diff --git a/integrations/api_keys_test.go b/integrations/api_keys_test.go
index 8e2b6d3fbf..b2ae1035ce 100644
--- a/integrations/api_keys_test.go
+++ b/integrations/api_keys_test.go
@@ -5,9 +5,11 @@
package integrations
import (
+ "fmt"
"net/http"
"testing"
+ "code.gitea.io/gitea/models"
api "code.gitea.io/sdk/gitea"
)
@@ -37,3 +39,54 @@ func TestDeleteDeployKeyNoLogin(t *testing.T) {
req := NewRequest(t, "DELETE", "/api/v1/repos/user2/repo1/keys/1")
MakeRequest(t, req, http.StatusUnauthorized)
}
+
+func TestCreateReadOnlyDeployKey(t *testing.T) {
+ prepareTestEnv(t)
+ repo := models.AssertExistsAndLoadBean(t, &models.Repository{Name: "repo1"}).(*models.Repository)
+ repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+
+ session := loginUser(t, repoOwner.Name)
+
+ keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys", repoOwner.Name, repo.Name)
+ rawKeyBody := api.CreateKeyOption{
+ Title: "read-only",
+ Key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
+ ReadOnly: true,
+ }
+ req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+ resp := session.MakeRequest(t, req, http.StatusCreated)
+
+ var newDeployKey api.DeployKey
+ DecodeJSON(t, resp, &newDeployKey)
+ models.AssertExistsAndLoadBean(t, &models.DeployKey{
+ ID: newDeployKey.ID,
+ Name: rawKeyBody.Title,
+ Content: rawKeyBody.Key,
+ Mode: models.AccessModeRead,
+ })
+}
+
+func TestCreateReadWriteDeployKey(t *testing.T) {
+ prepareTestEnv(t)
+ repo := models.AssertExistsAndLoadBean(t, &models.Repository{Name: "repo1"}).(*models.Repository)
+ repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+
+ session := loginUser(t, repoOwner.Name)
+
+ keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys", repoOwner.Name, repo.Name)
+ rawKeyBody := api.CreateKeyOption{
+ Title: "read-write",
+ Key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsufOCrDDlT8DLkodnnJtbq7uGflcPae7euTfM+Laq4So+v4WeSV362Rg0O/+Sje1UthrhN6lQkfRkdWIlCRQEXg+LMqr6RhvDfZquE2Xwqv/itlz7LjbdAUdYoO1iH7rMSmYvQh4WEnC/DAacKGbhdGIM/ZBz0z6tHm7bPgbI9ykEKekTmPwQFP1Qebvf5NYOFMWqQ2sCEAI9dBMVLoojsIpV+KADf+BotiIi8yNfTG2rzmzpxBpW9fYjd1Sy1yd4NSUpoPbEJJYJ1TrjiSWlYOVq9Ar8xW1O87i6gBjL/3zN7ANeoYhaAXupdOS6YL22YOK/yC0tJtXwwdh/eSrh",
+ }
+ req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+ resp := session.MakeRequest(t, req, http.StatusCreated)
+
+ var newDeployKey api.DeployKey
+ DecodeJSON(t, resp, &newDeployKey)
+ models.AssertExistsAndLoadBean(t, &models.DeployKey{
+ ID: newDeployKey.ID,
+ Name: rawKeyBody.Title,
+ Content: rawKeyBody.Key,
+ Mode: models.AccessModeWrite,
+ })
+}
diff --git a/models/fixtures/deploy_key.yml b/models/fixtures/deploy_key.yml
new file mode 100644
index 0000000000..ca780a73aa
--- /dev/null
+++ b/models/fixtures/deploy_key.yml
@@ -0,0 +1 @@
+[] # empty
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 90f286056f..37f3717ff4 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -162,6 +162,8 @@ var migrations = []Migration{
NewMigration("add reactions", addReactions),
// v54 -> v55
NewMigration("add pull request options", addPullRequestOptions),
+ // v55 -> v56
+ NewMigration("add writable deploy keys", addModeToDeploKeys),
}
// Migrate database to current version
diff --git a/models/migrations/v55.go b/models/migrations/v55.go
new file mode 100644
index 0000000000..32f4e8ac04
--- /dev/null
+++ b/models/migrations/v55.go
@@ -0,0 +1,23 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+ "fmt"
+
+ "code.gitea.io/gitea/models"
+ "github.com/go-xorm/xorm"
+)
+
+func addModeToDeploKeys(x *xorm.Engine) error {
+ type DeployKey struct {
+ Mode models.AccessMode `xorm:"NOT NULL DEFAULT 1"`
+ }
+
+ if err := x.Sync2(new(DeployKey)); err != nil {
+ return fmt.Errorf("Sync2: %v", err)
+ }
+ return nil
+}
diff --git a/models/ssh_key.go b/models/ssh_key.go
index 4d276ebeb7..2878177d44 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -600,6 +600,8 @@ type DeployKey struct {
Fingerprint string
Content string `xorm:"-"`
+ Mode AccessMode `xorm:"NOT NULL DEFAULT 1"`
+
CreatedUnix util.TimeStamp `xorm:"created"`
UpdatedUnix util.TimeStamp `xorm:"updated"`
HasRecentActivity bool `xorm:"-"`
@@ -622,6 +624,11 @@ func (key *DeployKey) GetContent() error {
return nil
}
+// IsReadOnly checks if the key can only be used for read operations
+func (key *DeployKey) IsReadOnly() bool {
+ return key.Mode == AccessModeRead
+}
+
func checkDeployKey(e Engine, keyID, repoID int64, name string) error {
// Note: We want error detail, not just true or false here.
has, err := e.
@@ -646,7 +653,7 @@ func checkDeployKey(e Engine, keyID, repoID int64, name string) error {
}
// addDeployKey adds new key-repo relation.
-func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string) (*DeployKey, error) {
+func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string, mode AccessMode) (*DeployKey, error) {
if err := checkDeployKey(e, keyID, repoID, name); err != nil {
return nil, err
}
@@ -656,6 +663,7 @@ func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string
RepoID: repoID,
Name: name,
Fingerprint: fingerprint,
+ Mode: mode,
}
_, err := e.Insert(key)
return key, err
@@ -670,15 +678,20 @@ func HasDeployKey(keyID, repoID int64) bool {
}
// AddDeployKey add new deploy key to database and authorized_keys file.
-func AddDeployKey(repoID int64, name, content string) (*DeployKey, error) {
+func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey, error) {
fingerprint, err := calcFingerprint(content)
if err != nil {
return nil, err
}
+ accessMode := AccessModeRead
+ if !readOnly {
+ accessMode = AccessModeWrite
+ }
+
pkey := &PublicKey{
Fingerprint: fingerprint,
- Mode: AccessModeRead,
+ Mode: accessMode,
Type: KeyTypeDeploy,
}
has, err := x.Get(pkey)
@@ -701,7 +714,7 @@ func AddDeployKey(repoID int64, name, content string) (*DeployKey, error) {
}
}
- key, err := addDeployKey(sess, pkey.ID, repoID, name, pkey.Fingerprint)
+ key, err := addDeployKey(sess, pkey.ID, repoID, name, pkey.Fingerprint, accessMode)
if err != nil {
return nil, fmt.Errorf("addDeployKey: %v", err)
}
diff --git a/modules/auth/user_form.go b/modules/auth/user_form.go
index ab0bb1e7dd..d913822a8d 100644
--- a/modules/auth/user_form.go
+++ b/modules/auth/user_form.go
@@ -169,9 +169,10 @@ func (f *AddOpenIDForm) Validate(ctx *macaron.Context, errs binding.Errors) bind
// AddKeyForm form for adding SSH/GPG key
type AddKeyForm struct {
- Type string `binding:"OmitEmpty"`
- Title string `binding:"Required;MaxSize(50)"`
- Content string `binding:"Required"`
+ Type string `binding:"OmitEmpty"`
+ Title string `binding:"Required;MaxSize(50)"`
+ Content string `binding:"Required"`
+ IsWritable bool
}
// Validate validates the fields
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 4344a65774..a1cb077599 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -401,6 +401,8 @@ valid_until = Valid until
valid_forever = Valid forever
last_used = Last used on
no_activity = No recent activity
+can_read_info = Read
+can_write_info = Write
key_state_desc = This key has been used in the last 7 days
token_state_desc = This token has been used in the last 7 days
show_openid = Show on profile
@@ -995,6 +997,8 @@ settings.add_dingtalk_hook_desc = Add Dingtalk integration to y
settings.deploy_keys = Deploy Keys
settings.add_deploy_key = Add Deploy Key
settings.deploy_key_desc = Deploy keys have read-only access. They are not the same as personal account SSH keys.
+settings.is_writable = Allow write access
+settings.is_writable_info = Can this key be used to push to this repository? Deploy keys always have pull access.
settings.no_deploy_keys = You haven't added any deploy keys.
settings.title = Title
settings.deploy_key_content = Content
diff --git a/routers/api/v1/repo/key.go b/routers/api/v1/repo/key.go
index 42082c3561..a3586d2552 100644
--- a/routers/api/v1/repo/key.go
+++ b/routers/api/v1/repo/key.go
@@ -160,7 +160,7 @@ func CreateDeployKey(ctx *context.APIContext, form api.CreateKeyOption) {
return
}
- key, err := models.AddDeployKey(ctx.Repo.Repository.ID, form.Title, content)
+ key, err := models.AddDeployKey(ctx.Repo.Repository.ID, form.Title, content, form.ReadOnly)
if err != nil {
HandleAddKeyError(ctx, err)
return
diff --git a/routers/repo/setting.go b/routers/repo/setting.go
index 342451b8ad..d7a61ba268 100644
--- a/routers/repo/setting.go
+++ b/routers/repo/setting.go
@@ -544,7 +544,7 @@ func DeployKeysPost(ctx *context.Context, form auth.AddKeyForm) {
return
}
- key, err := models.AddDeployKey(ctx.Repo.Repository.ID, form.Title, content)
+ key, err := models.AddDeployKey(ctx.Repo.Repository.ID, form.Title, content, !form.IsWritable)
if err != nil {
ctx.Data["HasError"] = true
switch {
diff --git a/routers/repo/settings_test.go b/routers/repo/settings_test.go
new file mode 100644
index 0000000000..392c05f773
--- /dev/null
+++ b/routers/repo/settings_test.go
@@ -0,0 +1,61 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package repo
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/auth"
+ "code.gitea.io/gitea/modules/test"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestAddReadOnlyDeployKey(t *testing.T) {
+ models.PrepareTestEnv(t)
+
+ ctx := test.MockContext(t, "user2/repo1/settings/keys")
+
+ test.LoadUser(t, ctx, 2)
+ test.LoadRepo(t, ctx, 2)
+
+ addKeyForm := auth.AddKeyForm{
+ Title: "read-only",
+ Content: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
+ }
+ DeployKeysPost(ctx, addKeyForm)
+ assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
+
+ models.AssertExistsAndLoadBean(t, &models.DeployKey{
+ Name: addKeyForm.Title,
+ Content: addKeyForm.Content,
+ Mode: models.AccessModeRead,
+ })
+}
+
+func TestAddReadWriteOnlyDeployKey(t *testing.T) {
+ models.PrepareTestEnv(t)
+
+ ctx := test.MockContext(t, "user2/repo1/settings/keys")
+
+ test.LoadUser(t, ctx, 2)
+ test.LoadRepo(t, ctx, 2)
+
+ addKeyForm := auth.AddKeyForm{
+ Title: "read-write",
+ Content: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
+ IsWritable: true,
+ }
+ DeployKeysPost(ctx, addKeyForm)
+ assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
+
+ models.AssertExistsAndLoadBean(t, &models.DeployKey{
+ Name: addKeyForm.Title,
+ Content: addKeyForm.Content,
+ Mode: models.AccessModeWrite,
+ })
+}
diff --git a/templates/repo/settings/deploy_keys.tmpl b/templates/repo/settings/deploy_keys.tmpl
index 3b22be532b..f19055f2b5 100644
--- a/templates/repo/settings/deploy_keys.tmpl
+++ b/templates/repo/settings/deploy_keys.tmpl
@@ -31,7 +31,7 @@
{{.Fingerprint}}
- {{$.i18n.Tr "settings.add_on"}} {{.CreatedUnix.FormatShort}} — {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} {{.UpdatedUnix.FormatShort}}{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}
+ {{$.i18n.Tr "settings.add_on"}} {{.CreatedUnix.FormatShort}} — {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} {{.UpdatedUnix.FormatShort}}{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}} - {{$.i18n.Tr "settings.can_read_info"}}{{if not .IsReadOnly}} / {{$.i18n.Tr "settings.can_write_info"}} {{end}}
@@ -60,6 +60,15 @@
+
+
+
+
+ {{$.i18n.Tr "repo.settings.is_writable_info" | Str2html}}
+
+