From d1a49977b089afefc40172711d02eb795d2234de Mon Sep 17 00:00:00 2001 From: zeripath Date: Tue, 17 Dec 2019 01:49:07 +0000 Subject: [PATCH] AuthorizedKeysCommand should not query db directly (#9371) * AuthorizedKeysCommand should not query db directly * Update routers/private/internal.go * Fix import order --- cmd/keys.go | 10 +-- docs/content/doc/usage/command-line.en-us.md | 1 + integrations/cmd_keys_test.go | 81 ++++++++++---------- modules/private/key.go | 25 ++++++ routers/private/internal.go | 1 + routers/private/key.go | 25 +++++- 6 files changed, 93 insertions(+), 50 deletions(-) diff --git a/cmd/keys.go b/cmd/keys.go index 39153c7cb76c..c0818fd2d2cc 100644 --- a/cmd/keys.go +++ b/cmd/keys.go @@ -9,7 +9,7 @@ import ( "fmt" "strings" - "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/private" "github.com/urfave/cli" ) @@ -62,14 +62,12 @@ func runKeys(c *cli.Context) error { return errors.New("No key type and content provided") } - if err := initDBDisableConsole(true); err != nil { - return err - } + setup("keys.log") - publicKey, err := models.SearchPublicKeyByContent(content) + authorizedString, err := private.AuthorizedPublicKeyByContent(content) if err != nil { return err } - fmt.Println(publicKey.AuthorizedString()) + fmt.Println(strings.TrimSpace(authorizedString)) return nil } diff --git a/docs/content/doc/usage/command-line.en-us.md b/docs/content/doc/usage/command-line.en-us.md index 6b0cfae3ba0d..0f7b4f61a20d 100644 --- a/docs/content/doc/usage/command-line.en-us.md +++ b/docs/content/doc/usage/command-line.en-us.md @@ -281,6 +281,7 @@ provided key. You should also set the value NB: opensshd requires the gitea program to be owned by root and not writable by group or others. The program must be specified by an absolute path. +NB: Gitea must be running for this command to succeed. #### migrate Migrates the database. This command can be used to run other commands before starting the server for the first time. diff --git a/integrations/cmd_keys_test.go b/integrations/cmd_keys_test.go index 4294c3199018..c97a9ffe43ce 100644 --- a/integrations/cmd_keys_test.go +++ b/integrations/cmd_keys_test.go @@ -8,6 +8,7 @@ import ( "bytes" "flag" "io" + "net/url" "os" "testing" @@ -18,45 +19,45 @@ import ( ) func Test_CmdKeys(t *testing.T) { - defer prepareTestEnv(t)() + onGiteaRun(t, func(*testing.T, *url.URL) { + tests := []struct { + name string + args []string + wantErr bool + expectedOutput string + }{ + {"test_empty_1", []string{"keys", "--username=git", "--type=test", "--content=test"}, true, ""}, + {"test_empty_2", []string{"keys", "-e", "git", "-u", "git", "-t", "test", "-k", "test"}, true, ""}, + {"with_key", + []string{"keys", "-e", "git", "-u", "git", "-t", "ssh-rsa", "-k", "AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM="}, + false, + "# gitea public key\ncommand=\"" + setting.AppPath + " --config='" + setting.CustomConf + "' serv key-1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM= user2@localhost\n", + }, + {"invalid", []string{"keys", "--not-a-flag=git"}, true, "Incorrect Usage: flag provided but not defined: -not-a-flag\n\n"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + realStdout := os.Stdout //Backup Stdout + r, w, _ := os.Pipe() + os.Stdout = w - tests := []struct { - name string - args []string - wantErr bool - expectedOutput string - }{ - {"test_empty_1", []string{"keys", "--username=git", "--type=test", "--content=test"}, true, ""}, - {"test_empty_2", []string{"keys", "-e", "git", "-u", "git", "-t", "test", "-k", "test"}, true, ""}, - {"with_key", - []string{"keys", "-e", "git", "-u", "git", "-t", "ssh-rsa", "-k", "AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM="}, - false, - "# gitea public key\ncommand=\"" + setting.AppPath + " --config='" + setting.CustomConf + "' serv key-1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM= user2@localhost\n\n", - }, - {"invalid", []string{"keys", "--not-a-flag=git"}, true, "Incorrect Usage: flag provided but not defined: -not-a-flag\n\n"}, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - realStdout := os.Stdout //Backup Stdout - r, w, _ := os.Pipe() - os.Stdout = w - - set := flag.NewFlagSet("keys", 0) - _ = set.Parse(tt.args) - context := cli.NewContext(&cli.App{Writer: os.Stdout}, set, nil) - err := cmd.CmdKeys.Run(context) - if (err != nil) != tt.wantErr { - t.Errorf("CmdKeys.Run() error = %v, wantErr %v", err, tt.wantErr) - } - w.Close() - var buf bytes.Buffer - io.Copy(&buf, r) - commandOutput := buf.String() - if tt.expectedOutput != commandOutput { - t.Errorf("expectedOutput: %#v, commandOutput: %#v", tt.expectedOutput, commandOutput) - } - //Restore stdout - os.Stdout = realStdout - }) - } + set := flag.NewFlagSet("keys", 0) + _ = set.Parse(tt.args) + context := cli.NewContext(&cli.App{Writer: os.Stdout}, set, nil) + err := cmd.CmdKeys.Run(context) + if (err != nil) != tt.wantErr { + t.Errorf("CmdKeys.Run() error = %v, wantErr %v", err, tt.wantErr) + } + w.Close() + var buf bytes.Buffer + io.Copy(&buf, r) + commandOutput := buf.String() + if tt.expectedOutput != commandOutput { + t.Errorf("expectedOutput: %#v, commandOutput: %#v", tt.expectedOutput, commandOutput) + } + //Restore stdout + os.Stdout = realStdout + }) + } + }) } diff --git a/modules/private/key.go b/modules/private/key.go index ebc28eb87139..40e1c492f8ef 100644 --- a/modules/private/key.go +++ b/modules/private/key.go @@ -6,6 +6,8 @@ package private import ( "fmt" + "io/ioutil" + "net/http" "code.gitea.io/gitea/modules/setting" ) @@ -27,3 +29,26 @@ func UpdatePublicKeyInRepo(keyID, repoID int64) error { } return nil } + +// AuthorizedPublicKeyByContent searches content as prefix (leak e-mail part) +// and returns public key found. +func AuthorizedPublicKeyByContent(content string) (string, error) { + // Ask for running deliver hook and test pull request tasks. + reqURL := setting.LocalURL + fmt.Sprintf("api/internal/ssh/authorized_keys") + req := newInternalRequest(reqURL, "POST") + req.Param("content", content) + resp, err := req.Response() + if err != nil { + return "", err + } + + defer resp.Body.Close() + + // All 2XX status codes are accepted and others will return an error + if resp.StatusCode != http.StatusOK { + return "", fmt.Errorf("Failed to update public key: %s", decodeJSONError(resp).Err) + } + bs, err := ioutil.ReadAll(resp.Body) + + return string(bs), err +} diff --git a/routers/private/internal.go b/routers/private/internal.go index 3a48f5384d8c..cfbad196789d 100644 --- a/routers/private/internal.go +++ b/routers/private/internal.go @@ -76,6 +76,7 @@ func CheckUnitUser(ctx *macaron.Context) { // These APIs will be invoked by internal commands for example `gitea serv` and etc. func RegisterRoutes(m *macaron.Macaron) { m.Group("/", func() { + m.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent) m.Post("/ssh/:id/update/:repoid", UpdatePublicKeyInRepo) m.Get("/hook/pre-receive/:owner/:repo", HookPreReceive) m.Get("/hook/post-receive/:owner/:repo", HookPostReceive) diff --git a/routers/private/key.go b/routers/private/key.go index dcf597d6ba4b..c00330fe883a 100644 --- a/routers/private/key.go +++ b/routers/private/key.go @@ -6,6 +6,8 @@ package private import ( + "net/http" + "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/timeutil" @@ -17,7 +19,7 @@ func UpdatePublicKeyInRepo(ctx *macaron.Context) { keyID := ctx.ParamsInt64(":id") repoID := ctx.ParamsInt64(":repoid") if err := models.UpdatePublicKeyUpdated(keyID); err != nil { - ctx.JSON(500, map[string]interface{}{ + ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "err": err.Error(), }) return @@ -29,18 +31,33 @@ func UpdatePublicKeyInRepo(ctx *macaron.Context) { ctx.PlainText(200, []byte("success")) return } - ctx.JSON(500, map[string]interface{}{ + ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "err": err.Error(), }) return } deployKey.UpdatedUnix = timeutil.TimeStampNow() if err = models.UpdateDeployKeyCols(deployKey, "updated_unix"); err != nil { - ctx.JSON(500, map[string]interface{}{ + ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "err": err.Error(), }) return } - ctx.PlainText(200, []byte("success")) + ctx.PlainText(http.StatusOK, []byte("success")) +} + +// AuthorizedPublicKeyByContent searches content as prefix (leak e-mail part) +// and returns public key found. +func AuthorizedPublicKeyByContent(ctx *macaron.Context) { + content := ctx.Query("content") + + publicKey, err := models.SearchPublicKeyByContent(content) + if err != nil { + ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ + "err": err.Error(), + }) + return + } + ctx.PlainText(http.StatusOK, []byte(publicKey.AuthorizedString())) }