Disable SSH key deletion of externally managed Keys (#13985)
* Disable SSH key addition and deletion when externally managed When a user has a login source which has SSH key management key addition and deletion using the UI should be disabled. Fix #13983 Signed-off-by: Andrew Thornton <art27@cantab.net> * Make only externally managed keys disabled Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
parent
a19447aed1
commit
ad1164f73b
5 changed files with 125 additions and 21 deletions
|
@ -665,6 +665,82 @@ func deletePublicKeys(e Engine, keyIDs ...int64) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key
|
||||||
|
func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) {
|
||||||
|
sources := make([]*LoginSource, 0, 5)
|
||||||
|
externals := make([]bool, len(keys))
|
||||||
|
keyloop:
|
||||||
|
for i, key := range keys {
|
||||||
|
if key.LoginSourceID == 0 {
|
||||||
|
externals[i] = false
|
||||||
|
continue keyloop
|
||||||
|
}
|
||||||
|
|
||||||
|
var source *LoginSource
|
||||||
|
|
||||||
|
sourceloop:
|
||||||
|
for _, s := range sources {
|
||||||
|
if s.ID == key.LoginSourceID {
|
||||||
|
source = s
|
||||||
|
break sourceloop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if source == nil {
|
||||||
|
var err error
|
||||||
|
source, err = GetLoginSourceByID(key.LoginSourceID)
|
||||||
|
if err != nil {
|
||||||
|
if IsErrLoginSourceNotExist(err) {
|
||||||
|
externals[i] = false
|
||||||
|
sources[i] = &LoginSource{
|
||||||
|
ID: key.LoginSourceID,
|
||||||
|
}
|
||||||
|
continue keyloop
|
||||||
|
}
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ldapSource := source.LDAP()
|
||||||
|
if ldapSource != nil &&
|
||||||
|
source.IsSyncEnabled &&
|
||||||
|
(source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
|
||||||
|
len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
|
||||||
|
// Disable setting SSH keys for this user
|
||||||
|
externals[i] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return externals, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// PublicKeyIsExternallyManaged returns whether the provided KeyID represents an externally managed Key
|
||||||
|
func PublicKeyIsExternallyManaged(id int64) (bool, error) {
|
||||||
|
key, err := GetPublicKeyByID(id)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if key.LoginSourceID == 0 {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
source, err := GetLoginSourceByID(key.LoginSourceID)
|
||||||
|
if err != nil {
|
||||||
|
if IsErrLoginSourceNotExist(err) {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
ldapSource := source.LDAP()
|
||||||
|
if ldapSource != nil &&
|
||||||
|
source.IsSyncEnabled &&
|
||||||
|
(source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
|
||||||
|
len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
|
||||||
|
// Disable setting SSH keys for this user
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
// DeletePublicKey deletes SSH key information both in database and authorized_keys file.
|
// DeletePublicKey deletes SSH key information both in database and authorized_keys file.
|
||||||
func DeletePublicKey(doer *User, id int64) (err error) {
|
func DeletePublicKey(doer *User, id int64) (err error) {
|
||||||
key, err := GetPublicKeyByID(id)
|
key, err := GetPublicKeyByID(id)
|
||||||
|
|
|
@ -556,6 +556,7 @@ principal_state_desc = This principal has been used in the last 7 days
|
||||||
show_openid = Show on profile
|
show_openid = Show on profile
|
||||||
hide_openid = Hide from profile
|
hide_openid = Hide from profile
|
||||||
ssh_disabled = SSH Disabled
|
ssh_disabled = SSH Disabled
|
||||||
|
ssh_externally_managed = This SSH key is externally managed for this user
|
||||||
manage_social = Manage Associated Social Accounts
|
manage_social = Manage Associated Social Accounts
|
||||||
social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account.
|
social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account.
|
||||||
unbind = Unlink
|
unbind = Unlink
|
||||||
|
|
|
@ -267,7 +267,16 @@ func DeletePublicKey(ctx *context.APIContext) {
|
||||||
// "404":
|
// "404":
|
||||||
// "$ref": "#/responses/notFound"
|
// "$ref": "#/responses/notFound"
|
||||||
|
|
||||||
if err := models.DeletePublicKey(ctx.User, ctx.ParamsInt64(":id")); err != nil {
|
id := ctx.ParamsInt64(":id")
|
||||||
|
externallyManaged, err := models.PublicKeyIsExternallyManaged(id)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "PublicKeyIsExternallyManaged", err)
|
||||||
|
}
|
||||||
|
if externallyManaged {
|
||||||
|
ctx.Error(http.StatusForbidden, "", "SSH Key is externally managed for this user")
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := models.DeletePublicKey(ctx.User, id); err != nil {
|
||||||
if models.IsErrKeyNotExist(err) {
|
if models.IsErrKeyNotExist(err) {
|
||||||
ctx.NotFound()
|
ctx.NotFound()
|
||||||
} else if models.IsErrKeyAccessDenied(err) {
|
} else if models.IsErrKeyAccessDenied(err) {
|
||||||
|
|
|
@ -160,7 +160,18 @@ func DeleteKey(ctx *context.Context) {
|
||||||
ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success"))
|
ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success"))
|
||||||
}
|
}
|
||||||
case "ssh":
|
case "ssh":
|
||||||
if err := models.DeletePublicKey(ctx.User, ctx.QueryInt64("id")); err != nil {
|
keyID := ctx.QueryInt64("id")
|
||||||
|
external, err := models.PublicKeyIsExternallyManaged(keyID)
|
||||||
|
if err != nil {
|
||||||
|
ctx.ServerError("sshKeysExternalManaged", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if external {
|
||||||
|
ctx.Flash.Error(ctx.Tr("setting.ssh_externally_managed"))
|
||||||
|
ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err := models.DeletePublicKey(ctx.User, keyID); err != nil {
|
||||||
ctx.Flash.Error("DeletePublicKey: " + err.Error())
|
ctx.Flash.Error("DeletePublicKey: " + err.Error())
|
||||||
} else {
|
} else {
|
||||||
ctx.Flash.Success(ctx.Tr("settings.ssh_key_deletion_success"))
|
ctx.Flash.Success(ctx.Tr("settings.ssh_key_deletion_success"))
|
||||||
|
@ -188,6 +199,13 @@ func loadKeysData(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
ctx.Data["Keys"] = keys
|
ctx.Data["Keys"] = keys
|
||||||
|
|
||||||
|
externalKeys, err := models.PublicKeysAreExternallyManaged(keys)
|
||||||
|
if err != nil {
|
||||||
|
ctx.ServerError("ListPublicKeys", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ctx.Data["ExternalKeys"] = externalKeys
|
||||||
|
|
||||||
gpgkeys, err := models.ListGPGKeys(ctx.User.ID, models.ListOptions{})
|
gpgkeys, err := models.ListGPGKeys(ctx.User.ID, models.ListOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.ServerError("ListGPGKeys", err)
|
ctx.ServerError("ListGPGKeys", err)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
<h4 class="ui top attached header">
|
<h4 class="ui top attached header">
|
||||||
{{.i18n.Tr "settings.manage_ssh_keys"}}
|
{{.i18n.Tr "settings.manage_ssh_keys"}}
|
||||||
<div class="ui right">
|
<div class="ui right">
|
||||||
{{if not .DisableSSH}}
|
{{if not .DisableSSH }}
|
||||||
<div class="ui blue tiny show-panel button" data-panel="#add-ssh-key-panel">{{.i18n.Tr "settings.add_key"}}</div>
|
<div class="ui blue tiny show-panel button" data-panel="#add-ssh-key-panel">{{.i18n.Tr "settings.add_key"}}</div>
|
||||||
{{else}}
|
{{else}}
|
||||||
<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_disabled"}}</div>
|
<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_disabled"}}</div>
|
||||||
|
@ -13,25 +13,25 @@
|
||||||
<div class="item">
|
<div class="item">
|
||||||
{{.i18n.Tr "settings.ssh_desc"}}
|
{{.i18n.Tr "settings.ssh_desc"}}
|
||||||
</div>
|
</div>
|
||||||
{{range .Keys}}
|
{{range $index, $key := .Keys}}
|
||||||
<div class="item">
|
<div class="item">
|
||||||
<div class="right floated content">
|
<div class="right floated content">
|
||||||
<button class="ui red tiny button delete-button" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}">
|
<button class="ui red tiny button delete-button{{if index $.ExternalKeys $index}} disabled{{end}}" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}"{{if index $.ExternalKeys $index}} title="{{$.i18n.Tr "settings.ssh_externally_managed"}}"{{end}}>
|
||||||
{{$.i18n.Tr "settings.delete_key"}}
|
{{$.i18n.Tr "settings.delete_key"}}
|
||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
<div class="left floated content">
|
<div class="left floated content">
|
||||||
<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
|
<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
|
||||||
</div>
|
</div>
|
||||||
<div class="content">
|
<div class="content">
|
||||||
<strong>{{.Name}}</strong>
|
<strong>{{.Name}}</strong>
|
||||||
<div class="print meta">
|
<div class="print meta">
|
||||||
{{.Fingerprint}}
|
{{.Fingerprint}}
|
||||||
</div>
|
</div>
|
||||||
<div class="activity meta">
|
<div class="activity meta">
|
||||||
<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i>
|
<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
|
|
Reference in a new issue