Add support for authentication via ssh certificates and pub/privatekey (#442)

This adds support for authentication using a SSH certificate and normal public keys when you've got an ssh-agent running that has this certificate or your public key loaded. First question when creating a new login is to ask about the ssh certificates or public keys, when the answer is yes, we don't need to ask about tokens/usernames anymore. Co-authored-by: Wim <wim@42.be> Reviewed-on: https://gitea.com/gitea/tea/pulls/442 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: Wim <42wim@noreply.gitea.io> Co-committed-by: Wim <42wim@noreply.gitea.io>
2025-09-05 19:32:53 +02:00 · 2022-09-15 03:00:08 +08:00
parent 4ee5ce4b52
commit 6a4ba6a689
6 changed files with 262 additions and 40 deletions
--- a/modules/task/login_create.go
+++ b/modules/task/login_create.go
@ -16,7 +16,7 @@ import (
 )

 // CreateLogin create a login to be stored in config
-func CreateLogin(name, token, user, passwd, sshKey, giteaURL string, insecure bool) error {
+func CreateLogin(name, token, user, passwd, sshKey, giteaURL, sshCertPrincipal, sshKeyFingerprint string, insecure, sshAgent bool) error {
 	// checks ...
 	// ... if we have a url
 	if len(giteaURL) == 0 {
@ -32,13 +32,15 @@ func CreateLogin(name, token, user, passwd, sshKey, giteaURL string, insecure bo
 		return fmt.Errorf("token already been used, delete login '%s' first", login.Name)
 	}

-	// .. if we have enough information to authenticate
-	if len(token) == 0 && (len(user)+len(passwd)) == 0 {
-		return fmt.Errorf("No token set")
-	} else if len(user) != 0 && len(passwd) == 0 {
-		return fmt.Errorf("No password set")
-	} else if len(user) == 0 && len(passwd) != 0 {
-		return fmt.Errorf("No user set")
+	if !sshAgent && sshCertPrincipal == "" && sshKey == "" {
+		// .. if we have enough information to authenticate
+		if len(token) == 0 && (len(user)+len(passwd)) == 0 {
+			return fmt.Errorf("No token set")
+		} else if len(user) != 0 && len(passwd) == 0 {
+			return fmt.Errorf("No password set")
+		} else if len(user) == 0 && len(passwd) != 0 {
+			return fmt.Errorf("No user set")
+		}
 	}

 	// Normalize URL
@ -47,16 +49,25 @@ func CreateLogin(name, token, user, passwd, sshKey, giteaURL string, insecure bo
 		return fmt.Errorf("Unable to parse URL: %s", err)
 	}

-	login := config.Login{
-		Name:     name,
-		URL:      serverURL.String(),
-		Token:    token,
-		Insecure: insecure,
-		SSHKey:   sshKey,
-		Created:  time.Now().Unix(),
+	// check if it's a certificate the principal doesn't matter as the user
+	// has explicitly selected this private key
+	if _, err := os.Stat(sshKey + "-cert.pub"); err == nil {
+		sshCertPrincipal = "yes"
 	}

-	if len(token) == 0 {
+	login := config.Login{
+		Name:              name,
+		URL:               serverURL.String(),
+		Token:             token,
+		Insecure:          insecure,
+		SSHKey:            sshKey,
+		SSHCertPrincipal:  sshCertPrincipal,
+		SSHKeyFingerprint: sshKeyFingerprint,
+		SSHAgent:          sshAgent,
+		Created:           time.Now().Unix(),
+	}
+
+	if len(token) == 0 && sshCertPrincipal == "" && !sshAgent && sshKey == "" {
 		if login.Token, err = generateToken(login, user, passwd); err != nil {
 			return err
 		}