mirrors
/
gitea
镜像自地址 https://github.com/go-gitea/gitea.git
关注 1
点赞 0
派生 0
代码 工单 0 版本发布 211 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
14191 提交
17 分支
目录树: e81ccc406b
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'e81ccc406b'
${ noResults }
gitea/tests/integration/api_httpsig_test.go

api_httpsig_test.go 6.8KB
原始文件 Blame 文件历史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 
  1. // Copyright 2022 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"encoding/base64"

  8. 	"fmt"

  9. 	"net/http"

  10. 	"net/url"

  11. 	"testing"

  12. 

  13. 	api "code.gitea.io/gitea/modules/structs"

  14. 	"code.gitea.io/gitea/tests"

  15. 

  16. 	"github.com/go-fed/httpsig"

  17. 	"golang.org/x/crypto/ssh"

  18. )

  19. 

  20. const (

  21. 	httpsigPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----

  22. b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn

  23. NhAAAAAwEAAQAAAQEAqjmQeb5Eb1xV7qbNf9ErQ0XRvKZWzUsLFhJzZz+Ab7q8WtPs91vQ

  24. fBiypw4i8OTG6WzDcgZaV8Ndxn7iHnIstdA1k89MVG4stydymmwmk9+mrCMNsu5OmdIy9F

  25. AZ61RDcKuf5VG2WKkmeK0VO+OMJIYfE1C6czNeJ6UAmcIOmhGxvjMI83XUO9n0ftwTwayp

  26. +XU5prvKx/fTvlPjbraPNU4OzwPjVLqXBzpoXYhBquPaZYFRVyvfFZLObYsmy+BrsxcloM

  27. l+9w4P0ATJ9njB7dRDL+RrN4uhhYSihqOK4w4vaiOj1+aA0eC0zXunEfLXfGIVQ/FhWcCy

  28. 5f72mMiKnQAAA9AxSmzFMUpsxQAAAAdzc2gtcnNhAAABAQCqOZB5vkRvXFXups1/0StDRd

  29. G8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xU

  30. biy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQ

  31. CZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq

  32. 49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6

  33. PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqdAAAAAwEAAQAAAQBz+nyBNi2SYir6SxPA

  34. flcnoq5gBkUl4ndPNosCUbXEakpi5/mQHzJRGtK+F1efIYCVEdGoIsPy/90onNKbQ9dKmO

  35. 2oI5kx/U7iCzJ+HCm8nqkEp21x+AP9scWdx+Wg/OxmG8j5iU7f4X+gwOyyvTqCuA78Lgia

  36. 7Oi9wiJCoIEqXr6dRYGJzfASwKA2dj995HzATexleLSD5fQCmZTF+Vh5OQ5WmE+c53JdZS

  37. T3Plie/P/smgSWBtf1fWr6JL2+EBsqQsIK1Jo7r/7rxsz+ILoVfnneNQY4QSa9W+t6ZAI+

  38. caSA0Guv7vC92ewjlMVlwKa3XaEjMJb5sFlg1r6TYMwBAAAAgQDQwXvgSXNaSHIeH53/Ab

  39. t4BlNibtxK8vY8CZFloAKXkjrivKSlDAmQCM0twXOweX2ScPjE+XlSMV4AUsv/J6XHGHci

  40. W3+PGIBfc/fQRBpiyhzkoXYDVrlkSKHffCnAqTUQlYkhr0s7NkZpEeqPE0doAUs4dK3Iqb

  41. zdtz8e5BPXZwAAAIEA4U/JskIu5Oge8Is2OLOhlol0EJGw5JGodpFyhbMC+QYK9nYqy7wI

  42. a6mZ2EfOjjwIZD/+wYyulw6cRve4zXwgzUEXLIKp8/H3sYvJK2UMeP7y68sQFqGxbm6Rnh

  43. tyBBSaJQnOXVOFf9gqZGCyO/J0Illg3AXTuC8KS/cxwasC38EAAACBAMFo/6XQoR6E3ynj

  44. VBaz2SilWqQBixUyvcNz8LY73IIDCecoccRMFSEKhWtvlJijxvFbF9M8g9oKAVPuub4V5r

  45. CGmwVPEd5yt4C2iyV0PhLp1PA2/i42FpCSnHaz/EXSz6ncTZcOMMuDqUbgUUpQg4VSUDl9

  46. fhTNAzWwZoQ91aHdAAAAFHUwMDIyMTQ2QGljdHMtcC1ueC03AQIDBAUG

  47. -----END OPENSSH PRIVATE KEY-----`

  48. 	httpsigCertificate = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgiR7SU8gmZLhopx4Y03nOXVuAb+4fyMcJYjMGcE1Z2oEAAAADAQABAAABAQCqOZB5vkRvXFXups1/0StDRdG8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xUbiy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQCZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqdAAAAAAAAAAEAAAABAAAABXVzZXIxAAAACQAAAAV1c2VyMQAAAABimoIOAAAAAMCWkRMAAAAAAAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAABlwAAAAdzc2gtcnNhAAAAAwEAAQAAAYEAm+AwtXTBZyeqV1qOxjMU3Ibc5iR2M3zerGfRQDxUeIozC3xpIvqJbzjDuRapdf8hpxn2xC0GtUusuLIUr4/+Svs1BUnJhF2H9xnK/O0aopS5MpNekUvnBzQdbvO8Ux2xE2mt58giXhkEaXeCEODSqG++OZsA2e40AR/AGRJ4OdDofMvH4vLJAQQc2mKdYpYL8xu+NC+7nsenx1etpsqtEl3gmvqCVI6t9uhVPMvlbGt9h/AN3u7ToF2T3bdk1TZbcdkvR9ljvETIuy32ksAETX8tc7vm30edK+nn/GMeWCgjM+MFm9Uh1NRkvNNJozo5SJy0DkWETTJUsEdfry5VQ3IjqhWqQ0m4/mDlTmsEdEdWqpUiqWZLd9w7jgT8fanuglZyIu2fj8fyqjPjiws5S2P0Uvi28UKQ1nH01UYj/kuakU3BNzN1IqDf3tARP9fjKV/dCBqb1ZAOtyC2GyhGuGzNwEi+woUwq+sTeV0/hqVSb3hSitXHzcfRMRyOK82BAAABlAAAAAxyc2Etc2hhMi01MTIAAAGAMBfgZFvz4BdxriGKYd6eRhMo6hf+I8S9uzNRsflJXHuA+HR9ExIm/Q9JjKmfThQzNyGGBOBILaDU205SAJuG+kk3SieSQDd75ZQd8YmNlCc+516AriOsTiyVCupnf3I2euTjMZqEZbJcBbkBljppTOWQVN7xxE8QakDfGhg0+RjJE9wYOTmkKpDBfII5Nw8V5DoOD7kNEpXYqHdy/8lVxpqUYNIP1J0dNP4f6qBcZcM1PDA12q8zwIGqSNNjf2UXY/Nr8nv9CnK4fB8NDOPKTBa4cm48BGbvM/X0l6dYKswuZ9Np8lw+y6+GxTgznGCrkzMmuEV4FzSq4xHp41H2L2MTwUkwYaeyG1VP6aWkvn6zPkSxaaJDfQX7CAFe17IhIGXR0UPLjKjh35nDLzMWb/W6/W1lK9YkZNHXSf7Z9m9MUAZN7yQgOggGsuYEW4imZxvZizMd+fdDu9mbhr0FDis89I7MSJDnyYRE9FXS7p3QpppBwGcss/9yV3JV3Bjc`

  49. )

  50. 

  51. func TestHTTPSigPubKey(t *testing.T) {

  52. 	// Add our public key to user1

  53. 	defer tests.PrepareTestEnv(t)()

  54. 	session := loginUser(t, "user1")

  55. 	token := url.QueryEscape(getTokenForLoggedInUser(t, session))

  56. 	keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)

  57. 	keyType := "ssh-rsa"

  58. 	keyContent := "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqOZB5vkRvXFXups1/0StDRdG8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xUbiy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQCZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqd"

  59. 	rawKeyBody := api.CreateKeyOption{

  60. 		Title: "test-key",

  61. 		Key:   keyType + " " + keyContent,

  62. 	}

  63. 	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)

  64. 	session.MakeRequest(t, req, http.StatusCreated)

  65. 

  66. 	// parse our private key and create the httpsig request

  67. 	sshSigner, _ := ssh.ParsePrivateKey([]byte(httpsigPrivateKey))

  68. 	keyID := ssh.FingerprintSHA256(sshSigner.PublicKey())

  69. 

  70. 	// create the request

  71. 	req = NewRequest(t, "GET", "/api/v1/admin/users")

  72. 

  73. 	signer, _, err := httpsig.NewSSHSigner(sshSigner, httpsig.DigestSha512, []string{httpsig.RequestTarget, "(created)", "(expires)"}, httpsig.Signature, 10)

  74. 	if err != nil {

  75. 		t.Fatal(err)

  76. 	}

  77. 

  78. 	// sign the request

  79. 	err = signer.SignRequest(keyID, req, nil)

  80. 	if err != nil {

  81. 		t.Fatal(err)

  82. 	}

  83. 

  84. 	// make the request

  85. 	MakeRequest(t, req, http.StatusOK)

  86. }

  87. 

  88. func TestHTTPSigCert(t *testing.T) {

  89. 	// Add our public key to user1

  90. 	defer tests.PrepareTestEnv(t)()

  91. 	session := loginUser(t, "user1")

  92. 

  93. 	csrf := GetCSRF(t, session, "/user/settings/keys")

  94. 	req := NewRequestWithValues(t, "POST", "/user/settings/keys", map[string]string{

  95. 		"_csrf":   csrf,

  96. 		"content": "user1",

  97. 		"title":   "principal",

  98. 		"type":    "principal",

  99. 	})

  100. 

  101. 	session.MakeRequest(t, req, http.StatusSeeOther)

  102. 	pkcert, _, _, _, err := ssh.ParseAuthorizedKey([]byte(httpsigCertificate))

  103. 	if err != nil {

  104. 		t.Fatal(err)

  105. 	}

  106. 

  107. 	// parse our private key and create the httpsig request

  108. 	sshSigner, _ := ssh.ParsePrivateKey([]byte(httpsigPrivateKey))

  109. 	keyID := "gitea"

  110. 

  111. 	// create our certificate signer using the ssh signer and our certificate

  112. 	certSigner, err := ssh.NewCertSigner(pkcert.(*ssh.Certificate), sshSigner)

  113. 	if err != nil {

  114. 		t.Fatal(err)

  115. 	}

  116. 

  117. 	// create the request

  118. 	req = NewRequest(t, "GET", "/api/v1/admin/users")

  119. 

  120. 	// add our cert to the request

  121. 	certString := base64.RawStdEncoding.EncodeToString(pkcert.(*ssh.Certificate).Marshal())

  122. 	req.Header.Add("x-ssh-certificate", certString)

  123. 

  124. 	signer, _, err := httpsig.NewSSHSigner(certSigner, httpsig.DigestSha512, []string{httpsig.RequestTarget, "(created)", "(expires)", "x-ssh-certificate"}, httpsig.Signature, 10)

  125. 	if err != nil {

  126. 		t.Fatal(err)

  127. 	}

  128. 

  129. 	// sign the request

  130. 	err = signer.SignRequest(keyID, req, nil)

  131. 	if err != nil {

  132. 		t.Fatal(err)

  133. 	}

  134. 

  135. 	// make the request

  136. 	MakeRequest(t, req, http.StatusOK)

  137. }