gitea/modules/ssh/init.go

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package ssh

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"

	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"
)

func Init() error {
	if setting.SSH.Disabled {
		builtinUnused()
		return nil
	}

	if setting.SSH.StartBuiltinServer {
		Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
		log.Info("SSH server started on %s. Cipher list (%v), key exchange algorithms (%v), MACs (%v)",
			net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)),
			setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs,
		)
		return nil
	}

	builtinUnused()

	// FIXME: why 0o644 for a directory .....
	if err := os.MkdirAll(setting.SSH.KeyTestPath, 0o644); err != nil {
		return fmt.Errorf("failed to create directory %q for ssh key test: %w", setting.SSH.KeyTestPath, err)
	}

	if len(setting.SSH.TrustedUserCAKeys) > 0 && setting.SSH.AuthorizedPrincipalsEnabled {
		caKeysFileName := setting.SSH.TrustedUserCAKeysFile
		caKeysFileDir := filepath.Dir(caKeysFileName)

		err := os.MkdirAll(caKeysFileDir, 0o700) // SSH.RootPath by default (That is `~/.ssh` in most cases)
		if err != nil {
			return fmt.Errorf("failed to create directory %q for ssh trusted ca keys: %w", caKeysFileDir, err)
		}

		if err := os.WriteFile(caKeysFileName, []byte(strings.Join(setting.SSH.TrustedUserCAKeys, "\n")), 0o600); err != nil {
			return fmt.Errorf("failed to write ssh trusted ca keys to %q: %w", caKeysFileName, err)
		}
	}

	return nil
}
Refactor SSH init code, fix directory creation for TrustedUserCAKeys file (#20299) * Refactor SSH init code, fix directory creation for TrustedUserCAKeys file * Update modules/ssh/init.go Co-authored-by: zeripath <art27@cantab.net> * fix lint copyright * Update modules/ssh/init.go Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2022-07-10 14:50:26 +08:00			`// Copyright 2022 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 13:20:29 -05:00			`// SPDX-License-Identifier: MIT`
Refactor SSH init code, fix directory creation for TrustedUserCAKeys file (#20299) * Refactor SSH init code, fix directory creation for TrustedUserCAKeys file * Update modules/ssh/init.go Co-authored-by: zeripath <art27@cantab.net> * fix lint copyright * Update modules/ssh/init.go Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2022-07-10 14:50:26 +08:00
			`package ssh`

			`import (`
			`"fmt"`
			`"net"`
			`"os"`
			`"path/filepath"`
			`"strconv"`
			`"strings"`

			`"code.gitea.io/gitea/modules/log"`
			`"code.gitea.io/gitea/modules/setting"`
			`)`

			`func Init() error {`
			`if setting.SSH.Disabled {`
call builtinUnused() if internal SSH is disabled (#20877) The graceful manager waits for 4 listeners to be created or to be told that they are not needed. If it is not told about them it will indefinitely and timeout. This leads to SVC hosts not being told of being in the readyState but on Unix would lead to the termination of the process. There was an unfortunate regression in #20299 which missed this subtly and in the case whereby SSH is disabled the `builtinUnused()` is not called. This PR adds a call to `builtinUnused()` when not using the builtin ssh to allow `createServerWaitGroup.Done()` to be called. In addition it was noted that the if/else clauses for timeout informing of the SVC host were in the wrong order. These have been swapped. Fix #20609 2022-08-20 22:09:41 +01:00			`builtinUnused()`
Refactor SSH init code, fix directory creation for TrustedUserCAKeys file (#20299) * Refactor SSH init code, fix directory creation for TrustedUserCAKeys file * Update modules/ssh/init.go Co-authored-by: zeripath <art27@cantab.net> * fix lint copyright * Update modules/ssh/init.go Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2022-07-10 14:50:26 +08:00			`return nil`
			`}`

			`if setting.SSH.StartBuiltinServer {`
			`Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)`
			`log.Info("SSH server started on %s. Cipher list (%v), key exchange algorithms (%v), MACs (%v)",`
			`net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)),`
			`setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs,`
			`)`
			`return nil`
			`}`

			`builtinUnused()`

			`// FIXME: why 0o644 for a directory .....`
			`if err := os.MkdirAll(setting.SSH.KeyTestPath, 0o644); err != nil {`
			`return fmt.Errorf("failed to create directory %q for ssh key test: %w", setting.SSH.KeyTestPath, err)`
			`}`

			`if len(setting.SSH.TrustedUserCAKeys) > 0 && setting.SSH.AuthorizedPrincipalsEnabled {`
			`caKeysFileName := setting.SSH.TrustedUserCAKeysFile`
			`caKeysFileDir := filepath.Dir(caKeysFileName)`

			err := os.MkdirAll(caKeysFileDir, 0o700) // SSH.RootPath by default (That is `~/.ssh` in most cases)
			`if err != nil {`
			`return fmt.Errorf("failed to create directory %q for ssh trusted ca keys: %w", caKeysFileDir, err)`
			`}`

			`if err := os.WriteFile(caKeysFileName, []byte(strings.Join(setting.SSH.TrustedUserCAKeys, "\n")), 0o600); err != nil {`
			`return fmt.Errorf("failed to write ssh trusted ca keys to %q: %w", caKeysFileName, err)`
			`}`
			`}`

			`return nil`
			`}`