tea/modules/task/login_httpsign.go

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package task

import (
	"os"
	"path/filepath"
	"strings"

	"code.gitea.io/sdk/gitea"
	"code.gitea.io/tea/modules/utils"
	"golang.org/x/crypto/ssh"
)

// ListSSHPubkey lists all the ssh keys in the ssh agent and the ~/.ssh/*.pub files
// It returns a list of SSH keys in the format of:
// "fingerprint keytype comment - principals: principals (ssh-agent or path to pubkey file)"
func ListSSHPubkey() []string {
	var keys []string

	keys = append(keys, getAgentKeys()...)
	keys = append(keys, getLocalKeys()...)

	return keys
}

func getAgentKeys() []string {
	ag, err := gitea.GetAgent()
	if err != nil {
		return []string{}
	}

	akeys, err := ag.List()
	if err != nil {
		return nil
	}

	var keys []string

	for _, akey := range akeys {
		if key := parseKeys([]byte(akey.String()), "ssh-agent"); key != "" {
			keys = append(keys, key)
		}
	}

	return keys
}

func getLocalKeys() []string {
	var keys []string

	// enumerate ~/.ssh/*.pub files
	glob, err := utils.AbsPathWithExpansion("~/.ssh/*.pub")
	if err != nil {
		return []string{}
	}
	localPubkeyPaths, err := filepath.Glob(glob)
	if err != nil {
		return []string{}
	}

	// parse each local key with present privkey & compare fingerprints to online keys
	for _, pubkeyPath := range localPubkeyPaths {
		var pubkeyFile []byte
		pubkeyFile, err = os.ReadFile(pubkeyPath)
		if err != nil {
			continue
		}

		if key := parseKeys(pubkeyFile, pubkeyPath); key != "" {
			keys = append(keys, key)
		}
	}

	return keys
}

func parseKeys(pkinput []byte, sshPath string) string {
	pkey, comment, _, _, err := ssh.ParseAuthorizedKey(pkinput)
	if err != nil {
		return ""
	}

	if strings.Contains(pkey.Type(), "cert-v01@openssh.com") {
		principals := pkey.(*ssh.Certificate).ValidPrincipals
		return ssh.FingerprintSHA256(pkey) + " " + pkey.Type() + " " + comment +
			" - principals: " + strings.Join(principals, ",") + " (" + sshPath + ")"
	}

	return ssh.FingerprintSHA256(pkey) + " " + pkey.Type() + " " + comment + " (" + sshPath + ")"
}
Add support for authentication via ssh certificates and pub/privatekey (#442) This adds support for authentication using a SSH certificate and normal public keys when you've got an ssh-agent running that has this certificate or your public key loaded. First question when creating a new login is to ask about the ssh certificates or public keys, when the answer is yes, we don't need to ask about tokens/usernames anymore. Co-authored-by: Wim <wim@42.be> Reviewed-on: https://gitea.com/gitea/tea/pulls/442 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Wim <42wim@noreply.gitea.io> Co-committed-by: Wim <42wim@noreply.gitea.io> 2022-09-14 15:00:08 -04:00			`// Copyright 2022 The Gitea Authors. All rights reserved.`
spdx (#581) Co-authored-by: techknowlogick <hello@techknowlogick.com> Co-committed-by: techknowlogick <hello@techknowlogick.com> 2023-09-07 21:40:02 -04:00			`// SPDX-License-Identifier: MIT`
Add support for authentication via ssh certificates and pub/privatekey (#442) This adds support for authentication using a SSH certificate and normal public keys when you've got an ssh-agent running that has this certificate or your public key loaded. First question when creating a new login is to ask about the ssh certificates or public keys, when the answer is yes, we don't need to ask about tokens/usernames anymore. Co-authored-by: Wim <wim@42.be> Reviewed-on: https://gitea.com/gitea/tea/pulls/442 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Wim <42wim@noreply.gitea.io> Co-committed-by: Wim <42wim@noreply.gitea.io> 2022-09-14 15:00:08 -04:00
			`package task`

			`import (`
spdx (#581) Co-authored-by: techknowlogick <hello@techknowlogick.com> Co-committed-by: techknowlogick <hello@techknowlogick.com> 2023-09-07 21:40:02 -04:00			`"os"`
Add support for authentication via ssh certificates and pub/privatekey (#442) This adds support for authentication using a SSH certificate and normal public keys when you've got an ssh-agent running that has this certificate or your public key loaded. First question when creating a new login is to ask about the ssh certificates or public keys, when the answer is yes, we don't need to ask about tokens/usernames anymore. Co-authored-by: Wim <wim@42.be> Reviewed-on: https://gitea.com/gitea/tea/pulls/442 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Wim <42wim@noreply.gitea.io> Co-committed-by: Wim <42wim@noreply.gitea.io> 2022-09-14 15:00:08 -04:00			`"path/filepath"`
			`"strings"`

			`"code.gitea.io/sdk/gitea"`
			`"code.gitea.io/tea/modules/utils"`
			`"golang.org/x/crypto/ssh"`
			`)`

			`// ListSSHPubkey lists all the ssh keys in the ssh agent and the ~/.ssh/*.pub files`
			`// It returns a list of SSH keys in the format of:`
			`// "fingerprint keytype comment - principals: principals (ssh-agent or path to pubkey file)"`
			`func ListSSHPubkey() []string {`
			`var keys []string`

			`keys = append(keys, getAgentKeys()...)`
			`keys = append(keys, getLocalKeys()...)`

			`return keys`
			`}`

			`func getAgentKeys() []string {`
			`ag, err := gitea.GetAgent()`
			`if err != nil {`
			`return []string{}`
			`}`

			`akeys, err := ag.List()`
			`if err != nil {`
			`return nil`
			`}`

			`var keys []string`

			`for _, akey := range akeys {`
			`if key := parseKeys([]byte(akey.String()), "ssh-agent"); key != "" {`
			`keys = append(keys, key)`
			`}`
			`}`

			`return keys`
			`}`

			`func getLocalKeys() []string {`
			`var keys []string`

			`// enumerate ~/.ssh/*.pub files`
			`glob, err := utils.AbsPathWithExpansion("~/.ssh/*.pub")`
			`if err != nil {`
			`return []string{}`
			`}`
			`localPubkeyPaths, err := filepath.Glob(glob)`
			`if err != nil {`
			`return []string{}`
			`}`

			`// parse each local key with present privkey & compare fingerprints to online keys`
			`for _, pubkeyPath := range localPubkeyPaths {`
			`var pubkeyFile []byte`
spdx (#581) Co-authored-by: techknowlogick <hello@techknowlogick.com> Co-committed-by: techknowlogick <hello@techknowlogick.com> 2023-09-07 21:40:02 -04:00			`pubkeyFile, err = os.ReadFile(pubkeyPath)`
Add support for authentication via ssh certificates and pub/privatekey (#442) This adds support for authentication using a SSH certificate and normal public keys when you've got an ssh-agent running that has this certificate or your public key loaded. First question when creating a new login is to ask about the ssh certificates or public keys, when the answer is yes, we don't need to ask about tokens/usernames anymore. Co-authored-by: Wim <wim@42.be> Reviewed-on: https://gitea.com/gitea/tea/pulls/442 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Wim <42wim@noreply.gitea.io> Co-committed-by: Wim <42wim@noreply.gitea.io> 2022-09-14 15:00:08 -04:00			`if err != nil {`
			`continue`
			`}`

			`if key := parseKeys(pubkeyFile, pubkeyPath); key != "" {`
			`keys = append(keys, key)`
			`}`
			`}`

			`return keys`
			`}`

			`func parseKeys(pkinput []byte, sshPath string) string {`
			`pkey, comment, _, _, err := ssh.ParseAuthorizedKey(pkinput)`
			`if err != nil {`
			`return ""`
			`}`

			`if strings.Contains(pkey.Type(), "cert-v01@openssh.com") {`
			`principals := pkey.(*ssh.Certificate).ValidPrincipals`
			`return ssh.FingerprintSHA256(pkey) + " " + pkey.Type() + " " + comment +`
			`" - principals: " + strings.Join(principals, ",") + " (" + sshPath + ")"`
			`}`

			`return ssh.FingerprintSHA256(pkey) + " " + pkey.Type() + " " + comment + " (" + sshPath + ")"`
			`}`