[FEAT] Allow pushmirror to use publickey authentication

oppi.li / perf-test

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

loading up the forgejo repo on tangled to test page performance

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

[FEAT] Allow pushmirror to use publickey authentication

- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by
@Gusted, so it's fine to change copyright holder to Forgejo).
- Add the option to use SSH for push mirrors, this would allow for the
deploy keys feature to be used and not require tokens to be used which
cannot be limited to a specific repository. The private key is stored
encrypted (via the `keying` module) on the database and NEVER given to
the user, to avoid accidental exposure and misuse.
- CAVEAT: This does require the `ssh` binary to be present, which may
not be available in containerized environments, this could be solved by
adding a SSH client into forgejo itself and use the forgejo binary as
SSH command, but should be done in another PR.
- CAVEAT: Mirroring of LFS content is not supported, this would require
the previous stated problem to be solved due to LFS authentication (an
attempt was made at forgejo/forgejo#2544).
- Integration test added.
- Resolves #4416

authored by

Philip Peterson and committed by

Gusted 2 years ago 03508b33 61e018f8

+648 -66

24 changed files

expand all collapse all

.deadcode-out

models

forgejo_migrations

migrate.go

v21.go

repo

pushmirror.go

pushmirror_test.go

modules

git

repo.go

keying

keying.go

keying_test.go

lfs

endpoint.go

structs

mirror.go

util

util.go

util_test.go

options

locale

locale_en-US.ini

release-notes

4819.md

routers

api

repo

mirror.go

web

repo

setting

setting.go

services

convert

mirror.go

forms

repo_form.go

migrations

migrate.go

mirror

mirror_push.go

templates

repo

settings

options.tmpl

swagger

v1_json.tmpl

tests

integration

api_push_mirror_test.go

mirror_push_test.go

-5

.deadcode-out

reviewed

··· 170 170 StdJSON.NewDecoder 171 171 StdJSON.Indent 172 172 173 173 - code.gitea.io/gitea/modules/keying 174 174 - DeriveKey 175 175 - Key.Encrypt 176 176 - Key.Decrypt 177 177 - 178 173 code.gitea.io/gitea/modules/markup 179 174 GetRendererByType 180 175 RenderString

models/forgejo_migrations/migrate.go

reviewed

··· 78 78 NewMigration("Add external_url to attachment table", AddExternalURLColumnToAttachmentTable), 79 79 // v20 -> v21 80 80 NewMigration("Creating Quota-related tables", CreateQuotaTables), 81 81 + // v21 -> v22 82 82 + NewMigration("Add SSH keypair to `pull_mirror` table", AddSSHKeypairToPushMirror), 81 83 } 82 84 83 85 // GetCurrentDBVersion returns the current Forgejo database version.

+16

models/forgejo_migrations/v21.go

reviewed

··· 1 1 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 2 + // SPDX-License-Identifier: MIT 3 3 + 4 4 + package forgejo_migrations //nolint:revive 5 5 + 6 6 + import "xorm.io/xorm" 7 7 + 8 8 + func AddSSHKeypairToPushMirror(x *xorm.Engine) error { 9 9 + type PushMirror struct { 10 10 + ID int64 `xorm:"pk autoincr"` 11 11 + PublicKey string `xorm:"VARCHAR(100)"` 12 12 + PrivateKey []byte `xorm:"BLOB"` 13 13 + } 14 14 + 15 15 + return x.Sync(&PushMirror{}) 16 16 + }

+28

models/repo/pushmirror.go

reviewed

··· 13 13 "code.gitea.io/gitea/models/db" 14 14 "code.gitea.io/gitea/modules/git" 15 15 giturl "code.gitea.io/gitea/modules/git/url" 16 16 + "code.gitea.io/gitea/modules/keying" 16 17 "code.gitea.io/gitea/modules/log" 17 18 "code.gitea.io/gitea/modules/setting" 18 19 "code.gitea.io/gitea/modules/timeutil" ··· 31 32 Repo *Repository `xorm:"-"` 32 33 RemoteName string 33 34 RemoteAddress string `xorm:"VARCHAR(2048)"` 35 35 + 36 36 + // A keypair formatted in OpenSSH format. 37 37 + PublicKey string `xorm:"VARCHAR(100)"` 38 38 + PrivateKey []byte `xorm:"BLOB"` 34 39 35 40 SyncOnCommit bool `xorm:"NOT NULL DEFAULT true"` 36 41 Interval time.Duration ··· 80 85 // GetRemoteName returns the name of the remote. 81 86 func (m *PushMirror) GetRemoteName() string { 82 87 return m.RemoteName 88 88 + } 89 89 + 90 90 + // GetPublicKey returns a sanitized version of the public key. 91 91 + // This should only be used when displaying the public key to the user, not for actual code. 92 92 + func (m *PushMirror) GetPublicKey() string { 93 93 + return strings.TrimSuffix(m.PublicKey, "\n") 94 94 + } 95 95 + 96 96 + // SetPrivatekey encrypts the given private key and store it in the database. 97 97 + // The ID of the push mirror must be known, so this should be done after the 98 98 + // push mirror is inserted. 99 99 + func (m *PushMirror) SetPrivatekey(ctx context.Context, privateKey []byte) error { 100 100 + key := keying.DeriveKey(keying.ContextPushMirror) 101 101 + m.PrivateKey = key.Encrypt(privateKey, keying.ColumnAndID("private_key", m.ID)) 102 102 + 103 103 + _, err := db.GetEngine(ctx).ID(m.ID).Cols("private_key").Update(m) 104 104 + return err 105 105 + } 106 106 + 107 107 + // Privatekey retrieves the encrypted private key and decrypts it. 108 108 + func (m *PushMirror) Privatekey() ([]byte, error) { 109 109 + key := keying.DeriveKey(keying.ContextPushMirror) 110 110 + return key.Decrypt(m.PrivateKey, keying.ColumnAndID("private_key", m.ID)) 83 111 } 84 112 85 113 // UpdatePushMirror updates the push-mirror

+27

models/repo/pushmirror_test.go

reviewed

··· 50 50 return nil 51 51 }) 52 52 } 53 53 + 54 54 + func TestPushMirrorPrivatekey(t *testing.T) { 55 55 + require.NoError(t, unittest.PrepareTestDatabase()) 56 56 + 57 57 + m := &repo_model.PushMirror{ 58 58 + RemoteName: "test-privatekey", 59 59 + } 60 60 + require.NoError(t, db.Insert(db.DefaultContext, m)) 61 61 + 62 62 + privateKey := []byte{0x00, 0x01, 0x02, 0x04, 0x08, 0x10} 63 63 + t.Run("Set privatekey", func(t *testing.T) { 64 64 + require.NoError(t, m.SetPrivatekey(db.DefaultContext, privateKey)) 65 65 + }) 66 66 + 67 67 + t.Run("Normal retrieval", func(t *testing.T) { 68 68 + actualPrivateKey, err := m.Privatekey() 69 69 + require.NoError(t, err) 70 70 + assert.EqualValues(t, privateKey, actualPrivateKey) 71 71 + }) 72 72 + 73 73 + t.Run("Incorrect retrieval", func(t *testing.T) { 74 74 + m.ID++ 75 75 + actualPrivateKey, err := m.Privatekey() 76 76 + require.Error(t, err) 77 77 + assert.Empty(t, actualPrivateKey) 78 78 + }) 79 79 + }

+30 -6

modules/git/repo.go

reviewed

··· 1 1 // Copyright 2015 The Gogs Authors. All rights reserved. 2 2 // Copyright 2017 The Gitea Authors. All rights reserved. 3 3 + // Copyright 2024 The Forgejo Authors. All rights reserved. 3 4 // SPDX-License-Identifier: MIT 4 5 5 6 package git ··· 18 19 "time" 19 20 20 21 "code.gitea.io/gitea/modules/proxy" 22 22 + "code.gitea.io/gitea/modules/setting" 21 23 "code.gitea.io/gitea/modules/util" 22 24 ) 23 25 ··· 190 192 191 193 // PushOptions options when push to remote 192 194 type PushOptions struct { 193 193 - Remote string 194 194 - Branch string 195 195 - Force bool 196 196 - Mirror bool 197 197 - Env []string 198 198 - Timeout time.Duration 195 195 + Remote string 196 196 + Branch string 197 197 + Force bool 198 198 + Mirror bool 199 199 + Env []string 200 200 + Timeout time.Duration 201 201 + PrivateKeyPath string 199 202 } 200 203 201 204 // Push pushs local commits to given remote branch. 202 205 func Push(ctx context.Context, repoPath string, opts PushOptions) error { 203 206 cmd := NewCommand(ctx, "push") 207 207 + 208 208 + if opts.PrivateKeyPath != "" { 209 209 + // Preserve the behavior that existing environments are used if no 210 210 + // environments are passed. 211 211 + if len(opts.Env) == 0 { 212 212 + opts.Env = os.Environ() 213 213 + } 214 214 + 215 215 + // Use environment because it takes precedence over using -c core.sshcommand 216 216 + // and it's possible that a system might have an existing GIT_SSH_COMMAND 217 217 + // environment set. 218 218 + opts.Env = append(opts.Env, "GIT_SSH_COMMAND=ssh"+ 219 219 + fmt.Sprintf(` -i %s`, opts.PrivateKeyPath)+ 220 220 + " -o IdentitiesOnly=yes"+ 221 221 + // This will store new SSH host keys and verify connections to existing 222 222 + // host keys, but it doesn't allow replacement of existing host keys. This 223 223 + // means TOFU is used for Git over SSH pushes. 224 224 + " -o StrictHostKeyChecking=accept-new"+ 225 225 + " -o UserKnownHostsFile="+filepath.Join(setting.SSH.RootPath, "known_hosts")) 226 226 + } 227 227 + 204 228 if opts.Force { 205 229 cmd.AddArguments("-f") 206 230 }

+14

modules/keying/keying.go

reviewed

··· 18 18 import ( 19 19 "crypto/rand" 20 20 "crypto/sha256" 21 21 + "encoding/binary" 21 22 22 23 "golang.org/x/crypto/chacha20poly1305" 23 24 "golang.org/x/crypto/hkdf" ··· 43 44 // Specifies the context for which a subkey should be derived for. 44 45 // This must be a hardcoded string and must not be arbitrarily constructed. 45 46 type Context string 47 47 + 48 48 + // Used for the `push_mirror` table. 49 49 + var ContextPushMirror Context = "pushmirror" 46 50 47 51 // Derive *the* key for a given context, this is a determistic function. The 48 52 // same key will be provided for the same context. ··· 109 113 110 114 return e.Open(nil, nonce, ciphertext, additionalData) 111 115 } 116 116 + 117 117 + // ColumnAndID generates a context that can be used as additional context for 118 118 + // encrypting and decrypting data. It requires the column name and the row ID 119 119 + // (this requires to be known beforehand). Be careful when using this, as the 120 120 + // table name isn't part of this context. This means it's not bound to a 121 121 + // particular table. The table should be part of the context that the key was 122 122 + // derived for, in which case it binds through that. 123 123 + func ColumnAndID(column string, id int64) []byte { 124 124 + return binary.BigEndian.AppendUint64(append([]byte(column), ':'), uint64(id)) 125 125 + }

+15

modules/keying/keying_test.go

reviewed

··· 4 4 package keying_test 5 5 6 6 import ( 7 7 + "math" 7 8 "testing" 8 9 9 10 "code.gitea.io/gitea/modules/keying" ··· 94 95 }) 95 96 }) 96 97 } 98 98 + 99 99 + func TestKeyingColumnAndID(t *testing.T) { 100 100 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table", math.MinInt64)) 101 101 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table", -1)) 102 102 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table", 0)) 103 103 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, keying.ColumnAndID("table", 1)) 104 104 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table", math.MaxInt64)) 105 105 + 106 106 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table2", math.MinInt64)) 107 107 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table2", -1)) 108 108 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table2", 0)) 109 109 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, keying.ColumnAndID("table2", 1)) 110 110 + assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table2", math.MaxInt64)) 111 111 + }

modules/lfs/endpoint.go

reviewed

··· 60 60 case "git": 61 61 u.Scheme = "https" 62 62 return u 63 63 + case "ssh": 64 64 + u.Scheme = "https" 65 65 + u.User = nil 66 66 + return u 63 67 case "file": 64 68 return u 65 69 default:

modules/structs/mirror.go

reviewed

··· 12 12 RemotePassword string `json:"remote_password"` 13 13 Interval string `json:"interval"` 14 14 SyncOnCommit bool `json:"sync_on_commit"` 15 15 + UseSSH bool `json:"use_ssh"` 15 16 } 16 17 17 18 // PushMirror represents information of a push mirror ··· 27 28 LastError string `json:"last_error"` 28 29 Interval string `json:"interval"` 29 30 SyncOnCommit bool `json:"sync_on_commit"` 31 31 + PublicKey string `json:"public_key"` 30 32 }

+24

modules/util/util.go

reviewed

··· 1 1 // Copyright 2017 The Gitea Authors. All rights reserved. 2 2 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 3 // SPDX-License-Identifier: MIT 3 4 4 5 package util 5 6 6 7 import ( 7 8 "bytes" 9 9 + "crypto/ed25519" 8 10 "crypto/rand" 11 11 + "encoding/pem" 9 12 "fmt" 10 13 "math/big" 11 14 "strconv" ··· 13 16 14 17 "code.gitea.io/gitea/modules/optional" 15 18 19 19 + "golang.org/x/crypto/ssh" 16 20 "golang.org/x/text/cases" 17 21 "golang.org/x/text/language" 18 22 ) ··· 229 233 // Other than this, we should respect the original content, even leading or trailing spaces. 230 234 return strings.ReplaceAll(input, "\r\n", "\n") 231 235 } 236 236 + 237 237 + // GenerateSSHKeypair generates a ed25519 SSH-compatible keypair. 238 238 + func GenerateSSHKeypair() (publicKey, privateKey []byte, err error) { 239 239 + public, private, err := ed25519.GenerateKey(nil) 240 240 + if err != nil { 241 241 + return nil, nil, fmt.Errorf("ed25519.GenerateKey: %w", err) 242 242 + } 243 243 + 244 244 + privPEM, err := ssh.MarshalPrivateKey(private, "") 245 245 + if err != nil { 246 246 + return nil, nil, fmt.Errorf("ssh.MarshalPrivateKey: %w", err) 247 247 + } 248 248 + 249 249 + sshPublicKey, err := ssh.NewPublicKey(public) 250 250 + if err != nil { 251 251 + return nil, nil, fmt.Errorf("ssh.NewPublicKey: %w", err) 252 252 + } 253 253 + 254 254 + return ssh.MarshalAuthorizedKey(sshPublicKey), pem.EncodeToMemory(privPEM), nil 255 255 + }

+76 -42

modules/util/util_test.go

reviewed

··· 1 1 // Copyright 2018 The Gitea Authors. All rights reserved. 2 2 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 3 // SPDX-License-Identifier: MIT 3 4 4 4 - package util 5 5 + package util_test 5 6 6 7 import ( 8 8 + "bytes" 9 9 + "crypto/rand" 7 10 "regexp" 8 11 "strings" 9 12 "testing" 10 13 11 14 "code.gitea.io/gitea/modules/optional" 15 15 + "code.gitea.io/gitea/modules/test" 16 16 + "code.gitea.io/gitea/modules/util" 12 17 13 18 "github.com/stretchr/testify/assert" 14 19 "github.com/stretchr/testify/require" ··· 43 48 newTest("/a/b/c#hash", 44 49 "/a", "b/c#hash"), 45 50 } { 46 46 - assert.Equal(t, test.Expected, URLJoin(test.Base, test.Elements...)) 51 51 + assert.Equal(t, test.Expected, util.URLJoin(test.Base, test.Elements...)) 47 52 } 48 53 } 49 54 ··· 59 64 } 60 65 61 66 for _, v := range cases { 62 62 - assert.Equal(t, v.expected, IsEmptyString(v.s)) 67 67 + assert.Equal(t, v.expected, util.IsEmptyString(v.s)) 63 68 } 64 69 } 65 70 ··· 100 105 unix := buildEOLData(data1, "\n") 101 106 mac := buildEOLData(data1, "\r") 102 107 103 103 - assert.Equal(t, unix, NormalizeEOL(dos)) 104 104 - assert.Equal(t, unix, NormalizeEOL(mac)) 105 105 - assert.Equal(t, unix, NormalizeEOL(unix)) 108 108 + assert.Equal(t, unix, util.NormalizeEOL(dos)) 109 109 + assert.Equal(t, unix, util.NormalizeEOL(mac)) 110 110 + assert.Equal(t, unix, util.NormalizeEOL(unix)) 106 111 107 112 dos = buildEOLData(data2, "\r\n") 108 113 unix = buildEOLData(data2, "\n") 109 114 mac = buildEOLData(data2, "\r") 110 115 111 111 - assert.Equal(t, unix, NormalizeEOL(dos)) 112 112 - assert.Equal(t, unix, NormalizeEOL(mac)) 113 113 - assert.Equal(t, unix, NormalizeEOL(unix)) 116 116 + assert.Equal(t, unix, util.NormalizeEOL(dos)) 117 117 + assert.Equal(t, unix, util.NormalizeEOL(mac)) 118 118 + assert.Equal(t, unix, util.NormalizeEOL(unix)) 114 119 115 115 - assert.Equal(t, []byte("one liner"), NormalizeEOL([]byte("one liner"))) 116 116 - assert.Equal(t, []byte("\n"), NormalizeEOL([]byte("\n"))) 117 117 - assert.Equal(t, []byte("\ntwo liner"), NormalizeEOL([]byte("\ntwo liner"))) 118 118 - assert.Equal(t, []byte("two liner\n"), NormalizeEOL([]byte("two liner\n"))) 119 119 - assert.Equal(t, []byte{}, NormalizeEOL([]byte{})) 120 120 + assert.Equal(t, []byte("one liner"), util.NormalizeEOL([]byte("one liner"))) 121 121 + assert.Equal(t, []byte("\n"), util.NormalizeEOL([]byte("\n"))) 122 122 + assert.Equal(t, []byte("\ntwo liner"), util.NormalizeEOL([]byte("\ntwo liner"))) 123 123 + assert.Equal(t, []byte("two liner\n"), util.NormalizeEOL([]byte("two liner\n"))) 124 124 + assert.Equal(t, []byte{}, util.NormalizeEOL([]byte{})) 120 125 121 121 - assert.Equal(t, []byte("mix\nand\nmatch\n."), NormalizeEOL([]byte("mix\r\nand\rmatch\n."))) 126 126 + assert.Equal(t, []byte("mix\nand\nmatch\n."), util.NormalizeEOL([]byte("mix\r\nand\rmatch\n."))) 122 127 } 123 128 124 129 func Test_RandomInt(t *testing.T) { 125 125 - randInt, err := CryptoRandomInt(255) 130 130 + randInt, err := util.CryptoRandomInt(255) 126 131 assert.GreaterOrEqual(t, randInt, int64(0)) 127 132 assert.LessOrEqual(t, randInt, int64(255)) 128 133 require.NoError(t, err) 129 134 } 130 135 131 136 func Test_RandomString(t *testing.T) { 132 132 - str1, err := CryptoRandomString(32) 137 137 + str1, err := util.CryptoRandomString(32) 133 138 require.NoError(t, err) 134 139 matches, err := regexp.MatchString(`^[a-zA-Z0-9]{32}$`, str1) 135 140 require.NoError(t, err) 136 141 assert.True(t, matches) 137 142 138 138 - str2, err := CryptoRandomString(32) 143 143 + str2, err := util.CryptoRandomString(32) 139 144 require.NoError(t, err) 140 145 matches, err = regexp.MatchString(`^[a-zA-Z0-9]{32}$`, str1) 141 146 require.NoError(t, err) ··· 143 148 144 149 assert.NotEqual(t, str1, str2) 145 150 146 146 - str3, err := CryptoRandomString(256) 151 151 + str3, err := util.CryptoRandomString(256) 147 152 require.NoError(t, err) 148 153 matches, err = regexp.MatchString(`^[a-zA-Z0-9]{256}$`, str3) 149 154 require.NoError(t, err) 150 155 assert.True(t, matches) 151 156 152 152 - str4, err := CryptoRandomString(256) 157 157 + str4, err := util.CryptoRandomString(256) 153 158 require.NoError(t, err) 154 159 matches, err = regexp.MatchString(`^[a-zA-Z0-9]{256}$`, str4) 155 160 require.NoError(t, err) ··· 159 164 } 160 165 161 166 func Test_RandomBytes(t *testing.T) { 162 162 - bytes1, err := CryptoRandomBytes(32) 167 167 + bytes1, err := util.CryptoRandomBytes(32) 163 168 require.NoError(t, err) 164 169 165 165 - bytes2, err := CryptoRandomBytes(32) 170 170 + bytes2, err := util.CryptoRandomBytes(32) 166 171 require.NoError(t, err) 167 172 168 173 assert.NotEqual(t, bytes1, bytes2) 169 174 170 170 - bytes3, err := CryptoRandomBytes(256) 175 175 + bytes3, err := util.CryptoRandomBytes(256) 171 176 require.NoError(t, err) 172 177 173 173 - bytes4, err := CryptoRandomBytes(256) 178 178 + bytes4, err := util.CryptoRandomBytes(256) 174 179 require.NoError(t, err) 175 180 176 181 assert.NotEqual(t, bytes3, bytes4) 177 182 } 178 183 179 184 func TestOptionalBoolParse(t *testing.T) { 180 180 - assert.Equal(t, optional.None[bool](), OptionalBoolParse("")) 181 181 - assert.Equal(t, optional.None[bool](), OptionalBoolParse("x")) 185 185 + assert.Equal(t, optional.None[bool](), util.OptionalBoolParse("")) 186 186 + assert.Equal(t, optional.None[bool](), util.OptionalBoolParse("x")) 182 187 183 183 - assert.Equal(t, optional.Some(false), OptionalBoolParse("0")) 184 184 - assert.Equal(t, optional.Some(false), OptionalBoolParse("f")) 185 185 - assert.Equal(t, optional.Some(false), OptionalBoolParse("False")) 188 188 + assert.Equal(t, optional.Some(false), util.OptionalBoolParse("0")) 189 189 + assert.Equal(t, optional.Some(false), util.OptionalBoolParse("f")) 190 190 + assert.Equal(t, optional.Some(false), util.OptionalBoolParse("False")) 186 191 187 187 - assert.Equal(t, optional.Some(true), OptionalBoolParse("1")) 188 188 - assert.Equal(t, optional.Some(true), OptionalBoolParse("t")) 189 189 - assert.Equal(t, optional.Some(true), OptionalBoolParse("True")) 192 192 + assert.Equal(t, optional.Some(true), util.OptionalBoolParse("1")) 193 193 + assert.Equal(t, optional.Some(true), util.OptionalBoolParse("t")) 194 194 + assert.Equal(t, optional.Some(true), util.OptionalBoolParse("True")) 190 195 } 191 196 192 197 // Test case for any function which accepts and returns a single string. ··· 209 214 210 215 func TestToUpperASCII(t *testing.T) { 211 216 for _, tc := range upperTests { 212 212 - assert.Equal(t, ToUpperASCII(tc.in), tc.out) 217 217 + assert.Equal(t, util.ToUpperASCII(tc.in), tc.out) 213 218 } 214 219 } 215 220 ··· 217 222 for _, tc := range upperTests { 218 223 b.Run(tc.in, func(b *testing.B) { 219 224 for i := 0; i < b.N; i++ { 220 220 - ToUpperASCII(tc.in) 225 225 + util.ToUpperASCII(tc.in) 221 226 } 222 227 }) 223 228 } 224 229 } 225 230 226 231 func TestToTitleCase(t *testing.T) { 227 227 - assert.Equal(t, `Foo Bar Baz`, ToTitleCase(`foo bar baz`)) 228 228 - assert.Equal(t, `Foo Bar Baz`, ToTitleCase(`FOO BAR BAZ`)) 232 232 + assert.Equal(t, `Foo Bar Baz`, util.ToTitleCase(`foo bar baz`)) 233 233 + assert.Equal(t, `Foo Bar Baz`, util.ToTitleCase(`FOO BAR BAZ`)) 229 234 } 230 235 231 236 func TestToPointer(t *testing.T) { 232 232 - assert.Equal(t, "abc", *ToPointer("abc")) 233 233 - assert.Equal(t, 123, *ToPointer(123)) 237 237 + assert.Equal(t, "abc", *util.ToPointer("abc")) 238 238 + assert.Equal(t, 123, *util.ToPointer(123)) 234 239 abc := "abc" 235 235 - assert.NotSame(t, &abc, ToPointer(abc)) 240 240 + assert.NotSame(t, &abc, util.ToPointer(abc)) 236 241 val123 := 123 237 237 - assert.NotSame(t, &val123, ToPointer(val123)) 242 242 + assert.NotSame(t, &val123, util.ToPointer(val123)) 238 243 } 239 244 240 245 func TestReserveLineBreakForTextarea(t *testing.T) { 241 241 - assert.Equal(t, "test\ndata", ReserveLineBreakForTextarea("test\r\ndata")) 242 242 - assert.Equal(t, "test\ndata\n", ReserveLineBreakForTextarea("test\r\ndata\r\n")) 246 246 + assert.Equal(t, "test\ndata", util.ReserveLineBreakForTextarea("test\r\ndata")) 247 247 + assert.Equal(t, "test\ndata\n", util.ReserveLineBreakForTextarea("test\r\ndata\r\n")) 248 248 + } 249 249 + 250 250 + const ( 251 251 + testPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOhB7/zzhC+HXDdGOdLwJln5NYwm6UNXx3chmQSVTG4\n" 252 252 + testPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY----- 253 253 + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz 254 254 + c2gtZWQyNTUxOQAAACADoQe/884Qvh1w3RjnS8CZZ+TWMJulDV8d3IZkElUxuAAA 255 255 + AIggISIjICEiIwAAAAtzc2gtZWQyNTUxOQAAACADoQe/884Qvh1w3RjnS8CZZ+TW 256 256 + MJulDV8d3IZkElUxuAAAAEAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0e 257 257 + HwOhB7/zzhC+HXDdGOdLwJln5NYwm6UNXx3chmQSVTG4AAAAAAECAwQF 258 258 + -----END OPENSSH PRIVATE KEY-----` + "\n" 259 259 + ) 260 260 + 261 261 + func TestGeneratingEd25519Keypair(t *testing.T) { 262 262 + defer test.MockProtect(&rand.Reader)() 263 263 + 264 264 + // Only 32 bytes needs to be provided to generate a ed25519 keypair. 265 265 + // And another 32 bytes are required, which is included as random value 266 266 + // in the OpenSSH format. 267 267 + b := make([]byte, 64) 268 268 + for i := 0; i < 64; i++ { 269 269 + b[i] = byte(i) 270 270 + } 271 271 + rand.Reader = bytes.NewReader(b) 272 272 + 273 273 + publicKey, privateKey, err := util.GenerateSSHKeypair() 274 274 + require.NoError(t, err) 275 275 + assert.EqualValues(t, testPublicKey, string(publicKey)) 276 276 + assert.EqualValues(t, testPrivateKey, string(privateKey)) 243 277 }

options/locale/locale_en-US.ini

reviewed

··· 1102 1102 mirror_prune_desc = Remove obsolete remote-tracking references 1103 1103 mirror_interval = Mirror interval (valid time units are "h", "m", "s"). 0 to disable periodic sync. (Minimum interval: %s) 1104 1104 mirror_interval_invalid = The mirror interval is not valid. 1105 1105 + mirror_public_key = Public SSH key 1106 1106 + mirror_use_ssh.text = Use SSH authentication 1107 1107 + mirror_use_ssh.helper = Forgejo will mirror the repository via Git over SSH and create a keypair for you when you select this option. You must ensure that the generated public key is authorized to push to the destination repository. You cannot use password-based authorization when selecting this. 1108 1108 + mirror_denied_combination = Cannot use public key and password based authentication in combination. 1105 1109 mirror_sync = synced 1106 1110 mirror_sync_on_commit = Sync when commits are pushed 1107 1111 mirror_address = Clone from URL ··· 2177 2181 settings.mirror_settings.push_mirror.remote_url = Git remote repository URL 2178 2182 settings.mirror_settings.push_mirror.add = Add push mirror 2179 2183 settings.mirror_settings.push_mirror.edit_sync_time = Edit mirror sync interval 2184 2184 + settings.mirror_settings.push_mirror.none = None 2180 2185 2181 2186 settings.units.units = Repository units 2182 2187 settings.units.overview = Overview 2183 2188 settings.units.add_more = Add more... 2184 2189 2185 2190 settings.sync_mirror = Synchronize now 2191 2191 + settings.mirror_settings.push_mirror.copy_public_key = Copy public key 2186 2192 settings.pull_mirror_sync_in_progress = Pulling changes from the remote %s at the moment. 2187 2193 settings.pull_mirror_sync_quota_exceeded = Quota exceeded, not pulling changes. 2188 2194 settings.push_mirror_sync_in_progress = Pushing changes to the remote %s at the moment.

release-notes/4819.md

reviewed

··· 1 1 + Allow push mirrors to use a SSH key as the authentication method for the mirroring action instead of using user:password authentication. The SSH keypair is created by Forgejo and the destination repository must be configured with the public key to allow for push over SSH.

+24 -1

routers/api/v1/repo/mirror.go

reviewed

··· 350 350 return 351 351 } 352 352 353 353 + if mirrorOption.UseSSH && (mirrorOption.RemoteUsername != "" || mirrorOption.RemotePassword != "") { 354 354 + ctx.Error(http.StatusBadRequest, "CreatePushMirror", "'use_ssh' is mutually exclusive with 'remote_username' and 'remote_passoword'") 355 355 + return 356 356 + } 357 357 + 353 358 address, err := forms.ParseRemoteAddr(mirrorOption.RemoteAddress, mirrorOption.RemoteUsername, mirrorOption.RemotePassword) 354 359 if err == nil { 355 360 err = migrations.IsMigrateURLAllowed(address, ctx.ContextUser) ··· 365 370 return 366 371 } 367 372 368 368 - remoteAddress, err := util.SanitizeURL(mirrorOption.RemoteAddress) 373 373 + remoteAddress, err := util.SanitizeURL(address) 369 374 if err != nil { 370 375 ctx.ServerError("SanitizeURL", err) 371 376 return ··· 380 385 RemoteAddress: remoteAddress, 381 386 } 382 387 388 388 + var plainPrivateKey []byte 389 389 + if mirrorOption.UseSSH { 390 390 + publicKey, privateKey, err := util.GenerateSSHKeypair() 391 391 + if err != nil { 392 392 + ctx.ServerError("GenerateSSHKeypair", err) 393 393 + return 394 394 + } 395 395 + plainPrivateKey = privateKey 396 396 + pushMirror.PublicKey = string(publicKey) 397 397 + } 398 398 + 383 399 if err = db.Insert(ctx, pushMirror); err != nil { 384 400 ctx.ServerError("InsertPushMirror", err) 385 401 return 402 402 + } 403 403 + 404 404 + if mirrorOption.UseSSH { 405 405 + if err = pushMirror.SetPrivatekey(ctx, plainPrivateKey); err != nil { 406 406 + ctx.ServerError("SetPrivatekey", err) 407 407 + return 408 408 + } 386 409 } 387 410 388 411 // if the registration of the push mirrorOption fails remove it from the database

+27 -3

routers/web/repo/setting/setting.go

reviewed

··· 478 478 ctx.ServerError("UpdateAddress", err) 479 479 return 480 480 } 481 481 - 482 482 - remoteAddress, err := util.SanitizeURL(form.MirrorAddress) 481 481 + remoteAddress, err := util.SanitizeURL(address) 483 482 if err != nil { 484 483 ctx.ServerError("SanitizeURL", err) 485 484 return ··· 638 637 return 639 638 } 640 639 640 640 + if form.PushMirrorUseSSH && (form.PushMirrorUsername != "" || form.PushMirrorPassword != "") { 641 641 + ctx.Data["Err_PushMirrorUseSSH"] = true 642 642 + ctx.RenderWithErr(ctx.Tr("repo.mirror_denied_combination"), tplSettingsOptions, &form) 643 643 + return 644 644 + } 645 645 + 641 646 address, err := forms.ParseRemoteAddr(form.PushMirrorAddress, form.PushMirrorUsername, form.PushMirrorPassword) 642 647 if err == nil { 643 648 err = migrations.IsMigrateURLAllowed(address, ctx.Doer) ··· 654 659 return 655 660 } 656 661 657 657 - remoteAddress, err := util.SanitizeURL(form.PushMirrorAddress) 662 662 + remoteAddress, err := util.SanitizeURL(address) 658 663 if err != nil { 659 664 ctx.ServerError("SanitizeURL", err) 660 665 return ··· 668 673 Interval: interval, 669 674 RemoteAddress: remoteAddress, 670 675 } 676 676 + 677 677 + var plainPrivateKey []byte 678 678 + if form.PushMirrorUseSSH { 679 679 + publicKey, privateKey, err := util.GenerateSSHKeypair() 680 680 + if err != nil { 681 681 + ctx.ServerError("GenerateSSHKeypair", err) 682 682 + return 683 683 + } 684 684 + plainPrivateKey = privateKey 685 685 + m.PublicKey = string(publicKey) 686 686 + } 687 687 + 671 688 if err := db.Insert(ctx, m); err != nil { 672 689 ctx.ServerError("InsertPushMirror", err) 673 690 return 691 691 + } 692 692 + 693 693 + if form.PushMirrorUseSSH { 694 694 + if err := m.SetPrivatekey(ctx, plainPrivateKey); err != nil { 695 695 + ctx.ServerError("SetPrivatekey", err) 696 696 + return 697 697 + } 674 698 } 675 699 676 700 if err := mirror_service.AddPushMirrorRemote(ctx, m, address); err != nil {

services/convert/mirror.go

reviewed

··· 22 22 LastError: pm.LastError, 23 23 Interval: pm.Interval.String(), 24 24 SyncOnCommit: pm.SyncOnCommit, 25 25 + PublicKey: pm.GetPublicKey(), 25 26 }, nil 26 27 }

+15 -1

services/forms/repo_form.go

reviewed

··· 6 6 package forms 7 7 8 8 import ( 9 9 + "fmt" 9 10 "net/http" 10 11 "net/url" 12 12 + "regexp" 11 13 "strings" 12 14 13 15 "code.gitea.io/gitea/models" ··· 88 90 return middleware.Validate(errs, ctx.Data, f, ctx.Locale) 89 91 } 90 92 93 93 + // scpRegex matches the SCP-like addresses used by Git to access repositories over SSH. 94 94 + var scpRegex = regexp.MustCompile(`^([a-zA-Z0-9_]+)@([a-zA-Z0-9._-]+):(.*)$`) 95 95 + 91 96 // ParseRemoteAddr checks if given remote address is valid, 92 97 // and returns composed URL with needed username and password. 93 98 func ParseRemoteAddr(remoteAddr, authUsername, authPassword string) (string, error) { ··· 103 108 if len(authUsername)+len(authPassword) > 0 { 104 109 u.User = url.UserPassword(authUsername, authPassword) 105 110 } 106 106 - remoteAddr = u.String() 111 111 + return u.String(), nil 112 112 + } 113 113 + 114 114 + // Detect SCP-like remote addresses and return host. 115 115 + if m := scpRegex.FindStringSubmatch(remoteAddr); m != nil { 116 116 + // Match SCP-like syntax and convert it to a URL. 117 117 + // Eg, "git@forgejo.org:user/repo" becomes 118 118 + // "ssh://git@forgejo.org/user/repo". 119 119 + return fmt.Sprintf("ssh://%s@%s/%s", url.User(m[1]), m[2], m[3]), nil 107 120 } 108 121 109 122 return remoteAddr, nil ··· 127 140 PushMirrorPassword string 128 141 PushMirrorSyncOnCommit bool 129 142 PushMirrorInterval string 143 143 + PushMirrorUseSSH bool 130 144 Private bool 131 145 Template bool 132 146 EnablePrune bool

+1 -1

services/migrations/migrate.go

reviewed

··· 71 71 return &models.ErrInvalidCloneAddr{Host: u.Host, IsURLError: true} 72 72 } 73 73 74 74 - if u.Opaque != "" || u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" && u.Scheme != "git" { 74 74 + if u.Opaque != "" || u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" && u.Scheme != "git" && u.Scheme != "ssh" { 75 75 return &models.ErrInvalidCloneAddr{Host: u.Host, IsProtocolInvalid: true, IsPermissionDenied: true, IsURLError: true} 76 76 } 77 77

+37 -4

services/mirror/mirror_push.go

reviewed

··· 8 8 "errors" 9 9 "fmt" 10 10 "io" 11 11 + "os" 11 12 "regexp" 12 13 "strings" 13 14 "time" ··· 169 170 170 171 log.Trace("Pushing %s mirror[%d] remote %s", path, m.ID, m.RemoteName) 171 172 173 173 + // OpenSSH isn't very intuitive when you want to specify a specific keypair. 174 174 + // Therefore, we need to create a temporary file that stores the private key, so that OpenSSH can use it. 175 175 + // We delete the the temporary file afterwards. 176 176 + privateKeyPath := "" 177 177 + if m.PublicKey != "" { 178 178 + f, err := os.CreateTemp(os.TempDir(), m.RemoteName) 179 179 + if err != nil { 180 180 + log.Error("os.CreateTemp: %v", err) 181 181 + return errors.New("unexpected error") 182 182 + } 183 183 + 184 184 + defer func() { 185 185 + f.Close() 186 186 + if err := os.Remove(f.Name()); err != nil { 187 187 + log.Error("os.Remove: %v", err) 188 188 + } 189 189 + }() 190 190 + 191 191 + privateKey, err := m.Privatekey() 192 192 + if err != nil { 193 193 + log.Error("Privatekey: %v", err) 194 194 + return errors.New("unexpected error") 195 195 + } 196 196 + 197 197 + if _, err := f.Write(privateKey); err != nil { 198 198 + log.Error("f.Write: %v", err) 199 199 + return errors.New("unexpected error") 200 200 + } 201 201 + 202 202 + privateKeyPath = f.Name() 203 203 + } 172 204 if err := git.Push(ctx, path, git.PushOptions{ 173 173 - Remote: m.RemoteName, 174 174 - Force: true, 175 175 - Mirror: true, 176 176 - Timeout: timeout, 205 205 + Remote: m.RemoteName, 206 206 + Force: true, 207 207 + Mirror: true, 208 208 + Timeout: timeout, 209 209 + PrivateKeyPath: privateKeyPath, 177 210 }); err != nil { 178 211 log.Error("Error pushing %s mirror[%d] remote %s: %v", path, m.ID, m.RemoteName, err) 179 212

+12 -2

templates/repo/settings/options.tmpl

reviewed

··· 136 136 <th class="tw-w-2/5">{{ctx.Locale.Tr "repo.settings.mirror_settings.mirrored_repository"}}</th> 137 137 <th>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction"}}</th> 138 138 <th>{{ctx.Locale.Tr "repo.settings.mirror_settings.last_update"}}</th> 139 139 + <th>{{ctx.Locale.Tr "repo.mirror_public_key"}}</th> 139 140 <th></th> 140 141 </tr> 141 142 </thead> ··· 233 234 <th class="tw-w-2/5">{{ctx.Locale.Tr "repo.settings.mirror_settings.pushed_repository"}}</th> 234 235 <th>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction"}}</th> 235 236 <th>{{ctx.Locale.Tr "repo.settings.mirror_settings.last_update"}}</th> 237 237 + <th>{{ctx.Locale.Tr "repo.mirror_public_key"}}</th> 236 238 <th></th> 237 239 </tr> 238 240 </thead> ··· 242 244 <td class="tw-break-anywhere">{{.RemoteAddress}}</td> 243 245 <td>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction.push"}}</td> 244 246 <td>{{if .LastUpdateUnix}}{{DateTime "full" .LastUpdateUnix}}{{else}}{{ctx.Locale.Tr "never"}}{{end}} {{if .LastError}}<div class="ui red label" data-tooltip-content="{{.LastError}}">{{ctx.Locale.Tr "error"}}</div>{{end}}</td> 245 245 - <td class="right aligned"> 247 247 + <td>{{if not (eq (len .GetPublicKey) 0)}}<a data-clipboard-text="{{.GetPublicKey}}">{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.copy_public_key"}}</a>{{else}}{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.none"}}{{end}}</td> 248 248 + <td class="right aligned df"> 246 249 <button 247 250 class="ui tiny button show-modal" 248 251 data-modal="#push-mirror-edit-modal" ··· 274 277 {{end}} 275 278 {{if (not .DisableNewPushMirrors)}} 276 279 <tr> 277 277 - <td colspan="4"> 280 280 + <td colspan="5"> 278 281 <form class="ui form" method="post"> 279 282 {{template "base/disable_form_autofill"}} 280 283 {{.CsrfTokenHtml}} ··· 296 299 <div class="inline field {{if .Err_PushMirrorAuth}}error{{end}}"> 297 300 <label for="push_mirror_password">{{ctx.Locale.Tr "password"}}</label> 298 301 <input id="push_mirror_password" name="push_mirror_password" type="password" value="{{.push_mirror_password}}" autocomplete="off"> 302 302 + </div> 303 303 + <div class="inline field {{if .Err_PushMirrorUseSSH}}error{{end}}"> 304 304 + <div class="ui checkbox df ac"> 305 305 + <input id="push_mirror_use_ssh" name="push_mirror_use_ssh" type="checkbox" {{if .push_mirror_use_ssh}}checked{{end}}> 306 306 + <label for="push_mirror_use_ssh" class="inline">{{ctx.Locale.Tr "repo.mirror_use_ssh.text"}}</label> 307 307 + <span class="help tw-block">{{ctx.Locale.Tr "repo.mirror_use_ssh.helper"}} 308 308 + </div> 299 309 </div> 300 310 </div> 301 311 </details>

templates/swagger/v1_json.tmpl

reviewed

··· 21529 21529 "sync_on_commit": { 21530 21530 "type": "boolean", 21531 21531 "x-go-name": "SyncOnCommit" 21532 21532 + }, 21533 21533 + "use_ssh": { 21534 21534 + "type": "boolean", 21535 21535 + "x-go-name": "UseSSH" 21532 21536 } 21533 21537 }, 21534 21538 "x-go-package": "code.gitea.io/gitea/modules/structs" ··· 25324 25328 "type": "string", 25325 25329 "format": "date-time", 25326 25330 "x-go-name": "LastUpdateUnix" 25331 25331 + }, 25332 25332 + "public_key": { 25333 25333 + "type": "string", 25334 25334 + "x-go-name": "PublicKey" 25327 25335 }, 25328 25336 "remote_address": { 25329 25337 "type": "string",

+136

tests/integration/api_push_mirror_test.go

reviewed

··· 7 7 "context" 8 8 "errors" 9 9 "fmt" 10 10 + "net" 10 11 "net/http" 11 12 "net/url" 13 13 + "os" 14 14 + "path/filepath" 15 15 + "strconv" 12 16 "testing" 17 17 + "time" 13 18 19 19 + asymkey_model "code.gitea.io/gitea/models/asymkey" 14 20 auth_model "code.gitea.io/gitea/models/auth" 15 21 "code.gitea.io/gitea/models/db" 16 22 repo_model "code.gitea.io/gitea/models/repo" 23 23 + "code.gitea.io/gitea/models/unit" 17 24 "code.gitea.io/gitea/models/unittest" 18 25 user_model "code.gitea.io/gitea/models/user" 26 26 + "code.gitea.io/gitea/modules/optional" 19 27 "code.gitea.io/gitea/modules/setting" 20 28 api "code.gitea.io/gitea/modules/structs" 21 29 "code.gitea.io/gitea/modules/test" 22 30 "code.gitea.io/gitea/services/migrations" 23 31 mirror_service "code.gitea.io/gitea/services/mirror" 24 32 repo_service "code.gitea.io/gitea/services/repository" 33 33 + "code.gitea.io/gitea/tests" 25 34 26 35 "github.com/stretchr/testify/assert" 27 36 "github.com/stretchr/testify/require" ··· 130 139 }) 131 140 } 132 141 } 142 142 + 143 143 + func TestAPIPushMirrorSSH(t *testing.T) { 144 144 + onGiteaRun(t, func(t *testing.T, _ *url.URL) { 145 145 + defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)() 146 146 + defer test.MockVariableValue(&setting.Mirror.Enabled, true)() 147 147 + defer test.MockVariableValue(&setting.SSH.RootPath, t.TempDir())() 148 148 + require.NoError(t, migrations.Init()) 149 149 + 150 150 + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) 151 151 + srcRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}) 152 152 + assert.False(t, srcRepo.HasWiki()) 153 153 + session := loginUser(t, user.Name) 154 154 + token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository) 155 155 + pushToRepo, _, f := CreateDeclarativeRepoWithOptions(t, user, DeclarativeRepoOptions{ 156 156 + Name: optional.Some("push-mirror-test"), 157 157 + AutoInit: optional.Some(false), 158 158 + EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}), 159 159 + }) 160 160 + defer f() 161 161 + 162 162 + sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName()) 163 163 + 164 164 + t.Run("Mutual exclusive", func(t *testing.T) { 165 165 + defer tests.PrintCurrentTest(t)() 166 166 + 167 167 + req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/push_mirrors", srcRepo.FullName()), &api.CreatePushMirrorOption{ 168 168 + RemoteAddress: sshURL, 169 169 + Interval: "8h", 170 170 + UseSSH: true, 171 171 + RemoteUsername: "user", 172 172 + RemotePassword: "password", 173 173 + }).AddTokenAuth(token) 174 174 + resp := MakeRequest(t, req, http.StatusBadRequest) 175 175 + 176 176 + var apiError api.APIError 177 177 + DecodeJSON(t, resp, &apiError) 178 178 + assert.EqualValues(t, "'use_ssh' is mutually exclusive with 'remote_username' and 'remote_passoword'", apiError.Message) 179 179 + }) 180 180 + 181 181 + t.Run("Normal", func(t *testing.T) { 182 182 + var pushMirror *repo_model.PushMirror 183 183 + t.Run("Adding", func(t *testing.T) { 184 184 + defer tests.PrintCurrentTest(t)() 185 185 + 186 186 + req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/push_mirrors", srcRepo.FullName()), &api.CreatePushMirrorOption{ 187 187 + RemoteAddress: sshURL, 188 188 + Interval: "8h", 189 189 + UseSSH: true, 190 190 + }).AddTokenAuth(token) 191 191 + MakeRequest(t, req, http.StatusOK) 192 192 + 193 193 + pushMirror = unittest.AssertExistsAndLoadBean(t, &repo_model.PushMirror{RepoID: srcRepo.ID}) 194 194 + assert.NotEmpty(t, pushMirror.PrivateKey) 195 195 + assert.NotEmpty(t, pushMirror.PublicKey) 196 196 + }) 197 197 + 198 198 + publickey := pushMirror.GetPublicKey() 199 199 + t.Run("Publickey", func(t *testing.T) { 200 200 + defer tests.PrintCurrentTest(t)() 201 201 + 202 202 + req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/push_mirrors", srcRepo.FullName())).AddTokenAuth(token) 203 203 + resp := MakeRequest(t, req, http.StatusOK) 204 204 + 205 205 + var pushMirrors []*api.PushMirror 206 206 + DecodeJSON(t, resp, &pushMirrors) 207 207 + assert.Len(t, pushMirrors, 1) 208 208 + assert.EqualValues(t, publickey, pushMirrors[0].PublicKey) 209 209 + }) 210 210 + 211 211 + t.Run("Add deploy key", func(t *testing.T) { 212 212 + defer tests.PrintCurrentTest(t)() 213 213 + 214 214 + req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/keys", pushToRepo.FullName()), &api.CreateKeyOption{ 215 215 + Title: "push mirror key", 216 216 + Key: publickey, 217 217 + ReadOnly: false, 218 218 + }).AddTokenAuth(token) 219 219 + MakeRequest(t, req, http.StatusCreated) 220 220 + 221 221 + unittest.AssertExistsAndLoadBean(t, &asymkey_model.DeployKey{Name: "push mirror key", RepoID: pushToRepo.ID}) 222 222 + }) 223 223 + 224 224 + t.Run("Synchronize", func(t *testing.T) { 225 225 + defer tests.PrintCurrentTest(t)() 226 226 + 227 227 + req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/push_mirrors-sync", srcRepo.FullName())).AddTokenAuth(token) 228 228 + MakeRequest(t, req, http.StatusOK) 229 229 + }) 230 230 + 231 231 + t.Run("Check mirrored content", func(t *testing.T) { 232 232 + defer tests.PrintCurrentTest(t)() 233 233 + sha := "1032bbf17fbc0d9c95bb5418dabe8f8c99278700" 234 234 + 235 235 + req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/commits?limit=1", srcRepo.FullName())).AddTokenAuth(token) 236 236 + resp := MakeRequest(t, req, http.StatusOK) 237 237 + 238 238 + var commitList []*api.Commit 239 239 + DecodeJSON(t, resp, &commitList) 240 240 + 241 241 + assert.Len(t, commitList, 1) 242 242 + assert.EqualValues(t, sha, commitList[0].SHA) 243 243 + 244 244 + assert.Eventually(t, func() bool { 245 245 + req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/commits?limit=1", srcRepo.FullName())).AddTokenAuth(token) 246 246 + resp := MakeRequest(t, req, http.StatusOK) 247 247 + 248 248 + var commitList []*api.Commit 249 249 + DecodeJSON(t, resp, &commitList) 250 250 + 251 251 + return len(commitList) != 0 && commitList[0].SHA == sha 252 252 + }, time.Second*30, time.Second) 253 253 + }) 254 254 + 255 255 + t.Run("Check known host keys", func(t *testing.T) { 256 256 + defer tests.PrintCurrentTest(t)() 257 257 + 258 258 + knownHosts, err := os.ReadFile(filepath.Join(setting.SSH.RootPath, "known_hosts")) 259 259 + require.NoError(t, err) 260 260 + 261 261 + publicKey, err := os.ReadFile(setting.SSH.ServerHostKeys[0] + ".pub") 262 262 + require.NoError(t, err) 263 263 + 264 264 + assert.Contains(t, string(knownHosts), string(publicKey)) 265 265 + }) 266 266 + }) 267 267 + }) 268 268 + }

+142 -1

tests/integration/mirror_push_test.go

reviewed

··· 1 1 // Copyright 2021 The Gitea Authors. All rights reserved. 2 2 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 3 // SPDX-License-Identifier: MIT 3 4 4 5 package integration ··· 6 7 import ( 7 8 "context" 8 9 "fmt" 10 10 + "net" 9 11 "net/http" 10 12 "net/url" 13 13 + "os" 14 14 + "path/filepath" 11 15 "strconv" 12 16 "testing" 17 17 + "time" 13 18 19 19 + asymkey_model "code.gitea.io/gitea/models/asymkey" 14 20 "code.gitea.io/gitea/models/db" 15 21 repo_model "code.gitea.io/gitea/models/repo" 22 22 + "code.gitea.io/gitea/models/unit" 16 23 "code.gitea.io/gitea/models/unittest" 17 24 user_model "code.gitea.io/gitea/models/user" 18 25 "code.gitea.io/gitea/modules/git" 19 26 "code.gitea.io/gitea/modules/gitrepo" 27 27 + "code.gitea.io/gitea/modules/optional" 20 28 "code.gitea.io/gitea/modules/setting" 29 29 + "code.gitea.io/gitea/modules/test" 21 30 gitea_context "code.gitea.io/gitea/services/context" 22 31 doctor "code.gitea.io/gitea/services/doctor" 23 32 "code.gitea.io/gitea/services/migrations" ··· 35 44 36 45 func testMirrorPush(t *testing.T, u *url.URL) { 37 46 defer tests.PrepareTestEnv(t)() 47 47 + defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)() 38 48 39 39 - setting.Migrations.AllowLocalNetworks = true 40 49 require.NoError(t, migrations.Init()) 41 50 42 51 user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) ··· 146 155 assert.Contains(t, flashCookie.Value, "success") 147 156 } 148 157 } 158 158 + 159 159 + func TestSSHPushMirror(t *testing.T) { 160 160 + onGiteaRun(t, func(t *testing.T, _ *url.URL) { 161 161 + defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)() 162 162 + defer test.MockVariableValue(&setting.Mirror.Enabled, true)() 163 163 + defer test.MockVariableValue(&setting.SSH.RootPath, t.TempDir())() 164 164 + require.NoError(t, migrations.Init()) 165 165 + 166 166 + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) 167 167 + srcRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}) 168 168 + assert.False(t, srcRepo.HasWiki()) 169 169 + sess := loginUser(t, user.Name) 170 170 + pushToRepo, _, f := CreateDeclarativeRepoWithOptions(t, user, DeclarativeRepoOptions{ 171 171 + Name: optional.Some("push-mirror-test"), 172 172 + AutoInit: optional.Some(false), 173 173 + EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}), 174 174 + }) 175 175 + defer f() 176 176 + 177 177 + sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName()) 178 178 + t.Run("Mutual exclusive", func(t *testing.T) { 179 179 + defer tests.PrintCurrentTest(t)() 180 180 + 181 181 + req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{ 182 182 + "_csrf": GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())), 183 183 + "action": "push-mirror-add", 184 184 + "push_mirror_address": sshURL, 185 185 + "push_mirror_username": "username", 186 186 + "push_mirror_password": "password", 187 187 + "push_mirror_use_ssh": "true", 188 188 + "push_mirror_interval": "0", 189 189 + }) 190 190 + resp := sess.MakeRequest(t, req, http.StatusOK) 191 191 + htmlDoc := NewHTMLParser(t, resp.Body) 192 192 + 193 193 + errMsg := htmlDoc.Find(".ui.negative.message").Text() 194 194 + assert.Contains(t, errMsg, "Cannot use public key and password based authentication in combination.") 195 195 + }) 196 196 + 197 197 + t.Run("Normal", func(t *testing.T) { 198 198 + var pushMirror *repo_model.PushMirror 199 199 + t.Run("Adding", func(t *testing.T) { 200 200 + defer tests.PrintCurrentTest(t)() 201 201 + 202 202 + req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{ 203 203 + "_csrf": GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())), 204 204 + "action": "push-mirror-add", 205 205 + "push_mirror_address": sshURL, 206 206 + "push_mirror_use_ssh": "true", 207 207 + "push_mirror_interval": "0", 208 208 + }) 209 209 + sess.MakeRequest(t, req, http.StatusSeeOther) 210 210 + 211 211 + flashCookie := sess.GetCookie(gitea_context.CookieNameFlash) 212 212 + assert.NotNil(t, flashCookie) 213 213 + assert.Contains(t, flashCookie.Value, "success") 214 214 + 215 215 + pushMirror = unittest.AssertExistsAndLoadBean(t, &repo_model.PushMirror{RepoID: srcRepo.ID}) 216 216 + assert.NotEmpty(t, pushMirror.PrivateKey) 217 217 + assert.NotEmpty(t, pushMirror.PublicKey) 218 218 + }) 219 219 + 220 220 + publickey := "" 221 221 + t.Run("Publickey", func(t *testing.T) { 222 222 + defer tests.PrintCurrentTest(t)() 223 223 + 224 224 + req := NewRequest(t, "GET", fmt.Sprintf("/%s/settings", srcRepo.FullName())) 225 225 + resp := sess.MakeRequest(t, req, http.StatusOK) 226 226 + htmlDoc := NewHTMLParser(t, resp.Body) 227 227 + 228 228 + publickey = htmlDoc.Find(".ui.table td a[data-clipboard-text]").AttrOr("data-clipboard-text", "") 229 229 + assert.EqualValues(t, publickey, pushMirror.GetPublicKey()) 230 230 + }) 231 231 + 232 232 + t.Run("Add deploy key", func(t *testing.T) { 233 233 + defer tests.PrintCurrentTest(t)() 234 234 + 235 235 + req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings/keys", pushToRepo.FullName()), map[string]string{ 236 236 + "_csrf": GetCSRF(t, sess, fmt.Sprintf("/%s/settings/keys", pushToRepo.FullName())), 237 237 + "title": "push mirror key", 238 238 + "content": publickey, 239 239 + "is_writable": "true", 240 240 + }) 241 241 + sess.MakeRequest(t, req, http.StatusSeeOther) 242 242 + 243 243 + unittest.AssertExistsAndLoadBean(t, &asymkey_model.DeployKey{Name: "push mirror key", RepoID: pushToRepo.ID}) 244 244 + }) 245 245 + 246 246 + t.Run("Synchronize", func(t *testing.T) { 247 247 + defer tests.PrintCurrentTest(t)() 248 248 + 249 249 + req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{ 250 250 + "_csrf": GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())), 251 251 + "action": "push-mirror-sync", 252 252 + "push_mirror_id": strconv.FormatInt(pushMirror.ID, 10), 253 253 + }) 254 254 + sess.MakeRequest(t, req, http.StatusSeeOther) 255 255 + }) 256 256 + 257 257 + t.Run("Check mirrored content", func(t *testing.T) { 258 258 + defer tests.PrintCurrentTest(t)() 259 259 + shortSHA := "1032bbf17f" 260 260 + 261 261 + req := NewRequest(t, "GET", fmt.Sprintf("/%s", srcRepo.FullName())) 262 262 + resp := sess.MakeRequest(t, req, http.StatusOK) 263 263 + htmlDoc := NewHTMLParser(t, resp.Body) 264 264 + 265 265 + assert.Contains(t, htmlDoc.Find(".shortsha").Text(), shortSHA) 266 266 + 267 267 + assert.Eventually(t, func() bool { 268 268 + req = NewRequest(t, "GET", fmt.Sprintf("/%s", pushToRepo.FullName())) 269 269 + resp = sess.MakeRequest(t, req, http.StatusOK) 270 270 + htmlDoc = NewHTMLParser(t, resp.Body) 271 271 + 272 272 + return htmlDoc.Find(".shortsha").Text() == shortSHA 273 273 + }, time.Second*30, time.Second) 274 274 + }) 275 275 + 276 276 + t.Run("Check known host keys", func(t *testing.T) { 277 277 + defer tests.PrintCurrentTest(t)() 278 278 + 279 279 + knownHosts, err := os.ReadFile(filepath.Join(setting.SSH.RootPath, "known_hosts")) 280 280 + require.NoError(t, err) 281 281 + 282 282 + publicKey, err := os.ReadFile(setting.SSH.ServerHostKeys[0] + ".pub") 283 283 + require.NoError(t, err) 284 284 + 285 285 + assert.Contains(t, string(knownHosts), string(publicKey)) 286 286 + }) 287 287 + }) 288 288 + }) 289 289 + }