#334: Add Deployment Key Support

2015-08-06 22:48:11 +08:00 · 2015-08-06 22:48:11 +08:00 · 39a3b768bc
commit 39a3b768bc
parent 9f12ab0e88
26 changed files with 693 additions and 149 deletions
--- a/models/publickey.go
+++ b/models/publickey.go
@ -21,6 +21,7 @@ import (
 	"time"

 	"github.com/Unknwon/com"
+	"github.com/go-xorm/xorm"

 	"github.com/gogits/gogs/modules/log"
 	"github.com/gogits/gogs/modules/process"
@ -33,8 +34,6 @@ const (
 )

 var (
-	ErrKeyAlreadyExist = errors.New("Public key already exists")
-	ErrKeyNotExist     = errors.New("Public key does not exist")
 	ErrKeyUnableVerify = errors.New("Unable to verify public key")
 )

@ -78,17 +77,34 @@ func init() {
 	}
 }

-// PublicKey represents a SSH key.
+type KeyType int
+
+const (
+	KEY_TYPE_USER = iota + 1
+	KEY_TYPE_DEPLOY
+)
+
+// PublicKey represents a SSH or deploy key.
 type PublicKey struct {
-	Id                int64
-	OwnerId           int64     `xorm:"UNIQUE(s) INDEX NOT NULL"`
-	Name              string    `xorm:"UNIQUE(s) NOT NULL"`
-	Fingerprint       string    `xorm:"INDEX NOT NULL"`
-	Content           string    `xorm:"TEXT NOT NULL"`
-	Created           time.Time `xorm:"CREATED"`
-	Updated           time.Time
-	HasRecentActivity bool `xorm:"-"`
-	HasUsed           bool `xorm:"-"`
+	ID                int64      `xorm:"pk autoincr"`
+	OwnerID           int64      `xorm:"INDEX NOT NULL"`
+	Name              string     `xorm:"NOT NULL"`
+	Fingerprint       string     `xorm:"NOT NULL"`
+	Content           string     `xorm:"UNIQUE TEXT NOT NULL"`
+	Mode              AccessMode `xorm:"NOT NULL DEFAULT 2"`
+	Type              KeyType    `xorm:"NOT NULL DEFAULT 1"`
+	Created           time.Time  `xorm:"CREATED"`
+	Updated           time.Time  // Note: Updated must below Created for AfterSet.
+	HasRecentActivity bool       `xorm:"-"`
+	HasUsed           bool       `xorm:"-"`
+}
+
+func (k *PublicKey) AfterSet(colName string, _ xorm.Cell) {
+	switch colName {
+	case "created":
+		k.HasUsed = k.Updated.After(k.Created)
+		k.HasRecentActivity = k.Updated.Add(7 * 24 * time.Hour).After(time.Now())
+	}
 }

 // OmitEmail returns content of public key but without e-mail address.
@ -98,7 +114,7 @@ func (k *PublicKey) OmitEmail() string {

 // GetAuthorizedString generates and returns formatted public key string for authorized_keys file.
 func (key *PublicKey) GetAuthorizedString() string {
-	return fmt.Sprintf(_TPL_PUBLICK_KEY, appPath, key.Id, setting.CustomConf, key.Content)
+	return fmt.Sprintf(_TPL_PUBLICK_KEY, appPath, key.ID, setting.CustomConf, key.Content)
 }

 var minimumKeySizes = map[string]int{
@ -126,8 +142,8 @@ func extractTypeFromBase64Key(key string) (string, error) {
 	return string(b[4 : 4+keyLength]), nil
 }

-// Parse any key string in openssh or ssh2 format to clean openssh string (rfc4253)
-func ParseKeyString(content string) (string, error) {
+// parseKeyString parses any key string in openssh or ssh2 format to clean openssh string (rfc4253)
+func parseKeyString(content string) (string, error) {
 	// Transform all legal line endings to a single "\n"
 	s := strings.Replace(strings.Replace(strings.TrimSpace(content), "\r\n", "\n", -1), "\r", "\n", -1)

@ -190,16 +206,21 @@ func ParseKeyString(content string) (string, error) {
 }

 // CheckPublicKeyString checks if the given public key string is recognized by SSH.
-func CheckPublicKeyString(content string) (bool, error) {
+func CheckPublicKeyString(content string) (_ string, err error) {
+	content, err = parseKeyString(content)
+	if err != nil {
+		return "", err
+	}
+
 	content = strings.TrimRight(content, "\n\r")
 	if strings.ContainsAny(content, "\n\r") {
-		return false, errors.New("only a single line with a single key please")
+		return "", errors.New("only a single line with a single key please")
 	}

 	// write the key to a file…
 	tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest")
 	if err != nil {
-		return false, err
+		return "", err
 	}
 	tmpPath := tmpFile.Name()
 	defer os.Remove(tmpPath)
@ -209,37 +230,36 @@ func CheckPublicKeyString(content string) (bool, error) {
 	// Check if ssh-keygen recognizes its contents.
 	stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-l", "-f", tmpPath)
 	if err != nil {
-		return false, errors.New("ssh-keygen -l -f: " + stderr)
+		return "", errors.New("ssh-keygen -l -f: " + stderr)
 	} else if len(stdout) < 2 {
-		return false, errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
+		return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
 	}

 	// The ssh-keygen in Windows does not print key type, so no need go further.
 	if setting.IsWindows {
-		return true, nil
+		return content, nil
 	}

-	fmt.Println(stdout)
 	sshKeygenOutput := strings.Split(stdout, " ")
 	if len(sshKeygenOutput) < 4 {
-		return false, ErrKeyUnableVerify
+		return content, ErrKeyUnableVerify
 	}

 	// Check if key type and key size match.
 	if !setting.Service.DisableMinimumKeySizeCheck {
 		keySize := com.StrTo(sshKeygenOutput[0]).MustInt()
 		if keySize == 0 {
-			return false, errors.New("cannot get key size of the given key")
+			return "", errors.New("cannot get key size of the given key")
 		}
 		keyType := strings.TrimSpace(sshKeygenOutput[len(sshKeygenOutput)-1])
 		if minimumKeySize := minimumKeySizes[keyType]; minimumKeySize == 0 {
-			return false, errors.New("sorry, unrecognized public key type")
+			return "", errors.New("sorry, unrecognized public key type")
 		} else if keySize < minimumKeySize {
-			return false, fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
+			return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
 		}
 	}

-	return true, nil
+	return content, nil
 }

 // saveAuthorizedKeyFile writes SSH key content to authorized_keys file.
@ -278,20 +298,23 @@ func saveAuthorizedKeyFile(keys ...*PublicKey) error {
 	return nil
 }

-// AddPublicKey adds new public key to database and authorized_keys file.
-func AddPublicKey(key *PublicKey) (err error) {
-	has, err := x.Get(key)
+func checkKeyContent(content string) error {
+	// Same key can only be added once.
+	has, err := x.Where("content=?", content).Get(new(PublicKey))
 	if err != nil {
 		return err
 	} else if has {
-		return ErrKeyAlreadyExist
+		return ErrKeyAlreadyExist{0, content}
 	}
+	return nil
+}

+func addKey(e Engine, key *PublicKey) (err error) {
 	// Calculate fingerprint.
 	tmpPath := strings.Replace(path.Join(os.TempDir(), fmt.Sprintf("%d", time.Now().Nanosecond()),
 		"id_rsa.pub"), "\\", "/", -1)
 	os.MkdirAll(path.Dir(tmpPath), os.ModePerm)
-	if err = ioutil.WriteFile(tmpPath, []byte(key.Content), os.ModePerm); err != nil {
+	if err = ioutil.WriteFile(tmpPath, []byte(key.Content), 0644); err != nil {
 		return err
 	}
 	stdout, stderr, err := process.Exec("AddPublicKey", "ssh-keygen", "-l", "-f", tmpPath)
@ -301,32 +324,56 @@ func AddPublicKey(key *PublicKey) (err error) {
 		return errors.New("not enough output for calculating fingerprint: " + stdout)
 	}
 	key.Fingerprint = strings.Split(stdout, " ")[1]
-	if has, err := x.Get(&PublicKey{Fingerprint: key.Fingerprint}); err == nil && has {
-		return ErrKeyAlreadyExist
-	}

 	// Save SSH key.
-	if _, err = x.Insert(key); err != nil {
+	if _, err = e.Insert(key); err != nil {
 		return err
-	} else if err = saveAuthorizedKeyFile(key); err != nil {
-		// Roll back.
-		if _, err2 := x.Delete(key); err2 != nil {
-			return err2
-		}
+	}
+	return saveAuthorizedKeyFile(key)
+}
+
+// AddPublicKey adds new public key to database and authorized_keys file.
+func AddPublicKey(ownerID int64, name, content string) (err error) {
+	if err = checkKeyContent(content); err != nil {
 		return err
 	}

-	return nil
+	// Key name of same user cannot be duplicated.
+	has, err := x.Where("owner_id=? AND name=?", ownerID, name).Get(new(PublicKey))
+	if err != nil {
+		return err
+	} else if has {
+		return ErrKeyNameAlreadyUsed{ownerID, name}
+	}
+
+	sess := x.NewSession()
+	defer sessionRelease(sess)
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	key := &PublicKey{
+		OwnerID: ownerID,
+		Name:    name,
+		Content: content,
+		Mode:    ACCESS_MODE_WRITE,
+		Type:    KEY_TYPE_USER,
+	}
+	if err = addKey(sess, key); err != nil {
+		return fmt.Errorf("addKey: %v", err)
+	}
+
+	return sess.Commit()
 }

-// GetPublicKeyById returns public key by given ID.
-func GetPublicKeyById(keyId int64) (*PublicKey, error) {
+// GetPublicKeyByID returns public key by given ID.
+func GetPublicKeyByID(keyID int64) (*PublicKey, error) {
 	key := new(PublicKey)
-	has, err := x.Id(keyId).Get(key)
+	has, err := x.Id(keyID).Get(key)
 	if err != nil {
 		return nil, err
 	} else if !has {
-		return nil, ErrKeyNotExist
+		return nil, ErrKeyNotExist{keyID}
 	}
 	return key, nil
 }
@ -334,16 +381,7 @@ func GetPublicKeyById(keyId int64) (*PublicKey, error) {
 // ListPublicKeys returns a list of public keys belongs to given user.
 func ListPublicKeys(uid int64) ([]*PublicKey, error) {
 	keys := make([]*PublicKey, 0, 5)
-	err := x.Where("owner_id=?", uid).Find(&keys)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, key := range keys {
-		key.HasUsed = key.Updated.After(key.Created)
-		key.HasRecentActivity = key.Updated.Add(7 * 24 * time.Hour).After(time.Now())
-	}
-	return keys, nil
+	return keys, x.Where("owner_id=?", uid).Find(&keys)
 }

 // rewriteAuthorizedKeys finds and deletes corresponding line in authorized_keys file.
@ -364,7 +402,7 @@ func rewriteAuthorizedKeys(key *PublicKey, p, tmpP string) error {
 	defer fw.Close()

 	isFound := false
-	keyword := fmt.Sprintf("key-%d", key.Id)
+	keyword := fmt.Sprintf("key-%d", key.ID)
 	buf := bufio.NewReader(fr)
 	for {
 		line, errRead := buf.ReadString('\n')
@ -401,20 +439,19 @@ func rewriteAuthorizedKeys(key *PublicKey, p, tmpP string) error {

 // UpdatePublicKey updates given public key.
 func UpdatePublicKey(key *PublicKey) error {
-	_, err := x.Id(key.Id).AllCols().Update(key)
+	_, err := x.Id(key.ID).AllCols().Update(key)
 	return err
 }

-// DeletePublicKey deletes SSH key information both in database and authorized_keys file.
-func DeletePublicKey(key *PublicKey) error {
-	has, err := x.Get(key)
+func deletePublicKey(e *xorm.Session, key *PublicKey) error {
+	has, err := e.Get(key)
 	if err != nil {
 		return err
 	} else if !has {
-		return ErrKeyNotExist
+		return nil
 	}

-	if _, err = x.Delete(key); err != nil {
+	if _, err = e.Id(key.ID).Delete(key); err != nil {
 		return err
 	}

@ -428,6 +465,21 @@ func DeletePublicKey(key *PublicKey) error {
 	return os.Rename(tmpPath, fpath)
 }

+// DeletePublicKey deletes SSH key information both in database and authorized_keys file.
+func DeletePublicKey(key *PublicKey) (err error) {
+	sess := x.NewSession()
+	defer sessionRelease(sess)
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	if err = deletePublicKey(sess, key); err != nil {
+		return err
+	}
+
+	return sess.Commit()
+}
+
 // RewriteAllPublicKeys removes any authorized key and rewrite all keys from database again.
 func RewriteAllPublicKeys() error {
 	sshOpLocker.Lock()
@ -461,3 +513,162 @@ func RewriteAllPublicKeys() error {

 	return nil
 }
+
+// ________                .__                 ____  __.
+// \______ \   ____ ______ |  |   ____ ___.__.|    |/ _|____ ___.__.
+//  |    |  \_/ __ \\____ \|  |  /  _ <   |  ||      <_/ __ <   |  |
+//  |    `   \  ___/|  |_> >  |_(  <_> )___  ||    |  \  ___/\___  |
+// /_______  /\___  >   __/|____/\____// ____||____|__ \___  > ____|
+//         \/     \/|__|               \/             \/   \/\/
+
+// DeployKey represents deploy key information and its relation with repository.
+type DeployKey struct {
+	ID                int64 `xorm:"pk autoincr"`
+	KeyID             int64 `xorm:"UNIQUE(s) INDEX"`
+	RepoID            int64 `xorm:"UNIQUE(s) INDEX"`
+	Name              string
+	Fingerprint       string
+	Created           time.Time `xorm:"CREATED"`
+	Updated           time.Time // Note: Updated must below Created for AfterSet.
+	HasRecentActivity bool      `xorm:"-"`
+	HasUsed           bool      `xorm:"-"`
+}
+
+func (k *DeployKey) AfterSet(colName string, _ xorm.Cell) {
+	switch colName {
+	case "created":
+		k.HasUsed = k.Updated.After(k.Created)
+		k.HasRecentActivity = k.Updated.Add(7 * 24 * time.Hour).After(time.Now())
+	}
+}
+
+func checkDeployKey(e Engine, keyID, repoID int64, name string) error {
+	// Note: We want error detail, not just true or false here.
+	has, err := e.Where("key_id=? AND repo_id=?", keyID, repoID).Get(new(DeployKey))
+	if err != nil {
+		return err
+	} else if has {
+		return ErrDeployKeyAlreadyExist{keyID, repoID}
+	}
+
+	has, err = e.Where("repo_id=? AND name=?", repoID, name).Get(new(DeployKey))
+	if err != nil {
+		return err
+	} else if has {
+		return ErrDeployKeyNameAlreadyUsed{repoID, name}
+	}
+
+	return nil
+}
+
+// addDeployKey adds new key-repo relation.
+func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string) (err error) {
+	if err = checkDeployKey(e, keyID, repoID, name); err != nil {
+		return err
+	}
+
+	_, err = e.Insert(&DeployKey{
+		KeyID:       keyID,
+		RepoID:      repoID,
+		Name:        name,
+		Fingerprint: fingerprint,
+	})
+	return err
+}
+
+// HasDeployKey returns true if public key is a deploy key of given repository.
+func HasDeployKey(keyID, repoID int64) bool {
+	has, _ := x.Where("key_id=? AND repo_id=?", keyID, repoID).Get(new(DeployKey))
+	return has
+}
+
+// AddDeployKey add new deploy key to database and authorized_keys file.
+func AddDeployKey(repoID int64, name, content string) (err error) {
+	if err = checkKeyContent(content); err != nil {
+		return err
+	}
+
+	key := &PublicKey{
+		Content: content,
+		Mode:    ACCESS_MODE_READ,
+		Type:    KEY_TYPE_DEPLOY,
+	}
+	has, err := x.Get(key)
+	if err != nil {
+		return err
+	}
+
+	sess := x.NewSession()
+	defer sessionRelease(sess)
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	// First time use this deploy key.
+	if !has {
+		if err = addKey(sess, key); err != nil {
+			return nil
+		}
+	}
+
+	if err = addDeployKey(sess, key.ID, repoID, name, key.Fingerprint); err != nil {
+		return err
+	}
+
+	return sess.Commit()
+}
+
+// GetDeployKeyByRepo returns deploy key by given public key ID and repository ID.
+func GetDeployKeyByRepo(keyID, repoID int64) (*DeployKey, error) {
+	key := &DeployKey{
+		KeyID:  keyID,
+		RepoID: repoID,
+	}
+	_, err := x.Get(key)
+	return key, err
+}
+
+// UpdateDeployKey updates deploy key information.
+func UpdateDeployKey(key *DeployKey) error {
+	_, err := x.Id(key.ID).AllCols().Update(key)
+	return err
+}
+
+// DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed.
+func DeleteDeployKey(id int64) error {
+	key := &DeployKey{ID: id}
+	has, err := x.Id(key.ID).Get(key)
+	if err != nil {
+		return err
+	} else if !has {
+		return nil
+	}
+
+	sess := x.NewSession()
+	defer sessionRelease(sess)
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	if _, err = sess.Id(key.ID).Delete(key); err != nil {
+		return fmt.Errorf("delete deploy key[%d]: %v", key.ID, err)
+	}
+
+	// Check if this is the last reference to same key content.
+	has, err = sess.Where("key_id=?", key.KeyID).Get(new(DeployKey))
+	if err != nil {
+		return err
+	} else if !has {
+		if err = deletePublicKey(sess, &PublicKey{ID: key.KeyID}); err != nil {
+			return err
+		}
+	}
+
+	return sess.Commit()
+}
+
+// ListDeployKeys returns all deploy keys by given repository ID.
+func ListDeployKeys(repoID int64) ([]*DeployKey, error) {
+	keys := make([]*DeployKey, 0, 5)
+	return keys, x.Where("repo_id=?", repoID).Find(&keys)
+}