util.CopyFile(fPath, bakPath); err != nil { | 
					
						
							|  |  |  | 				return err | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-09-25 15:17:37 +02:00
										 |  |  | 	if err := RegeneratePublicKeys(ctx, t); err != nil { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-09-30 22:16:47 +02:00
										 |  |  | 	if err := t.Sync(); err != nil { | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if err := t.Close(); err != nil { | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	return util.Rename(tmpPath, fPath) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // RegeneratePublicKeys regenerates the authorized_keys file | 
					
						
							| 
									
										
										
										
											2022-05-20 22:08:52 +08:00
										 |  |  | func RegeneratePublicKeys(ctx context.Context, t io.StringWriter) error { | 
					
						
							| 
									
										
										
										
											2023-07-04 20:36:08 +02:00
										 |  |  | 	if err := db.GetEngine(ctx).Where("type != ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean any) (err error) { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		_, err = t.WriteString((bean.(*PublicKey)).AuthorizedString()) | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	}); err != nil { | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") | 
					
						
							|  |  |  | 	isExist, err := util.IsExist(fPath) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		log.Error("Unable to check if %s exists. Error: %v", fPath, err) | 
					
						
							|  |  |  | 		return err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if isExist { | 
					
						
							|  |  |  | 		f, err := os.Open(fPath) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			return err | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2024-03-22 19:17:30 +08:00
										 |  |  | 		defer f.Close() | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		scanner := bufio.NewScanner(f) | 
					
						
							|  |  |  | 		for scanner.Scan() { | 
					
						
							|  |  |  | 			line := scanner.Text() | 
					
						
							|  |  |  | 			if strings.HasPrefix(line, tplCommentPrefix) { | 
					
						
							|  |  |  | 				scanner.Scan() | 
					
						
							|  |  |  | 				continue | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			_, err = t.WriteString(line + "\n") | 
					
						
							|  |  |  | 			if err != nil { | 
					
						
							|  |  |  | 				return err | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2024-03-22 19:17:30 +08:00
										 |  |  | 		if err = scanner.Err(); err != nil { | 
					
						
							|  |  |  | 			return fmt.Errorf("RegeneratePublicKeys scan: %w", err) | 
					
						
							| 
									
										
										
										
											2024-03-19 10:20:36 +08:00
										 |  |  | 		} | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	return nil | 
					
						
							|  |  |  | } |