mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-05-19 16:58:09 +00:00
b896a87103
- After stumbling upon https://github.com/golang/go/issues/22397 and reading the implementations I realized that Forgejo code doesn't have `Sync()` and it doesn't properly error handle the `Close` function. - (likely) Resolves https://codeberg.org/forgejo/forgejo/issues/1446 (cherry picked from commit0efcb334c2) (cherry picked from commit04ef02c0dd) (cherry picked from commit85f2065c9b) (cherry picked from commit8d36b5cce6) (cherry picked from commit378dc30fb5) (cherry picked from commit2b28bf826e) (cherry picked from commitd0625a001e) (cherry picked from commitf161a4f60f) (cherry picked from commit7430ca43e5) (cherry picked from commitab6d38daf7) (cherry picked from commit0f703fd02e) (cherry picked from commit6931a8f6bb) (cherry picked from commit5e2065c1c0) (cherry picked from commit38c812acff) (cherry picked from commit494874e23f) (cherry picked from commitd396b7fd47) (cherry picked from commit7babc6efe1) (cherry picked from commit2d4dbbe741)
140 lines
4.1 KiB
Go
140 lines
4.1 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package asymkey
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/models/db"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/util"
|
|
)
|
|
|
|
// _____ __ .__ .__ .___
|
|
// / _ \ __ ___/ |_| |__ ___________|__|_______ ____ __| _/
|
|
// / /_\ \| | \ __\ | \ / _ \_ __ \ \___ // __ \ / __ |
|
|
// / | \ | /| | | Y ( <_> ) | \/ |/ /\ ___// /_/ |
|
|
// \____|__ /____/ |__| |___| /\____/|__| |__/_____ \\___ >____ |
|
|
// \/ \/ \/ \/ \/
|
|
// __________ .__ .__ .__
|
|
// \______ _______|__| ____ ____ |_____________ | | ______
|
|
// | ___\_ __ | |/ \_/ ___\| \____ \__ \ | | / ___/
|
|
// | | | | \| | | \ \___| | |_> / __ \| |__\___ \
|
|
// |____| |__| |__|___| /\___ |__| __(____ |____/____ >
|
|
// \/ \/ |__| \/ \/
|
|
//
|
|
// This file contains functions for creating authorized_principals files
|
|
//
|
|
// There is a dependence on the database within RewriteAllPrincipalKeys & RegeneratePrincipalKeys
|
|
// The sshOpLocker is used from ssh_key_authorized_keys.go
|
|
|
|
const authorizedPrincipalsFile = "authorized_principals"
|
|
|
|
// RewriteAllPrincipalKeys removes any authorized principal and rewrite all keys from database again.
|
|
// Note: db.GetEngine(ctx).Iterate does not get latest data after insert/delete, so we have to call this function
|
|
// outside any session scope independently.
|
|
func RewriteAllPrincipalKeys(ctx context.Context) error {
|
|
// Don't rewrite key if internal server
|
|
if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedPrincipalsFile {
|
|
return nil
|
|
}
|
|
|
|
sshOpLocker.Lock()
|
|
defer sshOpLocker.Unlock()
|
|
|
|
if setting.SSH.RootPath != "" {
|
|
// First of ensure that the RootPath is present, and if not make it with 0700 permissions
|
|
// This of course doesn't guarantee that this is the right directory for authorized_keys
|
|
// but at least if it's supposed to be this directory and it doesn't exist and we're the
|
|
// right user it will at least be created properly.
|
|
err := os.MkdirAll(setting.SSH.RootPath, 0o700)
|
|
if err != nil {
|
|
log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err)
|
|
return err
|
|
}
|
|
}
|
|
|
|
fPath := filepath.Join(setting.SSH.RootPath, authorizedPrincipalsFile)
|
|
tmpPath := fPath + ".tmp"
|
|
t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() {
|
|
t.Close()
|
|
os.Remove(tmpPath)
|
|
}()
|
|
|
|
if setting.SSH.AuthorizedPrincipalsBackup {
|
|
isExist, err := util.IsExist(fPath)
|
|
if err != nil {
|
|
log.Error("Unable to check if %s exists. Error: %v", fPath, err)
|
|
return err
|
|
}
|
|
if isExist {
|
|
bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix())
|
|
if err = util.CopyFile(fPath, bakPath); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := regeneratePrincipalKeys(ctx, t); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := t.Sync(); err != nil {
|
|
return err
|
|
}
|
|
if err := t.Close(); err != nil {
|
|
return err
|
|
}
|
|
return util.Rename(tmpPath, fPath)
|
|
}
|
|
|
|
func regeneratePrincipalKeys(ctx context.Context, t io.StringWriter) error {
|
|
if err := db.GetEngine(ctx).Where("type = ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean any) (err error) {
|
|
_, err = t.WriteString((bean.(*PublicKey)).AuthorizedString())
|
|
return err
|
|
}); err != nil {
|
|
return err
|
|
}
|
|
|
|
fPath := filepath.Join(setting.SSH.RootPath, authorizedPrincipalsFile)
|
|
isExist, err := util.IsExist(fPath)
|
|
if err != nil {
|
|
log.Error("Unable to check if %s exists. Error: %v", fPath, err)
|
|
return err
|
|
}
|
|
if isExist {
|
|
f, err := os.Open(fPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
scanner := bufio.NewScanner(f)
|
|
for scanner.Scan() {
|
|
line := scanner.Text()
|
|
if strings.HasPrefix(line, tplCommentPrefix) {
|
|
scanner.Scan()
|
|
continue
|
|
}
|
|
_, err = t.WriteString(line + "\n")
|
|
if err != nil {
|
|
f.Close()
|
|
return err
|
|
}
|
|
}
|
|
f.Close()
|
|
}
|
|
return nil
|
|
}
|