Add option to provide signature for a token to verify key ownership (#14054)

* Add option to provide signed token to verify key ownership Currently we will only allow a key to be matched to a user if it matches an activated email address. This PR provides a different mechanism - if the user provides a signature for automatically generated token (based on the timestamp, user creation time, user ID, username and primary email. * Ensure verified keys can act for all active emails for the user * Add code to mark keys as verified * Slight UI adjustments * Slight UI adjustments 2 * Simplify signature verification slightly * fix postgres test * add api routes * handle swapped primary-keys * Verify the no-reply address for verified keys * Only add email addresses that are activated to keys * Fix committer shortcut properly * Restructure gpg_keys.go * Use common Verification Token code Signed-off-by: Andrew Thornton <art27@cantab.net>
author: zeripath <art27@cantab.net> 2021-07-13 14:28:07 +0100
committer: GitHub <noreply@github.com> 2021-07-13 15:28:07 +0200
commit: b82293270c7d2d36d79cb9c5731d07c3f5b33f6b (patch)
tree: a79131e08ecf19cc8e642fcc032bfee0e30959c0 /routers/web/user/setting/keys.go
parent: 67f135ca5ddfcab4391a00af4936d0260079cd97 (diff)
download: gitea-b82293270c7d2d36d79cb9c5731d07c3f5b33f6b.tar.gz
gitea-b82293270c7d2d36d79cb9c5731d07c3f5b33f6b.zip
1 files changed, 44 insertions, 1 deletions
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index e56a33afcb..d875d84a76 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -76,7 +76,13 @@ func KeysPost(ctx *context.Context) {
 		ctx.Flash.Success(ctx.Tr("settings.add_principal_success", form.Content))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "gpg":
-		keys, err := models.AddGPGKey(ctx.User.ID, form.Content)
+		token := models.VerificationToken(ctx.User, 1)
+		lastToken := models.VerificationToken(ctx.User, 0)
+
+		keys, err := models.AddGPGKey(ctx.User.ID, form.Content, token, form.Signature)
+		if err != nil && models.IsErrGPGInvalidTokenSignature(err) {
+			keys, err = models.AddGPGKey(ctx.User.ID, form.Content, lastToken, form.Signature)
+		}
 		if err != nil {
 			ctx.Data["HasGPGError"] = true
 			switch {
@@ -88,10 +94,18 @@ func KeysPost(ctx *context.Context) {
 
 				ctx.Data["Err_Content"] = true
 				ctx.RenderWithErr(ctx.Tr("settings.gpg_key_id_used"), tplSettingsKeys, &form)
+			case models.IsErrGPGInvalidTokenSignature(err):
+				loadKeysData(ctx)
+				ctx.Data["Err_Content"] = true
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGInvalidTokenSignature).ID
+				ctx.RenderWithErr(ctx.Tr("settings.gpg_invalid_token_signature"), tplSettingsKeys, &form)
 			case models.IsErrGPGNoEmailFound(err):
 				loadKeysData(ctx)
 
 				ctx.Data["Err_Content"] = true
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGNoEmailFound).ID
 				ctx.RenderWithErr(ctx.Tr("settings.gpg_no_key_email_found"), tplSettingsKeys, &form)
 			default:
 				ctx.ServerError("AddPublicKey", err)
@@ -108,6 +122,29 @@ func KeysPost(ctx *context.Context) {
 		}
 		ctx.Flash.Success(ctx.Tr("settings.add_gpg_key_success", keyIDs))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
+	case "verify_gpg":
+		token := models.VerificationToken(ctx.User, 1)
+		lastToken := models.VerificationToken(ctx.User, 0)
+
+		keyID, err := models.VerifyGPGKey(ctx.User.ID, form.KeyID, token, form.Signature)
+		if err != nil && models.IsErrGPGInvalidTokenSignature(err) {
+			keyID, err = models.VerifyGPGKey(ctx.User.ID, form.KeyID, lastToken, form.Signature)
+		}
+		if err != nil {
+			ctx.Data["HasGPGVerifyError"] = true
+			switch {
+			case models.IsErrGPGInvalidTokenSignature(err):
+				loadKeysData(ctx)
+				ctx.Data["VerifyingID"] = form.KeyID
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGInvalidTokenSignature).ID
+				ctx.RenderWithErr(ctx.Tr("settings.gpg_invalid_token_signature"), tplSettingsKeys, &form)
+			default:
+				ctx.ServerError("VerifyGPG", err)
+			}
+		}
+		ctx.Flash.Success(ctx.Tr("settings.verify_gpg_key_success", keyID))
+		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "ssh":
 		content, err := models.CheckPublicKeyString(form.Content)
 		if err != nil {
@@ -216,6 +253,10 @@ func loadKeysData(ctx *context.Context) {
 		return
 	}
 	ctx.Data["GPGKeys"] = gpgkeys
+	tokenToSign := models.VerificationToken(ctx.User, 1)
+
+	// generate a new aes cipher using the csrfToken
+	ctx.Data["TokenToSign"] = tokenToSign
 
 	principals, err := models.ListPrincipalKeys(ctx.User.ID, models.ListOptions{})
 	if err != nil {
@@ -223,4 +264,6 @@ func loadKeysData(ctx *context.Context) {
 		return
 	}
 	ctx.Data["Principals"] = principals
+
+	ctx.Data["VerifyingID"] = ctx.Query("verify_gpg")
 }
author	zeripath <art27@cantab.net>	2021-07-13 14:28:07 +0100
committer	GitHub <noreply@github.com>	2021-07-13 15:28:07 +0200
commit	b82293270c7d2d36d79cb9c5731d07c3f5b33f6b (patch)
tree	a79131e08ecf19cc8e642fcc032bfee0e30959c0 /routers/web/user/setting/keys.go
parent	67f135ca5ddfcab4391a00af4936d0260079cd97 (diff)
download	gitea-b82293270c7d2d36d79cb9c5731d07c3f5b33f6b.tar.gz gitea-b82293270c7d2d36d79cb9c5731d07c3f5b33f6b.zip