[FEAT] Allow pushmirror to use publickey authentication

- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by @Gusted, so it's fine to change copyright holder to Forgejo). - Add the option to use SSH for push mirrors, this would allow for the deploy keys feature to be used and not require tokens to be used which cannot be limited to a specific repository. The private key is stored encrypted (via the `keying` module) on the database and NEVER given to the user, to avoid accidental exposure and misuse. - CAVEAT: This does require the `ssh` binary to be present, which may not be available in containerized environments, this could be solved by adding a SSH client into forgejo itself and use the forgejo binary as SSH command, but should be done in another PR. - CAVEAT: Mirroring of LFS content is not supported, this would require the previous stated problem to be solved due to LFS authentication (an attempt was made at forgejo/forgejo#2544). - Integration test added. - Resolves #4416
2024-08-04 14:46:05 -04:00 · 2024-08-04 14:46:05 -04:00 · 03508b33a8
commit 03508b33a8
parent 61e018f8b4
24 changed files with 648 additions and 66 deletions
--- a/models/forgejo_migrations/migrate.go
+++ b/models/forgejo_migrations/migrate.go
@ -78,6 +78,8 @@ var migrations = []*Migration{
 	NewMigration("Add external_url to attachment table", AddExternalURLColumnToAttachmentTable),
 	// v20 -> v21
 	NewMigration("Creating Quota-related tables", CreateQuotaTables),
+	// v21 -> v22
+	NewMigration("Add SSH keypair to `pull_mirror` table", AddSSHKeypairToPushMirror),
 }

 // GetCurrentDBVersion returns the current Forgejo database version.
--- a/models/forgejo_migrations/v21.go
+++ b/models/forgejo_migrations/v21.go
@ -0,0 +1,16 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgejo_migrations //nolint:revive
+
+import "xorm.io/xorm"
+
+func AddSSHKeypairToPushMirror(x *xorm.Engine) error {
+	type PushMirror struct {
+		ID         int64  `xorm:"pk autoincr"`
+		PublicKey  string `xorm:"VARCHAR(100)"`
+		PrivateKey []byte `xorm:"BLOB"`
+	}
+
+	return x.Sync(&PushMirror{})
+}
--- a/models/repo/pushmirror.go
+++ b/models/repo/pushmirror.go
@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/git"
 	giturl "code.gitea.io/gitea/modules/git/url"
+	"code.gitea.io/gitea/modules/keying"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
@ -32,6 +33,10 @@ type PushMirror struct {
 	RemoteName    string
 	RemoteAddress string `xorm:"VARCHAR(2048)"`

+	// A keypair formatted in OpenSSH format.
+	PublicKey  string `xorm:"VARCHAR(100)"`
+	PrivateKey []byte `xorm:"BLOB"`
+
 	SyncOnCommit   bool `xorm:"NOT NULL DEFAULT true"`
 	Interval       time.Duration
 	CreatedUnix    timeutil.TimeStamp `xorm:"created"`
@ -82,6 +87,29 @@ func (m *PushMirror) GetRemoteName() string {
 	return m.RemoteName
 }

+// GetPublicKey returns a sanitized version of the public key.
+// This should only be used when displaying the public key to the user, not for actual code.
+func (m *PushMirror) GetPublicKey() string {
+	return strings.TrimSuffix(m.PublicKey, "\n")
+}
+
+// SetPrivatekey encrypts the given private key and store it in the database.
+// The ID of the push mirror must be known, so this should be done after the
+// push mirror is inserted.
+func (m *PushMirror) SetPrivatekey(ctx context.Context, privateKey []byte) error {
+	key := keying.DeriveKey(keying.ContextPushMirror)
+	m.PrivateKey = key.Encrypt(privateKey, keying.ColumnAndID("private_key", m.ID))
+
+	_, err := db.GetEngine(ctx).ID(m.ID).Cols("private_key").Update(m)
+	return err
+}
+
+// Privatekey retrieves the encrypted private key and decrypts it.
+func (m *PushMirror) Privatekey() ([]byte, error) {
+	key := keying.DeriveKey(keying.ContextPushMirror)
+	return key.Decrypt(m.PrivateKey, keying.ColumnAndID("private_key", m.ID))
+}
+
 // UpdatePushMirror updates the push-mirror
 func UpdatePushMirror(ctx context.Context, m *PushMirror) error {
 	_, err := db.GetEngine(ctx).ID(m.ID).AllCols().Update(m)
--- a/models/repo/pushmirror_test.go
+++ b/models/repo/pushmirror_test.go
@ -50,3 +50,30 @@ func TestPushMirrorsIterate(t *testing.T) {
 		return nil
 	})
 }
+
+func TestPushMirrorPrivatekey(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	m := &repo_model.PushMirror{
+		RemoteName: "test-privatekey",
+	}
+	require.NoError(t, db.Insert(db.DefaultContext, m))
+
+	privateKey := []byte{0x00, 0x01, 0x02, 0x04, 0x08, 0x10}
+	t.Run("Set privatekey", func(t *testing.T) {
+		require.NoError(t, m.SetPrivatekey(db.DefaultContext, privateKey))
+	})
+
+	t.Run("Normal retrieval", func(t *testing.T) {
+		actualPrivateKey, err := m.Privatekey()
+		require.NoError(t, err)
+		assert.EqualValues(t, privateKey, actualPrivateKey)
+	})
+
+	t.Run("Incorrect retrieval", func(t *testing.T) {
+		m.ID++
+		actualPrivateKey, err := m.Privatekey()
+		require.Error(t, err)
+		assert.Empty(t, actualPrivateKey)
+	})
+}