Setting to disable authorized_keys backup (#1856)

* Add setting to disable authorized_keys backup when rewriting public keys

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Update default value to comply with documentation

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Use tmp-file instead of bak-file for saving manually added keys.

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Change casing

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Change casing and build bakpath with sprintf only

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Only close file once

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Do not modify calcFingerprint

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Fix casing

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Change style from disable to enable

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Change name, just SSH_BACKUP_AUTHORIZED_KEYS

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Do not check for directory existence if backup is disabled

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>
Dan Magnus Lindvall 2017-06-28 03:35:35 +02:00 committed by Lunny Xiao
parent a037cd81ff
commit 79daf31058
3 changed files with 35 additions and 31 deletions

2
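--- a/conf/app.ini
+++ b/conf/app.ini
@@ -124,6 +124,8 @@ SSH_ROOT_PATH =
 SSH_KEY_TEST_PATH =
 ; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
 SSH_KEYGEN_PATH = ssh-keygen
+; Enable SSH Authorized Key Backup when rewriting all keys, default is true
+SSH_BACKUP_AUTHORIZED_KEYS = true
 ; Indicate whether to check minimum key size with corresponding type
 MINIMUM_KEY_SIZE_CHECK = false
 ; Disable CDN even in "prod" mode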


@ -324,8 +324,8 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
sshOpLocker.Lock() sshOpLocker.Lock()
defer sshOpLocker.Unlock() defer sshOpLocker.Unlock()
fpath := filepath.Join(setting.SSH.RootPath, "authorized_keys") fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
f, err := os.OpenFile(fpath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600) f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
if err != nil { if err != nil {
return err return err
} }
@ -558,53 +558,53 @@ func RewriteAllPublicKeys() error {
sshOpLocker.Lock() sshOpLocker.Lock()
defer sshOpLocker.Unlock() defer sshOpLocker.Unlock()
fpath := filepath.Join(setting.SSH.RootPath, "authorized_keys") fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
tmpPath := fpath + ".tmp" tmpPath := fPath + ".tmp"
f, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600) t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil { if err != nil {
return err return err
} }
defer func() { defer func() {
f.Close() t.Close()
os.Remove(tmpPath) os.Remove(tmpPath)
}() }()
if setting.SSH.AuthorizedKeysBackup && com.IsExist(fPath) {
bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix())
if err = com.Copy(fPath, bakPath); err != nil {
return err
}
}
err = x.Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) { err = x.Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) {
_, err = f.WriteString((bean.(*PublicKey)).AuthorizedString()) _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString())
return err return err
}) })
if err != nil { if err != nil {
return err return err
} }
if com.IsExist(fpath) { if com.IsExist(fPath) {
bakPath := fpath + fmt.Sprintf("_%d.gitea_bak", time.Now().Unix()) f, err := os.Open(fPath)
if err = com.Copy(fpath, bakPath); err != nil {
return err
}
p, err := os.Open(bakPath)
if err != nil { if err != nil {
return err return err
} }
defer p.Close() scanner := bufio.NewScanner(f)
scanner := bufio.NewScanner(p)
for scanner.Scan() { for scanner.Scan() {
line := scanner.Text() line := scanner.Text()
if strings.HasPrefix(line, tplCommentPrefix) { if strings.HasPrefix(line, tplCommentPrefix) {
scanner.Scan() scanner.Scan()
continue continue
} }
_, err = f.WriteString(line + "\n") _, err = t.WriteString(line + "\n")
if err != nil { if err != nil {
return err return err
} }
} }
defer f.Close()
} }
f.Close() if err = os.Rename(tmpPath, fPath); err != nil {
if err = os.Rename(tmpPath, fpath); err != nil {
return err return err
} }
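Review bot: On the new side `defer f.Close()` is registered only after the scanner loop, so the `return err` on a failed `t.WriteString` inside the loop leaves the descriptor for `fPath` open; move it to directly after the `os.Open` error check (where the removed `defer p.Close()` used to sit), and note that the `f, err :=` there shadows the outer `err`, which is harmless only because every path in that block returns directly. `scanner.Err()` is never consulted after the loop, so a read error — including a line longer than bufio.Scanner's default maximum token size — ends the loop silently and a truncated set of manually added keys is then renamed over authorized_keys; add `if err := scanner.Err(); err != nil { return err }` after the loop. Whether `com.Copy` preserves the 0600 mode of the source is not visible in the hunk, and the `.gitea_bak` file holds the same key material as the live file, so that is worth confirming. RewriteAllPublicKeys continues past the end of the hunk.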


@ -96,6 +96,7 @@ var (
RootPath string `ini:"SSH_ROOT_PATH"` RootPath string `ini:"SSH_ROOT_PATH"`
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"` KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
KeygenPath string `ini:"SSH_KEYGEN_PATH"` KeygenPath string `ini:"SSH_KEYGEN_PATH"`
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
MinimumKeySizeCheck bool `ini:"-"` MinimumKeySizeCheck bool `ini:"-"`
MinimumKeySizes map[string]int `ini:"-"` MinimumKeySizes map[string]int `ini:"-"`
}{ }{
@ -703,6 +704,7 @@ func NewContext() {
SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt() SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
} }
} }
SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
if err = Cfg.Section("server").MapTo(&LFS); err != nil { if err = Cfg.Section("server").MapTo(&LFS); err != nil {
log.Fatal(4, "Failed to map LFS settings: %v", err) log.Fatal(4, "Failed to map LFS settings: %v", err)
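Review bot: The key read here, `SSH_AUTHORIZED_KEYS_BACKUP` (and the matching struct tag added in the `var (` hunk above), does not match the key documented in conf/app.ini in this same commit, `SSH_BACKUP_AUTHORIZED_KEYS`, so an operator who sets the documented key to false still gets a backup written on every rewrite and nothing reports the ignored setting. Pick one spelling for the tag, this `sec.Key(...)` call and the ini comment; the commit message's last rename suggests `SSH_BACKUP_AUTHORIZED_KEYS` was the intended one, e.g. `SSH.AuthorizedKeysBackup = sec.Key("SSH_BACKUP_AUTHORIZED_KEYS").MustBool(true)`. A comment on the new field, `// AuthorizedKeysBackup controls whether RewriteAllPublicKeys copies the existing authorized_keys to a timestamped .gitea_bak file before replacing it`, would also help, since that backup carries the same key material as the live file. NewContext continues outside the hunk.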