Add option to provide signature for a token to verify key ownership (#14054)

* Add option to provide signed token to verify key ownership

Currently we will only allow a key to be matched to a user if it matches
an activated email address. This PR provides a different mechanism - if
the user provides a signature for automatically generated token (based
on the timestamp, user creation time, user ID, username and primary
email.

* Ensure verified keys can act for all active emails for the user

* Add code to mark keys as verified

* Slight UI adjustments

* Slight UI adjustments 2

* Simplify signature verification slightly

* fix postgres test

* add api routes

* handle swapped primary-keys

* Verify the no-reply address for verified keys

* Only add email addresses that are activated to keys

* Fix committer shortcut properly

* Restructure gpg_keys.go

* Use common Verification Token code

Signed-off-by: Andrew Thornton <art27@cantab.net>

3 files changed, 124 insertions, 5 deletions

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index b4f14bf2d1..4258ea5dc3 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -686,6 +686,9 @@ func Routes() *web.Route {
 					Delete(user.DeleteGPGKey)
 			})
 
+			m.Get("/gpg_key_token", user.GetVerificationToken)
+			m.Post("/gpg_key_verify", bind(api.VerifyGPGKeyOption{}), user.VerifyUserGPGKey)
+
 			m.Combo("/repos").Get(user.ListMyRepos).
 				Post(bind(api.CreateRepoOption{}), repo.Create)
 
diff --git a/routers/api/v1/user/gpg_key.go b/routers/api/v1/user/gpg_key.go
index 51bcaeacc6..ec03e305ba 100644
--- a/routers/api/v1/user/gpg_key.go
+++ b/routers/api/v1/user/gpg_key.go
@@ -5,6 +5,7 @@
 package user
 
 import (
+	"fmt"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -119,14 +120,84 @@ func GetGPGKey(ctx *context.APIContext) {
 
 // CreateUserGPGKey creates new GPG key to given user by ID.
 func CreateUserGPGKey(ctx *context.APIContext, form api.CreateGPGKeyOption, uid int64) {
-	keys, err := models.AddGPGKey(uid, form.ArmoredKey)
+	token := models.VerificationToken(ctx.User, 1)
+	lastToken := models.VerificationToken(ctx.User, 0)
+
+	keys, err := models.AddGPGKey(uid, form.ArmoredKey, token, form.Signature)
+	if err != nil && models.IsErrGPGInvalidTokenSignature(err) {
+		keys, err = models.AddGPGKey(uid, form.ArmoredKey, lastToken, form.Signature)
+	}
 	if err != nil {
-		HandleAddGPGKeyError(ctx, err)
+		HandleAddGPGKeyError(ctx, err, token)
 		return
 	}
 	ctx.JSON(http.StatusCreated, convert.ToGPGKey(keys[0]))
 }
 
+// GetVerificationToken returns the current token to be signed for this user
+func GetVerificationToken(ctx *context.APIContext) {
+	// swagger:operation GET /user/gpg_key_token user getVerificationToken
+	// ---
+	// summary: Get a Token to verify
+	// produces:
+	// - text/plain
+	// parameters:
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/string"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	token := models.VerificationToken(ctx.User, 1)
+	ctx.PlainText(http.StatusOK, []byte(token))
+}
+
+// VerifyUserGPGKey creates new GPG key to given user by ID.
+func VerifyUserGPGKey(ctx *context.APIContext) {
+	// swagger:operation POST /user/gpg_key_verify user userVerifyGPGKey
+	// ---
+	// summary: Verify a GPG key
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// responses:
+	//   "201":
+	//     "$ref": "#/responses/GPGKey"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	form := web.GetForm(ctx).(*api.VerifyGPGKeyOption)
+	token := models.VerificationToken(ctx.User, 1)
+	lastToken := models.VerificationToken(ctx.User, 0)
+
+	_, err := models.VerifyGPGKey(ctx.User.ID, form.KeyID, token, form.Signature)
+	if err != nil && models.IsErrGPGInvalidTokenSignature(err) {
+		_, err = models.VerifyGPGKey(ctx.User.ID, form.KeyID, lastToken, form.Signature)
+	}
+
+	if err != nil {
+		if models.IsErrGPGInvalidTokenSignature(err) {
+			ctx.Error(http.StatusUnprocessableEntity, "GPGInvalidSignature", fmt.Sprintf("The provided GPG key, signature and token do not match or token is out of date. Provide a valid signature for the token: %s", token))
+			return
+		}
+		ctx.Error(http.StatusInternalServerError, "VerifyUserGPGKey", err)
+	}
+
+	key, err := models.GetGPGKeysByKeyID(form.KeyID)
+	if err != nil {
+		if models.IsErrGPGKeyNotExist(err) {
+			ctx.NotFound()
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetGPGKeysByKeyID", err)
+		}
+		return
+	}
+	ctx.JSON(http.StatusOK, convert.ToGPGKey(key[0]))
+}
+
 // swagger:parameters userCurrentPostGPGKey
 type swaggerUserCurrentPostGPGKey struct {
 	// in:body
@@ -189,7 +260,7 @@ func DeleteGPGKey(ctx *context.APIContext) {
 }
 
 // HandleAddGPGKeyError handle add GPGKey error
-func HandleAddGPGKeyError(ctx *context.APIContext, err error) {
+func HandleAddGPGKeyError(ctx *context.APIContext, err error, token string) {
 	switch {
 	case models.IsErrGPGKeyAccessDenied(err):
 		ctx.Error(http.StatusUnprocessableEntity, "GPGKeyAccessDenied", "You do not have access to this GPG key")
@@ -198,7 +269,9 @@ func HandleAddGPGKeyError(ctx *context.APIContext, err error) {
 	case models.IsErrGPGKeyParsing(err):
 		ctx.Error(http.StatusUnprocessableEntity, "GPGKeyParsing", err)
 	case models.IsErrGPGNoEmailFound(err):
-		ctx.Error(http.StatusNotFound, "GPGNoEmailFound", err)
+		ctx.Error(http.StatusNotFound, "GPGNoEmailFound", fmt.Sprintf("None of the emails attached to the GPG key could be found. It may still be added if you provide a valid signature for the token: %s", token))
+	case models.IsErrGPGInvalidTokenSignature(err):
+		ctx.Error(http.StatusUnprocessableEntity, "GPGInvalidSignature", fmt.Sprintf("The provided GPG key, signature and token do not match or token is out of date. Provide a valid signature for the token: %s", token))
 	default:
 		ctx.Error(http.StatusInternalServerError, "AddGPGKey", err)
 	}
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index e56a33afcb..d875d84a76 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -76,7 +76,13 @@ func KeysPost(ctx *context.Context) {
 		ctx.Flash.Success(ctx.Tr("settings.add_principal_success", form.Content))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "gpg":
-		keys, err := models.AddGPGKey(ctx.User.ID, form.Content)
+		token := models.VerificationToken(ctx.User, 1)
+		lastToken := models.VerificationToken(ctx.User, 0)
+
+		keys, err := models.AddGPGKey(ctx.User.ID, form.Content, token, form.Signature)
+		if err != nil && models.IsErrGPGInvalidTokenSignature(err) {
+			keys, err = models.AddGPGKey(ctx.User.ID, form.Content, lastToken, form.Signature)
+		}
 		if err != nil {
 			ctx.Data["HasGPGError"] = true
 			switch {
@@ -88,10 +94,18 @@ func KeysPost(ctx *context.Context) {
 
 				ctx.Data["Err_Content"] = true
 				ctx.RenderWithErr(ctx.Tr("settings.gpg_key_id_used"), tplSettingsKeys, &form)
+			case models.IsErrGPGInvalidTokenSignature(err):
+				loadKeysData(ctx)
+				ctx.Data["Err_Content"] = true
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGInvalidTokenSignature).ID
+				ctx.RenderWithErr(ctx.Tr("settings.gpg_invalid_token_signature"), tplSettingsKeys, &form)
 			case models.IsErrGPGNoEmailFound(err):
 				loadKeysData(ctx)
 
 				ctx.Data["Err_Content"] = true
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGNoEmailFound).ID
 				ctx.RenderWithErr(ctx.Tr("settings.gpg_no_key_email_found"), tplSettingsKeys, &form)
 			default:
 				ctx.ServerError("AddPublicKey", err)
@@ -108,6 +122,29 @@ func KeysPost(ctx *context.Context) {
 		}
 		ctx.Flash.Success(ctx.Tr("settings.add_gpg_key_success", keyIDs))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
+	case "verify_gpg":
+		token := models.VerificationToken(ctx.User, 1)
+		lastToken := models.VerificationToken(ctx.User, 0)
+
+		keyID, err := models.VerifyGPGKey(ctx.User.ID, form.KeyID, token, form.Signature)
+		if err != nil && models.IsErrGPGInvalidTokenSignature(err) {
+			keyID, err = models.VerifyGPGKey(ctx.User.ID, form.KeyID, lastToken, form.Signature)
+		}
+		if err != nil {
+			ctx.Data["HasGPGVerifyError"] = true
+			switch {
+			case models.IsErrGPGInvalidTokenSignature(err):
+				loadKeysData(ctx)
+				ctx.Data["VerifyingID"] = form.KeyID
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGInvalidTokenSignature).ID
+				ctx.RenderWithErr(ctx.Tr("settings.gpg_invalid_token_signature"), tplSettingsKeys, &form)
+			default:
+				ctx.ServerError("VerifyGPG", err)
+			}
+		}
+		ctx.Flash.Success(ctx.Tr("settings.verify_gpg_key_success", keyID))
+		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "ssh":
 		content, err := models.CheckPublicKeyString(form.Content)
 		if err != nil {
@@ -216,6 +253,10 @@ func loadKeysData(ctx *context.Context) {
 		return
 	}
 	ctx.Data["GPGKeys"] = gpgkeys
+	tokenToSign := models.VerificationToken(ctx.User, 1)
+
+	// generate a new aes cipher using the csrfToken
+	ctx.Data["TokenToSign"] = tokenToSign
 
 	principals, err := models.ListPrincipalKeys(ctx.User.ID, models.ListOptions{})
 	if err != nil {
@@ -223,4 +264,6 @@ func loadKeysData(ctx *context.Context) {
 		return
 	}
 	ctx.Data["Principals"] = principals
+
+	ctx.Data["VerifyingID"] = ctx.Query("verify_gpg")
 }