Add internal routes for ssh hook comands (#1471)

* add internal routes for ssh hook comands

* fix lint

* add comment on why package named private not internal but the route name is internal

* add comment above package private why package named private not internal but the route name is internal

* remove exp time on internal access

* move routes from /internal to /api/internal

* add comment and defer on UpdatePublicKeyUpdated

3 files changed, 105 insertions, 9 deletions

diff --git a/modules/httplib/httplib.go b/modules/httplib/httplib.go
index 38b55e64e4..f2d9a2bfaa 100644
--- a/modules/httplib/httplib.go
+++ b/modules/httplib/httplib.go
@@ -62,6 +62,11 @@ func newRequest(url, method string) *Request {
 	return &Request{url, &req, map[string]string{}, map[string]string{}, defaultSetting, &resp, nil}
 }
 
+// NewRequest returns *Request with specific method
+func NewRequest(url, method string) *Request {
+	return newRequest(url, method)
+}
+
 // Get returns *Request with GET method.
 func Get(url string) *Request {
 	return newRequest(url, "GET")
diff --git a/modules/private/internal.go b/modules/private/internal.go
new file mode 100644
index 0000000000..017e265b7c
--- /dev/null
+++ b/modules/private/internal.go
@@ -0,0 +1,53 @@
+package private
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"code.gitea.io/gitea/modules/httplib"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+func newRequest(url, method string) *httplib.Request {
+	return httplib.NewRequest(url, method).Header("Authorization",
+		fmt.Sprintf("Bearer %s", setting.InternalToken))
+}
+
+// Response internal request response
+type Response struct {
+	Err string `json:"err"`
+}
+
+func decodeJSONError(resp *http.Response) *Response {
+	var res Response
+	err := json.NewDecoder(resp.Body).Decode(&res)
+	if err != nil {
+		res.Err = err.Error()
+	}
+	return &res
+}
+
+// UpdatePublicKeyUpdated update publick key updates
+func UpdatePublicKeyUpdated(keyID int64) error {
+	// Ask for running deliver hook and test pull request tasks.
+	reqURL := setting.LocalURL + fmt.Sprintf("api/internal/ssh/%d/update", keyID)
+	log.GitLogger.Trace("UpdatePublicKeyUpdated: %s", reqURL)
+
+	resp, err := newRequest(reqURL, "POST").SetTLSClientConfig(&tls.Config{
+		InsecureSkipVerify: true,
+	}).Response()
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	// All 2XX status codes are accepted and others will return an error
+	if resp.StatusCode/100 != 2 {
+		return fmt.Errorf("Failed to update public key: %s", decodeJSONError(resp).Err)
+	}
+	return nil
+}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index c2e08b0c14..8a2db2b4ba 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -27,6 +27,7 @@ import (
 	"code.gitea.io/gitea/modules/user"
 
 	"github.com/Unknwon/com"
+	"github.com/dgrijalva/jwt-go"
 	_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache
 	_ "github.com/go-macaron/cache/redis"
 	"github.com/go-macaron/session"
@@ -442,14 +443,15 @@ var (
 	ShowFooterTemplateLoadTime bool
 
 	// Global setting objects
-	Cfg          *ini.File
-	CustomPath   string // Custom directory path
-	CustomConf   string
-	CustomPID    string
-	ProdMode     bool
-	RunUser      string
-	IsWindows    bool
-	HasRobotsTxt bool
+	Cfg           *ini.File
+	CustomPath    string // Custom directory path
+	CustomConf    string
+	CustomPID     string
+	ProdMode      bool
+	RunUser       string
+	IsWindows     bool
+	HasRobotsTxt  bool
+	InternalToken string // internal access token
 )
 
 // DateLang transforms standard language locale name to corresponding value in datetime plugin.
@@ -764,6 +766,43 @@ please consider changing to GITEA_CUSTOM`)
 	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
 	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
+	InternalToken = sec.Key("INTERNAL_TOKEN").String()
+	if len(InternalToken) == 0 {
+		secretBytes := make([]byte, 32)
+		_, err := io.ReadFull(rand.Reader, secretBytes)
+		if err != nil {
+			log.Fatal(4, "Error reading random bytes: %v", err)
+		}
+
+		secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
+
+		now := time.Now()
+		InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"nbf": now.Unix(),
+		}).SignedString([]byte(secretKey))
+
+		if err != nil {
+			log.Fatal(4, "Error generate internal token: %v", err)
+		}
+
+		// Save secret
+		cfgSave := ini.Empty()
+		if com.IsFile(CustomConf) {
+			// Keeps custom settings if there is already something.
+			if err := cfgSave.Append(CustomConf); err != nil {
+				log.Error(4, "Failed to load custom conf '%s': %v", CustomConf, err)
+			}
+		}
+
+		cfgSave.Section("security").Key("INTERNAL_TOKEN").SetValue(InternalToken)
+
+		if err := os.MkdirAll(filepath.Dir(CustomConf), os.ModePerm); err != nil {
+			log.Fatal(4, "Failed to create '%s': %v", CustomConf, err)
+		}
+		if err := cfgSave.SaveTo(CustomConf); err != nil {
+			log.Fatal(4, "Error saving generated JWT Secret to custom config: %v", err)
+		}
+	}
 
 	sec = Cfg.Section("attachment")
 	AttachmentPath = sec.Key("PATH").MustString(path.Join(AppDataPath, "attachments"))
@@ -940,7 +979,6 @@ var Service struct {
 	EnableOpenIDSignUp bool
 	OpenIDWhitelist    []*regexp.Regexp
 	OpenIDBlacklist    []*regexp.Regexp
-
 }
 
 func newService() {