forgejo/modules/doctor/authorizedkeys.go

// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package doctor

import (
	"bufio"
	"bytes"
	"context"
	"fmt"
	"os"
	"path/filepath"
	"strings"

	asymkey_model "code.gitea.io/gitea/models/asymkey"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"
)

const tplCommentPrefix = `# gitea public key`

func checkAuthorizedKeys(ctx context.Context, logger log.Logger, autofix bool) error {
	if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile {
		return nil
	}

	fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
	f, err := os.Open(fPath)
	if err != nil {
		if !autofix {
			logger.Critical("Unable to open authorized_keys file. ERROR: %v", err)
			return fmt.Errorf("Unable to open authorized_keys file. ERROR: %v", err)
		}
		logger.Warn("Unable to open authorized_keys. (ERROR: %v). Attempting to rewrite...", err)
		if err = asymkey_model.RewriteAllPublicKeys(); err != nil {
			logger.Critical("Unable to rewrite authorized_keys file. ERROR: %v", err)
			return fmt.Errorf("Unable to rewrite authorized_keys file. ERROR: %v", err)
		}
	}
	defer f.Close()

	linesInAuthorizedKeys := map[string]bool{}

	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		line := scanner.Text()
		if strings.HasPrefix(line, tplCommentPrefix) {
			continue
		}
		linesInAuthorizedKeys[line] = true
	}
	f.Close()

	// now we regenerate and check if there are any lines missing
	regenerated := &bytes.Buffer{}
	if err := asymkey_model.RegeneratePublicKeys(ctx, regenerated); err != nil {
		logger.Critical("Unable to regenerate authorized_keys file. ERROR: %v", err)
		return fmt.Errorf("Unable to regenerate authorized_keys file. ERROR: %v", err)
	}
	scanner = bufio.NewScanner(regenerated)
	for scanner.Scan() {
		line := scanner.Text()
		if strings.HasPrefix(line, tplCommentPrefix) {
			continue
		}
		if ok := linesInAuthorizedKeys[line]; ok {
			continue
		}
		if !autofix {
			logger.Critical(
				"authorized_keys file %q is out of date.\nRegenerate it with:\n\t\"%s\"\nor\n\t\"%s\"",
				fPath,
				"gitea admin regenerate keys",
				"gitea doctor --run authorized-keys --fix")
			return fmt.Errorf(`authorized_keys is out of date and should be regenerated with "gitea admin regenerate keys" or "gitea doctor --run authorized-keys --fix"`)
		}
		logger.Warn("authorized_keys is out of date. Attempting rewrite...")
		err = asymkey_model.RewriteAllPublicKeys()
		if err != nil {
			logger.Critical("Unable to rewrite authorized_keys file. ERROR: %v", err)
			return fmt.Errorf("Unable to rewrite authorized_keys file. ERROR: %v", err)
		}
	}
	return nil
}

func init() {
	Register(&Check{
		Title:     "Check if OpenSSH authorized_keys file is up-to-date",
		Name:      "authorized-keys",
		IsDefault: true,
		Run:       checkAuthorizedKeys,
		Priority:  4,
	})
}
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`// Copyright 2020 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package doctor`

			`import (`
			`"bufio"`
			`"bytes"`
Propagate context and ensure git commands run in request context (#17868) This PR continues the work in #17125 by progressively ensuring that git commands run within the request context. This now means that the if there is a git repo already open in the context it will be used instead of reopening it. Signed-off-by: Andrew Thornton <art27@cantab.net> 2022-01-20 00:26:57 +01:00			`"context"`
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`"fmt"`
			`"os"`
			`"path/filepath"`
			`"strings"`

Move keys to models/asymkey (#17917) * Move keys to models/keys * Rename models/keys -> models/asymkey * change the missed package name * Fix package alias * Fix test * Fix docs * Fix test * Fix test * merge 2021-12-10 09:14:24 +01:00			`asymkey_model "code.gitea.io/gitea/models/asymkey"`
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`"code.gitea.io/gitea/modules/log"`
			`"code.gitea.io/gitea/modules/setting"`
			`)`

			const tplCommentPrefix = `# gitea public key`

Propagate context and ensure git commands run in request context (#17868) This PR continues the work in #17125 by progressively ensuring that git commands run within the request context. This now means that the if there is a git repo already open in the context it will be used instead of reopening it. Signed-off-by: Andrew Thornton <art27@cantab.net> 2022-01-20 00:26:57 +01:00			`func checkAuthorizedKeys(ctx context.Context, logger log.Logger, autofix bool) error {`
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`if setting.SSH.StartBuiltinServer \|\| !setting.SSH.CreateAuthorizedKeysFile {`
			`return nil`
			`}`

			`fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")`
			`f, err := os.Open(fPath)`
			`if err != nil {`
			`if !autofix {`
			`logger.Critical("Unable to open authorized_keys file. ERROR: %v", err)`
			`return fmt.Errorf("Unable to open authorized_keys file. ERROR: %v", err)`
			`}`
			`logger.Warn("Unable to open authorized_keys. (ERROR: %v). Attempting to rewrite...", err)`
Move keys to models/asymkey (#17917) * Move keys to models/keys * Rename models/keys -> models/asymkey * change the missed package name * Fix package alias * Fix test * Fix docs * Fix test * Fix test * merge 2021-12-10 09:14:24 +01:00			`if err = asymkey_model.RewriteAllPublicKeys(); err != nil {`
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`logger.Critical("Unable to rewrite authorized_keys file. ERROR: %v", err)`
			`return fmt.Errorf("Unable to rewrite authorized_keys file. ERROR: %v", err)`
			`}`
			`}`
			`defer f.Close()`

			`linesInAuthorizedKeys := map[string]bool{}`

			`scanner := bufio.NewScanner(f)`
			`for scanner.Scan() {`
			`line := scanner.Text()`
			`if strings.HasPrefix(line, tplCommentPrefix) {`
			`continue`
			`}`
			`linesInAuthorizedKeys[line] = true`
			`}`
			`f.Close()`

			`// now we regenerate and check if there are any lines missing`
			`regenerated := &bytes.Buffer{}`
Move almost all functions' parameter db.Engine to context.Context (#19748) * Move almost all functions' parameter db.Engine to context.Context * remove some unnecessary wrap functions 2022-05-20 16:08:52 +02:00			`if err := asymkey_model.RegeneratePublicKeys(ctx, regenerated); err != nil {`
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`logger.Critical("Unable to regenerate authorized_keys file. ERROR: %v", err)`
			`return fmt.Errorf("Unable to regenerate authorized_keys file. ERROR: %v", err)`
			`}`
			`scanner = bufio.NewScanner(regenerated)`
			`for scanner.Scan() {`
			`line := scanner.Text()`
			`if strings.HasPrefix(line, tplCommentPrefix) {`
			`continue`
			`}`
			`if ok := linesInAuthorizedKeys[line]; ok {`
			`continue`
			`}`
			`if !autofix {`
			`logger.Critical(`
			`"authorized_keys file %q is out of date.\nRegenerate it with:\n\t\"%s\"\nor\n\t\"%s\"",`
			`fPath,`
			`"gitea admin regenerate keys",`
[doctor] authorized-keys: fix displayed check name (#19464) The registered check name is authorized-keys, not authorized_keys. 2022-04-24 20:06:33 +02:00			`"gitea doctor --run authorized-keys --fix")`
			return fmt.Errorf(`authorized_keys is out of date and should be regenerated with "gitea admin regenerate keys" or "gitea doctor --run authorized-keys --fix"`)
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`}`
			`logger.Warn("authorized_keys is out of date. Attempting rewrite...")`
Move keys to models/asymkey (#17917) * Move keys to models/keys * Rename models/keys -> models/asymkey * change the missed package name * Fix package alias * Fix test * Fix docs * Fix test * Fix test * merge 2021-12-10 09:14:24 +01:00			`err = asymkey_model.RewriteAllPublicKeys()`
Refactor doctor (#12264) * Refactor Logger Refactor Logger to make a logger interface and make it possible to wrap loggers for specific purposes. * Refactor Doctor Move the gitea doctor functions into its own module. Use a logger for its messages instead of returning a results string[] Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> * Update modules/doctor/misc.go Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2020-12-02 05:56:04 +01:00			`if err != nil {`
			`logger.Critical("Unable to rewrite authorized_keys file. ERROR: %v", err)`
			`return fmt.Errorf("Unable to rewrite authorized_keys file. ERROR: %v", err)`
			`}`
			`}`
			`return nil`
			`}`

			`func init() {`
			`Register(&Check{`
			`Title: "Check if OpenSSH authorized_keys file is up-to-date",`
			`Name: "authorized-keys",`
			`IsDefault: true,`
			`Run: checkAuthorizedKeys,`
			`Priority: 4,`
			`})`
			`}`