You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

813 lines
23 KiB

Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
API add/generalize pagination (#9452) * paginate results * fixed deadlock * prevented breaking change * updated swagger * go fmt * fixed find topic * go mod tidy * go mod vendor with go1.13.5 * fixed repo find topics * fixed unit test * added Limit method to Engine struct; use engine variable when provided; fixed gitignore * use ItemsPerPage for default pagesize; fix GetWatchers, getOrgUsersByOrgID and GetStargazers; fix GetAllCommits headers; reverted some changed behaviors * set Page value on Home route * improved memory allocations * fixed response headers * removed logfiles * fixed import order * import order * improved swagger * added function to get models.ListOptions from context * removed pagesize diff on unit test * fixed imports * removed unnecessary struct field * fixed go fmt * scoped PR * code improvements * code improvements * go mod tidy * fixed import order * fixed commit statuses session * fixed files headers * fixed headers; added pagination for notifications * go mod tidy * go fmt * removed Private from user search options; added setting.UI.IssuePagingNum as default valeu on repo's issues list * Apply suggestions from code review Co-Authored-By: 6543 <6543@obermui.de> Co-Authored-By: zeripath <art27@cantab.net> * fixed build error * CI.restart() * fixed merge conflicts resolve * fixed conflicts resolve * improved FindTrackedTimesOptions.ToOptions() method * added backwards compatibility on ListReleases request; fixed issue tracked time ToSession * fixed build error; fixed swagger template * fixed swagger template * fixed ListReleases backwards compatibility * added page to user search route Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
4 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
API add/generalize pagination (#9452) * paginate results * fixed deadlock * prevented breaking change * updated swagger * go fmt * fixed find topic * go mod tidy * go mod vendor with go1.13.5 * fixed repo find topics * fixed unit test * added Limit method to Engine struct; use engine variable when provided; fixed gitignore * use ItemsPerPage for default pagesize; fix GetWatchers, getOrgUsersByOrgID and GetStargazers; fix GetAllCommits headers; reverted some changed behaviors * set Page value on Home route * improved memory allocations * fixed response headers * removed logfiles * fixed import order * import order * improved swagger * added function to get models.ListOptions from context * removed pagesize diff on unit test * fixed imports * removed unnecessary struct field * fixed go fmt * scoped PR * code improvements * code improvements * go mod tidy * fixed import order * fixed commit statuses session * fixed files headers * fixed headers; added pagination for notifications * go mod tidy * go fmt * removed Private from user search options; added setting.UI.IssuePagingNum as default valeu on repo's issues list * Apply suggestions from code review Co-Authored-By: 6543 <6543@obermui.de> Co-Authored-By: zeripath <art27@cantab.net> * fixed build error * CI.restart() * fixed merge conflicts resolve * fixed conflicts resolve * improved FindTrackedTimesOptions.ToOptions() method * added backwards compatibility on ListReleases request; fixed issue tracked time ToSession * fixed build error; fixed swagger template * fixed swagger template * fixed ListReleases backwards compatibility * added page to user search route Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
4 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631) This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
5 years ago
  1. // Copyright 2017 The Gitea Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package models
  5. import (
  6. "bytes"
  7. "container/list"
  8. "crypto"
  9. "encoding/base64"
  10. "fmt"
  11. "hash"
  12. "io"
  13. "strings"
  14. "time"
  15. "code.gitea.io/gitea/modules/git"
  16. "code.gitea.io/gitea/modules/log"
  17. "code.gitea.io/gitea/modules/setting"
  18. "code.gitea.io/gitea/modules/timeutil"
  19. "github.com/keybase/go-crypto/openpgp"
  20. "github.com/keybase/go-crypto/openpgp/armor"
  21. "github.com/keybase/go-crypto/openpgp/packet"
  22. "xorm.io/xorm"
  23. )
  24. // GPGKey represents a GPG key.
  25. type GPGKey struct {
  26. ID int64 `xorm:"pk autoincr"`
  27. OwnerID int64 `xorm:"INDEX NOT NULL"`
  28. KeyID string `xorm:"INDEX CHAR(16) NOT NULL"`
  29. PrimaryKeyID string `xorm:"CHAR(16)"`
  30. Content string `xorm:"TEXT NOT NULL"`
  31. CreatedUnix timeutil.TimeStamp `xorm:"created"`
  32. ExpiredUnix timeutil.TimeStamp
  33. AddedUnix timeutil.TimeStamp
  34. SubsKey []*GPGKey `xorm:"-"`
  35. Emails []*EmailAddress
  36. CanSign bool
  37. CanEncryptComms bool
  38. CanEncryptStorage bool
  39. CanCertify bool
  40. }
  41. //GPGKeyImport the original import of key
  42. type GPGKeyImport struct {
  43. KeyID string `xorm:"pk CHAR(16) NOT NULL"`
  44. Content string `xorm:"TEXT NOT NULL"`
  45. }
  46. // BeforeInsert will be invoked by XORM before inserting a record
  47. func (key *GPGKey) BeforeInsert() {
  48. key.AddedUnix = timeutil.TimeStampNow()
  49. }
  50. // AfterLoad is invoked from XORM after setting the values of all fields of this object.
  51. func (key *GPGKey) AfterLoad(session *xorm.Session) {
  52. err := session.Where("primary_key_id=?", key.KeyID).Find(&key.SubsKey)
  53. if err != nil {
  54. log.Error("Find Sub GPGkeys[%s]: %v", key.KeyID, err)
  55. }
  56. }
  57. // ListGPGKeys returns a list of public keys belongs to given user.
  58. func ListGPGKeys(uid int64, listOptions ListOptions) ([]*GPGKey, error) {
  59. sess := x.Where("owner_id=? AND primary_key_id=''", uid)
  60. if listOptions.Page != 0 {
  61. sess = listOptions.setSessionPagination(sess)
  62. }
  63. keys := make([]*GPGKey, 0, 2)
  64. return keys, sess.Find(&keys)
  65. }
  66. // GetGPGKeyByID returns public key by given ID.
  67. func GetGPGKeyByID(keyID int64) (*GPGKey, error) {
  68. key := new(GPGKey)
  69. has, err := x.ID(keyID).Get(key)
  70. if err != nil {
  71. return nil, err
  72. } else if !has {
  73. return nil, ErrGPGKeyNotExist{keyID}
  74. }
  75. return key, nil
  76. }
  77. // GetGPGKeysByKeyID returns public key by given ID.
  78. func GetGPGKeysByKeyID(keyID string) ([]*GPGKey, error) {
  79. keys := make([]*GPGKey, 0, 1)
  80. return keys, x.Where("key_id=?", keyID).Find(&keys)
  81. }
  82. // GetGPGImportByKeyID returns the import public armored key by given KeyID.
  83. func GetGPGImportByKeyID(keyID string) (*GPGKeyImport, error) {
  84. key := new(GPGKeyImport)
  85. has, err := x.ID(keyID).Get(key)
  86. if err != nil {
  87. return nil, err
  88. } else if !has {
  89. return nil, ErrGPGKeyImportNotExist{keyID}
  90. }
  91. return key, nil
  92. }
  93. // checkArmoredGPGKeyString checks if the given key string is a valid GPG armored key.
  94. // The function returns the actual public key on success
  95. func checkArmoredGPGKeyString(content string) (*openpgp.Entity, error) {
  96. list, err := openpgp.ReadArmoredKeyRing(strings.NewReader(content))
  97. if err != nil {
  98. return nil, ErrGPGKeyParsing{err}
  99. }
  100. return list[0], nil
  101. }
  102. //addGPGKey add key, import and subkeys to database
  103. func addGPGKey(e Engine, key *GPGKey, content string) (err error) {
  104. //Add GPGKeyImport
  105. if _, err = e.Insert(GPGKeyImport{
  106. KeyID: key.KeyID,
  107. Content: content,
  108. }); err != nil {
  109. return err
  110. }
  111. // Save GPG primary key.
  112. if _, err = e.Insert(key); err != nil {
  113. return err
  114. }
  115. // Save GPG subs key.
  116. for _, subkey := range key.SubsKey {
  117. if err := addGPGSubKey(e, subkey); err != nil {
  118. return err
  119. }
  120. }
  121. return nil
  122. }
  123. //addGPGSubKey add subkeys to database
  124. func addGPGSubKey(e Engine, key *GPGKey) (err error) {
  125. // Save GPG primary key.
  126. if _, err = e.Insert(key); err != nil {
  127. return err
  128. }
  129. // Save GPG subs key.
  130. for _, subkey := range key.SubsKey {
  131. if err := addGPGSubKey(e, subkey); err != nil {
  132. return err
  133. }
  134. }
  135. return nil
  136. }
  137. // AddGPGKey adds new public key to database.
  138. func AddGPGKey(ownerID int64, content string) (*GPGKey, error) {
  139. ekey, err := checkArmoredGPGKeyString(content)
  140. if err != nil {
  141. return nil, err
  142. }
  143. // Key ID cannot be duplicated.
  144. has, err := x.Where("key_id=?", ekey.PrimaryKey.KeyIdString()).
  145. Get(new(GPGKey))
  146. if err != nil {
  147. return nil, err
  148. } else if has {
  149. return nil, ErrGPGKeyIDAlreadyUsed{ekey.PrimaryKey.KeyIdString()}
  150. }
  151. //Get DB session
  152. sess := x.NewSession()
  153. defer sess.Close()
  154. if err = sess.Begin(); err != nil {
  155. return nil, err
  156. }
  157. key, err := parseGPGKey(ownerID, ekey)
  158. if err != nil {
  159. return nil, err
  160. }
  161. if err = addGPGKey(sess, key, content); err != nil {
  162. return nil, err
  163. }
  164. return key, sess.Commit()
  165. }
  166. //base64EncPubKey encode public key content to base 64
  167. func base64EncPubKey(pubkey *packet.PublicKey) (string, error) {
  168. var w bytes.Buffer
  169. err := pubkey.Serialize(&w)
  170. if err != nil {
  171. return "", err
  172. }
  173. return base64.StdEncoding.EncodeToString(w.Bytes()), nil
  174. }
  175. //base64DecPubKey decode public key content from base 64
  176. func base64DecPubKey(content string) (*packet.PublicKey, error) {
  177. b, err := readerFromBase64(content)
  178. if err != nil {
  179. return nil, err
  180. }
  181. //Read key
  182. p, err := packet.Read(b)
  183. if err != nil {
  184. return nil, err
  185. }
  186. //Check type
  187. pkey, ok := p.(*packet.PublicKey)
  188. if !ok {
  189. return nil, fmt.Errorf("key is not a public key")
  190. }
  191. return pkey, nil
  192. }
  193. //GPGKeyToEntity retrieve the imported key and the traducted entity
  194. func GPGKeyToEntity(k *GPGKey) (*openpgp.Entity, error) {
  195. impKey, err := GetGPGImportByKeyID(k.KeyID)
  196. if err != nil {
  197. return nil, err
  198. }
  199. return checkArmoredGPGKeyString(impKey.Content)
  200. }
  201. //parseSubGPGKey parse a sub Key
  202. func parseSubGPGKey(ownerID int64, primaryID string, pubkey *packet.PublicKey, expiry time.Time) (*GPGKey, error) {
  203. content, err := base64EncPubKey(pubkey)
  204. if err != nil {
  205. return nil, err
  206. }
  207. return &GPGKey{
  208. OwnerID: ownerID,
  209. KeyID: pubkey.KeyIdString(),
  210. PrimaryKeyID: primaryID,
  211. Content: content,
  212. CreatedUnix: timeutil.TimeStamp(pubkey.CreationTime.Unix()),
  213. ExpiredUnix: timeutil.TimeStamp(expiry.Unix()),
  214. CanSign: pubkey.CanSign(),
  215. CanEncryptComms: pubkey.PubKeyAlgo.CanEncrypt(),
  216. CanEncryptStorage: pubkey.PubKeyAlgo.CanEncrypt(),
  217. CanCertify: pubkey.PubKeyAlgo.CanSign(),
  218. }, nil
  219. }
  220. //getExpiryTime extract the expire time of primary key based on sig
  221. func getExpiryTime(e *openpgp.Entity) time.Time {
  222. expiry := time.Time{}
  223. //Extract self-sign for expire date based on : https://github.com/golang/crypto/blob/master/openpgp/keys.go#L165
  224. var selfSig *packet.Signature
  225. for _, ident := range e.Identities {
  226. if selfSig == nil {
  227. selfSig = ident.SelfSignature
  228. } else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
  229. selfSig = ident.SelfSignature
  230. break
  231. }
  232. }
  233. if selfSig.KeyLifetimeSecs != nil {
  234. expiry = e.PrimaryKey.CreationTime.Add(time.Duration(*selfSig.KeyLifetimeSecs) * time.Second)
  235. }
  236. return expiry
  237. }
  238. //parseGPGKey parse a PrimaryKey entity (primary key + subs keys + self-signature)
  239. func parseGPGKey(ownerID int64, e *openpgp.Entity) (*GPGKey, error) {
  240. pubkey := e.PrimaryKey
  241. expiry := getExpiryTime(e)
  242. //Parse Subkeys
  243. subkeys := make([]*GPGKey, len(e.Subkeys))
  244. for i, k := range e.Subkeys {
  245. subs, err := parseSubGPGKey(ownerID, pubkey.KeyIdString(), k.PublicKey, expiry)
  246. if err != nil {
  247. return nil, err
  248. }
  249. subkeys[i] = subs
  250. }
  251. //Check emails
  252. userEmails, err := GetEmailAddresses(ownerID)
  253. if err != nil {
  254. return nil, err
  255. }
  256. emails := make([]*EmailAddress, 0, len(e.Identities))
  257. for _, ident := range e.Identities {
  258. email := strings.ToLower(strings.TrimSpace(ident.UserId.Email))
  259. for _, e := range userEmails {
  260. if e.Email == email {
  261. emails = append(emails, e)
  262. break
  263. }
  264. }
  265. }
  266. //In the case no email as been found
  267. if len(emails) == 0 {
  268. failedEmails := make([]string, 0, len(e.Identities))
  269. for _, ident := range e.Identities {
  270. failedEmails = append(failedEmails, ident.UserId.Email)
  271. }
  272. return nil, ErrGPGNoEmailFound{failedEmails}
  273. }
  274. content, err := base64EncPubKey(pubkey)
  275. if err != nil {
  276. return nil, err
  277. }
  278. return &GPGKey{
  279. OwnerID: ownerID,
  280. KeyID: pubkey.KeyIdString(),
  281. PrimaryKeyID: "",
  282. Content: content,
  283. CreatedUnix: timeutil.TimeStamp(pubkey.CreationTime.Unix()),
  284. ExpiredUnix: timeutil.TimeStamp(expiry.Unix()),
  285. Emails: emails,
  286. SubsKey: subkeys,
  287. CanSign: pubkey.CanSign(),
  288. CanEncryptComms: pubkey.PubKeyAlgo.CanEncrypt(),
  289. CanEncryptStorage: pubkey.PubKeyAlgo.CanEncrypt(),
  290. CanCertify: pubkey.PubKeyAlgo.CanSign(),
  291. }, nil
  292. }
  293. // deleteGPGKey does the actual key deletion
  294. func deleteGPGKey(e *xorm.Session, keyID string) (int64, error) {
  295. if keyID == "" {
  296. return 0, fmt.Errorf("empty KeyId forbidden") //Should never happen but just to be sure
  297. }
  298. //Delete imported key
  299. n, err := e.Where("key_id=?", keyID).Delete(new(GPGKeyImport))
  300. if err != nil {
  301. return n, err
  302. }
  303. return e.Where("key_id=?", keyID).Or("primary_key_id=?", keyID).Delete(new(GPGKey))
  304. }
  305. // DeleteGPGKey deletes GPG key information in database.
  306. func DeleteGPGKey(doer *User, id int64) (err error) {
  307. key, err := GetGPGKeyByID(id)
  308. if err != nil {
  309. if IsErrGPGKeyNotExist(err) {
  310. return nil
  311. }
  312. return fmt.Errorf("GetPublicKeyByID: %v", err)
  313. }
  314. // Check if user has access to delete this key.
  315. if !doer.IsAdmin && doer.ID != key.OwnerID {
  316. return ErrGPGKeyAccessDenied{doer.ID, key.ID}
  317. }
  318. sess := x.NewSession()
  319. defer sess.Close()
  320. if err = sess.Begin(); err != nil {
  321. return err
  322. }
  323. if _, err = deleteGPGKey(sess, key.KeyID); err != nil {
  324. return err
  325. }
  326. return sess.Commit()
  327. }
  328. // CommitVerification represents a commit validation of signature
  329. type CommitVerification struct {
  330. Verified bool
  331. Warning bool
  332. Reason string
  333. SigningUser *User
  334. CommittingUser *User
  335. SigningEmail string
  336. SigningKey *GPGKey
  337. TrustStatus string
  338. }
  339. // SignCommit represents a commit with validation of signature.
  340. type SignCommit struct {
  341. Verification *CommitVerification
  342. *UserCommit
  343. }
  344. const (
  345. // BadSignature is used as the reason when the signature has a KeyID that is in the db
  346. // but no key that has that ID verifies the signature. This is a suspicious failure.
  347. BadSignature = "gpg.error.probable_bad_signature"
  348. // BadDefaultSignature is used as the reason when the signature has a KeyID that matches the
  349. // default Key but is not verified by the default key. This is a suspicious failure.
  350. BadDefaultSignature = "gpg.error.probable_bad_default_signature"
  351. // NoKeyFound is used as the reason when no key can be found to verify the signature.
  352. NoKeyFound = "gpg.error.no_gpg_keys_found"
  353. )
  354. func readerFromBase64(s string) (io.Reader, error) {
  355. bs, err := base64.StdEncoding.DecodeString(s)
  356. if err != nil {
  357. return nil, err
  358. }
  359. return bytes.NewBuffer(bs), nil
  360. }
  361. func populateHash(hashFunc crypto.Hash, msg []byte) (hash.Hash, error) {
  362. h := hashFunc.New()
  363. if _, err := h.Write(msg); err != nil {
  364. return nil, err
  365. }
  366. return h, nil
  367. }
  368. // readArmoredSign read an armored signature block with the given type. https://sourcegraph.com/github.com/golang/crypto/-/blob/openpgp/read.go#L24:6-24:17
  369. func readArmoredSign(r io.Reader) (body io.Reader, err error) {
  370. block, err := armor.Decode(r)
  371. if err != nil {
  372. return
  373. }
  374. if block.Type != openpgp.SignatureType {
  375. return nil, fmt.Errorf("expected '" + openpgp.SignatureType + "', got: " + block.Type)
  376. }
  377. return block.Body, nil
  378. }
  379. func extractSignature(s string) (*packet.Signature, error) {
  380. r, err := readArmoredSign(strings.NewReader(s))
  381. if err != nil {
  382. return nil, fmt.Errorf("Failed to read signature armor")
  383. }
  384. p, err := packet.Read(r)
  385. if err != nil {
  386. return nil, fmt.Errorf("Failed to read signature packet")
  387. }
  388. sig, ok := p.(*packet.Signature)
  389. if !ok {
  390. return nil, fmt.Errorf("Packet is not a signature")
  391. }
  392. return sig, nil
  393. }
  394. func verifySign(s *packet.Signature, h hash.Hash, k *GPGKey) error {
  395. //Check if key can sign
  396. if !k.CanSign {
  397. return fmt.Errorf("key can not sign")
  398. }
  399. //Decode key
  400. pkey, err := base64DecPubKey(k.Content)
  401. if err != nil {
  402. return err
  403. }
  404. return pkey.VerifySignature(h, s)
  405. }
  406. func hashAndVerify(sig *packet.Signature, payload string, k *GPGKey, committer, signer *User, email string) *CommitVerification {
  407. //Generating hash of commit
  408. hash, err := populateHash(sig.Hash, []byte(payload))
  409. if err != nil { //Skipping failed to generate hash
  410. log.Error("PopulateHash: %v", err)
  411. return &CommitVerification{
  412. CommittingUser: committer,
  413. Verified: false,
  414. Reason: "gpg.error.generate_hash",
  415. }
  416. }
  417. if err := verifySign(sig, hash, k); err == nil {
  418. return &CommitVerification{ //Everything is ok
  419. CommittingUser: committer,
  420. Verified: true,
  421. Reason: fmt.Sprintf("%s <%s> / %s", signer.Name, signer.Email, k.KeyID),
  422. SigningUser: signer,
  423. SigningKey: k,
  424. SigningEmail: email,
  425. }
  426. }
  427. return nil
  428. }
  429. func hashAndVerifyWithSubKeys(sig *packet.Signature, payload string, k *GPGKey, committer, signer *User, email string) *CommitVerification {
  430. commitVerification := hashAndVerify(sig, payload, k, committer, signer, email)
  431. if commitVerification != nil {
  432. return commitVerification
  433. }
  434. //And test also SubsKey
  435. for _, sk := range k.SubsKey {
  436. commitVerification := hashAndVerify(sig, payload, sk, committer, signer, email)
  437. if commitVerification != nil {
  438. return commitVerification
  439. }
  440. }
  441. return nil
  442. }
  443. func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *User, keyID, name, email string) *CommitVerification {
  444. if keyID == "" {
  445. return nil
  446. }
  447. keys, err := GetGPGKeysByKeyID(keyID)
  448. if err != nil {
  449. log.Error("GetGPGKeysByKeyID: %v", err)
  450. return &CommitVerification{
  451. CommittingUser: committer,
  452. Verified: false,
  453. Reason: "gpg.error.failed_retrieval_gpg_keys",
  454. }
  455. }
  456. if len(keys) == 0 {
  457. return nil
  458. }
  459. for _, key := range keys {
  460. activated := false
  461. if len(email) != 0 {
  462. for _, e := range key.Emails {
  463. if e.IsActivated && strings.EqualFold(e.Email, email) {
  464. activated = true
  465. email = e.Email
  466. break
  467. }
  468. }
  469. } else {
  470. for _, e := range key.Emails {
  471. if e.IsActivated {
  472. activated = true
  473. email = e.Email
  474. break
  475. }
  476. }
  477. }
  478. if !activated {
  479. continue
  480. }
  481. signer := &User{
  482. Name: name,
  483. Email: email,
  484. }
  485. if key.OwnerID != 0 {
  486. owner, err := GetUserByID(key.OwnerID)
  487. if err == nil {
  488. signer = owner
  489. } else if !IsErrUserNotExist(err) {
  490. log.Error("Failed to GetUserByID: %d for key ID: %d (%s) %v", key.OwnerID, key.ID, key.KeyID, err)
  491. return &CommitVerification{
  492. CommittingUser: committer,
  493. Verified: false,
  494. Reason: "gpg.error.no_committer_account",
  495. }
  496. }
  497. }
  498. commitVerification := hashAndVerifyWithSubKeys(sig, payload, key, committer, signer, email)
  499. if commitVerification != nil {
  500. return commitVerification
  501. }
  502. }
  503. // This is a bad situation ... We have a key id that is in our database but the signature doesn't match.
  504. return &CommitVerification{
  505. CommittingUser: committer,
  506. Verified: false,
  507. Warning: true,
  508. Reason: BadSignature,
  509. }
  510. }
  511. // ParseCommitWithSignature check if signature is good against keystore.
  512. func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
  513. var committer *User
  514. if c.Committer != nil {
  515. var err error
  516. //Find Committer account
  517. committer, err = GetUserByEmail(c.Committer.Email) //This finds the user by primary email or activated email so commit will not be valid if email is not
  518. if err != nil { //Skipping not user for commiter
  519. committer = &User{
  520. Name: c.Committer.Name,
  521. Email: c.Committer.Email,
  522. }
  523. // We can expect this to often be an ErrUserNotExist. in the case
  524. // it is not, however, it is important to log it.
  525. if !IsErrUserNotExist(err) {
  526. log.Error("GetUserByEmail: %v", err)
  527. return &CommitVerification{
  528. CommittingUser: committer,
  529. Verified: false,
  530. Reason: "gpg.error.no_committer_account",
  531. }
  532. }
  533. }
  534. }
  535. // If no signature just report the committer
  536. if c.Signature == nil {
  537. return &CommitVerification{
  538. CommittingUser: committer,
  539. Verified: false, //Default value
  540. Reason: "gpg.error.not_signed_commit", //Default value
  541. }
  542. }
  543. //Parsing signature
  544. sig, err := extractSignature(c.Signature.Signature)
  545. if err != nil { //Skipping failed to extract sign
  546. log.Error("SignatureRead err: %v", err)
  547. return &CommitVerification{
  548. CommittingUser: committer,
  549. Verified: false,
  550. Reason: "gpg.error.extract_sign",
  551. }
  552. }
  553. keyID := ""
  554. if sig.IssuerKeyId != nil && (*sig.IssuerKeyId) != 0 {
  555. keyID = fmt.Sprintf("%X", *sig.IssuerKeyId)
  556. }
  557. if keyID == "" && sig.IssuerFingerprint != nil && len(sig.IssuerFingerprint) > 0 {
  558. keyID = fmt.Sprintf("%X", sig.IssuerFingerprint[12:20])
  559. }
  560. defaultReason := NoKeyFound
  561. // First check if the sig has a keyID and if so just look at that
  562. if commitVerification := hashAndVerifyForKeyID(
  563. sig,
  564. c.Signature.Payload,
  565. committer,
  566. keyID,
  567. setting.AppName,
  568. ""); commitVerification != nil {
  569. if commitVerification.Reason == BadSignature {
  570. defaultReason = BadSignature
  571. } else {
  572. return commitVerification
  573. }
  574. }
  575. // Now try to associate the signature with the committer, if present
  576. if committer.ID != 0 {
  577. keys, err := ListGPGKeys(committer.ID, ListOptions{})
  578. if err != nil { //Skipping failed to get gpg keys of user
  579. log.Error("ListGPGKeys: %v", err)
  580. return &CommitVerification{
  581. CommittingUser: committer,
  582. Verified: false,
  583. Reason: "gpg.error.failed_retrieval_gpg_keys",
  584. }
  585. }
  586. for _, k := range keys {
  587. //Pre-check (& optimization) that emails attached to key can be attached to the commiter email and can validate
  588. canValidate := false
  589. email := ""
  590. for _, e := range k.Emails {
  591. if e.IsActivated && strings.EqualFold(e.Email, c.Committer.Email) {
  592. canValidate = true
  593. email = e.Email
  594. break
  595. }
  596. }
  597. if !canValidate {
  598. continue //Skip this key
  599. }
  600. commitVerification := hashAndVerifyWithSubKeys(sig, c.Signature.Payload, k, committer, committer, email)
  601. if commitVerification != nil {
  602. return commitVerification
  603. }
  604. }
  605. }
  606. if setting.Repository.Signing.SigningKey != "" && setting.Repository.Signing.SigningKey != "default" && setting.Repository.Signing.SigningKey != "none" {
  607. // OK we should try the default key
  608. gpgSettings := git.GPGSettings{
  609. Sign: true,
  610. KeyID: setting.Repository.Signing.SigningKey,
  611. Name: setting.Repository.Signing.SigningName,
  612. Email: setting.Repository.Signing.SigningEmail,
  613. }
  614. if err := gpgSettings.LoadPublicKeyContent(); err != nil {
  615. log.Error("Error getting default signing key: %s %v", gpgSettings.KeyID, err)
  616. } else if commitVerification := verifyWithGPGSettings(&gpgSettings, sig, c.Signature.Payload, committer, keyID); commitVerification != nil {
  617. if commitVerification.Reason == BadSignature {
  618. defaultReason = BadSignature
  619. } else {
  620. return commitVerification
  621. }
  622. }
  623. }
  624. defaultGPGSettings, err := c.GetRepositoryDefaultPublicGPGKey(false)
  625. if err != nil {
  626. log.Error("Error getting default public gpg key: %v", err)
  627. } else if defaultGPGSettings == nil {
  628. log.Warn("Unable to get defaultGPGSettings for unattached commit: %s", c.ID.String())
  629. } else if defaultGPGSettings.Sign {
  630. if commitVerification := verifyWithGPGSettings(defaultGPGSettings, sig, c.Signature.Payload, committer, keyID); commitVerification != nil {
  631. if commitVerification.Reason == BadSignature {
  632. defaultReason = BadSignature
  633. } else {
  634. return commitVerification
  635. }
  636. }
  637. }
  638. return &CommitVerification{ //Default at this stage
  639. CommittingUser: committer,
  640. Verified: false,
  641. Warning: defaultReason != NoKeyFound,
  642. Reason: defaultReason,
  643. SigningKey: &GPGKey{
  644. KeyID: keyID,
  645. },
  646. }
  647. }
  648. func verifyWithGPGSettings(gpgSettings *git.GPGSettings, sig *packet.Signature, payload string, committer *User, keyID string) *CommitVerification {
  649. // First try to find the key in the db
  650. if commitVerification := hashAndVerifyForKeyID(sig, payload, committer, gpgSettings.KeyID, gpgSettings.Name, gpgSettings.Email); commitVerification != nil {
  651. return commitVerification
  652. }
  653. // Otherwise we have to parse the key
  654. ekey, err := checkArmoredGPGKeyString(gpgSettings.PublicKeyContent)
  655. if err != nil {
  656. log.Error("Unable to get default signing key: %v", err)
  657. return &CommitVerification{
  658. CommittingUser: committer,
  659. Verified: false,
  660. Reason: "gpg.error.generate_hash",
  661. }
  662. }
  663. pubkey := ekey.PrimaryKey
  664. content, err := base64EncPubKey(pubkey)
  665. if err != nil {
  666. return &CommitVerification{
  667. CommittingUser: committer,
  668. Verified: false,
  669. Reason: "gpg.error.generate_hash",
  670. }
  671. }
  672. k := &GPGKey{
  673. Content: content,
  674. CanSign: pubkey.CanSign(),
  675. KeyID: pubkey.KeyIdString(),
  676. }
  677. if commitVerification := hashAndVerifyWithSubKeys(sig, payload, k, committer, &User{
  678. Name: gpgSettings.Name,
  679. Email: gpgSettings.Email,
  680. }, gpgSettings.Email); commitVerification != nil {
  681. return commitVerification
  682. }
  683. if keyID == k.KeyID {
  684. // This is a bad situation ... We have a key id that matches our default key but the signature doesn't match.
  685. return &CommitVerification{
  686. CommittingUser: committer,
  687. Verified: false,
  688. Warning: true,
  689. Reason: BadSignature,
  690. }
  691. }
  692. return nil
  693. }
  694. // ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys.
  695. func ParseCommitsWithSignature(oldCommits *list.List, repository *Repository) *list.List {
  696. var (
  697. newCommits = list.New()
  698. e = oldCommits.Front()
  699. )
  700. memberMap := map[int64]bool{}
  701. for e != nil {
  702. c := e.Value.(UserCommit)
  703. signCommit := SignCommit{
  704. UserCommit: &c,
  705. Verification: ParseCommitWithSignature(c.Commit),
  706. }
  707. _ = CalculateTrustStatus(signCommit.Verification, repository, &memberMap)
  708. newCommits.PushBack(signCommit)
  709. e = e.Next()
  710. }
  711. return newCommits
  712. }
  713. // CalculateTrustStatus will calculate the TrustStatus for a commit verification within a repository
  714. func CalculateTrustStatus(verification *CommitVerification, repository *Repository, memberMap *map[int64]bool) (err error) {
  715. if verification.Verified {
  716. verification.TrustStatus = "trusted"
  717. if verification.SigningUser.ID != 0 {
  718. var isMember bool
  719. if memberMap != nil {
  720. var has bool
  721. isMember, has = (*memberMap)[verification.SigningUser.ID]
  722. if !has {
  723. isMember, err = repository.IsOwnerMemberCollaborator(verification.SigningUser.ID)
  724. (*memberMap)[verification.SigningUser.ID] = isMember
  725. }
  726. } else {
  727. isMember, err = repository.IsOwnerMemberCollaborator(verification.SigningUser.ID)
  728. }
  729. if !isMember {
  730. verification.TrustStatus = "untrusted"
  731. if verification.CommittingUser.ID != verification.SigningUser.ID {
  732. // The committing user and the signing user are not the same and are not the default key
  733. // This should be marked as questionable unless the signing user is a collaborator/team member etc.
  734. verification.TrustStatus = "unmatched"
  735. }
  736. }
  737. }
  738. }
  739. return
  740. }