feat(ssh-keys): add ssh-keys command to manage SSH public keys (#940)

## Summary - Adds `tea ssh-keys` command group (aliases: `ssh-key`, `keys`) under the SETUP category - Mirrors the interface of `gh ssh-key add/list/delete` - Three subcommands: `add <keyfile>`, `list`, `delete <id>` ## Commands \`\`\`sh tea ssh-keys add ~/.ssh/id_ed25519.pub # title defaults to filename stem tea ssh-keys add ~/.ssh/id_rsa.pub --title "work laptop" tea ssh-keys add ~/.ssh/deploy.pub --read-only # authentication-only key tea ssh-keys list tea ssh-keys list --output json tea ssh-keys delete 42 # prompts for confirmation tea ssh-keys delete 42 --force # skip prompt \`\`\` ## Test plan - [x] `make lint` — 0 issues - [x] `make fmt-check` — passes - [x] `go test ./cmd/sshkeys/... -run TestKeyTitle` — unit tests pass (no server needed) - [ ] Integration tests with live Gitea instance: \`\`\`sh GITEA_TEA_TEST_URL=https://your-gitea \ GITEA_TEA_TEST_TOKEN=<token> \ go test ./cmd/sshkeys/... -v -run TestSSHKey \`\`\` Exercises full add → SDK-verify → delete → 404-verify lifecycle. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Brandon Fryslie <530235+brandon-fryslie@users.noreply.github.com> Reviewed-on: https://gitea.com/gitea/tea/pulls/940 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Brandon Fryslie <186614+brandroid@noreply.gitea.com> Co-committed-by: Brandon Fryslie <186614+brandroid@noreply.gitea.com>
2026-05-15 20:29:22 +02:00 · 2026-05-02 18:24:08 +00:00
parent 2985824ab0
commit 9d6ae4bf02
11 changed files with 572 additions and 41 deletions
--- a/tests/integration/helpers_test.go
+++ b/tests/integration/helpers_test.go
@@ -0,0 +1,104 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+	"code.gitea.io/tea/modules/config"
+	"code.gitea.io/tea/modules/task"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	integrationGiteaURL string
+	integrationUsername string
+	integrationPassword string
+	integrationToken    string
+	integrationTokenID  int64
+	integrationSetupErr error
+	integrationClient   *gitea.Client
+)
+
+func TestMain(m *testing.M) {
+	integrationGiteaURL = os.Getenv("GITEA_TEA_TEST_URL")
+	integrationUsername = os.Getenv("GITEA_TEA_TEST_USERNAME")
+	integrationPassword = os.Getenv("GITEA_TEA_TEST_PASSWORD")
+
+	if integrationGiteaURL != "" {
+		if integrationUsername == "" || integrationPassword == "" {
+			integrationSetupErr = fmt.Errorf("GITEA_TEA_TEST_USERNAME and GITEA_TEA_TEST_PASSWORD are required for integration tests")
+		} else {
+			integrationClient, integrationSetupErr = gitea.NewClient(
+				integrationGiteaURL,
+				gitea.SetBasicAuth(integrationUsername, integrationPassword),
+				gitea.SetGiteaVersion(""),
+			)
+			if integrationSetupErr == nil {
+				tokenName := fmt.Sprintf("tea-integration-%d", time.Now().UnixNano())
+				var token *gitea.AccessToken
+				token, _, integrationSetupErr = integrationClient.CreateAccessToken(gitea.CreateAccessTokenOption{
+					Name:   tokenName,
+					Scopes: []gitea.AccessTokenScope{gitea.AccessTokenScopeAll},
+				})
+				if integrationSetupErr == nil {
+					integrationToken = token.Token
+					integrationTokenID = token.ID
+				}
+			}
+		}
+	}
+
+	exitCode := m.Run()
+
+	if integrationClient != nil && integrationTokenID != 0 {
+		if _, err := integrationClient.DeleteAccessToken(integrationTokenID); err != nil {
+			fmt.Fprintf(os.Stderr, "failed to delete integration token %d: %v\n", integrationTokenID, err)
+			if exitCode == 0 {
+				exitCode = 1
+			}
+		}
+	}
+
+	os.Exit(exitCode)
+}
+
+func useTempConfigPath(t *testing.T) string {
+	t.Helper()
+
+	configPath := filepath.Join(t.TempDir(), "config.yml")
+	config.SetConfigPathForTesting(configPath)
+	config.SetConfigForTesting(config.LocalConfig{})
+	t.Cleanup(func() {
+		config.SetConfigForTesting(config.LocalConfig{})
+		config.SetConfigPathForTesting("")
+	})
+
+	return configPath
+}
+
+func createIntegrationLogin(t *testing.T) *config.Login {
+	t.Helper()
+
+	_ = useTempConfigPath(t)
+	if integrationGiteaURL == "" {
+		t.Skip("GITEA_TEA_TEST_URL is not set, skipping integration test")
+	}
+	require.NoError(t, integrationSetupErr)
+
+	require.NotEmpty(t, integrationToken, "integration token setup failed")
+
+	require.NoError(t, task.CreateLogin("integration", integrationToken, "", "", "", "", "", integrationGiteaURL, "", "", true, false, false, false))
+
+	login, err := config.GetLoginByName("integration")
+	require.NoError(t, err)
+	require.NotNil(t, login)
+
+	return login
+}
--- a/tests/integration/repos_create_test.go
+++ b/tests/integration/repos_create_test.go
@@ -6,58 +6,18 @@ package integration
 import (
 	"context"
 	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 	"time"

 	"code.gitea.io/sdk/gitea"
 	"code.gitea.io/tea/cmd/repos"
-	"code.gitea.io/tea/modules/config"
-	"code.gitea.io/tea/modules/task"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/urfave/cli/v3"
 )

-func useTempConfigPath(t *testing.T) string {
-	t.Helper()
-
-	configPath := filepath.Join(t.TempDir(), "config.yml")
-	config.SetConfigPathForTesting(configPath)
-	t.Cleanup(func() {
-		config.SetConfigPathForTesting("")
-	})
-
-	return configPath
-}
-
-func createIntegrationLogin(t *testing.T, giteaURL string) *config.Login {
-	t.Helper()
-
-	_ = useTempConfigPath(t)
-
-	username := os.Getenv("GITEA_TEA_TEST_USERNAME")
-	password := os.Getenv("GITEA_TEA_TEST_PASSWORD")
-	require.NotEmpty(t, username, "GITEA_TEA_TEST_USERNAME is required for integration tests")
-	require.NotEmpty(t, password, "GITEA_TEA_TEST_PASSWORD is required for integration tests")
-
-	require.NoError(t, task.CreateLogin("integration", "", username, password, "", "", "", giteaURL, "", "", true, false, false, false))
-
-	login, err := config.GetLoginByName("integration")
-	require.NoError(t, err)
-	require.NotNil(t, login)
-
-	return login
-}
-
 func TestCreateRepoObjectFormat(t *testing.T) {
-	giteaURL := os.Getenv("GITEA_TEA_TEST_URL")
-	if giteaURL == "" {
-		t.Skip("GITEA_TEA_TEST_URL is not set, skipping test")
-	}
-
-	login := createIntegrationLogin(t, giteaURL)
+	login := createIntegrationLogin(t)
 	client := login.Client()
 	timestamp := time.Now().Unix()

--- a/tests/integration/sshkeys_test.go
+++ b/tests/integration/sshkeys_test.go
@@ -0,0 +1,115 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strconv"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+	sshkeyscmd "code.gitea.io/tea/cmd/sshkeys"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli/v3"
+	"golang.org/x/crypto/ssh"
+)
+
+// generateTestPublicKey creates a fresh ed25519 keypair and returns a temp
+// file path containing the public key in authorized_keys format.
+func generateTestPublicKey(t *testing.T) string {
+	t.Helper()
+
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+
+	sshPub, err := ssh.NewPublicKey(priv.Public())
+	require.NoError(t, err)
+
+	pubKeyStr := fmt.Sprintf("ssh-ed25519 %s tea-test-key", base64.StdEncoding.EncodeToString(sshPub.Marshal()))
+
+	f, err := os.CreateTemp(t.TempDir(), "test-*.pub")
+	require.NoError(t, err)
+	_, err = f.WriteString(pubKeyStr)
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+
+	return f.Name()
+}
+
+func sshKeysCmd() *cli.Command {
+	return &cli.Command{
+		Name: "ssh-keys",
+		Commands: []*cli.Command{
+			&sshkeyscmd.CmdSSHKeyList,
+			&sshkeyscmd.CmdSSHKeyAdd,
+			&sshkeyscmd.CmdSSHKeyDelete,
+		},
+	}
+}
+
+func TestSSHKeyAddAndDelete(t *testing.T) {
+	login := createIntegrationLogin(t)
+	pubKeyFile := generateTestPublicKey(t)
+	keyTitle := fmt.Sprintf("tea-test-%d", time.Now().Unix())
+
+	cmd := sshKeysCmd()
+	client := login.Client()
+
+	err := cmd.Run(context.Background(), []string{
+		"ssh-keys", "add", pubKeyFile,
+		"--title", keyTitle,
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	keys, _, err := client.ListMyPublicKeys(gitea.ListPublicKeysOptions{
+		ListOptions: gitea.ListOptions{Page: -1},
+	})
+	require.NoError(t, err)
+
+	var addedKey *gitea.PublicKey
+	for _, key := range keys {
+		if key.Title == keyTitle {
+			addedKey = key
+			break
+		}
+	}
+	require.NotNil(t, addedKey, "added key not found in key list")
+
+	t.Cleanup(func() {
+		client.DeletePublicKey(addedKey.ID) //nolint:errcheck
+	})
+
+	err = cmd.Run(context.Background(), []string{
+		"ssh-keys", "delete", strconv.FormatInt(addedKey.ID, 10),
+		"--confirm",
+		"--login", login.Name,
+	})
+	assert.NoError(t, err)
+
+	_, resp, err := client.GetPublicKey(addedKey.ID)
+	assert.Error(t, err)
+	if assert.NotNil(t, resp) {
+		assert.Equal(t, 404, resp.StatusCode)
+	}
+}
+
+func TestSSHKeyList(t *testing.T) {
+	login := createIntegrationLogin(t)
+
+	cmd := sshKeysCmd()
+	err := cmd.Run(context.Background(), []string{
+		"ssh-keys", "list",
+		"--login", login.Name,
+	})
+	assert.NoError(t, err)
+}