You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

900 lines
24 KiB

10 years ago
10 years ago
10 years ago
8 years ago
8 years ago
10 years ago
8 years ago
10 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
  1. // Copyright 2014 The Gogs Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package models
  5. import (
  6. "bufio"
  7. "encoding/base64"
  8. "encoding/binary"
  9. "errors"
  10. "fmt"
  11. "io/ioutil"
  12. "math/big"
  13. "os"
  14. "path/filepath"
  15. "strings"
  16. "sync"
  17. "time"
  18. "code.gitea.io/gitea/modules/log"
  19. "code.gitea.io/gitea/modules/process"
  20. "code.gitea.io/gitea/modules/setting"
  21. "code.gitea.io/gitea/modules/util"
  22. "github.com/Unknwon/com"
  23. "github.com/go-xorm/builder"
  24. "github.com/go-xorm/xorm"
  25. "golang.org/x/crypto/ssh"
  26. )
  27. const (
  28. tplCommentPrefix = `# gitea public key`
  29. tplPublicKey = tplCommentPrefix + "\n" + `command="%s serv key-%d --config='%s'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n"
  30. )
  31. var sshOpLocker sync.Mutex
  32. // KeyType specifies the key type
  33. type KeyType int
  34. const (
  35. // KeyTypeUser specifies the user key
  36. KeyTypeUser = iota + 1
  37. // KeyTypeDeploy specifies the deploy key
  38. KeyTypeDeploy
  39. )
  40. // PublicKey represents a user or deploy SSH public key.
  41. type PublicKey struct {
  42. ID int64 `xorm:"pk autoincr"`
  43. OwnerID int64 `xorm:"INDEX NOT NULL"`
  44. Name string `xorm:"NOT NULL"`
  45. Fingerprint string `xorm:"INDEX NOT NULL"`
  46. Content string `xorm:"TEXT NOT NULL"`
  47. Mode AccessMode `xorm:"NOT NULL DEFAULT 2"`
  48. Type KeyType `xorm:"NOT NULL DEFAULT 1"`
  49. LoginSourceID int64 `xorm:"NOT NULL DEFAULT 0"`
  50. CreatedUnix util.TimeStamp `xorm:"created"`
  51. UpdatedUnix util.TimeStamp `xorm:"updated"`
  52. HasRecentActivity bool `xorm:"-"`
  53. HasUsed bool `xorm:"-"`
  54. }
  55. // AfterLoad is invoked from XORM after setting the values of all fields of this object.
  56. func (key *PublicKey) AfterLoad() {
  57. key.HasUsed = key.UpdatedUnix > key.CreatedUnix
  58. key.HasRecentActivity = key.UpdatedUnix.AddDuration(7*24*time.Hour) > util.TimeStampNow()
  59. }
  60. // OmitEmail returns content of public key without email address.
  61. func (key *PublicKey) OmitEmail() string {
  62. return strings.Join(strings.Split(key.Content, " ")[:2], " ")
  63. }
  64. // AuthorizedString returns formatted public key string for authorized_keys file.
  65. func (key *PublicKey) AuthorizedString() string {
  66. return fmt.Sprintf(tplPublicKey, setting.AppPath, key.ID, setting.CustomConf, key.Content)
  67. }
  68. func extractTypeFromBase64Key(key string) (string, error) {
  69. b, err := base64.StdEncoding.DecodeString(key)
  70. if err != nil || len(b) < 4 {
  71. return "", fmt.Errorf("invalid key format: %v", err)
  72. }
  73. keyLength := int(binary.BigEndian.Uint32(b))
  74. if len(b) < 4+keyLength {
  75. return "", fmt.Errorf("invalid key format: not enough length %d", keyLength)
  76. }
  77. return string(b[4 : 4+keyLength]), nil
  78. }
  79. // parseKeyString parses any key string in OpenSSH or SSH2 format to clean OpenSSH string (RFC4253).
  80. func parseKeyString(content string) (string, error) {
  81. // Transform all legal line endings to a single "\n".
  82. content = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(content)
  83. // remove trailing newline (and beginning spaces too)
  84. content = strings.TrimSpace(content)
  85. lines := strings.Split(content, "\n")
  86. var keyType, keyContent, keyComment string
  87. if len(lines) == 1 {
  88. // Parse OpenSSH format.
  89. parts := strings.SplitN(lines[0], " ", 3)
  90. switch len(parts) {
  91. case 0:
  92. return "", errors.New("empty key")
  93. case 1:
  94. keyContent = parts[0]
  95. case 2:
  96. keyType = parts[0]
  97. keyContent = parts[1]
  98. default:
  99. keyType = parts[0]
  100. keyContent = parts[1]
  101. keyComment = parts[2]
  102. }
  103. // If keyType is not given, extract it from content. If given, validate it.
  104. t, err := extractTypeFromBase64Key(keyContent)
  105. if err != nil {
  106. return "", fmt.Errorf("extractTypeFromBase64Key: %v", err)
  107. }
  108. if len(keyType) == 0 {
  109. keyType = t
  110. } else if keyType != t {
  111. return "", fmt.Errorf("key type and content does not match: %s - %s", keyType, t)
  112. }
  113. } else {
  114. // Parse SSH2 file format.
  115. continuationLine := false
  116. for _, line := range lines {
  117. // Skip lines that:
  118. // 1) are a continuation of the previous line,
  119. // 2) contain ":" as that are comment lines
  120. // 3) contain "-" as that are begin and end tags
  121. if continuationLine || strings.ContainsAny(line, ":-") {
  122. continuationLine = strings.HasSuffix(line, "\\")
  123. } else {
  124. keyContent = keyContent + line
  125. }
  126. }
  127. t, err := extractTypeFromBase64Key(keyContent)
  128. if err != nil {
  129. return "", fmt.Errorf("extractTypeFromBase64Key: %v", err)
  130. }
  131. keyType = t
  132. }
  133. return keyType + " " + keyContent + " " + keyComment, nil
  134. }
  135. // writeTmpKeyFile writes key content to a temporary file
  136. // and returns the name of that file, along with any possible errors.
  137. func writeTmpKeyFile(content string) (string, error) {
  138. tmpFile, err := ioutil.TempFile(setting.SSH.KeyTestPath, "gitea_keytest")
  139. if err != nil {
  140. return "", fmt.Errorf("TempFile: %v", err)
  141. }
  142. defer tmpFile.Close()
  143. if _, err = tmpFile.WriteString(content); err != nil {
  144. return "", fmt.Errorf("WriteString: %v", err)
  145. }
  146. return tmpFile.Name(), nil
  147. }
  148. // SSHKeyGenParsePublicKey extracts key type and length using ssh-keygen.
  149. func SSHKeyGenParsePublicKey(key string) (string, int, error) {
  150. // The ssh-keygen in Windows does not print key type, so no need go further.
  151. if setting.IsWindows {
  152. return "", 0, nil
  153. }
  154. tmpName, err := writeTmpKeyFile(key)
  155. if err != nil {
  156. return "", 0, fmt.Errorf("writeTmpKeyFile: %v", err)
  157. }
  158. defer os.Remove(tmpName)
  159. stdout, stderr, err := process.GetManager().Exec("SSHKeyGenParsePublicKey", setting.SSH.KeygenPath, "-lf", tmpName)
  160. if err != nil {
  161. return "", 0, fmt.Errorf("fail to parse public key: %s - %s", err, stderr)
  162. }
  163. if strings.Contains(stdout, "is not a public key file") {
  164. return "", 0, ErrKeyUnableVerify{stdout}
  165. }
  166. fields := strings.Split(stdout, " ")
  167. if len(fields) < 4 {
  168. return "", 0, fmt.Errorf("invalid public key line: %s", stdout)
  169. }
  170. keyType := strings.Trim(fields[len(fields)-1], "()\r\n")
  171. return strings.ToLower(keyType), com.StrTo(fields[0]).MustInt(), nil
  172. }
  173. // SSHNativeParsePublicKey extracts the key type and length using the golang SSH library.
  174. func SSHNativeParsePublicKey(keyLine string) (string, int, error) {
  175. fields := strings.Fields(keyLine)
  176. if len(fields) < 2 {
  177. return "", 0, fmt.Errorf("not enough fields in public key line: %s", keyLine)
  178. }
  179. raw, err := base64.StdEncoding.DecodeString(fields[1])
  180. if err != nil {
  181. return "", 0, err
  182. }
  183. pkey, err := ssh.ParsePublicKey(raw)
  184. if err != nil {
  185. if strings.Contains(err.Error(), "ssh: unknown key algorithm") {
  186. return "", 0, ErrKeyUnableVerify{err.Error()}
  187. }
  188. return "", 0, fmt.Errorf("ParsePublicKey: %v", err)
  189. }
  190. // The ssh library can parse the key, so next we find out what key exactly we have.
  191. switch pkey.Type() {
  192. case ssh.KeyAlgoDSA:
  193. rawPub := struct {
  194. Name string
  195. P, Q, G, Y *big.Int
  196. }{}
  197. if err := ssh.Unmarshal(pkey.Marshal(), &rawPub); err != nil {
  198. return "", 0, err
  199. }
  200. // as per https://bugzilla.mindrot.org/show_bug.cgi?id=1647 we should never
  201. // see dsa keys != 1024 bit, but as it seems to work, we will not check here
  202. return "dsa", rawPub.P.BitLen(), nil // use P as per crypto/dsa/dsa.go (is L)
  203. case ssh.KeyAlgoRSA:
  204. rawPub := struct {
  205. Name string
  206. E *big.Int
  207. N *big.Int
  208. }{}
  209. if err := ssh.Unmarshal(pkey.Marshal(), &rawPub); err != nil {
  210. return "", 0, err
  211. }
  212. return "rsa", rawPub.N.BitLen(), nil // use N as per crypto/rsa/rsa.go (is bits)
  213. case ssh.KeyAlgoECDSA256:
  214. return "ecdsa", 256, nil
  215. case ssh.KeyAlgoECDSA384:
  216. return "ecdsa", 384, nil
  217. case ssh.KeyAlgoECDSA521:
  218. return "ecdsa", 521, nil
  219. case ssh.KeyAlgoED25519:
  220. return "ed25519", 256, nil
  221. }
  222. return "", 0, fmt.Errorf("unsupported key length detection for type: %s", pkey.Type())
  223. }
  224. // CheckPublicKeyString checks if the given public key string is recognized by SSH.
  225. // It returns the actual public key line on success.
  226. func CheckPublicKeyString(content string) (_ string, err error) {
  227. if setting.SSH.Disabled {
  228. return "", ErrSSHDisabled{}
  229. }
  230. content, err = parseKeyString(content)
  231. if err != nil {
  232. return "", err
  233. }
  234. content = strings.TrimRight(content, "\n\r")
  235. if strings.ContainsAny(content, "\n\r") {
  236. return "", errors.New("only a single line with a single key please")
  237. }
  238. // remove any unnecessary whitespace now
  239. content = strings.TrimSpace(content)
  240. if !setting.SSH.MinimumKeySizeCheck {
  241. return content, nil
  242. }
  243. var (
  244. fnName string
  245. keyType string
  246. length int
  247. )
  248. if setting.SSH.StartBuiltinServer {
  249. fnName = "SSHNativeParsePublicKey"
  250. keyType, length, err = SSHNativeParsePublicKey(content)
  251. } else {
  252. fnName = "SSHKeyGenParsePublicKey"
  253. keyType, length, err = SSHKeyGenParsePublicKey(content)
  254. }
  255. if err != nil {
  256. return "", fmt.Errorf("%s: %v", fnName, err)
  257. }
  258. log.Trace("Key info [native: %v]: %s-%d", setting.SSH.StartBuiltinServer, keyType, length)
  259. if minLen, found := setting.SSH.MinimumKeySizes[keyType]; found && length >= minLen {
  260. return content, nil
  261. } else if found && length < minLen {
  262. return "", fmt.Errorf("key length is not enough: got %d, needs %d", length, minLen)
  263. }
  264. return "", fmt.Errorf("key type is not allowed: %s", keyType)
  265. }
  266. // appendAuthorizedKeysToFile appends new SSH keys' content to authorized_keys file.
  267. func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
  268. // Don't need to rewrite this file if builtin SSH server is enabled.
  269. if setting.SSH.StartBuiltinServer {
  270. return nil
  271. }
  272. sshOpLocker.Lock()
  273. defer sshOpLocker.Unlock()
  274. fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
  275. f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
  276. if err != nil {
  277. return err
  278. }
  279. defer f.Close()
  280. // Note: chmod command does not support in Windows.
  281. if !setting.IsWindows {
  282. fi, err := f.Stat()
  283. if err != nil {
  284. return err
  285. }
  286. // .ssh directory should have mode 700, and authorized_keys file should have mode 600.
  287. if fi.Mode().Perm() > 0600 {
  288. log.Error("authorized_keys file has unusual permission flags: %s - setting to -rw-------", fi.Mode().Perm().String())
  289. if err = f.Chmod(0600); err != nil {
  290. return err
  291. }
  292. }
  293. }
  294. for _, key := range keys {
  295. if _, err = f.WriteString(key.AuthorizedString()); err != nil {
  296. return err
  297. }
  298. }
  299. return nil
  300. }
  301. // checkKeyFingerprint only checks if key fingerprint has been used as public key,
  302. // it is OK to use same key as deploy key for multiple repositories/users.
  303. func checkKeyFingerprint(e Engine, fingerprint string) error {
  304. has, err := e.Get(&PublicKey{
  305. Fingerprint: fingerprint,
  306. })
  307. if err != nil {
  308. return err
  309. } else if has {
  310. return ErrKeyAlreadyExist{0, fingerprint, ""}
  311. }
  312. return nil
  313. }
  314. func calcFingerprint(publicKeyContent string) (string, error) {
  315. // Calculate fingerprint.
  316. tmpPath, err := writeTmpKeyFile(publicKeyContent)
  317. if err != nil {
  318. return "", err
  319. }
  320. defer os.Remove(tmpPath)
  321. stdout, stderr, err := process.GetManager().Exec("AddPublicKey", "ssh-keygen", "-lf", tmpPath)
  322. if err != nil {
  323. return "", fmt.Errorf("'ssh-keygen -lf %s' failed with error '%s': %s", tmpPath, err, stderr)
  324. } else if len(stdout) < 2 {
  325. return "", errors.New("not enough output for calculating fingerprint: " + stdout)
  326. }
  327. return strings.Split(stdout, " ")[1], nil
  328. }
  329. func addKey(e Engine, key *PublicKey) (err error) {
  330. if len(key.Fingerprint) == 0 {
  331. key.Fingerprint, err = calcFingerprint(key.Content)
  332. if err != nil {
  333. return err
  334. }
  335. }
  336. // Save SSH key.
  337. if _, err = e.Insert(key); err != nil {
  338. return err
  339. }
  340. return appendAuthorizedKeysToFile(key)
  341. }
  342. // AddPublicKey adds new public key to database and authorized_keys file.
  343. func AddPublicKey(ownerID int64, name, content string, LoginSourceID int64) (*PublicKey, error) {
  344. log.Trace(content)
  345. fingerprint, err := calcFingerprint(content)
  346. if err != nil {
  347. return nil, err
  348. }
  349. sess := x.NewSession()
  350. defer sess.Close()
  351. if err = sess.Begin(); err != nil {
  352. return nil, err
  353. }
  354. if err := checkKeyFingerprint(sess, fingerprint); err != nil {
  355. return nil, err
  356. }
  357. // Key name of same user cannot be duplicated.
  358. has, err := sess.
  359. Where("owner_id = ? AND name = ?", ownerID, name).
  360. Get(new(PublicKey))
  361. if err != nil {
  362. return nil, err
  363. } else if has {
  364. return nil, ErrKeyNameAlreadyUsed{ownerID, name}
  365. }
  366. key := &PublicKey{
  367. OwnerID: ownerID,
  368. Name: name,
  369. Fingerprint: fingerprint,
  370. Content: content,
  371. Mode: AccessModeWrite,
  372. Type: KeyTypeUser,
  373. LoginSourceID: LoginSourceID,
  374. }
  375. if err = addKey(sess, key); err != nil {
  376. return nil, fmt.Errorf("addKey: %v", err)
  377. }
  378. return key, sess.Commit()
  379. }
  380. // GetPublicKeyByID returns public key by given ID.
  381. func GetPublicKeyByID(keyID int64) (*PublicKey, error) {
  382. key := new(PublicKey)
  383. has, err := x.
  384. Id(keyID).
  385. Get(key)
  386. if err != nil {
  387. return nil, err
  388. } else if !has {
  389. return nil, ErrKeyNotExist{keyID}
  390. }
  391. return key, nil
  392. }
  393. func searchPublicKeyByContentWithEngine(e Engine, content string) (*PublicKey, error) {
  394. key := new(PublicKey)
  395. has, err := e.
  396. Where("content like ?", content+"%").
  397. Get(key)
  398. if err != nil {
  399. return nil, err
  400. } else if !has {
  401. return nil, ErrKeyNotExist{}
  402. }
  403. return key, nil
  404. }
  405. // SearchPublicKeyByContent searches content as prefix (leak e-mail part)
  406. // and returns public key found.
  407. func SearchPublicKeyByContent(content string) (*PublicKey, error) {
  408. return searchPublicKeyByContentWithEngine(x, content)
  409. }
  410. // SearchPublicKey returns a list of public keys matching the provided arguments.
  411. func SearchPublicKey(uid int64, fingerprint string) ([]*PublicKey, error) {
  412. keys := make([]*PublicKey, 0, 5)
  413. cond := builder.NewCond()
  414. if uid != 0 {
  415. cond = cond.And(builder.Eq{"owner_id": uid})
  416. }
  417. if fingerprint != "" {
  418. cond = cond.And(builder.Eq{"fingerprint": fingerprint})
  419. }
  420. return keys, x.Where(cond).Find(&keys)
  421. }
  422. // ListPublicKeys returns a list of public keys belongs to given user.
  423. func ListPublicKeys(uid int64) ([]*PublicKey, error) {
  424. keys := make([]*PublicKey, 0, 5)
  425. return keys, x.
  426. Where("owner_id = ?", uid).
  427. Find(&keys)
  428. }
  429. // ListPublicLdapSSHKeys returns a list of synchronized public ldap ssh keys belongs to given user and login source.
  430. func ListPublicLdapSSHKeys(uid int64, LoginSourceID int64) ([]*PublicKey, error) {
  431. keys := make([]*PublicKey, 0, 5)
  432. return keys, x.
  433. Where("owner_id = ? AND login_source_id = ?", uid, LoginSourceID).
  434. Find(&keys)
  435. }
  436. // UpdatePublicKeyUpdated updates public key use time.
  437. func UpdatePublicKeyUpdated(id int64) error {
  438. // Check if key exists before update as affected rows count is unreliable
  439. // and will return 0 affected rows if two updates are made at the same time
  440. if cnt, err := x.ID(id).Count(&PublicKey{}); err != nil {
  441. return err
  442. } else if cnt != 1 {
  443. return ErrKeyNotExist{id}
  444. }
  445. _, err := x.ID(id).Cols("updated_unix").Update(&PublicKey{
  446. UpdatedUnix: util.TimeStampNow(),
  447. })
  448. if err != nil {
  449. return err
  450. }
  451. return nil
  452. }
  453. // deletePublicKeys does the actual key deletion but does not update authorized_keys file.
  454. func deletePublicKeys(e Engine, keyIDs ...int64) error {
  455. if len(keyIDs) == 0 {
  456. return nil
  457. }
  458. _, err := e.In("id", keyIDs).Delete(new(PublicKey))
  459. return err
  460. }
  461. // DeletePublicKey deletes SSH key information both in database and authorized_keys file.
  462. func DeletePublicKey(doer *User, id int64) (err error) {
  463. key, err := GetPublicKeyByID(id)
  464. if err != nil {
  465. return err
  466. }
  467. // Check if user has access to delete this key.
  468. if !doer.IsAdmin && doer.ID != key.OwnerID {
  469. return ErrKeyAccessDenied{doer.ID, key.ID, "public"}
  470. }
  471. sess := x.NewSession()
  472. defer sess.Close()
  473. if err = sess.Begin(); err != nil {
  474. return err
  475. }
  476. if err = deletePublicKeys(sess, id); err != nil {
  477. return err
  478. }
  479. if err = sess.Commit(); err != nil {
  480. return err
  481. }
  482. sess.Close()
  483. return RewriteAllPublicKeys()
  484. }
  485. // RewriteAllPublicKeys removes any authorized key and rewrite all keys from database again.
  486. // Note: x.Iterate does not get latest data after insert/delete, so we have to call this function
  487. // outside any session scope independently.
  488. func RewriteAllPublicKeys() error {
  489. return rewriteAllPublicKeys(x)
  490. }
  491. func rewriteAllPublicKeys(e Engine) error {
  492. //Don't rewrite key if internal server
  493. if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile {
  494. return nil
  495. }
  496. sshOpLocker.Lock()
  497. defer sshOpLocker.Unlock()
  498. fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
  499. tmpPath := fPath + ".tmp"
  500. t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
  501. if err != nil {
  502. return err
  503. }
  504. defer func() {
  505. t.Close()
  506. os.Remove(tmpPath)
  507. }()
  508. if setting.SSH.AuthorizedKeysBackup && com.IsExist(fPath) {
  509. bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix())
  510. if err = com.Copy(fPath, bakPath); err != nil {
  511. return err
  512. }
  513. }
  514. err = e.Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) {
  515. _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString())
  516. return err
  517. })
  518. if err != nil {
  519. return err
  520. }
  521. if com.IsExist(fPath) {
  522. f, err := os.Open(fPath)
  523. if err != nil {
  524. return err
  525. }
  526. scanner := bufio.NewScanner(f)
  527. for scanner.Scan() {
  528. line := scanner.Text()
  529. if strings.HasPrefix(line, tplCommentPrefix) {
  530. scanner.Scan()
  531. continue
  532. }
  533. _, err = t.WriteString(line + "\n")
  534. if err != nil {
  535. return err
  536. }
  537. }
  538. defer f.Close()
  539. }
  540. return os.Rename(tmpPath, fPath)
  541. }
  542. // ________ .__ ____ __.
  543. // \______ \ ____ ______ | | ____ ___.__.| |/ _|____ ___.__.
  544. // | | \_/ __ \\____ \| | / _ < | || <_/ __ < | |
  545. // | ` \ ___/| |_> > |_( <_> )___ || | \ ___/\___ |
  546. // /_______ /\___ > __/|____/\____// ____||____|__ \___ > ____|
  547. // \/ \/|__| \/ \/ \/\/
  548. // DeployKey represents deploy key information and its relation with repository.
  549. type DeployKey struct {
  550. ID int64 `xorm:"pk autoincr"`
  551. KeyID int64 `xorm:"UNIQUE(s) INDEX"`
  552. RepoID int64 `xorm:"UNIQUE(s) INDEX"`
  553. Name string
  554. Fingerprint string
  555. Content string `xorm:"-"`
  556. Mode AccessMode `xorm:"NOT NULL DEFAULT 1"`
  557. CreatedUnix util.TimeStamp `xorm:"created"`
  558. UpdatedUnix util.TimeStamp `xorm:"updated"`
  559. HasRecentActivity bool `xorm:"-"`
  560. HasUsed bool `xorm:"-"`
  561. }
  562. // AfterLoad is invoked from XORM after setting the values of all fields of this object.
  563. func (key *DeployKey) AfterLoad() {
  564. key.HasUsed = key.UpdatedUnix > key.CreatedUnix
  565. key.HasRecentActivity = key.UpdatedUnix.AddDuration(7*24*time.Hour) > util.TimeStampNow()
  566. }
  567. // GetContent gets associated public key content.
  568. func (key *DeployKey) GetContent() error {
  569. pkey, err := GetPublicKeyByID(key.KeyID)
  570. if err != nil {
  571. return err
  572. }
  573. key.Content = pkey.Content
  574. return nil
  575. }
  576. // IsReadOnly checks if the key can only be used for read operations
  577. func (key *DeployKey) IsReadOnly() bool {
  578. return key.Mode == AccessModeRead
  579. }
  580. func checkDeployKey(e Engine, keyID, repoID int64, name string) error {
  581. // Note: We want error detail, not just true or false here.
  582. has, err := e.
  583. Where("key_id = ? AND repo_id = ?", keyID, repoID).
  584. Get(new(DeployKey))
  585. if err != nil {
  586. return err
  587. } else if has {
  588. return ErrDeployKeyAlreadyExist{keyID, repoID}
  589. }
  590. has, err = e.
  591. Where("repo_id = ? AND name = ?", repoID, name).
  592. Get(new(DeployKey))
  593. if err != nil {
  594. return err
  595. } else if has {
  596. return ErrDeployKeyNameAlreadyUsed{repoID, name}
  597. }
  598. return nil
  599. }
  600. // addDeployKey adds new key-repo relation.
  601. func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string, mode AccessMode) (*DeployKey, error) {
  602. if err := checkDeployKey(e, keyID, repoID, name); err != nil {
  603. return nil, err
  604. }
  605. key := &DeployKey{
  606. KeyID: keyID,
  607. RepoID: repoID,
  608. Name: name,
  609. Fingerprint: fingerprint,
  610. Mode: mode,
  611. }
  612. _, err := e.Insert(key)
  613. return key, err
  614. }
  615. // HasDeployKey returns true if public key is a deploy key of given repository.
  616. func HasDeployKey(keyID, repoID int64) bool {
  617. has, _ := x.
  618. Where("key_id = ? AND repo_id = ?", keyID, repoID).
  619. Get(new(DeployKey))
  620. return has
  621. }
  622. // AddDeployKey add new deploy key to database and authorized_keys file.
  623. func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey, error) {
  624. fingerprint, err := calcFingerprint(content)
  625. if err != nil {
  626. return nil, err
  627. }
  628. accessMode := AccessModeRead
  629. if !readOnly {
  630. accessMode = AccessModeWrite
  631. }
  632. sess := x.NewSession()
  633. defer sess.Close()
  634. if err = sess.Begin(); err != nil {
  635. return nil, err
  636. }
  637. pkey := &PublicKey{
  638. Fingerprint: fingerprint,
  639. }
  640. has, err := sess.Get(pkey)
  641. if err != nil {
  642. return nil, err
  643. }
  644. if has {
  645. if pkey.Type != KeyTypeDeploy {
  646. return nil, ErrKeyAlreadyExist{0, fingerprint, ""}
  647. }
  648. } else {
  649. // First time use this deploy key.
  650. pkey.Mode = accessMode
  651. pkey.Type = KeyTypeDeploy
  652. pkey.Content = content
  653. pkey.Name = name
  654. if err = addKey(sess, pkey); err != nil {
  655. return nil, fmt.Errorf("addKey: %v", err)
  656. }
  657. }
  658. key, err := addDeployKey(sess, pkey.ID, repoID, name, pkey.Fingerprint, accessMode)
  659. if err != nil {
  660. return nil, err
  661. }
  662. return key, sess.Commit()
  663. }
  664. // GetDeployKeyByID returns deploy key by given ID.
  665. func GetDeployKeyByID(id int64) (*DeployKey, error) {
  666. return getDeployKeyByID(x, id)
  667. }
  668. func getDeployKeyByID(e Engine, id int64) (*DeployKey, error) {
  669. key := new(DeployKey)
  670. has, err := e.ID(id).Get(key)
  671. if err != nil {
  672. return nil, err
  673. } else if !has {
  674. return nil, ErrDeployKeyNotExist{id, 0, 0}
  675. }
  676. return key, nil
  677. }
  678. // GetDeployKeyByRepo returns deploy key by given public key ID and repository ID.
  679. func GetDeployKeyByRepo(keyID, repoID int64) (*DeployKey, error) {
  680. return getDeployKeyByRepo(x, keyID, repoID)
  681. }
  682. func getDeployKeyByRepo(e Engine, keyID, repoID int64) (*DeployKey, error) {
  683. key := &DeployKey{
  684. KeyID: keyID,
  685. RepoID: repoID,
  686. }
  687. has, err := e.Get(key)
  688. if err != nil {
  689. return nil, err
  690. } else if !has {
  691. return nil, ErrDeployKeyNotExist{0, keyID, repoID}
  692. }
  693. return key, nil
  694. }
  695. // UpdateDeployKeyCols updates deploy key information in the specified columns.
  696. func UpdateDeployKeyCols(key *DeployKey, cols ...string) error {
  697. _, err := x.ID(key.ID).Cols(cols...).Update(key)
  698. return err
  699. }
  700. // UpdateDeployKey updates deploy key information.
  701. func UpdateDeployKey(key *DeployKey) error {
  702. _, err := x.ID(key.ID).AllCols().Update(key)
  703. return err
  704. }
  705. // DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed.
  706. func DeleteDeployKey(doer *User, id int64) error {
  707. sess := x.NewSession()
  708. defer sess.Close()
  709. if err := sess.Begin(); err != nil {
  710. return err
  711. }
  712. if err := deleteDeployKey(sess, doer, id); err != nil {
  713. return err
  714. }
  715. return sess.Commit()
  716. }
  717. func deleteDeployKey(sess Engine, doer *User, id int64) error {
  718. key, err := getDeployKeyByID(sess, id)
  719. if err != nil {
  720. if IsErrDeployKeyNotExist(err) {
  721. return nil
  722. }
  723. return fmt.Errorf("GetDeployKeyByID: %v", err)
  724. }
  725. // Check if user has access to delete this key.
  726. if !doer.IsAdmin {
  727. repo, err := getRepositoryByID(sess, key.RepoID)
  728. if err != nil {
  729. return fmt.Errorf("GetRepositoryByID: %v", err)
  730. }
  731. has, err := isUserRepoAdmin(sess, repo, doer)
  732. if err != nil {
  733. return fmt.Errorf("GetUserRepoPermission: %v", err)
  734. } else if !has {
  735. return ErrKeyAccessDenied{doer.ID, key.ID, "deploy"}
  736. }
  737. }
  738. if _, err = sess.ID(key.ID).Delete(new(DeployKey)); err != nil {
  739. return fmt.Errorf("delete deploy key [%d]: %v", key.ID, err)
  740. }
  741. // Check if this is the last reference to same key content.
  742. has, err := sess.
  743. Where("key_id = ?", key.KeyID).
  744. Get(new(DeployKey))
  745. if err != nil {
  746. return err
  747. } else if !has {
  748. if err = deletePublicKeys(sess, key.KeyID); err != nil {
  749. return err
  750. }
  751. // after deleted the public keys, should rewrite the public keys file
  752. if err = rewriteAllPublicKeys(sess); err != nil {
  753. return err
  754. }
  755. }
  756. return nil
  757. }
  758. // ListDeployKeys returns all deploy keys by given repository ID.
  759. func ListDeployKeys(repoID int64) ([]*DeployKey, error) {
  760. return listDeployKeys(x, repoID)
  761. }
  762. func listDeployKeys(e Engine, repoID int64) ([]*DeployKey, error) {
  763. keys := make([]*DeployKey, 0, 5)
  764. return keys, e.
  765. Where("repo_id = ?", repoID).
  766. Find(&keys)
  767. }
  768. // SearchDeployKeys returns a list of deploy keys matching the provided arguments.
  769. func SearchDeployKeys(repoID int64, keyID int64, fingerprint string) ([]*DeployKey, error) {
  770. keys := make([]*DeployKey, 0, 5)
  771. cond := builder.NewCond()
  772. if repoID != 0 {
  773. cond = cond.And(builder.Eq{"repo_id": repoID})
  774. }
  775. if keyID != 0 {
  776. cond = cond.And(builder.Eq{"key_id": keyID})
  777. }
  778. if fingerprint != "" {
  779. cond = cond.And(builder.Eq{"fingerprint": fingerprint})
  780. }
  781. return keys, x.Where(cond).Find(&keys)
  782. }