From 7c9e1cf83baf7dec65d12215b32ebe783a97e312 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Tue, 27 Feb 2024 18:18:03 +0800 Subject: [PATCH 1/4] Allow options to disable user ssh keys configuration from the interface on app.ini --- custom/conf/app.example.ini | 3 ++- .../administration/config-cheat-sheet.en-us.md | 3 ++- .../administration/config-cheat-sheet.zh-cn.md | 3 ++- modules/setting/admin.go | 1 + routers/web/user/setting/keys.go | 17 +++++++++++++++++ templates/user/settings/keys.tmpl | 4 +++- 6 files changed, 27 insertions(+), 4 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 5451537d02cc..c70caa39fb85 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1474,8 +1474,9 @@ LEVEL = Info ;; ;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled ;DEFAULT_EMAIL_NOTIFICATIONS = enabled -;; Disabled features for users, could be "deletion", more features can be disabled in future +;; Disabled features for users, could be "deletion", "ssh_keys" more features can be disabled in future ;; - deletion: a user cannot delete their own account +;; - ssh_keys: a user cannot configuration ssh keys ;USER_DISABLED_FEATURES = ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md index 643932de6c1b..e9baa763785c 100644 --- a/docs/content/administration/config-cheat-sheet.en-us.md +++ b/docs/content/administration/config-cheat-sheet.en-us.md 
@@ -518,8 +518,9 @@ And the following unique queues: - `DEFAULT_EMAIL_NOTIFICATIONS`: **enabled**: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled - `DISABLE_REGULAR_ORG_CREATION`: **false**: Disallow regular (non-admin) users from creating organizations. -- `USER_DISABLED_FEATURES`: **_empty_** Disabled features for users, could be `deletion` and more features can be added in future. +- `USER_DISABLED_FEATURES`: **_empty_** Disabled features for users, could be `deletion`, `ssh_keys` and more features can be added in future. - `deletion`: User cannot delete their own account. + - `ssh_keys`: User cannot configuration ssh keys. ## Security (`security`) diff --git a/docs/content/administration/config-cheat-sheet.zh-cn.md b/docs/content/administration/config-cheat-sheet.zh-cn.md index 5fe0a62215f5..49d82698545b 100644 --- a/docs/content/administration/config-cheat-sheet.zh-cn.md +++ b/docs/content/administration/config-cheat-sheet.zh-cn.md @@ -497,8 +497,9 @@ Gitea 创建以下非唯一队列: - `DEFAULT_EMAIL_NOTIFICATIONS`: **enabled**:用户电子邮件通知的默认配置(用户可配置)。选项:enabled、onmention、disabled - `DISABLE_REGULAR_ORG_CREATION`: **false**:禁止普通(非管理员)用户创建组织。 -- `USER_DISABLED_FEATURES`:**_empty_** 禁用的用户特性,当前允许为空或者 `deletion`, 未来可以增加更多设置。 +- `USER_DISABLED_FEATURES`:**_empty_** 禁用的用户特性,当前允许为空或者 `deletion`,`ssh_keys` 未来可以增加更多设置。 - `deletion`: 用户不能通过界面或者API删除他自己。 + - `ssh_keys`: 用户不能通过界面配置SSH Keys。 ## 安全性 (`security`) diff --git a/modules/setting/admin.go b/modules/setting/admin.go index 48a2ea974455..26f11d5c2388 100644 --- a/modules/setting/admin.go +++ b/modules/setting/admin.go @@ -21,4 +21,5 @@ func loadAdminFrom(rootCfg ConfigProvider) { const ( UserFeatureDeletion = "deletion" + UserFeatureSSHKeys = "ssh_keys" ) diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go index 0a12777e5e8d..f29c5bdda91c 100644 --- a/routers/web/user/setting/keys.go +++ b/routers/web/user/setting/keys.go 
@@ -5,6 +5,7 @@ package setting import ( + "fmt" "net/http" asymkey_model "code.gitea.io/gitea/models/asymkey" @@ -153,6 +154,11 @@ func KeysPost(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.verify_gpg_key_success", keyID)) ctx.Redirect(setting.AppSubURL + "/user/settings/keys") case "ssh": + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) + return + } + content, err := asymkey_model.CheckPublicKeyString(form.Content) if err != nil { if db.IsErrSSHDisabled(err) { @@ -192,6 +198,11 @@ func KeysPost(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.add_key_success", form.Title)) ctx.Redirect(setting.AppSubURL + "/user/settings/keys") case "verify_ssh": + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) + return + } + token := asymkey_model.VerificationToken(ctx.Doer, 1) lastToken := asymkey_model.VerificationToken(ctx.Doer, 0) @@ -230,6 +241,11 @@ func DeleteKey(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success")) } case "ssh": + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) + return + } + keyID := ctx.FormInt64("id") external, err := asymkey_model.PublicKeyIsExternallyManaged(ctx, keyID) if err != nil { @@ -308,4 +324,5 @@ func loadKeysData(ctx *context.Context) { ctx.Data["VerifyingID"] = ctx.FormString("verify_gpg") ctx.Data["VerifyingFingerprint"] = ctx.FormString("verify_ssh") + ctx.Data["UserDisabledFeatures"] = &setting.Admin.UserDisabledFeatures } diff --git a/templates/user/settings/keys.tmpl b/templates/user/settings/keys.tmpl index 93037e7e282b..59c336125719 100644 --- a/templates/user/settings/keys.tmpl +++ b/templates/user/settings/keys.tmpl 
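Review bot: The guard added in `case "ssh"`, `case "verify_ssh"` and in `DeleteKey`'s `case "ssh"` is the same three statements pasted three times, and every copy builds the error with `fmt.Errorf` although the string has no format verbs; a small package-level helper keeps the condition, the status and the message in one place (with `errors.New` instead of the new `fmt` import) and turns any later rename of the constant into a one-line change. The settings page also renders `user/settings/keys_principal` (see the template hunk of this patch) and nothing here guards principal handling; if the setting is meant to stop users from adding new SSH authentication material, principals presumably need the same check — confirm the intended scope. `KeysPost` and `DeleteKey` both begin and end outside these hunks.
```go
// sshKeysManagementDisabled reports whether USER_DISABLED_FEATURES turns off SSH key
// management; when it does, the request has already been answered with 404.
func sshKeysManagementDisabled(ctx *context.Context) bool {
	if !setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) {
		return false
	}
	ctx.NotFound("Not Found", errors.New("ssh keys setting is not allowed to be visited"))
	return true
}

// … unchanged: KeysPost up to the ssh case …
	case "ssh":
		if sshKeysManagementDisabled(ctx) {
			return
		}
// … unchanged: rest of KeysPost; same call replaces the copies in "verify_ssh" and DeleteKey …
```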
@@ -1,6 +1,8 @@ {{template "user/settings/layout_head" (dict "ctxData" . "pageClass" "user settings sshkeys")}}
- {{template "user/settings/keys_ssh" .}} + {{if not ($.UserDisabledFeatures.Contains "ssh_keys")}} + {{template "user/settings/keys_ssh" .}} + {{end}} {{template "user/settings/keys_principal" .}} {{template "user/settings/keys_gpg" .}}
From 10dd4f456a0617916f7ae5f2aa4affd2ad41d2fa Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Tue, 27 Feb 2024 18:37:18 +0800 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: delvh --- custom/conf/app.example.ini | 2 +- docs/content/administration/config-cheat-sheet.en-us.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index c70caa39fb85..f8702fa33246 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1476,7 +1476,7 @@ LEVEL = Info ;DEFAULT_EMAIL_NOTIFICATIONS = enabled ;; Disabled features for users, could be "deletion", "ssh_keys" more features can be disabled in future ;; - deletion: a user cannot delete their own account -;; - ssh_keys: a user cannot configuration ssh keys +;; - ssh_keys: a user cannot configure ssh keys ;USER_DISABLED_FEATURES = ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md index e9baa763785c..1dfc4ed8265b 100644 --- a/docs/content/administration/config-cheat-sheet.en-us.md +++ b/docs/content/administration/config-cheat-sheet.en-us.md @@ -520,7 +520,7 @@ And the following unique queues: - `DISABLE_REGULAR_ORG_CREATION`: **false**: Disallow regular (non-admin) users from creating organizations. - `USER_DISABLED_FEATURES`: **_empty_** Disabled features for users, could be `deletion`, `ssh_keys` and more features can be added in future. - `deletion`: User cannot delete their own account. - - `ssh_keys`: User cannot configuration ssh keys. + - `ssh_keys`: User cannot configure ssh keys. ## Security (`security`) From 7ff7f604c85a91351f12d68a36292ddc763d49c7 Mon Sep 17 00:00:00 2001 
From: Lunny Xiao Date: Tue, 27 Feb 2024 19:03:12 +0800 Subject: [PATCH 3/4] Fix bug --- docs/content/administration/config-cheat-sheet.zh-cn.md | 2 +- routers/api/v1/user/key.go | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/content/administration/config-cheat-sheet.zh-cn.md b/docs/content/administration/config-cheat-sheet.zh-cn.md index 49d82698545b..0f9a436f2015 100644 --- a/docs/content/administration/config-cheat-sheet.zh-cn.md +++ b/docs/content/administration/config-cheat-sheet.zh-cn.md @@ -499,7 +499,7 @@ Gitea 创建以下非唯一队列: - `DISABLE_REGULAR_ORG_CREATION`: **false**:禁止普通(非管理员)用户创建组织。 - `USER_DISABLED_FEATURES`:**_empty_** 禁用的用户特性,当前允许为空或者 `deletion`,`ssh_keys` 未来可以增加更多设置。 - `deletion`: 用户不能通过界面或者API删除他自己。 - - `ssh_keys`: 用户不能通过界面配置SSH Keys。 + - `ssh_keys`: 用户不能通过界面或者API配置SSH Keys。 ## 安全性 (`security`) diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go index ada6759f8e6c..915eef8451ad 100644 --- a/routers/api/v1/user/key.go +++ b/routers/api/v1/user/key.go @@ -5,6 +5,7 @@ package user import ( std_ctx "context" + "fmt" "net/http" asymkey_model "code.gitea.io/gitea/models/asymkey" @@ -198,6 +199,11 @@ func GetPublicKey(ctx *context.APIContext) { // CreateUserPublicKey creates new public key to given user by ID. func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid int64) { + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) + return + } + content, err := asymkey_model.CheckPublicKeyString(form.Key) if err != nil { repo.HandleCheckKeyStringError(ctx, err) From e835a27772da13c69cd6f8af6c8dd78369355252 Mon Sep 17 00:00:00 2001 
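Review bot: The new check at the top of `CreateUserPublicKey` fires regardless of who the caller is, yet the function takes a `uid` and its own comment says it creates a key for a "given user by ID", which suggests it is also reached from an administrative path; if so, this patch also stops administrators from provisioning keys for users, which the `USER_DISABLED_FEATURES` wording ("features for users") does not obviously intend. If the restriction should bind only the account owner, gate it on the doer, e.g. `if !ctx.Doer.IsAdmin && setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) {`, or move it into the `/user/keys` handler that passes the doer's own ID — confirm which callers exist. The response error is built with `fmt.Errorf` and no verbs; `errors.New("...")` says the same without the new `fmt` import. `CreateUserPublicKey` continues past the hunk.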
From: Lunny Xiao Date: Wed, 28 Feb 2024 07:18:14 +0800 Subject: [PATCH 4/4] Use manage_ssh_keys and add missing delete keys check --- docs/content/administration/config-cheat-sheet.en-us.md | 4 ++-- docs/content/administration/config-cheat-sheet.zh-cn.md | 4 ++-- modules/setting/admin.go | 4 ++-- routers/api/v1/user/key.go | 7 ++++++- routers/web/user/setting/keys.go | 6 +++--- templates/user/settings/keys.tmpl | 2 +- 6 files changed, 16 insertions(+), 11 deletions(-) diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md index 1dfc4ed8265b..f9d222af2cab 100644 --- a/docs/content/administration/config-cheat-sheet.en-us.md +++ b/docs/content/administration/config-cheat-sheet.en-us.md @@ -518,9 +518,9 @@ And the following unique queues: - `DEFAULT_EMAIL_NOTIFICATIONS`: **enabled**: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled - `DISABLE_REGULAR_ORG_CREATION`: **false**: Disallow regular (non-admin) users from creating organizations. -- `USER_DISABLED_FEATURES`: **_empty_** Disabled features for users, could be `deletion`, `ssh_keys` and more features can be added in future. +- `USER_DISABLED_FEATURES`: **_empty_** Disabled features for users, could be `deletion`, `manage_ssh_keys` and more features can be added in future. - `deletion`: User cannot delete their own account. - - `ssh_keys`: User cannot configure ssh keys. + - `manage_ssh_keys`: User cannot configure ssh keys. ## Security (`security`) diff --git a/docs/content/administration/config-cheat-sheet.zh-cn.md b/docs/content/administration/config-cheat-sheet.zh-cn.md index 0f9a436f2015..0ffbc7003ab1 100644 --- a/docs/content/administration/config-cheat-sheet.zh-cn.md +++ b/docs/content/administration/config-cheat-sheet.zh-cn.md 
@@ -497,9 +497,9 @@ Gitea 创建以下非唯一队列: - `DEFAULT_EMAIL_NOTIFICATIONS`: **enabled**:用户电子邮件通知的默认配置(用户可配置)。选项:enabled、onmention、disabled - `DISABLE_REGULAR_ORG_CREATION`: **false**:禁止普通(非管理员)用户创建组织。 -- `USER_DISABLED_FEATURES`:**_empty_** 禁用的用户特性,当前允许为空或者 `deletion`,`ssh_keys` 未来可以增加更多设置。 +- `USER_DISABLED_FEATURES`:**_empty_** 禁用的用户特性,当前允许为空或者 `deletion`,`manage_ssh_keys` 未来可以增加更多设置。 - `deletion`: 用户不能通过界面或者API删除他自己。 - - `ssh_keys`: 用户不能通过界面或者API配置SSH Keys。 + - `manage_ssh_keys`: 用户不能通过界面或者API配置SSH Keys。 ## 安全性 (`security`) diff --git a/modules/setting/admin.go b/modules/setting/admin.go index 26f11d5c2388..fda315727ac2 100644 --- a/modules/setting/admin.go +++ b/modules/setting/admin.go @@ -20,6 +20,6 @@ func loadAdminFrom(rootCfg ConfigProvider) { } const ( - UserFeatureDeletion = "deletion" - UserFeatureSSHKeys = "ssh_keys" + UserFeatureDeletion = "deletion" + UserFeatureManageSSHKeys = "manage_ssh_keys" ) diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go index 915eef8451ad..bcbfd93bd3ed 100644 --- a/routers/api/v1/user/key.go +++ b/routers/api/v1/user/key.go @@ -199,7 +199,7 @@ func GetPublicKey(ctx *context.APIContext) { // CreateUserPublicKey creates new public key to given user by ID. func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid int64) { - if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) { ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) return } 
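Review bot: `UserFeatureDeletion` and `UserFeatureManageSSHKeys` are exported constants in a block with no doc comment, so both the accepted `USER_DISABLED_FEATURES` tokens and what "manage" covers have to be recovered from the handlers that compare against them. Add `// UserFeatureManageSSHKeys blocks adding, verifying and deleting SSH keys through the web settings page and the API; keys that already exist are not removed or disabled.` above the constant, and a matching one-liner for `UserFeatureDeletion`; the second clause matters because no hunk in this series changes how existing keys authenticate. The constant block lies entirely within the `modules/setting/admin.go` hunk.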
@@ -269,6 +269,11 @@ func DeletePublicKey(ctx *context.APIContext) { // "404": // "$ref": "#/responses/notFound" + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) { + ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) + return + } + id := ctx.ParamsInt64(":id") externallyManaged, err := asymkey_model.PublicKeyIsExternallyManaged(ctx, id) if err != nil { diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go index f29c5bdda91c..14408ec0a83d 100644 --- a/routers/web/user/setting/keys.go +++ b/routers/web/user/setting/keys.go @@ -154,7 +154,7 @@ func KeysPost(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.verify_gpg_key_success", keyID)) ctx.Redirect(setting.AppSubURL + "/user/settings/keys") case "ssh": - if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) { ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) return } @@ -198,7 +198,7 @@ func KeysPost(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.add_key_success", form.Title)) ctx.Redirect(setting.AppSubURL + "/user/settings/keys") case "verify_ssh": - if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) { ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) return } @@ -241,7 +241,7 @@ func DeleteKey(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success")) } case "ssh": - if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureSSHKeys) { + if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) { ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited")) return } 
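Review bot: The literal `"ssh keys setting is not allowed to be visited"` now appears in five handlers across two packages, and it reads oddly on `DeletePublicKey`, where nothing is visited; `errors.New("ssh key management is disabled by USER_DISABLED_FEATURES")` names the actual condition and drops the verb-less `fmt.Errorf`, and the same wording should be used in the three `routers/web/user/setting/keys.go` hunks below. An API client also cannot tell "key does not exist" from "feature disabled", since both answer 404; if that is deliberate to match the existing `deletion` feature, a one-line comment on the guard saying so would save the next reader the question. `DeletePublicKey` starts before the hunk and continues after it.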
diff --git a/templates/user/settings/keys.tmpl b/templates/user/settings/keys.tmpl index 59c336125719..6456cc62ae6d 100644 --- a/templates/user/settings/keys.tmpl +++ b/templates/user/settings/keys.tmpl @@ -1,6 +1,6 @@ {{template "user/settings/layout_head" (dict "ctxData" . "pageClass" "user settings sshkeys")}}
- {{if not ($.UserDisabledFeatures.Contains "ssh_keys")}} + {{if not ($.UserDisabledFeatures.Contains "manage_ssh_keys")}} {{template "user/settings/keys_ssh" .}} {{end}} {{template "user/settings/keys_principal" .}}
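Review bot: The template compares against the literal `"manage_ssh_keys"` while the Go handlers use `setting.UserFeatureManageSSHKeys`, and this very commit had to edit the literal because the constant was renamed; a future rename would not fail the build, the condition would silently evaluate to false and the section would reappear while the POST handlers reject it. Compute the decision once in Go, e.g. `ctx.Data["DisableSSHKeyManagement"] = setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys)` in `loadKeysData`, and test `{{if not .DisableSSHKeyManagement}}` here so the string lives in one place. Hiding the whole `keys_ssh` partial also hides whatever list of existing keys it contains, while those keys keep authenticating under this series; if the partial holds both the add form and the list, consider keeping the list visible read-only so users can still see which keys are active on their account.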