go-gitea · lafriks · May 24, 2018 · May 31, 2017 · Jun 25, 2017 · May 31, 2017
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
@@ -142,6 +142,8 @@ var migrations = []Migration{
 	NewMigration("remove index column from repo_unit table", removeIndexColumnFromRepoUnitTable),
 	// v46 -> v47
 	NewMigration("remove organization watch repositories", removeOrganizationWatchRepo),
+	// v47 -> v48
+	NewMigration("add field for ldap public public ssh key synchronization", addLoginSourceLdapPublicSSHKeySyncEnabled),
 }
 
 // Migrate database to current version

diff --git a/models/migrations/v47.go b/models/migrations/v47.go
@@ -0,0 +1,23 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"github.com/go-xorm/xorm"
+)
+
+func addLoginSourceLdapPublicSSHKeySyncEnabled(x *xorm.Engine) error {
+	// LoginSource see models/login_source.go
+	type LoginSource struct {
+		IsLdapPublicSSHKeySyncEnabled bool `xorm:"INDEX NOT NULL DEFAULT false"`
+	}
+
+	if err := x.Sync2(new(LoginSource)); err != nil {
+		return fmt.Errorf("Sync2: %v", err)
+	}
+	return nil
+}
diff --git a/models/ssh_key.go b/models/ssh_key.go
@@ -46,13 +46,14 @@ const (
 
 // PublicKey represents a user or deploy SSH public key.
 type PublicKey struct {
-	ID          int64      `xorm:"pk autoincr"`
-	OwnerID     int64      `xorm:"INDEX NOT NULL"`
-	Name        string     `xorm:"NOT NULL"`
-	Fingerprint string     `xorm:"NOT NULL"`
-	Content     string     `xorm:"TEXT NOT NULL"`
-	Mode        AccessMode `xorm:"NOT NULL DEFAULT 2"`
-	Type        KeyType    `xorm:"NOT NULL DEFAULT 1"`
+	ID            int64      `xorm:"pk autoincr"`
+	OwnerID       int64      `xorm:"INDEX NOT NULL"`
+	Name          string     `xorm:"NOT NULL"`
+	Fingerprint   string     `xorm:"NOT NULL"`
+	Content       string     `xorm:"TEXT NOT NULL"`
+	Mode          AccessMode `xorm:"NOT NULL DEFAULT 2"`
+	Type          KeyType    `xorm:"NOT NULL DEFAULT 1"`
+	LoginSourceID int64      `xorm:"NULL DEFAULT NULL"`
 
 	Created           time.Time `xorm:"-"`
 	CreatedUnix       int64     `xorm:"created"`
@@ -393,7 +394,7 @@ func addKey(e Engine, key *PublicKey) (err error) {
 }
 
 // AddPublicKey adds new public key to database and authorized_keys file.
-func AddPublicKey(ownerID int64, name, content string) (*PublicKey, error) {
+func AddPublicKey(ownerID int64, name, content string, LoginSourceID int64) (*PublicKey, error) {
 	log.Trace(content)
 
 	fingerprint, err := calcFingerprint(content)
@@ -422,12 +423,13 @@ func AddPublicKey(ownerID int64, name, content string) (*PublicKey, error) {
 	}
 
 	key := &PublicKey{
-		OwnerID:     ownerID,
-		Name:        name,
-		Fingerprint: fingerprint,
-		Content:     content,
-		Mode:        AccessModeWrite,
-		Type:        KeyTypeUser,
+		OwnerID:       ownerID,
+		Name:          name,
+		Fingerprint:   fingerprint,
+		Content:       content,
+		Mode:          AccessModeWrite,
+		Type:          KeyTypeUser,
+		LoginSourceID: LoginSourceID,
 	}
 	if err = addKey(sess, key); err != nil {
 		return nil, fmt.Errorf("addKey: %v", err)

diff --git a/models/user.go b/models/user.go
@@ -19,6 +19,7 @@ import (
 	"image/png"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 	"unicode/utf8"
@@ -1355,6 +1356,138 @@ func GetWatchedRepos(userID int64, private bool) ([]*Repository, error) {
 	return repos, nil
 }
 
+// existsInSlice returns true if string exists in slice
+func existsInSlice(target string, slice []string) bool {
+	i := sort.Search(len(slice),
+		func(i int) bool { return slice[i] == target })
+	return i < len(slice)
+}
+
+// IsEqualSlice returns true if slices are equal
+func IsEqualSlice(target []string, source []string) bool {
+	if len(target) != len(source) {
+		return false
+	}
+
+	if (target == nil) != (source == nil) {
+		return false
+	}
+
+	sort.Strings(target)
+	sort.Strings(source)
+
+	for i, v := range target {
+		if v != source[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+// deleteKeysMarkedForDeletion returns true if ssh keys needs update
+func deleteKeysMarkedForDeletion(keys []string) (sshKeysNeedUpdate bool, err error) {
+	// Start session
+	sess := x.NewSession()
+	defer sess.Close()
+	if err = sess.Begin(); err != nil {
+		return false, err
+	}
+
+	// Delete keys marked for deletion
+	for _, KeyToDelete := range keys {
+		key, err := SearchPublicKeyByContent(KeyToDelete)
+		err = deletePublicKeys(sess, key.ID)
+		if err != nil {
+			sshKeysNeedUpdate = false
+			log.Trace("deleteKeysMarkedForDeletion: Error: %v", key)
+		}
+		sshKeysNeedUpdate = true
+	}
+
+	return sshKeysNeedUpdate, sess.Commit()
+}
+
+func addLdapSSHPublicKeys(s *LoginSource, usr *User, SSHPublicKeys []string) (sshKeysNeedUpdate bool, err error) {
+	for _, LDAPPublicSSHKey := range SSHPublicKeys {
+		LDAPPublicSSHKeyName := strings.Join([]string{s.Name, LDAPPublicSSHKey[0:40]}, "-")
+		_, err := AddPublicKey(usr.ID, LDAPPublicSSHKeyName, LDAPPublicSSHKey, s.ID)
+		if err != nil {
+			log.Error(4, "addLdapSSHPublicKeys[%s]: Error adding LDAP Public SSH Key for user %s: %v", s.Name, usr.Name, err)
+		} else {
+			log.Trace("addLdapSSHPublicKeys[%s]: Added LDAP Public SSH Key for user %s: %v", s.Name, usr.Name, LDAPPublicSSHKey)
+			sshKeysNeedUpdate = true
+		}
+
+	}
+	return sshKeysNeedUpdate, err
+}
+
+func synchronizeLdapSSHPublicKeys(s *LoginSource, SSHPublicKeys []string, usr *User) (sshKeysNeedUpdate bool, err error) {
+	log.Trace("synchronizeLdapSSHPublicKeys[%s]: Handling LDAP Public SSH Key synchronization for user %s", s.Name, usr.Name)
+
+	// Get Public Keys from DB with LDAP source
+	var giteaKeys []string
+	keys, err := ListPublicKeys(usr.ID)
+	if err != nil {
+		log.Error(4, "synchronizeLdapSSHPublicKeys[%s]: Error listing LDAP Public SSH Keys for user %s: %v", s.Name, usr.Name, err)
+	}
+
+	// Get Public Keys from DB, which has been synchronized from LDAP
+	for _, v := range keys {
+		// If key was synced from LDAP, add it to list
+		if v.LoginSourceID > 0 {
+			giteaKeys = append(giteaKeys, v.OmitEmail())
+		}
+	}
+	sort.Strings(giteaKeys)
+
+	// Get Public Keys from LDAP and skip duplicate keys
+	var ldapKeys []string
+	for _, v := range SSHPublicKeys {
+		ldapKey := strings.Join(strings.Split(v, " ")[:2], " ")
+		if !existsInSlice(ldapKey, ldapKeys) {
+			ldapKeys = append(ldapKeys, ldapKey)
+		}
+	}
+	sort.Strings(ldapKeys)
+
+	// Check if Public Key sync is needed
+	var giteaKeysToDelete []string
+	if IsEqualSlice(giteaKeys, ldapKeys) {
+		log.Trace("synchronizeLdapSSHPublicKeys[%s]: LDAP Public Keys are already in sync for %s (LDAP:%v/DB:%v)", s.Name, usr.Name, len(ldapKeys), len(giteaKeys))
+	} else {
+		log.Trace("synchronizeLdapSSHPublicKeys[%s]: LDAP Public Key needs update for user %s (LDAP:%v/DB:%v)", s.Name, usr.Name, len(ldapKeys), len(giteaKeys))
+		// Delete giteaKeys that doesn't exist in ldapKeys and has been synced from LDAP earlier
+		for _, giteaKey := range giteaKeys {
+			if !existsInSlice(giteaKey, ldapKeys) {
+				log.Trace("synchronizeLdapSSHPublicKeys[%s]: Marking LDAP Public SSH Key for deletion for user %s: %v", s.Name, usr.Name, giteaKey)
+				giteaKeysToDelete = append(giteaKeysToDelete, giteaKey)
+			}
+		}
+	}
+
+	// Delete LDAP keys from DB that doesn't exist in LDAP
+	sshKeysNeedUpdate, err = deleteKeysMarkedForDeletion(giteaKeysToDelete)
+	if err != nil {
+		log.Error(4, "synchronizeLdapSSHPublicKeys[%s]: Error deleting LDAP Public SSH Keys marked for deletion for user %s: %v", s.Name, usr.Name, err)
+	}
+
+	// Add LDAP Public SSH Keys that doesn't already exist in DB
+	var newLdapSSHKeys []string
+	for _, LDAPPublicSSHKey := range ldapKeys {
+		if !existsInSlice(LDAPPublicSSHKey, giteaKeys) {
+			newLdapSSHKeys = append(newLdapSSHKeys, LDAPPublicSSHKey)
+		}
+	}
+	sshKeysNeedUpdate, err = addLdapSSHPublicKeys(s, usr, newLdapSSHKeys)
+	if err != nil {
+		log.Error(4, "synchronizeLdapSSHPublicKeys[%s]: Error updating LDAP Public SSH Keys for user %s: %v", s.Name, usr.Name, err)
+	}
+
+	return sshKeysNeedUpdate, err
+}
+
 // SyncExternalUsers is used to synchronize users with external authorization source
 func SyncExternalUsers() {
 	if !taskStatusTable.StartIfNotRunning(syncExternalUsers) {
@@ -1376,10 +1509,13 @@ func SyncExternalUsers() {
 		if !s.IsActived || !s.IsSyncEnabled {
 			continue
 		}
+
 		if s.IsLDAP() {
 			log.Trace("Doing: SyncExternalUsers[%s]", s.Name)
 
 			var existingUsers []int64
+			var isAttributeSSHPublicKeySet = len(strings.TrimSpace(s.LDAP().AttributeSSHPublicKey)) > 0
+			var sshKeysNeedUpdate bool
 
 			// Find all users with this login type
 			var users []User
@@ -1388,7 +1524,6 @@ func SyncExternalUsers() {
 				Find(&users)
 
 			sr := s.LDAP().SearchEntries()
-
 			for _, su := range sr {
 				if len(su.Username) == 0 {
 					continue
@@ -1425,11 +1560,28 @@ func SyncExternalUsers() {
 					}
 
 					err = CreateUser(usr)
+
 					if err != nil {
 						log.Error(4, "SyncExternalUsers[%s]: Error creating user %s: %v", s.Name, su.Username, err)
+					} else if isAttributeSSHPublicKeySet {
+						log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", s.Name, usr.Name)
+						sshKeysNeedUpdate, err = addLdapSSHPublicKeys(s, usr, su.SSHPublicKey)
+						if err != nil {
+							log.Error(4, "SyncExternalUsers[%s]: Error adding LDAP Public SSH Keys for user %s: %v", s.Name, su.Username, err)
+						}
 					}
 				} else if updateExisting {
 					existingUsers = append(existingUsers, usr.ID)
+
+					err = UpdateUserCols(usr, "full_name", "email", "is_admin", "is_active")
+					if err != nil {
+						log.Error(4, "SyncExternalUsers[%s]: Error updating user %s: %v", s.Name, usr.Name, err)
+					}
+
+					if isAttributeSSHPublicKeySet {
+						synchronizeLdapSSHPublicKeys(s, su.SSHPublicKey, usr)
+					}
+
 					// Check if user data has changed
 					if (len(s.LDAP().AdminFilter) > 0 && usr.IsAdmin != su.IsAdmin) ||
 						strings.ToLower(usr.Email) != strings.ToLower(su.Mail) ||
@@ -1446,14 +1598,19 @@ func SyncExternalUsers() {
 						}
 						usr.IsActive = true
 
-						err = UpdateUserCols(usr, "full_name", "email", "is_admin", "is_active")
+						err = UpdateUser(usr)
 						if err != nil {
 							log.Error(4, "SyncExternalUsers[%s]: Error updating user %s: %v", s.Name, usr.Name, err)
 						}
 					}
 				}
 			}
 
+			// Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed
+			if isAttributeSSHPublicKeySet && sshKeysNeedUpdate {
+				RewriteAllPublicKeys()
+			}
+
 			// Deactivate users not present in LDAP
 			if updateExisting {
 				for _, usr := range users {

diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go
@@ -24,6 +24,7 @@ type AuthenticationForm struct {
 	AttributeName                 string
 	AttributeSurname              string
 	AttributeMail                 string
+	AttributeSSHPublicKey         string
 	AttributesInBind              bool
 	Filter                        string
 	AdminFilter                   string

diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
@@ -28,32 +28,34 @@ const (
 
 // Source Basic LDAP authentication service
 type Source struct {
-	Name              string // canonical name (ie. corporate.ad)
-	Host              string // LDAP host
-	Port              int    // port number
-	SecurityProtocol  SecurityProtocol
-	SkipVerify        bool
-	BindDN            string // DN to bind with
-	BindPassword      string // Bind DN password
-	UserBase          string // Base search path for users
-	UserDN            string // Template for the DN of the user for simple auth
-	AttributeUsername string // Username attribute
-	AttributeName     string // First name attribute
-	AttributeSurname  string // Surname attribute
-	AttributeMail     string // E-mail attribute
-	AttributesInBind  bool   // fetch attributes in bind context (not user)
-	Filter            string // Query filter to validate entry
-	AdminFilter       string // Query filter to check if user is admin
-	Enabled           bool   // if this source is disabled
+	Name                  string // canonical name (ie. corporate.ad)
+	Host                  string // LDAP host
+	Port                  int    // port number
+	SecurityProtocol      SecurityProtocol
+	SkipVerify            bool
+	BindDN                string // DN to bind with
+	BindPassword          string // Bind DN password
+	UserBase              string // Base search path for users
+	UserDN                string // Template for the DN of the user for simple auth
+	AttributeUsername     string // Username attribute
+	AttributeName         string // First name attribute
+	AttributeSurname      string // Surname attribute
+	AttributeMail         string // E-mail attribute
+	AttributeSSHPublicKey string // LDAP SSH Public Key attribute
+	AttributesInBind      bool   // fetch attributes in bind context (not user)
+	Filter                string // Query filter to validate entry
+	AdminFilter           string // Query filter to check if user is admin
+	Enabled               bool   // if this source is disabled
 }
 
 // SearchResult : user data
 type SearchResult struct {
-	Username string // Username
-	Name     string // Name
-	Surname  string // Surname
-	Mail     string // E-mail address
-	IsAdmin  bool   // if user is administrator
+	Username     string   // Username
+	Name         string   // Name
+	Surname      string   // Surname
+	Mail         string   // E-mail address
+	SSHPublicKey []string // SSH Public Key
+	IsAdmin      bool     // if user is administrator
 }
 
 func (ls *Source) sanitizedUserQuery(username string) (string, bool) {
@@ -292,10 +294,10 @@ func (ls *Source) SearchEntries() []*SearchResult {
 
 	userFilter := fmt.Sprintf(ls.Filter, "*")
 
-	log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, ls.UserBase)
+	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, ls.UserBase)
 	search := ldap.NewSearchRequest(
 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
-		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
+		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey},
 		nil)
 
 	sr, err := l.Search(search)
@@ -308,11 +310,12 @@ func (ls *Source) SearchEntries() []*SearchResult {
 
 	for i, v := range sr.Entries {
 		result[i] = &SearchResult{
-			Username: v.GetAttributeValue(ls.AttributeUsername),
-			Name:     v.GetAttributeValue(ls.AttributeName),
-			Surname:  v.GetAttributeValue(ls.AttributeSurname),
-			Mail:     v.GetAttributeValue(ls.AttributeMail),
-			IsAdmin:  checkAdmin(l, ls, v.DN),
+			Username:     v.GetAttributeValue(ls.AttributeUsername),
+			Name:         v.GetAttributeValue(ls.AttributeName),
+			Surname:      v.GetAttributeValue(ls.AttributeSurname),
+			Mail:         v.GetAttributeValue(ls.AttributeMail),
+			SSHPublicKey: v.GetAttributeValues(ls.AttributeSSHPublicKey),
+			IsAdmin:      checkAdmin(l, ls, v.DN),
 		}
 	}