| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | // Copyright 2021 The Gitea Authors. All rights reserved. | 
					
						
							| 
									
										
										
										
											2022-11-27 13:20:29 -05:00
										 |  |  | // SPDX-License-Identifier: MIT | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-12-10 16:14:24 +08:00
										 |  |  | package asymkey | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2023-09-14 19:09:32 +02:00
										 |  |  | 	"context" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	"fmt" | 
					
						
							|  |  |  | 	"strings" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-27 19:40:14 +00:00
										 |  |  | 	"forgejo.org/models/db" | 
					
						
							|  |  |  | 	"forgejo.org/models/perm" | 
					
						
							|  |  |  | 	user_model "forgejo.org/models/user" | 
					
						
							|  |  |  | 	"forgejo.org/modules/setting" | 
					
						
							|  |  |  | 	"forgejo.org/modules/util" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // AddPrincipalKey adds new principal to database and authorized_principals file. | 
					
						
							| 
									
										
										
										
											2023-10-14 10:37:24 +02:00
										 |  |  | func AddPrincipalKey(ctx context.Context, ownerID int64, content string, authSourceID int64) (*PublicKey, error) { | 
					
						
							|  |  |  | 	dbCtx, committer, err := db.TxContext(ctx) | 
					
						
							| 
									
										
										
										
											2021-11-21 23:41:00 +08:00
										 |  |  | 	if err != nil { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-11-21 23:41:00 +08:00
										 |  |  | 	defer committer.Close() | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	// Principals cannot be duplicated. | 
					
						
							| 
									
										
										
										
											2023-10-14 10:37:24 +02:00
										 |  |  | 	has, err := db.GetEngine(dbCtx). | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		Where("content = ? AND type = ?", content, KeyTypePrincipal). | 
					
						
							|  |  |  | 		Get(new(PublicKey)) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} else if has { | 
					
						
							|  |  |  | 		return nil, ErrKeyAlreadyExist{0, "", content} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	key := &PublicKey{ | 
					
						
							|  |  |  | 		OwnerID:       ownerID, | 
					
						
							|  |  |  | 		Name:          content, | 
					
						
							|  |  |  | 		Content:       content, | 
					
						
							| 
									
										
										
										
											2021-11-28 19:58:28 +08:00
										 |  |  | 		Mode:          perm.AccessModeWrite, | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		Type:          KeyTypePrincipal, | 
					
						
							| 
									
										
										
										
											2022-01-02 21:12:35 +08:00
										 |  |  | 		LoginSourceID: authSourceID, | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2023-10-14 10:37:24 +02:00
										 |  |  | 	if err = db.Insert(dbCtx, key); err != nil { | 
					
						
							| 
									
										
										
										
											2022-10-24 21:29:17 +02:00
										 |  |  | 		return nil, fmt.Errorf("addKey: %w", err) | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-21 23:41:00 +08:00
										 |  |  | 	if err = committer.Commit(); err != nil { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-21 23:41:00 +08:00
										 |  |  | 	committer.Close() | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-10-14 10:37:24 +02:00
										 |  |  | 	return key, RewriteAllPrincipalKeys(ctx) | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // CheckPrincipalKeyString strips spaces and returns an error if the given principal contains newlines | 
					
						
							| 
									
										
										
										
											2023-09-14 19:09:32 +02:00
										 |  |  | func CheckPrincipalKeyString(ctx context.Context, user *user_model.User, content string) (_ string, err error) { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	if setting.SSH.Disabled { | 
					
						
							| 
									
										
										
										
											2021-12-10 16:14:24 +08:00
										 |  |  | 		return "", db.ErrSSHDisabled{} | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	content = strings.TrimSpace(content) | 
					
						
							|  |  |  | 	if strings.ContainsAny(content, "\r\n") { | 
					
						
							| 
									
										
										
										
											2022-12-31 12:49:37 +01:00
										 |  |  | 		return "", util.NewInvalidArgumentErrorf("only a single line with a single principal please") | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// check all the allowed principals, email, username or anything | 
					
						
							|  |  |  | 	// if any matches, return ok | 
					
						
							|  |  |  | 	for _, v := range setting.SSH.AuthorizedPrincipalsAllow { | 
					
						
							|  |  |  | 		switch v { | 
					
						
							|  |  |  | 		case "anything": | 
					
						
							|  |  |  | 			return content, nil | 
					
						
							|  |  |  | 		case "email": | 
					
						
							| 
									
										
										
										
											2023-09-14 19:09:32 +02:00
										 |  |  | 			emails, err := user_model.GetEmailAddresses(ctx, user.ID) | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 			if err != nil { | 
					
						
							|  |  |  | 				return "", err | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			for _, email := range emails { | 
					
						
							|  |  |  | 				if !email.IsActivated { | 
					
						
							|  |  |  | 					continue | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 				if content == email.Email { | 
					
						
							|  |  |  | 					return content, nil | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		case "username": | 
					
						
							|  |  |  | 			if content == user.Name { | 
					
						
							|  |  |  | 				return content, nil | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return "", fmt.Errorf("didn't match allowed principals: %s", setting.SSH.AuthorizedPrincipalsAllow) | 
					
						
							|  |  |  | } |