Diffstat (limited to 'models/asymkey')
-rw-r--r-- | models/asymkey/gpg_key.go | 13 | ||||
-rw-r--r-- | models/asymkey/gpg_key_add.go | 2 | ||||
-rw-r--r-- | models/asymkey/gpg_key_commit_verification.go | 23 | ||||
-rw-r--r-- | models/asymkey/gpg_key_verify.go | 111 | ||||
-rw-r--r-- | models/asymkey/ssh_key.go | 103 | ||||
-rw-r--r-- | models/asymkey/ssh_key_deploy.go | 56 | ||||
-rw-r--r-- | models/asymkey/ssh_key_fingerprint.go | 4 | ||||
-rw-r--r-- | models/asymkey/ssh_key_parse.go | 2 | ||||
-rw-r--r-- | models/asymkey/ssh_key_verify.go | 58 |
9 files changed, 150 insertions, 222 deletions
diff --git a/models/asymkey/gpg_key.go b/models/asymkey/gpg_key.go index 220f46ad1d..38de7cbda6 100644 --- a/models/asymkey/gpg_key.go +++ b/models/asymkey/gpg_key.go @@ -228,17 +228,10 @@ func DeleteGPGKey(ctx context.Context, doer *user_model.User, id int64) (err err return fmt.Errorf("GetPublicKeyByID: %w", err) } - ctx, committer, err := db.TxContext(ctx) - if err != nil { - return err - } - defer committer.Close() - - if _, err = deleteGPGKey(ctx, key.KeyID); err != nil { + return db.WithTx(ctx, func(ctx context.Context) error { + _, err = deleteGPGKey(ctx, key.KeyID) return err - } - - return committer.Commit() + }) } func FindGPGKeyWithSubKeys(ctx context.Context, keyID string) ([]*GPGKey, error) { diff --git a/models/asymkey/gpg_key_add.go b/models/asymkey/gpg_key_add.go index ec2031088a..1c7d2c1da2 100644 --- a/models/asymkey/gpg_key_add.go +++ b/models/asymkey/gpg_key_add.go @@ -91,7 +91,7 @@ func AddGPGKey(ctx context.Context, ownerID int64, content, token, signature str signer, err = openpgp.CheckArmoredDetachedSignature(ekeys, strings.NewReader(token+"\r\n"), strings.NewReader(signature), nil) } if err != nil { - log.Error("Unable to validate token signature. Error: %v", err) + log.Debug("AddGPGKey CheckArmoredDetachedSignature failed: %v", err) return nil, ErrGPGInvalidTokenSignature{ ID: ekeys[0].PrimaryKey.KeyIdString(), Wrapped: err, diff --git a/models/asymkey/gpg_key_commit_verification.go b/models/asymkey/gpg_key_commit_verification.go index 39ec893606..b85374e073 100644 --- a/models/asymkey/gpg_key_commit_verification.go +++ b/models/asymkey/gpg_key_commit_verification.go 
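Review bot: The closure passed to `db.WithTx` in DeleteGPGKey assigns to the enclosing function's `err` with `_, err = deleteGPGKey(ctx, key.KeyID)`, which from the truncated signature `(err err…` appears to be a named result; writing an outer named result from inside a transaction callback is easy to misread and unnecessary since the value is returned anyway. A closure-local `_, err := deleteGPGKey(ctx, key.KeyID)` keeps the callback self-contained and avoids the outer result holding a stale value if the callback is ever extended. DeleteGPGKey's signature and the GetPublicKeyByID lookup start outside the hunk.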
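Review bot: Downgrading the failed token-signature check in AddGPGKey from `log.Error` to `log.Debug` means a rejected key-add attempt no longer appears in logs at the default level, so repeated failures against an account are invisible to operators; the same downgrade appears in VerifyGPGKey (the gpg_key_verify.go hunk) and VerifySSHKey (the ssh_key_verify.go hunk). Error was arguably too loud for a user typo, but a level that survives default configuration and carries the subject would keep the event auditable, e.g. `log.Warn("AddGPGKey: token signature check failed for owner %d key %s: %v", ownerID, ekeys[0].PrimaryKey.KeyIdString(), err)`. If Debug is deliberate because the returned ErrGPGInvalidTokenSignature is logged at a higher layer, a one-line comment saying so would stop the next reader from re-raising this.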
@@ -15,25 +15,6 @@ import ( "github.com/ProtonMail/go-crypto/openpgp/packet" ) -// __________________ ________ ____ __. -// / _____/\______ \/ _____/ | |/ _|____ ___.__. -// / \ ___ | ___/ \ ___ | <_/ __ < | | -// \ \_\ \| | \ \_\ \ | | \ ___/\___ | -// \______ /|____| \______ / |____|__ \___ > ____| -// \/ \/ \/ \/\/ -// _________ .__ __ -// \_ ___ \ ____ _____ _____ |__|/ |_ -// / \ \/ / _ \ / \ / \| \ __\ -// \ \___( <_> ) Y Y \ Y Y \ || | -// \______ /\____/|__|_| /__|_| /__||__| -// \/ \/ \/ -// ____ ____ .__ _____.__ __ .__ -// \ \ / /___________|__|/ ____\__| ____ _____ _/ |_|__| ____ ____ -// \ Y // __ \_ __ \ \ __\| |/ ___\\__ \\ __\ |/ _ \ / \ -// \ /\ ___/| | \/ || | | \ \___ / __ \| | | ( <_> ) | \ -// \___/ \___ >__| |__||__| |__|\___ >____ /__| |__|\____/|___| / -// \/ \/ \/ \/ - // This file provides functions relating commit verification // CommitVerification represents a commit validation of signature @@ -41,8 +22,8 @@ type CommitVerification struct { Verified bool Warning bool Reason string - SigningUser *user_model.User - CommittingUser *user_model.User + SigningUser *user_model.User // if Verified, then SigningUser is non-nil + CommittingUser *user_model.User // if Verified, then CommittingUser is non-nil SigningEmail string SigningKey *GPGKey SigningSSHKey *PublicKey diff --git a/models/asymkey/gpg_key_verify.go b/models/asymkey/gpg_key_verify.go index 6eedb5b7ba..55c64973b4 100644 --- a/models/asymkey/gpg_key_verify.go +++ b/models/asymkey/gpg_key_verify.go 
@@ -14,97 +14,76 @@ import ( "code.gitea.io/gitea/modules/log" ) -// __________________ ________ ____ __. -// / _____/\______ \/ _____/ | |/ _|____ ___.__. -// / \ ___ | ___/ \ ___ | <_/ __ < | | -// \ \_\ \| | \ \_\ \ | | \ ___/\___ | -// \______ /|____| \______ / |____|__ \___ > ____| -// \/ \/ \/ \/\/ -// ____ ____ .__ _____ -// \ \ / /___________|__|/ ____\__.__. -// \ Y // __ \_ __ \ \ __< | | -// \ /\ ___/| | \/ || | \___ | -// \___/ \___ >__| |__||__| / ____| -// \/ \/ - // This file provides functions relating verifying gpg keys // VerifyGPGKey marks a GPG key as verified func VerifyGPGKey(ctx context.Context, ownerID int64, keyID, token, signature string) (string, error) { - ctx, committer, err := db.TxContext(ctx) - if err != nil { - return "", err - } - defer committer.Close() - - key := new(GPGKey) - - has, err := db.GetEngine(ctx).Where("owner_id = ? AND key_id = ?", ownerID, keyID).Get(key) - if err != nil { - return "", err - } else if !has { - return "", ErrGPGKeyNotExist{} - } - - if err := key.LoadSubKeys(ctx); err != nil { - return "", err - } + return db.WithTx2(ctx, func(ctx context.Context) (string, error) { + key := new(GPGKey) - sig, err := ExtractSignature(signature) - if err != nil { - return "", ErrGPGInvalidTokenSignature{ - ID: key.KeyID, - Wrapped: err, + has, err := db.GetEngine(ctx).Where("owner_id = ? 
AND key_id = ?", ownerID, keyID).Get(key) + if err != nil { + return "", err + } else if !has { + return "", ErrGPGKeyNotExist{} } - } - signer, err := hashAndVerifyWithSubKeys(sig, token, key) - if err != nil { - return "", ErrGPGInvalidTokenSignature{ - ID: key.KeyID, - Wrapped: err, + if err := key.LoadSubKeys(ctx); err != nil { + return "", err } - } - if signer == nil { - signer, err = hashAndVerifyWithSubKeys(sig, token+"\n", key) + + sig, err := ExtractSignature(signature) if err != nil { return "", ErrGPGInvalidTokenSignature{ ID: key.KeyID, Wrapped: err, } } - } - if signer == nil { - signer, err = hashAndVerifyWithSubKeys(sig, token+"\n\n", key) + + signer, err := hashAndVerifyWithSubKeys(sig, token, key) if err != nil { return "", ErrGPGInvalidTokenSignature{ ID: key.KeyID, Wrapped: err, } } - } - - if signer == nil { - log.Error("Unable to validate token signature. Error: %v", err) - return "", ErrGPGInvalidTokenSignature{ - ID: key.KeyID, + if signer == nil { + signer, err = hashAndVerifyWithSubKeys(sig, token+"\n", key) + if err != nil { + return "", ErrGPGInvalidTokenSignature{ + ID: key.KeyID, + Wrapped: err, + } + } + } + if signer == nil { + signer, err = hashAndVerifyWithSubKeys(sig, token+"\n\n", key) + if err != nil { + return "", ErrGPGInvalidTokenSignature{ + ID: key.KeyID, + Wrapped: err, + } + } } - } - if signer.PrimaryKeyID != key.KeyID && signer.KeyID != key.KeyID { - return "", ErrGPGKeyNotExist{} - } + if signer == nil { + log.Debug("VerifyGPGKey failed: no signer") + return "", ErrGPGInvalidTokenSignature{ + ID: key.KeyID, + } + } - key.Verified = true - if _, err := db.GetEngine(ctx).ID(key.ID).SetExpr("verified", true).Update(new(GPGKey)); err != nil { - return "", err - } + if signer.PrimaryKeyID != key.KeyID && signer.KeyID != key.KeyID { + return "", ErrGPGKeyNotExist{} + } - if err := committer.Commit(); err != nil { - return "", err - } + key.Verified = true + if _, err := db.GetEngine(ctx).ID(key.ID).SetExpr("verified", 
true).Update(new(GPGKey)); err != nil { + return "", err + } - return key.KeyID, nil + return key.KeyID, nil + }) } // VerificationToken returns token for the user that will be valid in minutes (time) diff --git a/models/asymkey/ssh_key.go b/models/asymkey/ssh_key.go index 7a18732c32..87205f0651 100644 --- a/models/asymkey/ssh_key.go +++ b/models/asymkey/ssh_key.go 
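Review bot: The whole of VerifyGPGKey now runs inside `db.WithTx2`, including `ExtractSignature` and up to three `hashAndVerifyWithSubKeys` calls on caller-supplied armored data, so the transaction (and any row locks the engine takes on the `Get`) stays open for the duration of the signature parsing and verification; the original code had the same shape, but since the body is being rewritten this is the moment to narrow it. Loading the key and verifying the token can happen outside the callback, with only the `SetExpr("verified", true).Update(...)` inside a transaction, which also removes the pointless `key.Verified = true` assignment that the `Update(new(GPGKey))` never reads. The same structure applies to VerifySSHKey in the ssh_key_verify.go hunk. I would also keep the last verification error in the final `ErrGPGInvalidTokenSignature{ID: key.KeyID}` by adding `Wrapped: err`, since `err` is still in scope there and it is nil-safe.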
@@ -99,40 +99,36 @@ func AddPublicKey(ctx context.Context, ownerID int64, name, content string, auth return nil, err } - ctx, committer, err := db.TxContext(ctx) - if err != nil { - return nil, err - } - defer committer.Close() - - if err := checkKeyFingerprint(ctx, fingerprint); err != nil { - return nil, err - } + return db.WithTx2(ctx, func(ctx context.Context) (*PublicKey, error) { + if err := checkKeyFingerprint(ctx, fingerprint); err != nil { + return nil, err + } - // Key name of same user cannot be duplicated. - has, err := db.GetEngine(ctx). - Where("owner_id = ? AND name = ?", ownerID, name). - Get(new(PublicKey)) - if err != nil { - return nil, err - } else if has { - return nil, ErrKeyNameAlreadyUsed{ownerID, name} - } + // Key name of same user cannot be duplicated. + has, err := db.GetEngine(ctx). + Where("owner_id = ? AND name = ?", ownerID, name). + Get(new(PublicKey)) + if err != nil { + return nil, err + } else if has { + return nil, ErrKeyNameAlreadyUsed{ownerID, name} + } - key := &PublicKey{ - OwnerID: ownerID, - Name: name, - Fingerprint: fingerprint, - Content: content, - Mode: perm.AccessModeWrite, - Type: KeyTypeUser, - LoginSourceID: authSourceID, - } - if err = addKey(ctx, key); err != nil { - return nil, fmt.Errorf("addKey: %w", err) - } + key := &PublicKey{ + OwnerID: ownerID, + Name: name, + Fingerprint: fingerprint, + Content: content, + Mode: perm.AccessModeWrite, + Type: KeyTypeUser, + LoginSourceID: authSourceID, + } + if err = addKey(ctx, key); err != nil { + return nil, fmt.Errorf("addKey: %w", err) + } - return key, committer.Commit() + return key, nil + }) } // GetPublicKeyByID returns public key by given ID. 
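Review bot: The name-uniqueness check in AddPublicKey is a read-then-insert (`Where("owner_id = ? AND name = ?", ownerID, name).Get(new(PublicKey))` followed by `addKey`), and wrapping it in `db.WithTx2` does not serialize two concurrent calls unless the database enforces a unique index on (owner_id, name), which this hunk cannot show. Either a comment stating that the check is advisory and the index is authoritative, or mapping a duplicate-key error from `addKey` to `ErrKeyNameAlreadyUsed`, would make the intended guarantee explicit. AddPublicKey's signature and the fingerprint calculation are outside the hunk.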
@@ -288,33 +284,24 @@ func PublicKeyIsExternallyManaged(ctx context.Context, id int64) (bool, error) { // deleteKeysMarkedForDeletion returns true if ssh keys needs update func deleteKeysMarkedForDeletion(ctx context.Context, keys []string) (bool, error) { - // Start session - ctx, committer, err := db.TxContext(ctx) - if err != nil { - return false, err - } - defer committer.Close() - - // Delete keys marked for deletion - var sshKeysNeedUpdate bool - for _, KeyToDelete := range keys { - key, err := SearchPublicKeyByContent(ctx, KeyToDelete) - if err != nil { - log.Error("SearchPublicKeyByContent: %v", err) - continue - } - if _, err = db.DeleteByID[PublicKey](ctx, key.ID); err != nil { - log.Error("DeleteByID[PublicKey]: %v", err) - continue + return db.WithTx2(ctx, func(ctx context.Context) (bool, error) { + // Delete keys marked for deletion + var sshKeysNeedUpdate bool + for _, KeyToDelete := range keys { + key, err := SearchPublicKeyByContent(ctx, KeyToDelete) + if err != nil { + log.Error("SearchPublicKeyByContent: %v", err) + continue + } + if _, err = db.DeleteByID[PublicKey](ctx, key.ID); err != nil { + log.Error("DeleteByID[PublicKey]: %v", err) + continue + } + sshKeysNeedUpdate = true } - sshKeysNeedUpdate = true - } - if err := committer.Commit(); err != nil { - return false, err - } - - return sshKeysNeedUpdate, nil + return sshKeysNeedUpdate, nil + }) } // AddPublicKeysBySource add a users public keys. Returns true if there are changes. 
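Review bot: The callback in deleteKeysMarkedForDeletion never returns a non-nil error (both failures `log.Error` and `continue`), so `db.WithTx2` always commits and the transaction gives no atomicity: a batch where some deletions fail is partially applied and reported as success with `sshKeysNeedUpdate` set. If that best-effort behaviour is intended, say so on the function comment, e.g. `// deleteKeysMarkedForDeletion deletes the given keys best-effort; failures are logged and skipped, and returns true if at least one key was removed`; otherwise return the wrapped error so the transaction rolls back. Separately, the loop variable `KeyToDelete` should be `keyToDelete` to match Go naming.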
@@ -355,13 +342,13 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So return sshKeysNeedUpdate } -// SynchronizePublicKeys updates a users public keys. Returns true if there are changes. +// SynchronizePublicKeys updates a user's public keys. Returns true if there are changes. func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool { var sshKeysNeedUpdate bool log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name) - // Get Public Keys from DB with current LDAP source + // Get Public Keys from DB with the current auth source var giteaKeys []string keys, err := db.Find[PublicKey](ctx, FindPublicKeyOptions{ OwnerID: usr.ID, diff --git a/models/asymkey/ssh_key_deploy.go b/models/asymkey/ssh_key_deploy.go index 923c5020ed..4ab84eabcf 100644 --- a/models/asymkey/ssh_key_deploy.go +++ b/models/asymkey/ssh_key_deploy.go 
@@ -125,39 +125,35 @@ func AddDeployKey(ctx context.Context, repoID int64, name, content string, readO accessMode = perm.AccessModeWrite } - ctx, committer, err := db.TxContext(ctx) - if err != nil { - return nil, err - } - defer committer.Close() - - pkey, exist, err := db.Get[PublicKey](ctx, builder.Eq{"fingerprint": fingerprint}) - if err != nil { - return nil, err - } else if exist { - if pkey.Type != KeyTypeDeploy { - return nil, ErrKeyAlreadyExist{0, fingerprint, ""} - } - } else { - // First time use this deploy key. - pkey = &PublicKey{ - Fingerprint: fingerprint, - Mode: accessMode, - Type: KeyTypeDeploy, - Content: content, - Name: name, + return db.WithTx2(ctx, func(ctx context.Context) (*DeployKey, error) { + pkey, exist, err := db.Get[PublicKey](ctx, builder.Eq{"fingerprint": fingerprint}) + if err != nil { + return nil, err + } else if exist { + if pkey.Type != KeyTypeDeploy { + return nil, ErrKeyAlreadyExist{0, fingerprint, ""} + } + } else { + // First time use this deploy key. + pkey = &PublicKey{ + Fingerprint: fingerprint, + Mode: accessMode, + Type: KeyTypeDeploy, + Content: content, + Name: name, + } + if err = addKey(ctx, pkey); err != nil { + return nil, fmt.Errorf("addKey: %w", err) + } } - if err = addKey(ctx, pkey); err != nil { - return nil, fmt.Errorf("addKey: %w", err) - } - } - key, err := addDeployKey(ctx, pkey.ID, repoID, name, pkey.Fingerprint, accessMode) - if err != nil { - return nil, err - } + key, err := addDeployKey(ctx, pkey.ID, repoID, name, pkey.Fingerprint, accessMode) + if err != nil { + return nil, err + } - return key, committer.Commit() + return key, nil + }) } // GetDeployKeyByID returns deploy key by given ID. diff --git a/models/asymkey/ssh_key_fingerprint.go b/models/asymkey/ssh_key_fingerprint.go index 4dcfe1f279..b666469ae8 100644 --- a/models/asymkey/ssh_key_fingerprint.go +++ b/models/asymkey/ssh_key_fingerprint.go 
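Review bot: When the fingerprint already exists as a deploy key, AddDeployKey reuses the stored `pkey` unchanged while passing the caller's `accessMode` to `addDeployKey`, so the shared PublicKey row keeps the `Mode` and `Name` from its first use and only the per-repository DeployKey row reflects this call; that is presumably the intended model but nothing in the hunk says so. A short comment on the `exist` branch, e.g. `// the PublicKey row is shared across repositories; per-repo access mode lives on the DeployKey row`, would prevent a reader from assuming pkey.Mode governs access. AddDeployKey's signature and the accessMode selection are outside the hunk.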
@@ -13,9 +13,9 @@ import ( "xorm.io/builder" ) -// The database is used in checkKeyFingerprint however most of these functions probably belong in a module +// The database is used in checkKeyFingerprint. However, most of these functions probably belong in a module -// checkKeyFingerprint only checks if key fingerprint has been used as public key, +// checkKeyFingerprint only checks if key fingerprint has been used as a public key, // it is OK to use same key as deploy key for multiple repositories/users. func checkKeyFingerprint(ctx context.Context, fingerprint string) error { has, err := db.Exist[PublicKey](ctx, builder.Eq{"fingerprint": fingerprint}) diff --git a/models/asymkey/ssh_key_parse.go b/models/asymkey/ssh_key_parse.go index 46dcf4d894..fc39f28624 100644 --- a/models/asymkey/ssh_key_parse.go +++ b/models/asymkey/ssh_key_parse.go @@ -208,7 +208,7 @@ func SSHNativeParsePublicKey(keyLine string) (string, int, error) { // The ssh library can parse the key, so next we find out what key exactly we have. switch pkey.Type() { - case ssh.KeyAlgoDSA: + case ssh.KeyAlgoDSA: //nolint:staticcheck // it's deprecated rawPub := struct { Name string P, Q, G, Y *big.Int diff --git a/models/asymkey/ssh_key_verify.go b/models/asymkey/ssh_key_verify.go index 605ffe9096..04917239ee 100644 --- a/models/asymkey/ssh_key_verify.go +++ b/models/asymkey/ssh_key_verify.go 
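Review bot: The new `//nolint:staticcheck // it's deprecated` on the `ssh.KeyAlgoDSA` case in SSHNativeParsePublicKey explains why the linter complains but not why the deprecated algorithm is still handled, which is the question a reader actually has given DSA's weakness. Something like `//nolint:staticcheck // DSA is deprecated in x/crypto/ssh; still parsed so existing DSA keys are recognized — whether they are accepted is decided by the configured minimum key sizes (confirm)` records the reasoning, with the acceptance claim hedged since this hunk does not show where size limits are enforced. SSHNativeParsePublicKey's body continues outside the hunk.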
@@ -15,41 +15,33 @@ import ( // VerifySSHKey marks a SSH key as verified func VerifySSHKey(ctx context.Context, ownerID int64, fingerprint, token, signature string) (string, error) { - ctx, committer, err := db.TxContext(ctx) - if err != nil { - return "", err - } - defer committer.Close() - - key := new(PublicKey) - - has, err := db.GetEngine(ctx).Where("owner_id = ? AND fingerprint = ?", ownerID, fingerprint).Get(key) - if err != nil { - return "", err - } else if !has { - return "", ErrKeyNotExist{} - } - - err = sshsig.Verify(strings.NewReader(token), []byte(signature), []byte(key.Content), "gitea") - if err != nil { - // edge case for Windows based shells that will add CR LF if piped to ssh-keygen command - // see https://github.com/PowerShell/PowerShell/issues/5974 - if sshsig.Verify(strings.NewReader(token+"\r\n"), []byte(signature), []byte(key.Content), "gitea") != nil { - log.Error("Unable to validate token signature. Error: %v", err) - return "", ErrSSHInvalidTokenSignature{ - Fingerprint: key.Fingerprint, - } + return db.WithTx2(ctx, func(ctx context.Context) (string, error) { + key := new(PublicKey) + + has, err := db.GetEngine(ctx).Where("owner_id = ? 
AND fingerprint = ?", ownerID, fingerprint).Get(key) + if err != nil { + return "", err + } else if !has { + return "", ErrKeyNotExist{} } - } - key.Verified = true - if _, err := db.GetEngine(ctx).ID(key.ID).Cols("verified").Update(key); err != nil { - return "", err - } + err = sshsig.Verify(strings.NewReader(token), []byte(signature), []byte(key.Content), "gitea") + if err != nil { + // edge case for Windows based shells that will add CR LF if piped to ssh-keygen command + // see https://github.com/PowerShell/PowerShell/issues/5974 + if sshsig.Verify(strings.NewReader(token+"\r\n"), []byte(signature), []byte(key.Content), "gitea") != nil { + log.Debug("VerifySSHKey sshsig.Verify failed: %v", err) + return "", ErrSSHInvalidTokenSignature{ + Fingerprint: key.Fingerprint, + } + } + } - if err := committer.Commit(); err != nil { - return "", err - } + key.Verified = true + if _, err := db.GetEngine(ctx).ID(key.ID).Cols("verified").Update(key); err != nil { + return "", err + } - return key.Fingerprint, nil + return key.Fingerprint, nil + }) } |
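Review bot: In the fallback path of VerifySSHKey the CRLF retry's result decides the failure but its error is discarded (`if sshsig.Verify(strings.NewReader(token+"\r\n"), ...) != nil`), so the `log.Debug("VerifySSHKey sshsig.Verify failed: %v", err)` reports the first attempt's error even though the second attempt is what rejected the token; the first attempt's error also remains in the returned path implicitly. Capturing the retry result keeps the log honest: `if err2 := sshsig.Verify(strings.NewReader(token+"\r\n"), []byte(signature), []byte(key.Content), "gitea"); err2 != nil {` followed by `log.Debug("VerifySSHKey sshsig.Verify failed: %v (CRLF retry: %v)", err, err2)`. The `// edge case for Windows based shells` comment could also state that the CRLF variant is accepted as equivalent to the exact token, since that is an intentional widening of what verifies.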