Make only externally managed keys disabled

Signed-off-by: Andrew Thornton <[email protected]>

Author: zeripath

models/ssh_key.go

@@ -661,6 +661,82 @@ func deletePublicKeys(e Engine, keyIDs ...int64) error {
 	return err
 }
 
+// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key
+func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) {
+	sources := make([]*LoginSource, 0, 5)
+	externals := make([]bool, len(keys))
+keyloop:
+	for i, key := range keys {
+		if key.LoginSourceID == 0 {
+			externals[i] = false
+			continue keyloop
+		}
+
+		var source *LoginSource
+
+	sourceloop:
+		for _, s := range sources {
+			if s.ID == key.LoginSourceID {
+				source = s
+				break sourceloop
+			}
+		}
+
+		if source == nil {
+			var err error
+			source, err = GetLoginSourceByID(key.LoginSourceID)
+			if err != nil {
+				if IsErrLoginSourceNotExist(err) {
+					externals[i] = false
+					sources[i] = &LoginSource{
+						ID: key.LoginSourceID,
+					}
+					continue keyloop
+				}
+				return nil, err
+			}
+		}
+
+		ldapSource := source.LDAP()
+		if ldapSource != nil &&
+			source.IsSyncEnabled &&
+			(source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
+			len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+			// Disable setting SSH keys for this user
+			externals[i] = true
+		}
+	}
+
+	return externals, nil
+}
+
+// PublicKeyIsExternallyManaged returns whether the provided KeyID represents an externally managed Key
+func PublicKeyIsExternallyManaged(id int64) (bool, error) {
+	key, err := GetPublicKeyByID(id)
+	if err != nil {
+		return false, err
+	}
+	if key.LoginSourceID == 0 {
+		return false, nil
+	}
+	source, err := GetLoginSourceByID(key.LoginSourceID)
+	if err != nil {
+		if IsErrLoginSourceNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	ldapSource := source.LDAP()
+	if ldapSource != nil &&
+		source.IsSyncEnabled &&
+		(source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
+		len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+		// Disable setting SSH keys for this user
+		return true, nil
+	}
+	return false, nil
+}
+
 // DeletePublicKey deletes SSH key information both in database and authorized_keys file.
 func DeletePublicKey(doer *User, id int64) (err error) {
 	key, err := GetPublicKeyByID(id)

options/locale/locale_en-US.ini

@@ -556,7 +556,7 @@ principal_state_desc = This principal has been used in the last 7 days
 show_openid = Show on profile
 hide_openid = Hide from profile
 ssh_disabled = SSH Disabled
-ssh_externally_managed = SSH keys are externally managed for this user
+ssh_externally_managed = This SSH key is externally managed for this user
 manage_social = Manage Associated Social Accounts
 social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account.
 unbind = Unlink

routers/api/v1/user/key.go

@@ -6,7 +6,6 @@ package user
 
 import (
 	"net/http"
-	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/context"
@@ -202,25 +201,6 @@ func GetPublicKey(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, apiKey)
 }
 
-func sshKeysExternallyManaged(user *models.User) (bool, error) {
-	if user.LoginSource == 0 {
-		return false, nil
-	}
-	source, err := models.GetLoginSourceByID(user.LoginSource)
-	if err != nil {
-		return false, err
-	}
-	ldapSource := source.LDAP()
-	if ldapSource != nil &&
-		source.IsSyncEnabled &&
-		(source.Type == models.LoginLDAP || source.Type == models.LoginDLDAP) &&
-		len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
-		// Disable setting SSH keys for this user
-		return true, nil
-	}
-	return false, nil
-}
-
 // CreateUserPublicKey creates new public key to given user by ID.
 func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid int64) {
 	content, err := models.CheckPublicKeyString(form.Key)
@@ -229,18 +209,6 @@ func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid
 		return
 	}
 
-	user, err := models.GetUserByID(uid)
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "GetUserByID", err)
-	}
-	externallyManaged, err := sshKeysExternallyManaged(user)
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "sshKeysExternallyManaged", err)
-	}
-	if externallyManaged {
-		ctx.Error(http.StatusForbidden, "", "SSH Keys are externally managed for this user")
-	}
-
 	key, err := models.AddPublicKey(uid, form.Title, content, 0)
 	if err != nil {
 		repo.HandleAddKeyError(ctx, err)
@@ -298,15 +266,17 @@ func DeletePublicKey(ctx *context.APIContext) {
 	//     "$ref": "#/responses/forbidden"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
-	externallyManaged, err := sshKeysExternallyManaged(ctx.User)
+
+	id := ctx.ParamsInt64(":id")
+	externallyManaged, err := models.PublicKeyIsExternallyManaged(id)
 	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "sshKeysExternallyManaged", err)
+		ctx.Error(http.StatusInternalServerError, "PublicKeyIsExternallyManaged", err)
 	}
 	if externallyManaged {
-		ctx.Error(http.StatusForbidden, "", "SSH Keys are externally managed for this user")
+		ctx.Error(http.StatusForbidden, "", "SSH Key is externally managed for this user")
 	}
 
-	if err := models.DeletePublicKey(ctx.User, ctx.ParamsInt64(":id")); err != nil {
+	if err := models.DeletePublicKey(ctx.User, id); err != nil {
 		if models.IsErrKeyNotExist(err) {
 			ctx.NotFound()
 		} else if models.IsErrKeyAccessDenied(err) {

routers/user/setting/keys.go

@@ -6,8 +6,6 @@
 package setting
 
 import (
-	"strings"
-
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
@@ -32,25 +30,6 @@ func Keys(ctx *context.Context) {
 	ctx.HTML(200, tplSettingsKeys)
 }
 
-func sshKeysExternallyManaged(user *models.User) (bool, error) {
-	if user.LoginSource == 0 {
-		return false, nil
-	}
-	source, err := models.GetLoginSourceByID(user.LoginSource)
-	if err != nil {
-		return false, err
-	}
-	ldapSource := source.LDAP()
-	if ldapSource != nil &&
-		source.IsSyncEnabled &&
-		(source.Type == models.LoginLDAP || source.Type == models.LoginDLDAP) &&
-		len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
-		// Disable setting SSH keys for this user
-		return true, nil
-	}
-	return false, nil
-}
-
 // KeysPost response for change user's SSH/GPG keys
 func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
 	ctx.Data["Title"] = ctx.Tr("settings")
@@ -126,16 +105,6 @@ func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
 		ctx.Flash.Success(ctx.Tr("settings.add_gpg_key_success", keyIDs))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "ssh":
-		external, err := sshKeysExternallyManaged(ctx.User)
-		if err != nil {
-			ctx.ServerError("sshKeysExternalManaged", err)
-			return
-		}
-		if external {
-			ctx.Flash.Error(ctx.Tr("setting.ssh_externally_managed"))
-			ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
-			return
-		}
 		content, err := models.CheckPublicKeyString(form.Content)
 		if err != nil {
 			if models.IsErrSSHDisabled(err) {
@@ -191,7 +160,8 @@ func DeleteKey(ctx *context.Context) {
 			ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success"))
 		}
 	case "ssh":
-		external, err := sshKeysExternallyManaged(ctx.User)
+		keyID := ctx.QueryInt64("id")
+		external, err := models.PublicKeyIsExternallyManaged(keyID)
 		if err != nil {
 			ctx.ServerError("sshKeysExternalManaged", err)
 			return
@@ -201,7 +171,7 @@ func DeleteKey(ctx *context.Context) {
 			ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 			return
 		}
-		if err := models.DeletePublicKey(ctx.User, ctx.QueryInt64("id")); err != nil {
+		if err := models.DeletePublicKey(ctx.User, keyID); err != nil {
 			ctx.Flash.Error("DeletePublicKey: " + err.Error())
 		} else {
 			ctx.Flash.Success(ctx.Tr("settings.ssh_key_deletion_success"))
@@ -222,21 +192,19 @@ func DeleteKey(ctx *context.Context) {
 }
 
 func loadKeysData(ctx *context.Context) {
-	external, err := sshKeysExternallyManaged(ctx.User)
+	keys, err := models.ListPublicKeys(ctx.User.ID, models.ListOptions{})
 	if err != nil {
-		ctx.ServerError("sshKeysExternalManaged", err)
+		ctx.ServerError("ListPublicKeys", err)
 		return
 	}
-	if external {
-		ctx.Data["SSHKeysExternalManaged"] = true
-	}
+	ctx.Data["Keys"] = keys
 
-	keys, err := models.ListPublicKeys(ctx.User.ID, models.ListOptions{})
+	externalKeys, err := models.PublicKeysAreExternallyManaged(keys)
 	if err != nil {
 		ctx.ServerError("ListPublicKeys", err)
 		return
 	}
-	ctx.Data["Keys"] = keys
+	ctx.Data["ExternalKeys"] = externalKeys
 
 	gpgkeys, err := models.ListGPGKeys(ctx.User.ID, models.ListOptions{})
 	if err != nil {

templates/user/settings/keys_ssh.tmpl

@@ -1,10 +1,8 @@
 <h4 class="ui top attached header">
 	{{.i18n.Tr "settings.manage_ssh_keys"}}
 	<div class="ui right">
-	{{if not ( or .DisableSSH .SSHKeysExternalManaged ) }}
+	{{if not .DisableSSH }}
 		<div class="ui blue tiny show-panel button" data-panel="#add-ssh-key-panel">{{.i18n.Tr "settings.add_key"}}</div>
-	{{else if .SSHKeysExternalManaged}}
-		<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_externally_managed"}}</div>
 	{{else}}
 		<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_disabled"}}</div>
 	{{end}}
@@ -15,15 +13,13 @@
 		<div class="item">
 			{{.i18n.Tr "settings.ssh_desc"}}
 		</div>
-		{{range .Keys}}
+		{{range $index, $key := .Keys}}
 			<div class="item">
-				{{if not $.SSHKeysExternalManaged}}
-					<div class="right floated content">
-						<button class="ui red tiny button delete-button" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}">
-							{{$.i18n.Tr "settings.delete_key"}}
-						</button>
-					</div>
-				{{end}}
+				<div class="right floated content">
+					<button class="ui red tiny button delete-button{{if index $.ExternalKeys $index}} disabled{{end}}" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}"{{if index $.ExternalKeys $index}} title="{{$.i18n.Tr "settings.ssh_externally_managed"}}"{{end}}>
+						{{$.i18n.Tr "settings.delete_key"}}
+					</button>
+				</div>
 				<div class="left floated content">
 					<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
 				</div>