author | zeripath <art27@cantab.net> | 2020-12-26 04:24:47 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-25 23:24:47 -0500 |
commit | ad1164f73ba277f11a20ea838a62d9b8c8a7cb45 (patch) | |
tree | 7854283c1a6a12621cf36b0c6397a12bfea436d8 /models | |
parent | a19447aed128ecadfcd938d6a80cd4951af1f4ce (diff) | |
Disable SSH key deletion of externally managed Keys (#13985)
* Disable SSH key addition and deletion when externally managed
When a user has a login source which has SSH key management
key addition and deletion using the UI should be disabled.
Fix #13983
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Make only externally managed keys disabled
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'models')
-rw-r--r-- | models/ssh_key.go | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/models/ssh_key.go b/models/ssh_key.go
index b2e4326559..70512dccf5 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -665,6 +665,82 @@ func deletePublicKeys(e Engine, keyIDs ...int64) error {
 return err
 }
 
+// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key
+func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) {
+ sources := make([]*LoginSource, 0, 5)
+ externals := make([]bool, len(keys))
+keyloop:
+ for i, key := range keys {
+ if key.LoginSourceID == 0 {
+ externals[i] = false
+ continue keyloop
+ }
+
+ var source *LoginSource
+
+ sourceloop:
+ for _, s := range sources {
+ if s.ID == key.LoginSourceID {
+ source = s
+ break sourceloop
+ }
+ }
+
+ if source == nil {
+ var err error
+ source, err = GetLoginSourceByID(key.LoginSourceID)
+ if err != nil {
+ if IsErrLoginSourceNotExist(err) {
+ externals[i] = false
+ sources[i] = &LoginSource{
+ ID: key.LoginSourceID,
+ }
+ continue keyloop
+ }
+ return nil, err
+ }
+ }
+
+ ldapSource := source.LDAP()
+ if ldapSource != nil &&
+ source.IsSyncEnabled &&
+ (source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
+ len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+ // Disable setting SSH keys for this user
+ externals[i] = true
+ }
+ }
+
+ return externals, nil
+}
+
+// PublicKeyIsExternallyManaged returns whether the provided KeyID represents an externally managed Key
+func PublicKeyIsExternallyManaged(id int64) (bool, error) {
+ key, err := GetPublicKeyByID(id)
+ if err != nil {
+ return false, err
+ }
+ if key.LoginSourceID == 0 {
+ return false, nil
+ }
+ source, err := GetLoginSourceByID(key.LoginSourceID)
+ if err != nil {
+ if IsErrLoginSourceNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ ldapSource := source.LDAP()
+ if ldapSource != nil &&
+ source.IsSyncEnabled &&
+ (source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
+ len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+ // Disable setting SSH keys for this user
+ return true, nil
+ }
+ return false, nil
+}
+
 // DeletePublicKey deletes SSH key information both in database and authorized_keys file.
 func DeletePublicKey(doer *User, id int64) (err error) {
 key, err := GetPublicKeyByID(id) |
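Review bot: In PublicKeysAreExternallyManaged, `sources[i] = &LoginSource{...}` indexes a slice created with `make([]*LoginSource, 0, 5)`, whose length is 0, so the first key whose login source no longer exists panics with index out of range instead of being reported as not externally managed. Nothing ever appends to `sources` either, so the `sourceloop` lookup never hits and every key costs a `GetLoginSourceByID` call. Simply switching to `append` would cache a placeholder with only `ID` set, which later keys would pass to `source.LDAP()`; whether that is safe depends on LDAP(), which is not visible here, so the sketch below caches a nil entry for a missing source and skips it. The doc comment is copied from the single-key function and should say that it returns one flag per entry of `keys`, in order. The LDAP predicate is duplicated in PublicKeyIsExternallyManaged; a shared helper would keep the listing and the per-key check from drifting apart.

```go
func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) {
	// A nil entry records a login source that no longer exists.
	sources := make(map[int64]*LoginSource, 5)
	externals := make([]bool, len(keys))
	for i, key := range keys {
		if key.LoginSourceID == 0 {
			continue
		}
		source, seen := sources[key.LoginSourceID]
		if !seen {
			var err error
			source, err = GetLoginSourceByID(key.LoginSourceID)
			if err != nil {
				if !IsErrLoginSourceNotExist(err) {
					return nil, err
				}
				source = nil
			}
			sources[key.LoginSourceID] = source
		}
		if source == nil {
			continue
		}
		// … unchanged: LDAP sync / AttributeSSHPublicKey check that sets externals[i] = true …
	}
	return externals, nil
}
```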