* Disable SSH key addition and deletion when externally managed When a user has a login source which has SSH key management key addition and deletion using the UI should be disabled. Fix #13983 Signed-off-by: Andrew Thornton <art27@cantab.net> * Make only externally managed keys disabled Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>tags/v1.15.0-dev
@@ -665,6 +665,82 @@ func deletePublicKeys(e Engine, keyIDs ...int64) error { | |||
return err | |||
} | |||
// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key | |||
func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) { | |||
sources := make([]*LoginSource, 0, 5) | |||
externals := make([]bool, len(keys)) | |||
keyloop: | |||
for i, key := range keys { | |||
if key.LoginSourceID == 0 { | |||
externals[i] = false | |||
continue keyloop | |||
} | |||
var source *LoginSource | |||
sourceloop: | |||
for _, s := range sources { | |||
if s.ID == key.LoginSourceID { | |||
source = s | |||
break sourceloop | |||
} | |||
} | |||
if source == nil { | |||
var err error | |||
source, err = GetLoginSourceByID(key.LoginSourceID) | |||
if err != nil { | |||
if IsErrLoginSourceNotExist(err) { | |||
externals[i] = false | |||
sources[i] = &LoginSource{ | |||
ID: key.LoginSourceID, | |||
} | |||
continue keyloop | |||
} | |||
return nil, err | |||
} | |||
} | |||
ldapSource := source.LDAP() | |||
if ldapSource != nil && | |||
source.IsSyncEnabled && | |||
(source.Type == LoginLDAP || source.Type == LoginDLDAP) && | |||
len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 { | |||
// Disable setting SSH keys for this user | |||
externals[i] = true | |||
} | |||
} | |||
return externals, nil | |||
} | |||
// PublicKeyIsExternallyManaged returns whether the provided KeyID represents an externally managed Key | |||
func PublicKeyIsExternallyManaged(id int64) (bool, error) { | |||
key, err := GetPublicKeyByID(id) | |||
if err != nil { | |||
return false, err | |||
} | |||
if key.LoginSourceID == 0 { | |||
return false, nil | |||
} | |||
source, err := GetLoginSourceByID(key.LoginSourceID) | |||
if err != nil { | |||
if IsErrLoginSourceNotExist(err) { | |||
return false, nil | |||
} | |||
return false, err | |||
} | |||
ldapSource := source.LDAP() | |||
if ldapSource != nil && | |||
source.IsSyncEnabled && | |||
(source.Type == LoginLDAP || source.Type == LoginDLDAP) && | |||
len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 { | |||
// Disable setting SSH keys for this user | |||
return true, nil | |||
} | |||
return false, nil | |||
} | |||
// DeletePublicKey deletes SSH key information both in database and authorized_keys file. | |||
func DeletePublicKey(doer *User, id int64) (err error) { | |||
key, err := GetPublicKeyByID(id) |
@@ -556,6 +556,7 @@ principal_state_desc = This principal has been used in the last 7 days | |||
show_openid = Show on profile | |||
hide_openid = Hide from profile | |||
ssh_disabled = SSH Disabled | |||
ssh_externally_managed = This SSH key is externally managed for this user | |||
manage_social = Manage Associated Social Accounts | |||
social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account. | |||
unbind = Unlink |
@@ -267,7 +267,16 @@ func DeletePublicKey(ctx *context.APIContext) { | |||
// "404": | |||
// "$ref": "#/responses/notFound" | |||
if err := models.DeletePublicKey(ctx.User, ctx.ParamsInt64(":id")); err != nil { | |||
id := ctx.ParamsInt64(":id") | |||
externallyManaged, err := models.PublicKeyIsExternallyManaged(id) | |||
if err != nil { | |||
ctx.Error(http.StatusInternalServerError, "PublicKeyIsExternallyManaged", err) | |||
} | |||
if externallyManaged { | |||
ctx.Error(http.StatusForbidden, "", "SSH Key is externally managed for this user") | |||
} | |||
if err := models.DeletePublicKey(ctx.User, id); err != nil { | |||
if models.IsErrKeyNotExist(err) { | |||
ctx.NotFound() | |||
} else if models.IsErrKeyAccessDenied(err) { |
@@ -160,7 +160,18 @@ func DeleteKey(ctx *context.Context) { | |||
ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success")) | |||
} | |||
case "ssh": | |||
if err := models.DeletePublicKey(ctx.User, ctx.QueryInt64("id")); err != nil { | |||
keyID := ctx.QueryInt64("id") | |||
external, err := models.PublicKeyIsExternallyManaged(keyID) | |||
if err != nil { | |||
ctx.ServerError("sshKeysExternalManaged", err) | |||
return | |||
} | |||
if external { | |||
ctx.Flash.Error(ctx.Tr("setting.ssh_externally_managed")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/keys") | |||
return | |||
} | |||
if err := models.DeletePublicKey(ctx.User, keyID); err != nil { | |||
ctx.Flash.Error("DeletePublicKey: " + err.Error()) | |||
} else { | |||
ctx.Flash.Success(ctx.Tr("settings.ssh_key_deletion_success")) | |||
@@ -188,6 +199,13 @@ func loadKeysData(ctx *context.Context) { | |||
} | |||
ctx.Data["Keys"] = keys | |||
externalKeys, err := models.PublicKeysAreExternallyManaged(keys) | |||
if err != nil { | |||
ctx.ServerError("ListPublicKeys", err) | |||
return | |||
} | |||
ctx.Data["ExternalKeys"] = externalKeys | |||
gpgkeys, err := models.ListGPGKeys(ctx.User.ID, models.ListOptions{}) | |||
if err != nil { | |||
ctx.ServerError("ListGPGKeys", err) |
@@ -1,7 +1,7 @@ | |||
<h4 class="ui top attached header"> | |||
{{.i18n.Tr "settings.manage_ssh_keys"}} | |||
<div class="ui right"> | |||
{{if not .DisableSSH}} | |||
{{if not .DisableSSH }} | |||
<div class="ui blue tiny show-panel button" data-panel="#add-ssh-key-panel">{{.i18n.Tr "settings.add_key"}}</div> | |||
{{else}} | |||
<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_disabled"}}</div> | |||
@@ -13,25 +13,25 @@ | |||
<div class="item"> | |||
{{.i18n.Tr "settings.ssh_desc"}} | |||
</div> | |||
{{range .Keys}} | |||
{{range $index, $key := .Keys}} | |||
<div class="item"> | |||
<div class="right floated content"> | |||
<button class="ui red tiny button delete-button" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}"> | |||
{{$.i18n.Tr "settings.delete_key"}} | |||
</button> | |||
</div> | |||
<div class="left floated content"> | |||
<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span> | |||
</div> | |||
<div class="content"> | |||
<strong>{{.Name}}</strong> | |||
<div class="print meta"> | |||
{{.Fingerprint}} | |||
</div> | |||
<div class="activity meta"> | |||
<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i> | |||
</div> | |||
</div> | |||
<div class="right floated content"> | |||
<button class="ui red tiny button delete-button{{if index $.ExternalKeys $index}} disabled{{end}}" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}"{{if index $.ExternalKeys $index}} title="{{$.i18n.Tr "settings.ssh_externally_managed"}}"{{end}}> | |||
{{$.i18n.Tr "settings.delete_key"}} | |||
</button> | |||
</div> | |||
<div class="left floated content"> | |||
<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span> | |||
</div> | |||
<div class="content"> | |||
<strong>{{.Name}}</strong> | |||
<div class="print meta"> | |||
{{.Fingerprint}} | |||
</div> | |||
<div class="activity meta"> | |||
<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i> | |||
</div> | |||
</div> | |||
</div> | |||
{{end}} | |||
</div> |