Disable SSH key addition and deletion when externally managed

When a user has a login source which has SSH key management
key addition and deletion using the UI should be disabled.

Fix #13983

Signed-off-by: Andrew Thornton <[email protected]>

Author: zeripath

options/locale/locale_en-US.ini

@@ -556,6 +556,7 @@ principal_state_desc = This principal has been used in the last 7 days
 show_openid = Show on profile
 hide_openid = Hide from profile
 ssh_disabled = SSH Disabled
+ssh_externally_managed = SSH keys are externally managed for this user
 manage_social = Manage Associated Social Accounts
 social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account.
 unbind = Unlink

routers/api/v1/user/key.go

@@ -6,6 +6,7 @@ package user
 
 import (
 	"net/http"
+	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/context"
@@ -201,6 +202,25 @@ func GetPublicKey(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, apiKey)
 }
 
+func sshKeysExternallyManaged(user *models.User) (bool, error) {
+	if user.LoginSource == 0 {
+		return false, nil
+	}
+	source, err := models.GetLoginSourceByID(user.LoginSource)
+	if err != nil {
+		return false, err
+	}
+	ldapSource := source.LDAP()
+	if ldapSource != nil &&
+		source.IsSyncEnabled &&
+		(source.Type == models.LoginLDAP || source.Type == models.LoginDLDAP) &&
+		len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+		// Disable setting SSH keys for this user
+		return true, nil
+	}
+	return false, nil
+}
+
 // CreateUserPublicKey creates new public key to given user by ID.
 func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid int64) {
 	content, err := models.CheckPublicKeyString(form.Key)
@@ -209,6 +229,18 @@ func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid
 		return
 	}
 
+	user, err := models.GetUserByID(uid)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "GetUserByID", err)
+	}
+	externallyManaged, err := sshKeysExternallyManaged(user)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "sshKeysExternallyManaged", err)
+	}
+	if externallyManaged {
+		ctx.Error(http.StatusForbidden, "", "SSH Keys are externally managed for this user")
+	}
+
 	key, err := models.AddPublicKey(uid, form.Title, content, 0)
 	if err != nil {
 		repo.HandleAddKeyError(ctx, err)
@@ -266,6 +298,13 @@ func DeletePublicKey(ctx *context.APIContext) {
 	//     "$ref": "#/responses/forbidden"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	externallyManaged, err := sshKeysExternallyManaged(ctx.User)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "sshKeysExternallyManaged", err)
+	}
+	if externallyManaged {
+		ctx.Error(http.StatusForbidden, "", "SSH Keys are externally managed for this user")
+	}
 
 	if err := models.DeletePublicKey(ctx.User, ctx.ParamsInt64(":id")); err != nil {
 		if models.IsErrKeyNotExist(err) {

routers/user/setting/keys.go

@@ -6,6 +6,8 @@
 package setting
 
 import (
+	"strings"
+
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
@@ -30,6 +32,25 @@ func Keys(ctx *context.Context) {
 	ctx.HTML(200, tplSettingsKeys)
 }
 
+func sshKeysExternallyManaged(user *models.User) (bool, error) {
+	if user.LoginSource == 0 {
+		return false, nil
+	}
+	source, err := models.GetLoginSourceByID(user.LoginSource)
+	if err != nil {
+		return false, err
+	}
+	ldapSource := source.LDAP()
+	if ldapSource != nil &&
+		source.IsSyncEnabled &&
+		(source.Type == models.LoginLDAP || source.Type == models.LoginDLDAP) &&
+		len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+		// Disable setting SSH keys for this user
+		return true, nil
+	}
+	return false, nil
+}
+
 // KeysPost response for change user's SSH/GPG keys
 func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
 	ctx.Data["Title"] = ctx.Tr("settings")
@@ -105,6 +126,16 @@ func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
 		ctx.Flash.Success(ctx.Tr("settings.add_gpg_key_success", keyIDs))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "ssh":
+		external, err := sshKeysExternallyManaged(ctx.User)
+		if err != nil {
+			ctx.ServerError("sshKeysExternalManaged", err)
+			return
+		}
+		if external {
+			ctx.Flash.Error(ctx.Tr("setting.ssh_externally_managed"))
+			ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
+			return
+		}
 		content, err := models.CheckPublicKeyString(form.Content)
 		if err != nil {
 			if models.IsErrSSHDisabled(err) {
@@ -160,6 +191,16 @@ func DeleteKey(ctx *context.Context) {
 			ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success"))
 		}
 	case "ssh":
+		external, err := sshKeysExternallyManaged(ctx.User)
+		if err != nil {
+			ctx.ServerError("sshKeysExternalManaged", err)
+			return
+		}
+		if external {
+			ctx.Flash.Error(ctx.Tr("setting.ssh_externally_managed"))
+			ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
+			return
+		}
 		if err := models.DeletePublicKey(ctx.User, ctx.QueryInt64("id")); err != nil {
 			ctx.Flash.Error("DeletePublicKey: " + err.Error())
 		} else {
@@ -181,6 +222,15 @@ func DeleteKey(ctx *context.Context) {
 }
 
 func loadKeysData(ctx *context.Context) {
+	external, err := sshKeysExternallyManaged(ctx.User)
+	if err != nil {
+		ctx.ServerError("sshKeysExternalManaged", err)
+		return
+	}
+	if external {
+		ctx.Data["SSHKeysExternalManaged"] = true
+	}
+
 	keys, err := models.ListPublicKeys(ctx.User.ID, models.ListOptions{})
 	if err != nil {
 		ctx.ServerError("ListPublicKeys", err)

templates/user/settings/keys_ssh.tmpl

@@ -1,8 +1,10 @@
 <h4 class="ui top attached header">
 	{{.i18n.Tr "settings.manage_ssh_keys"}}
 	<div class="ui right">
-	{{if not .DisableSSH}}
+	{{if not ( or .DisableSSH .SSHKeysExternalManaged ) }}
 		<div class="ui blue tiny show-panel button" data-panel="#add-ssh-key-panel">{{.i18n.Tr "settings.add_key"}}</div>
+	{{else if .SSHKeysExternalManaged}}
+		<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_externally_managed"}}</div>
 	{{else}}
 		<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_disabled"}}</div>
 	{{end}}
@@ -15,23 +17,25 @@
 		</div>
 		{{range .Keys}}
 			<div class="item">
-                <div class="right floated content">
-                    <button class="ui red tiny button delete-button" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}">
-                        {{$.i18n.Tr "settings.delete_key"}}
-                    </button>
-                </div>
-                <div class="left floated content">
-                	<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
-                </div>
-                <div class="content">
-                    <strong>{{.Name}}</strong>
-                    <div class="print meta">
-                        {{.Fingerprint}}
-                    </div>
-                    <div class="activity meta">
-                        <i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> —	{{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i>
-                    </div>
-                </div>
+				{{if not $.SSHKeysExternalManaged}}
+					<div class="right floated content">
+						<button class="ui red tiny button delete-button" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}">
+							{{$.i18n.Tr "settings.delete_key"}}
+						</button>
+					</div>
+				{{end}}
+				<div class="left floated content">
+					<span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
+				</div>
+				<div class="content">
+						<strong>{{.Name}}</strong>
+						<div class="print meta">
+								{{.Fingerprint}}
+						</div>
+						<div class="activity meta">
+								<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> —	{{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i>
+						</div>
+				</div>
 			</div>
 		{{end}}
 	</div>