Fix perms for http/ssh clone (#288)

2024-12-22 20:42:40 +00:00 · 2024-05-28 01:30:08 +02:00 · 2024-05-28 01:30:08 +02:00 · 38892d8a4a
commit 38892d8a4a
parent 77d87aeecd
12 changed files with 225 additions and 22 deletions
--- a/internal/actions/actions.go
+++ b/internal/actions/actions.go
@ -74,7 +74,7 @@ func Run(actionType int) {
 	case IndexGists:
 		functionToRun = indexGists
 	default:
-		panic("unhandled default case")
+		log.Error().Msg("Unknown action type")
 	}

 	functionToRun()
--- a/internal/cli/main.go
+++ b/internal/cli/main.go
@ -30,7 +30,7 @@ var CmdStart = cli.Command{
 	Usage: "Start Opengist server",
 	Action: func(ctx *cli.Context) error {
 		Initialize(ctx)
-		go web.NewServer(os.Getenv("OG_DEV") == "1").Start()
+		go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions")).Start()
 		go ssh.Start()
 		select {}
 	},
--- a/internal/db/sshkey.go
+++ b/internal/db/sshkey.go
@ -48,13 +48,12 @@ func GetSSHKeyByID(sshKeyId uint) (*SSHKey, error) {
 	return sshKey, err
 }

-func SSHKeyDoesExists(sshKeyContent string) (*SSHKey, error) {
-	sshKey := new(SSHKey)
-	err := db.
-		Where("content like ?", sshKeyContent+"%").
-		First(&sshKey).Error
-
-	return sshKey, err
+func SSHKeyDoesExists(sshKeyContent string) (bool, error) {
+	var count int64
+	err := db.Model(&SSHKey{}).
+		Where("content = ?", sshKeyContent).
+		Count(&count).Error
+	return count > 0, err
 }

 func (sshKey *SSHKey) Create() error {
--- a/internal/db/user.go
+++ b/internal/db/user.go
@ -118,6 +118,15 @@ func GetUsersFromEmails(emailsSet map[string]struct{}) (map[string]*User, error)
 	return userMap, nil
 }

+func GetUserFromSSHKey(sshKey string) (*User, error) {
+	user := new(User)
+	err := db.
+		Joins("JOIN ssh_keys ON users.id = ssh_keys.user_id").
+		Where("ssh_keys.content = ?", sshKey).
+		First(&user).Error
+	return user, err
+}
+
 func SSHKeyExistsForUser(sshKey string, userId uint) (*SSHKey, error) {
 	key := new(SSHKey)
 	err := db.
--- a/internal/i18n/locales/en-US.yml
+++ b/internal/i18n/locales/en-US.yml
@ -126,6 +126,7 @@ settings.delete-ssh-key-confirm: Confirm deletion of SSH key
 settings.ssh-key-added-at: Added
 settings.ssh-key-never-used: Never used
 settings.ssh-key-last-used: Last used
+settings.ssh-key-exists: SSH key already exists
 settings.change-username: Change username
 settings.create-password: Create password
 settings.create-password-help: Create your password to login to Opengist via HTTP
--- a/internal/ssh/git_ssh.go
+++ b/internal/ssh/git_ssh.go
@ -50,11 +50,18 @@ func runGitCommand(ch ssh.Channel, gitCmd string, key string, ip string) error {
 	// - gist is not found (obfuscation)
 	// - admin setting to require login is set to true
 	if verb == "receive-pack" ||
-		gist.Private == 2 ||
+		gist.Private == db.PrivateVisibility ||
 		gist.ID == 0 ||
 		!allowUnauthenticated {

-		pubKey, err := db.SSHKeyExistsForUser(key, gist.UserID)
+		var userToCheckPermissions *db.User
+		if gist.Private != db.PrivateVisibility && verb == "upload-pack" {
+			userToCheckPermissions, _ = db.GetUserFromSSHKey(key)
+		} else {
+			userToCheckPermissions = &gist.User
+		}
+
+		pubKey, err := db.SSHKeyExistsForUser(key, userToCheckPermissions.ID)
 		if err != nil {
 			if errors.Is(err, gorm.ErrRecordNotFound) {
 				log.Warn().Msg("Invalid SSH authentication attempt from " + ip)
--- a/internal/ssh/run.go
+++ b/internal/ssh/run.go
@ -24,8 +24,8 @@ func Start() {
 	sshConfig := &ssh.ServerConfig{
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			strKey := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))
-			_, err := db.SSHKeyDoesExists(strKey)
-			if err != nil {
+			exists, err := db.SSHKeyDoesExists(strKey)
+			if !exists {
 				if !errors.Is(err, gorm.ErrRecordNotFound) {
 					return nil, err
 				}
--- a/internal/web/git_http.go
+++ b/internal/web/git_http.go
@ -73,7 +73,7 @@ func gitHttp(ctx echo.Context) error {

 			allow, err := auth.ShouldAllowUnauthenticatedGistAccess(ContextAuthInfo{ctx}, true)
 			if err != nil {
-				panic("impossible")
+				log.Fatal().Err(err).Msg("Cannot check if unauthenticated access is allowed")
 			}

 			// Shows basic auth if :
@ -105,7 +105,14 @@ func gitHttp(ctx echo.Context) error {
 					return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
 				}

-				if ok, err := utils.Argon2id.Verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
+				var userToCheckPermissions *db.User
+				if gist.Private != db.PrivateVisibility && isPull {
+					userToCheckPermissions, _ = db.GetUserByUsername(authUsername)
+				} else {
+					userToCheckPermissions = &gist.User
+				}
+
+				if ok, err := utils.Argon2id.Verify(authPassword, userToCheckPermissions.Password); !ok {
 					if err != nil {
 						return errorRes(500, "Cannot verify password", err)
 					}
--- a/internal/web/server.go
+++ b/internal/web/server.go
@ -161,12 +161,12 @@ type Server struct {
 	dev  bool
 }

-func NewServer(isDev bool) *Server {
+func NewServer(isDev bool, sessionsPath string) *Server {
 	dev = isDev
 	flashStore = sessions.NewCookieStore([]byte("opengist"))
-	userStore = sessions.NewFilesystemStore(path.Join(config.GetHomeDir(), "sessions"),
-		utils.ReadKey(path.Join(config.GetHomeDir(), "sessions", "session-auth.key")),
-		utils.ReadKey(path.Join(config.GetHomeDir(), "sessions", "session-encrypt.key")),
+	userStore = sessions.NewFilesystemStore(sessionsPath,
+		utils.ReadKey(path.Join(sessionsPath, "session-auth.key")),
+		utils.ReadKey(path.Join(sessionsPath, "session-encrypt.key")),
 	)
 	userStore.MaxLength(10 * 1024)
 	gothic.Store = userStore
@ -526,7 +526,7 @@ func makeCheckRequireLogin(isSingleGistAccess bool) echo.MiddlewareFunc {

 			allow, err := auth.ShouldAllowUnauthenticatedGistAccess(ContextAuthInfo{ctx}, isSingleGistAccess)
 			if err != nil {
-				panic("impossible")
+				log.Fatal().Err(err).Msg("Failed to check if unauthenticated access is allowed")
 			}

 			if !allow {
--- a/internal/web/settings.go
+++ b/internal/web/settings.go
@ -89,6 +89,14 @@ func sshKeysProcess(ctx echo.Context) error {
 	}
 	key.Content = strings.TrimSpace(string(ssh.MarshalAuthorizedKey(pubKey)))

+	if exists, err := db.SSHKeyDoesExists(key.Content); exists {
+		if err != nil {
+			return errorRes(500, "Cannot check if SSH key exists", err)
+		}
+		addFlash(ctx, tr(ctx, "settings.ssh-key-exists"), "error")
+		return redirect(ctx, "/settings")
+	}
+
 	if err := key.Create(); err != nil {
 		return errorRes(500, "Cannot add SSH key", err)
 	}
--- a/internal/web/test/auth_test.go
+++ b/internal/web/test/auth_test.go
@ -1,8 +1,13 @@
 package test

 import (
+	"fmt"
 	"github.com/stretchr/testify/require"
+	"github.com/thomiceli/opengist/internal/config"
 	"github.com/thomiceli/opengist/internal/db"
+	"os"
+	"os/exec"
+	"path"
 	"testing"
 )

@ -147,3 +152,167 @@ func TestAnonymous(t *testing.T) {
 	require.NoError(t, err)

 }
+
+func TestGitOperations(t *testing.T) {
+	setup(t)
+	s, err := newTestServer()
+	require.NoError(t, err, "Failed to create test server")
+	defer teardown(t, s)
+
+	admin := db.UserDTO{Username: "thomas", Password: "thomas"}
+	register(t, s, admin)
+	s.sessionCookie = ""
+	register(t, s, db.UserDTO{Username: "fujiwara", Password: "fujiwara"})
+	s.sessionCookie = ""
+	register(t, s, db.UserDTO{Username: "kaguya", Password: "kaguya"})
+
+	gist1 := db.GistDTO{
+		Title:       "kaguya-pub-gist",
+		URL:         "kaguya-pub-gist",
+		Description: "kaguya's first gist",
+		VisibilityDTO: db.VisibilityDTO{
+			Private: db.PublicVisibility,
+		},
+		Name: []string{"kaguya-file.txt"},
+		Content: []string{
+			"yeah",
+		},
+	}
+	err = s.request("POST", "/", gist1, 302)
+	require.NoError(t, err)
+
+	gist2 := db.GistDTO{
+		Title:       "kaguya-unl-gist",
+		URL:         "kaguya-unl-gist",
+		Description: "kaguya's second gist",
+		VisibilityDTO: db.VisibilityDTO{
+			Private: db.UnlistedVisibility,
+		},
+		Name: []string{"kaguya-file.txt"},
+		Content: []string{
+			"cool",
+		},
+	}
+	err = s.request("POST", "/", gist2, 302)
+	require.NoError(t, err)
+
+	gist3 := db.GistDTO{
+		Title:       "kaguya-priv-gist",
+		URL:         "kaguya-priv-gist",
+		Description: "kaguya's second gist",
+		VisibilityDTO: db.VisibilityDTO{
+			Private: db.PrivateVisibility,
+		},
+		Name: []string{"kaguya-file.txt"},
+		Content: []string{
+			"super",
+		},
+	}
+	err = s.request("POST", "/", gist3, 302)
+	require.NoError(t, err)
+
+	gitOperations := func(credentials, owner, url, filename string, expectErrorClone, expectErrorCheck, expectErrorPush bool) {
+		fmt.Println("Testing", credentials, url, expectErrorClone, expectErrorCheck, expectErrorPush)
+		err := clientGitClone(credentials, owner, url)
+		if expectErrorClone {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+		err = clientCheckRepo(url, filename)
+		if expectErrorCheck {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+		err = clientGitPush(url)
+		if expectErrorPush {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+	}
+
+	tests := []struct {
+		credentials      string
+		user             string
+		url              string
+		expectErrorClone bool
+		expectErrorCheck bool
+		expectErrorPush  bool
+	}{
+		{":", "kaguya", "kaguya-pub-gist", false, false, true},
+		{":", "kaguya", "kaguya-unl-gist", false, false, true},
+		{":", "kaguya", "kaguya-priv-gist", true, true, true},
+		{"kaguya:kaguya", "kaguya", "kaguya-pub-gist", false, false, false},
+		{"kaguya:kaguya", "kaguya", "kaguya-unl-gist", false, false, false},
+		{"kaguya:kaguya", "kaguya", "kaguya-priv-gist", false, false, false},
+		{"fujiwara:fujiwara", "kaguya", "kaguya-pub-gist", false, false, true},
+		{"fujiwara:fujiwara", "kaguya", "kaguya-unl-gist", false, false, true},
+		{"fujiwara:fujiwara", "kaguya", "kaguya-priv-gist", true, true, true},
+	}
+
+	for _, test := range tests {
+		gitOperations(test.credentials, test.user, test.url, "kaguya-file.txt", test.expectErrorClone, test.expectErrorCheck, test.expectErrorPush)
+	}
+
+	login(t, s, admin)
+	err = s.request("PUT", "/admin-panel/set-config", settingSet{"require-login", "1"}, 200)
+	require.NoError(t, err)
+
+	testsRequireLogin := []struct {
+		credentials      string
+		user             string
+		url              string
+		expectErrorClone bool
+		expectErrorCheck bool
+		expectErrorPush  bool
+	}{
+		{":", "kaguya", "kaguya-pub-gist", true, true, true},
+		{":", "kaguya", "kaguya-unl-gist", true, true, true},
+		{":", "kaguya", "kaguya-priv-gist", true, true, true},
+		{"kaguya:kaguya", "kaguya", "kaguya-pub-gist", false, false, false},
+		{"kaguya:kaguya", "kaguya", "kaguya-unl-gist", false, false, false},
+		{"kaguya:kaguya", "kaguya", "kaguya-priv-gist", false, false, false},
+		{"fujiwara:fujiwara", "kaguya", "kaguya-pub-gist", false, false, true},
+		{"fujiwara:fujiwara", "kaguya", "kaguya-unl-gist", false, false, true},
+		{"fujiwara:fujiwara", "kaguya", "kaguya-priv-gist", true, true, true},
+	}
+
+	for _, test := range testsRequireLogin {
+		gitOperations(test.credentials, test.user, test.url, "kaguya-file.txt", test.expectErrorClone, test.expectErrorCheck, test.expectErrorPush)
+	}
+
+	login(t, s, admin)
+	err = s.request("PUT", "/admin-panel/set-config", settingSet{"allow-gists-without-login", "1"}, 200)
+	require.NoError(t, err)
+
+	for _, test := range tests {
+		gitOperations(test.credentials, test.user, test.url, "kaguya-file.txt", test.expectErrorClone, test.expectErrorCheck, test.expectErrorPush)
+	}
+}
+
+func clientGitClone(creds string, user string, url string) error {
+	return exec.Command("git", "clone", "http://"+creds+"@localhost:6157/"+user+"/"+url, path.Join(config.GetHomeDir(), "tmp", url)).Run()
+}
+
+func clientGitPush(url string) error {
+	f, err := os.Create(path.Join(config.GetHomeDir(), "tmp", url, "newfile.txt"))
+	if err != nil {
+		return err
+	}
+	f.Close()
+
+	_ = exec.Command("git", "-C", path.Join(config.GetHomeDir(), "tmp", url), "add", "newfile.txt").Run()
+	_ = exec.Command("git", "-C", path.Join(config.GetHomeDir(), "tmp", url), "commit", "-m", "new file").Run()
+	err = exec.Command("git", "-C", path.Join(config.GetHomeDir(), "tmp", url), "push", "origin", "master").Run()
+
+	_ = os.RemoveAll(path.Join(config.GetHomeDir(), "tmp", url))
+
+	return err
+}
+
+func clientCheckRepo(url string, file string) error {
+	_, err := os.ReadFile(path.Join(config.GetHomeDir(), "tmp", url, file))
+	return err
+}
--- a/internal/web/test/server.go
+++ b/internal/web/test/server.go
@ -31,7 +31,7 @@ type testServer struct {

 func newTestServer() (*testServer, error) {
 	s := &testServer{
-		server: web.NewServer(true),
+		server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions")),
 	}

 	go s.start()
@ -149,7 +149,7 @@ func setup(t *testing.T) {
 	homePath := config.GetHomeDir()
 	log.Info().Msg("Data directory: " + homePath)

-	err = os.MkdirAll(filepath.Join(homePath, "sessions"), 0755)
+	err = os.MkdirAll(filepath.Join(homePath, "tmp", "sessions"), 0755)
 	require.NoError(t, err, "Could not create sessions directory")

 	err = os.MkdirAll(filepath.Join(homePath, "tmp", "repos"), 0755)
@ -177,6 +177,9 @@ func teardown(t *testing.T, s *testServer) {
 	err = os.RemoveAll(path.Join(config.GetHomeDir(), "tmp", "repos"))
 	require.NoError(t, err, "Could not remove repos directory")

+	err = os.RemoveAll(path.Join(config.GetHomeDir(), "tmp", "sessions"))
+	require.NoError(t, err, "Could not remove repos directory")
+
 	// err = os.RemoveAll(path.Join(config.C.OpengistHome, "testsindex"))
 	// require.NoError(t, err, "Could not remove repos directory")