Add ssh certificate support (#12281)

* Add ssh certificate support

* Add ssh certificate support to builtin ssh

* Write trusted-user-ca-keys.pem based on configuration

* Update app.example.ini

* Update templates/user/settings/keys_principal.tmpl

Co-authored-by: silverwind <me@silverwind.io>

* Remove unused locale string

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* Add missing creation of SSH.Rootpath

* Update cheatsheet, example and locale strings

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

* Optimizations based on feedback

* Validate CA keys for external sshd

* Add filename option and change default filename

Add a SSH_TRUSTED_USER_CA_KEYS_FILENAME option which default is
RUN_USER/.ssh/gitea-trusted-user-ca-keys.pem

Do not write a file when SSH_TRUSTED_USER_CA_KEYS is empty.

Add some more documentation.

* Remove unneeded principalkey functions

* Add blank line

* Apply suggestions from code review

Co-authored-by: zeripath <art27@cantab.net>

* Add SSH_AUTHORIZED_PRINCIPALS_ALLOW option

This adds a SSH_AUTHORIZED_PRINCIPALS_ALLOW which is default
email,username this means that users only can add the principals
that match their email or username.

To allow anything the admin need to set the option anything.

This allows for a safe default in gitea which protects against malicious
users using other user's prinicipals. (before that user could set it).

This commit also has some small other fixes from the last code review.

* Rewrite principal keys file on user deletion

* Use correct rewrite method

* Set correct AuthorizedPrincipalsBackup default setting

* Rewrite principalsfile when adding principals

* Add update authorized_principals option to admin dashboard

* Handle non-primary emails

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Add the command actually to the dashboard template

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* By default do not show principal options unless there are CA keys set or they are explicitly set

Signed-off-by: Andrew Thornton <art27@cantab.net>

* allow settings when enabled

* Fix typos in TrustedUserCAKeys path

* Allow every CASignatureAlgorithms algorithm

As this depends on the content of TrustedUserCAKeys we should allow all
signature algorithms as admins can choose the specific algorithm on their
signing CA

* Update models/ssh_key.go

Co-authored-by: Lauris BH <lauris@nix.lv>

* Fix linting issue

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>

1 files changed, 14 insertions, 2 deletions

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 9acc9b8bf6..45feaf8c04 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -383,6 +383,7 @@ cannot_add_org_to_team = An organization cannot be added as a team member.
 
 invalid_ssh_key = Can not verify your SSH key: %s
 invalid_gpg_key = Can not verify your GPG key: %s
+invalid_ssh_principal = Invalid principal: %s
 unable_verify_ssh_key = "Can not verify the SSH key; double-check it for mistakes."
 auth_failed = Authentication failed: %v
 
@@ -501,9 +502,11 @@ keep_email_private_popup = Your email address will be hidden from other users.
 openid_desc = OpenID lets you delegate authentication to an external provider.
 
 manage_ssh_keys = Manage SSH Keys
+manage_ssh_principals = Manage SSH Certificate Principals
 manage_gpg_keys = Manage GPG Keys
 add_key = Add Key
 ssh_desc = These public SSH keys are associated with your account. The corresponding private keys allow full access to your repositories.
+principal_desc = These SSH certificate principals are associated with your account and allow full access to your repositories.
 gpg_desc = These public GPG keys are associated with your account. Keep your private keys safe as they allow commits to be verified.
 ssh_helper = <strong>Need help?</strong> Have a look at GitHub's guide to <a href="%s">create your own SSH keys</a> or solve <a href="%s">common problems</a> you may encounter using SSH.
 gpg_helper = <strong>Need help?</strong> Have a look at GitHub's guide <a href="%s">about GPG</a>.
@@ -511,23 +514,30 @@ add_new_key = Add SSH Key
 add_new_gpg_key = Add GPG Key
 key_content_ssh_placeholder = Begins with 'ssh-ed25519', 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', or 'ecdsa-sha2-nistp521'
 key_content_gpg_placeholder = Begins with '-----BEGIN PGP PUBLIC KEY BLOCK-----'
+add_new_principal = Add Principal
 ssh_key_been_used = This SSH key has already been added to the server.
-ssh_key_name_used = An SSH key with same name is already added to your account.
+ssh_key_name_used = An SSH key with same name already exists on your account.
+ssh_principal_been_used = This principal has already been added to the server.
 gpg_key_id_used = A public GPG key with same ID already exists.
 gpg_no_key_email_found = This GPG key is not usable with any email address associated with your account.
 subkeys = Subkeys
 key_id = Key ID
 key_name = Key Name
 key_content = Content
+principal_content = Content
 add_key_success = The SSH key '%s' has been added.
 add_gpg_key_success = The GPG key '%s' has been added.
+add_principal_success = The SSH certificate principal '%s' has been added.
 delete_key = Remove
 ssh_key_deletion = Remove SSH Key
 gpg_key_deletion = Remove GPG Key
+ssh_principal_deletion = Remove SSH Certificate Principal
 ssh_key_deletion_desc = Removing an SSH key revokes its access to your account. Continue?
 gpg_key_deletion_desc = Removing a GPG key un-verifies commits signed by it. Continue?
+ssh_principal_deletion_desc = Removing a SSH Certificate Principal revokes its access to your account. Continue?
 ssh_key_deletion_success = The SSH key has been removed.
 gpg_key_deletion_success = The GPG key has been removed.
+ssh_principal_deletion_success = The principal has been removed.
 add_on = Added on
 valid_until = Valid until
 valid_forever = Valid forever
@@ -537,10 +547,10 @@ can_read_info = Read
 can_write_info = Write
 key_state_desc = This key has been used in the last 7 days
 token_state_desc = This token has been used in the last 7 days
+principal_state_desc = This principal has been used in the last 7 days
 show_openid = Show on profile
 hide_openid = Hide from profile
 ssh_disabled = SSH Disabled
-
 manage_social = Manage Associated Social Accounts
 social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account.
 unbind = Unlink
@@ -1994,6 +2004,8 @@ dashboard.update_migration_poster_id = Update migration poster IDs
 dashboard.git_gc_repos = Garbage collect all repositories
 dashboard.resync_all_sshkeys = Update the '.ssh/authorized_keys' file with Gitea SSH keys.
 dashboard.resync_all_sshkeys.desc = (Not needed for the built-in SSH server.)
+dashboard.resync_all_sshprincipals = Update the '.ssh/authorized_principals' file with Gitea SSH principals.
+dashboard.resync_all_sshprincipals.desc = (Not needed for the built-in SSH server.)
 dashboard.resync_all_hooks = Resynchronize pre-receive, update and post-receive hooks of all repositories.
 dashboard.reinit_missing_repos = Reinitialize all missing Git repositories for which records exist
 dashboard.sync_external_users = Synchronize external user data