Add an option to automatically verify SSH keys from LDAP
This commit is contained in:
parent
e31f224ad2
commit
1228de7ce3
@ -94,6 +94,10 @@ func commonLdapCLIFlags() []cli.Flag {
|
||||
Name: "public-ssh-key-attribute",
|
||||
Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
|
||||
},
|
||||
&cli.BoolFlag{
|
||||
Name: "ssh-keys-are-verified",
|
||||
Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
|
||||
},
|
||||
&cli.BoolFlag{
|
||||
Name: "skip-local-2fa",
|
||||
Usage: "Set to true to skip local 2fa for users authenticated by this source",
|
||||
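Review bot: The `Usage` text for `ssh-keys-are-verified` says what the flag does mechanically but not what "verified" grants, so an administrator can enable it without realising the directory is being trusted in place of the user proving key ownership. Elsewhere in this commit the commit-signature test has to set `Verified: true` before a signature is accepted, which suggests verified keys are trusted for commit signing. The help text should say so: `Usage: "Set to true to automatically flag SSH keys from LDAP as verified (trusted as proof of ownership, e.g. for commit signature checks). Enable only when the directory is the authoritative source of users' keys.",`. commonLdapCLIFlags continues past the hunk.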
@ -294,6 +298,9 @@ func parseLdapConfig(c *cli.Command, config *ldap.Source) error {
|
||||
if c.IsSet("public-ssh-key-attribute") {
|
||||
config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
|
||||
}
|
||||
if c.IsSet("ssh-keys-are-verified") {
|
||||
config.SSHKeysAreVerified = c.Bool("ssh-keys-are-verified")
|
||||
}
|
||||
if c.IsSet("avatar-attribute") {
|
||||
config.AttributeAvatar = c.String("avatar-attribute")
|
||||
}
|
||||
|
||||
@ -84,7 +84,7 @@ func addKey(ctx context.Context, key *PublicKey) (err error) {
|
||||
}
|
||||
|
||||
// AddPublicKey adds new public key to database and authorized_keys file.
|
||||
func AddPublicKey(ctx context.Context, ownerID int64, name, content string, authSourceID int64) (*PublicKey, error) {
|
||||
func AddPublicKey(ctx context.Context, ownerID int64, name, content string, authSourceID int64, verified bool) (*PublicKey, error) {
|
||||
log.Trace(content)
|
||||
|
||||
fingerprint, err := CalcFingerprint(content)
|
||||
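Review bot: The new `verified` parameter on `AddPublicKey` is undocumented; the header comment still describes only the database and authorized_keys write. In this commit every interactive caller passes `false` and only the LDAP source forwards its `SSHKeysAreVerified` setting, so the contract belongs here, next to where the flag is stored: add `// verified stores the key as already verified. Pass true only for keys taken from a trusted source (an LDAP source with SSHKeysAreVerified enabled); user-supplied keys must be added unverified.` after the existing comment. The body of AddPublicKey continues past the hunk.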
@ -115,6 +115,7 @@ func AddPublicKey(ctx context.Context, ownerID int64, name, content string, auth
|
||||
Mode: perm.AccessModeWrite,
|
||||
Type: KeyTypeUser,
|
||||
LoginSourceID: authSourceID,
|
||||
Verified: verified,
|
||||
}
|
||||
if err = addKey(ctx, key); err != nil {
|
||||
return nil, fmt.Errorf("addKey: %w", err)
|
||||
@ -298,7 +299,7 @@ func deleteKeysMarkedForDeletion(ctx context.Context, keys []string) (bool, erro
|
||||
}
|
||||
|
||||
// AddPublicKeysBySource add a users public keys. Returns true if there are changes.
|
||||
func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
|
||||
func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string, verified bool) bool {
|
||||
var sshKeysNeedUpdate bool
|
||||
for _, sshKey := range sshPublicKeys {
|
||||
var err error
|
||||
@ -317,7 +318,7 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
|
||||
marshalled = marshalled[:len(marshalled)-1]
|
||||
sshKeyName := fmt.Sprintf("%s-%s", s.Name, ssh.FingerprintSHA256(out))
|
||||
|
||||
if _, err := AddPublicKey(ctx, usr.ID, sshKeyName, marshalled, s.ID); err != nil {
|
||||
if _, err := AddPublicKey(ctx, usr.ID, sshKeyName, marshalled, s.ID, verified); err != nil {
|
||||
if IsErrKeyAlreadyExist(err) {
|
||||
log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name)
|
||||
} else {
|
||||
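Review bot: `verified` only reaches keys that `AddPublicKey` creates: when the key already exists the `IsErrKeyAlreadyExist` branch logs and moves on, so enabling `SSHKeysAreVerified` on an existing LDAP source leaves previously synced keys unverified, and disabling it leaves them verified. If that is intended, say so on the branch: `// an existing key keeps its current verified flag; SSHKeysAreVerified only affects keys created here`. If not, the branch needs to update the existing key's `verified` column when it belongs to this user and source, which is not visible in the hunk. The loop body continues outside the hunk.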
@ -336,7 +337,7 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
|
||||
}
|
||||
|
||||
// SynchronizePublicKeys updates a user's public keys. Returns true if there are changes.
|
||||
func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
|
||||
func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string, verified bool) bool {
|
||||
var sshKeysNeedUpdate bool
|
||||
|
||||
log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
|
||||
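Review bot: The doc comment on `SynchronizePublicKeys` does not mention the new `verified` parameter, and as the later hunk of this function shows it is forwarded only for the keys added from `newKeys`, so keys that survive the sync keep whatever flag they already had. Extend the comment: `// verified is applied to keys newly added from sshPublicKeys; keys that already exist are left with their current verified flag.` The function body continues past the hunk.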
@ -381,7 +382,7 @@ func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.So
|
||||
newKeys = append(newKeys, key)
|
||||
}
|
||||
}
|
||||
if AddPublicKeysBySource(ctx, usr, s, newKeys) {
|
||||
if AddPublicKeysBySource(ctx, usr, s, newKeys, verified) {
|
||||
sshKeysNeedUpdate = true
|
||||
}
|
||||
|
||||
|
||||
@ -2950,6 +2950,7 @@ auths.attribute_surname=Atribut příjmení
|
||||
auths.attribute_mail=Atribut e-mailové adresy
|
||||
auths.attribute_ssh_public_key=Atribut veřejného SSH klíče
|
||||
auths.attribute_avatar=Atributy avataru
|
||||
auths.ssh_keys_are_verified=SSH klíče v LDAP jsou automaticky ověřovány.
|
||||
auths.attributes_in_bind=Získat atributy v kontextu Bind DN
|
||||
auths.allow_deactivate_all=Povolit prázdný výsledek hledání pro deaktivaci všech uživatelů
|
||||
auths.use_paged_search=Použijte vyhledávání ve stránce
|
||||
|
||||
@ -3000,6 +3000,7 @@ auths.attribute_surname=Nachnamensattribut
|
||||
auths.attribute_mail=E-Mail-Attribut
|
||||
auths.attribute_ssh_public_key=Öffentlicher-SSH-Schlüssel-Attribut
|
||||
auths.attribute_avatar=Avatar-Attribut
|
||||
auths.ssh_keys_are_verified=SSH-Schlüssel in LDAP werden automatisch überprüft
|
||||
auths.attributes_in_bind=Hole Attribute im Bind-Kontext
|
||||
auths.allow_deactivate_all=Erlaube ein leeres Suchergebnis, um alle Benutzer zu deaktivieren
|
||||
auths.use_paged_search=Seitensuche verwenden
|
||||
|
||||
@ -2692,6 +2692,7 @@ auths.attribute_surname=Χαρακτηριστικό Επωνύμου
|
||||
auths.attribute_mail=Χαρακτηριστικό Email
|
||||
auths.attribute_ssh_public_key=Χαρακτηριστικό Δημόσιου Κλειδιού SSH
|
||||
auths.attribute_avatar=Χαρακτηριστικό Εικόνας
|
||||
auths.ssh_keys_are_verified=Οι κλειδιά SSH στο LDAP ελέγχονται αυτόματα
|
||||
auths.attributes_in_bind=Λήψη χαρακτηριστικών μέσα στο πλαίσιο του Bind DN
|
||||
auths.allow_deactivate_all=Επιτρέψτε σε ένα κενό αποτέλεσμα αναζήτησης να απενεργοποιήσει όλους τους χρήστες
|
||||
auths.use_paged_search=Χρήση Σελιδοποιημένης Αναζήτησης
|
||||
|
||||
@ -3226,6 +3226,7 @@ auths.attribute_surname = Surname Attribute
|
||||
auths.attribute_mail = Email Attribute
|
||||
auths.attribute_ssh_public_key = Public SSH Key Attribute
|
||||
auths.attribute_avatar = Avatar Attribute
|
||||
auths.ssh_keys_are_verified = SSH keys in LDAP are automatically verified
|
||||
auths.attributes_in_bind = Fetch Attributes in Bind DN Context
|
||||
auths.allow_deactivate_all = Allow an empty search result to deactivate all users
|
||||
auths.use_paged_search = Use Paged Search
|
||||
|
||||
@ -2672,6 +2672,7 @@ auths.attribute_surname=Atributo apellido
|
||||
auths.attribute_mail=Atributo correo electrónico
|
||||
auths.attribute_ssh_public_key=Atributo Clave Pública SSH
|
||||
auths.attribute_avatar=Atributo del avatar
|
||||
auths.ssh_keys_are_verified=Las claves SSH en LDAP se verifican automáticamente
|
||||
auths.attributes_in_bind=Obtener atributos en el contexto de Bind DN
|
||||
auths.allow_deactivate_all=Permitir un resultado de búsqueda vacío para desactivar todos los usuarios
|
||||
auths.use_paged_search=Usar búsqueda paginada
|
||||
|
||||
@ -2111,6 +2111,7 @@ auths.attribute_surname=ویژگی نام خانوادگی
|
||||
auths.attribute_mail=ویژگی ایمیل
|
||||
auths.attribute_ssh_public_key=ویژگی های کلید SSH عمومی
|
||||
auths.attribute_avatar=ویژگی آواتار
|
||||
auths.ssh_keys_are_verified=کلیدهای SSH در LDAP به صورت خودکار تأیید میشوند.
|
||||
auths.attributes_in_bind=واکشی ویژگی های DN متصل شده در متن زمینه
|
||||
auths.allow_deactivate_all=به یک نتیجه جستجوی خالی اجازه دهید تا همه کاربران را غیرفعال کند
|
||||
auths.use_paged_search=استفاده از جستجو ثبت شده
|
||||
|
||||
@ -3226,6 +3226,7 @@ auths.attribute_surname=Attribut nom de famille
|
||||
auths.attribute_mail=Attribut courriel
|
||||
auths.attribute_ssh_public_key=Attribut clé SSH publique
|
||||
auths.attribute_avatar=Attribut de l'avatar
|
||||
auths.ssh_keys_are_verified=Les clés SSH dans LDAP sont vérifiées automatiquement
|
||||
auths.attributes_in_bind=Aller chercher les attributs dans le contexte de liaison DN
|
||||
auths.allow_deactivate_all=Permettre à un résultat de recherche vide de désactiver tous les utilisateurs
|
||||
auths.use_paged_search=Utiliser la recherche paginée
|
||||
|
||||
@ -3226,6 +3226,7 @@ auths.attribute_surname=Tréith Sloinne
|
||||
auths.attribute_mail=Tréith ríomhphoist
|
||||
auths.attribute_ssh_public_key=Tréith Eochair SSH Phoiblí
|
||||
auths.attribute_avatar=Tréith Avatar
|
||||
auths.ssh_keys_are_verified=Tá eochracha SSH i LDAP agus déantar díriú orthu go huathoibríoch
|
||||
auths.attributes_in_bind=Faigh tréithe i gComhthéacs Bind DN
|
||||
auths.allow_deactivate_all=Lig do thoradh cuardaigh folamh gach úsáideoir a dhíghníomhachtú
|
||||
auths.use_paged_search=Úsáid Cuardach Leathanaigh
|
||||
|
||||
@ -2278,6 +2278,7 @@ auths.attribute_surname=Attributo cognome
|
||||
auths.attribute_mail=Attributo email
|
||||
auths.attribute_ssh_public_key=Attributo chiave SSH pubblica
|
||||
auths.attribute_avatar=Attributo Avatar
|
||||
auths.ssh_keys_are_verified=Le chiavi SSH in LDAP vengono verificate automaticamente
|
||||
auths.attributes_in_bind=Estrai Attributi dal Contesto Bind DN
|
||||
auths.allow_deactivate_all=Consenti un risultato di ricerca vuoto per disattivare tutti gli utenti
|
||||
auths.use_paged_search=Utilizza ricerca per pagina
|
||||
|
||||
@ -3226,6 +3226,7 @@ auths.attribute_surname=姓
|
||||
auths.attribute_mail=メールアドレス
|
||||
auths.attribute_ssh_public_key=SSH公開鍵
|
||||
auths.attribute_avatar=アバター
|
||||
auths.ssh_keys_are_verified=LDAP内のSSHキーは自動的に検証されます
|
||||
auths.attributes_in_bind=バインドDNのコンテクストから属性を取得する
|
||||
auths.allow_deactivate_all=サーチ結果が空のときは全ユーザーを非アクティブ化
|
||||
auths.use_paged_search=ページ分割検索を使用
|
||||
|
||||
@ -1306,6 +1306,7 @@ auths.attribute_name=이름 속성
|
||||
auths.attribute_surname=성 속성
|
||||
auths.attribute_mail=이메일 속성
|
||||
auths.attribute_ssh_public_key=SSH 공개 키 속성
|
||||
auths.ssh_keys_are_verified=LDAP의 SSH 키는 자동으로 검증됩니다
|
||||
auths.use_paged_search=페이지 검색 사용
|
||||
auths.search_page_size=페이지 크기
|
||||
auths.filter=사용자 필터
|
||||
|
||||
@ -2693,6 +2693,7 @@ auths.attribute_surname=Uzvārda atribūts
|
||||
auths.attribute_mail=E-pasta atribūts
|
||||
auths.attribute_ssh_public_key=Publiskās SSH atslēgas atribūts
|
||||
auths.attribute_avatar=Profila attēla atribūts
|
||||
auths.ssh_keys_are_verified=SSH atslēgas LDAP tiek automātiski pārbaudītas
|
||||
auths.attributes_in_bind=Nolasīt atribūtus no saistīšanas DN konteksta
|
||||
auths.allow_deactivate_all=Atļaut tukšam datu izgūšanas rezultātam deaktivizēt visus lietotājus
|
||||
auths.use_paged_search=Izmantot, dalīto pa lapām, meklēšanu
|
||||
|
||||
@ -2160,6 +2160,7 @@ auths.attribute_name=Voornaam attribuut
|
||||
auths.attribute_surname=Achternaam attribuut
|
||||
auths.attribute_mail=E-mail attribuut
|
||||
auths.attribute_ssh_public_key=Publieke SSH sleutel attribuut
|
||||
auths.ssh_keys_are_verified=SSH-sleutels in LDAP worden automatisch geverifieerd
|
||||
auths.attributes_in_bind=Verkrijg attributes van de Bind DN context
|
||||
auths.allow_deactivate_all=Laat een leeg zoekresultaat toe om alle gebruikers te deactiveren
|
||||
auths.use_paged_search=Gebruik Paged Search
|
||||
|
||||
@ -2044,6 +2044,7 @@ auths.attribute_name=Atrybut imienia
|
||||
auths.attribute_surname=Atrybut nazwiska
|
||||
auths.attribute_mail=Atrybut adresu e-mail
|
||||
auths.attribute_ssh_public_key=Atrybut publicznego klucza SSH
|
||||
auths.ssh_keys_are_verified=Klucze SSH w LDAP są automatycznie weryfikowane
|
||||
auths.attributes_in_bind=Pobierz atrybuty w kontekście Bind DN
|
||||
auths.allow_deactivate_all=Zezwól na pusty wynik wyszukiwania, aby zdezaktywować wszystkich użytkowników
|
||||
auths.use_paged_search=Użyj wyszukiwania paginowanego
|
||||
|
||||
@ -2992,6 +2992,7 @@ auths.attribute_mail=Atributo do E-mail
|
||||
auths.attribute_ssh_public_key=Atributo da Chave SSH Pública
|
||||
auths.attribute_avatar=Atributo do Avatar
|
||||
auths.attributes_in_bind=Buscar os atributos no contexto de Bind DN
|
||||
auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
|
||||
auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio para desativar todos os usuários
|
||||
auths.use_paged_search=Usar a Pesquisa Paginada
|
||||
auths.search_page_size=Tamanho da Página
|
||||
|
||||
@ -3226,6 +3226,7 @@ auths.attribute_surname=Atributo do Sobrenome
|
||||
auths.attribute_mail=Atributo do email
|
||||
auths.attribute_ssh_public_key=Atributo da chave pública SSH
|
||||
auths.attribute_avatar=Atributo do avatar
|
||||
auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
|
||||
auths.attributes_in_bind=Buscar atributos no contexto do Bind DN
|
||||
auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio desabilite todos os utilizadores
|
||||
auths.use_paged_search=Usar pesquisa paginada
|
||||
|
||||
@ -2646,6 +2646,7 @@ auths.attribute_surname=Атрибут Surname
|
||||
auths.attribute_mail=Атрибут электронной почты
|
||||
auths.attribute_ssh_public_key=Атрибут Открытый ключ SSH
|
||||
auths.attribute_avatar=Характеристики аватара
|
||||
auths.ssh_keys_are_verified=Ключи SSH автоматически верифицированы
|
||||
auths.attributes_in_bind=Извлекать атрибуты в контексте Bind DN
|
||||
auths.allow_deactivate_all=Разрешить пустой результат поиска для отключения всех пользователей
|
||||
auths.use_paged_search=Использовать постраничный поиск
|
||||
|
||||
@ -2074,6 +2074,7 @@ auths.attribute_surname=වාසගම ගුණාංග
|
||||
auths.attribute_mail=ඊ-තැපැල් ගුණාංග
|
||||
auths.attribute_ssh_public_key=රාජ්ය SSH කී ගුණාංගය
|
||||
auths.attribute_avatar=අවතාර් ගුණාංග
|
||||
auths.ssh_keys_are_verified=LDAP හි SSH යතුරු ස්වයංක්රීයව සත්යාපනය කරනු ලැබේ
|
||||
auths.attributes_in_bind=ඩී. එන් සන්දර්භය තුළ ඇති ගුණාංග
|
||||
auths.allow_deactivate_all=සියලුම පරිශීලකයින් අක්රිය කිරීමට හිස් සෙවුම් ප්රති result ලයකට ඉඩ දෙන්න
|
||||
auths.use_paged_search=භාවිතා කරන්න paged සොයන්න
|
||||
|
||||
@ -1697,6 +1697,7 @@ auths.attribute_name=Förnamnsattribut
|
||||
auths.attribute_surname=Efternamnsattribut
|
||||
auths.attribute_mail=Mejlattribut
|
||||
auths.attribute_ssh_public_key=Attribut för offentlig SSH-nyckel
|
||||
auths.ssh_keys_are_verified=SSH-nycklar i LDAP verifieras automatiskt
|
||||
auths.attributes_in_bind=Hämta attribut ur Bind DN Context
|
||||
auths.use_paged_search=Använd paginerad sökning
|
||||
auths.search_page_size=Sidstorlek
|
||||
|
||||
@ -3220,6 +3220,7 @@ auths.attribute_surname=Soyad Özelliği
|
||||
auths.attribute_mail=E-posta Özelliği
|
||||
auths.attribute_ssh_public_key=Açık SSH Anahtarı Özelliği
|
||||
auths.attribute_avatar=Avatar Özelliği
|
||||
auths.ssh_keys_are_verified=LDAP'teki SSH anahtarları otomatik olarak doğrulanır.
|
||||
auths.attributes_in_bind=Bağlı DN tabanındaki özellikleri çek
|
||||
auths.allow_deactivate_all=Boş bir arama sonucunun tüm kullanıcıları devre dışı bırakmasına izin ver
|
||||
auths.use_paged_search=Sayfalı Aramayı Kullan
|
||||
|
||||
@ -2842,6 +2842,7 @@ auths.attribute_surname=Властивості прізвища
|
||||
auths.attribute_mail=Властивості електронної пошти
|
||||
auths.attribute_ssh_public_key=Властивості публічного ключа SSH
|
||||
auths.attribute_avatar=Властивості аватару
|
||||
auths.ssh_keys_are_verified=SSH-ключі в LDAP автоматично перевіряються
|
||||
auths.attributes_in_bind=Витягувати атрибути в контексті Bind DN
|
||||
auths.allow_deactivate_all=Дозволити порожній результат пошуку, щоб деактивувати всіх користувачів
|
||||
auths.use_paged_search=Використовувати посторінковий пошук
|
||||
|
||||
@ -3224,6 +3224,7 @@ auths.attribute_surname=姓氏属性
|
||||
auths.attribute_mail=电子邮箱属性
|
||||
auths.attribute_ssh_public_key=SSH公钥属性
|
||||
auths.attribute_avatar=头像属性
|
||||
auths.ssh_keys_are_verified=LDAP 中的 SSH 密钥会自动验证
|
||||
auths.attributes_in_bind=从 Bind DN 中拉取属性信息
|
||||
auths.allow_deactivate_all=允许在搜索结果为空时停用所有用户
|
||||
auths.use_paged_search=使用分页搜索
|
||||
|
||||
@ -2927,6 +2927,7 @@ auths.attribute_surname=姓氏屬性
|
||||
auths.attribute_mail=電子郵件屬性
|
||||
auths.attribute_ssh_public_key=SSH 公鑰屬性
|
||||
auths.attribute_avatar=大頭貼屬性
|
||||
auths.ssh_keys_are_verified=LDAP 中的 SSH 密鑰會自動驗證
|
||||
auths.attributes_in_bind=從 Bind DN 中取得屬性資訊
|
||||
auths.allow_deactivate_all=允許在搜尋結果為空白時停用所有使用者帳戶
|
||||
auths.use_paged_search=使用分頁查詢
|
||||
|
||||
@ -211,7 +211,7 @@ func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid
|
||||
return
|
||||
}
|
||||
|
||||
key, err := asymkey_model.AddPublicKey(ctx, uid, form.Title, content, 0)
|
||||
key, err := asymkey_model.AddPublicKey(ctx, uid, form.Title, content, 0, false)
|
||||
if err != nil {
|
||||
repo.HandleAddKeyError(ctx, err)
|
||||
return
|
||||
|
||||
@ -136,6 +136,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
|
||||
AttributesInBind: form.AttributesInBind,
|
||||
AttributeSSHPublicKey: form.AttributeSSHPublicKey,
|
||||
AttributeAvatar: form.AttributeAvatar,
|
||||
SSHKeysAreVerified: form.SSHKeysAreVerified,
|
||||
SearchPageSize: pageSize,
|
||||
Filter: form.Filter,
|
||||
GroupsEnabled: form.GroupsEnabled,
|
||||
|
||||
@ -86,7 +86,7 @@ func oauth2UpdateSSHPubIfNeed(ctx *context.Context, authSource *auth.Source, got
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !asymkey_model.SynchronizePublicKeys(ctx, user, authSource, sshKeys) {
|
||||
if !asymkey_model.SynchronizePublicKeys(ctx, user, authSource, sshKeys, false) {
|
||||
return nil
|
||||
}
|
||||
return asymkey_service.RewriteAllPublicKeys(ctx)
|
||||
|
||||
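Review bot: `oauth2UpdateSSHPubIfNeed` hard-codes `false`, so keys synced from an OAuth2 provider are never auto-verified even though they arrive from an external source much like the LDAP keys this commit allows to be trusted. That may well be deliberate, since no equivalent setting is added for OAuth2 here, but it is a silent decision; a comment on the call makes it explicit: `// keys supplied by an OAuth2 provider are never auto-verified; there is no SSHKeysAreVerified equivalent for this source type`. The function starts above the hunk.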
@ -187,7 +187,7 @@ func KeysPost(ctx *context.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
if _, err = asymkey_model.AddPublicKey(ctx, ctx.Doer.ID, form.Title, content, 0); err != nil {
|
||||
if _, err = asymkey_model.AddPublicKey(ctx, ctx.Doer.ID, form.Title, content, 0, false); err != nil {
|
||||
ctx.Data["HasSSHError"] = true
|
||||
switch {
|
||||
case asymkey_model.IsErrKeyAlreadyExist(err):
|
||||
|
||||
@ -31,7 +31,7 @@ func TestParseCommitWithSSHSignature(t *testing.T) {
|
||||
// AAAEDWqPHTH51xb4hy1y1f1VeWL/2A9Q0b6atOyv5fx8x5prpPrMXSg9qTx04jPNPWRcHs
|
||||
// utyxWjThIpzcaO68yWVnAAAAEXVzZXIyQGV4YW1wbGUuY29tAQIDBA==
|
||||
// -----END OPENSSH PRIVATE KEY-----
|
||||
sshPubKey, err := asymkey_model.AddPublicKey(t.Context(), 999, "user-ssh-key-any-name", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpPrMXSg9qTx04jPNPWRcHsutyxWjThIpzcaO68yWVn", 0)
|
||||
sshPubKey, err := asymkey_model.AddPublicKey(t.Context(), 999, "user-ssh-key-any-name", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpPrMXSg9qTx04jPNPWRcHsutyxWjThIpzcaO68yWVn", 0, false)
|
||||
require.NoError(t, err)
|
||||
_, err = db.GetEngine(t.Context()).ID(sshPubKey.ID).Cols("verified").Update(&asymkey_model.PublicKey{Verified: true})
|
||||
require.NoError(t, err)
|
||||
|
||||
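Review bot: The test still flags the key verified with a separate `Cols("verified").Update(...)` after `AddPublicKey(..., 0, false)`, although the new parameter can now produce that state directly by passing `true` as the last argument and dropping the update. Doing so also exercises the new code path instead of bypassing it. If the two-step form is kept on purpose, to mimic a key verified after creation, a comment should say that. TestParseCommitWithSSHSignature continues past the hunk.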
@ -66,7 +66,7 @@ ssh-dss AAAAB3NzaC1kc3MAAACBAOChCC7lf6Uo9n7BmZ6M8St19PZf4Tn59NriyboW2x/DZuYAz3ib
|
||||
|
||||
for i, kase := range testCases {
|
||||
s.ID = int64(i) + 20
|
||||
asymkey_model.AddPublicKeysBySource(t.Context(), user, s, []string{kase.keyString})
|
||||
asymkey_model.AddPublicKeysBySource(t.Context(), user, s, []string{kase.keyString}, false)
|
||||
keys, err := db.Find[asymkey_model.PublicKey](t.Context(), asymkey_model.FindPublicKeyOptions{
|
||||
OwnerID: user.ID,
|
||||
LoginSourceID: s.ID,
|
||||
|
||||
@ -44,6 +44,7 @@ type Source struct {
|
||||
AttributesInBind bool // fetch attributes in bind context (not user)
|
||||
AttributeSSHPublicKey string // LDAP SSH Public Key attribute
|
||||
AttributeAvatar string
|
||||
SSHKeysAreVerified bool // true if SSH keys in LDAP are verified
|
||||
SearchPageSize uint32 // Search with paging page size
|
||||
Filter string // Query filter to validate entry
|
||||
AdminFilter string // Query filter to check if user is admin
|
||||
|
||||
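Review bot: The field comment `// true if SSH keys in LDAP are verified` restates the name rather than the effect, and the value is passed straight through as the stored `Verified` flag of every key the source imports. Make the consequence visible where the option is defined: `SSHKeysAreVerified bool // store keys read from AttributeSSHPublicKey as verified, i.e. trusted as proof of ownership; enable only when the directory is authoritative for users' keys`. The struct continues outside the hunk.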
@ -73,7 +73,7 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
|
||||
}
|
||||
|
||||
if user != nil {
|
||||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, user, source.AuthSource, sr.SSHPublicKey) {
|
||||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, user, source.AuthSource, sr.SSHPublicKey, source.SSHKeysAreVerified) {
|
||||
if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {
|
||||
return user, err
|
||||
}
|
||||
@ -99,7 +99,7 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
|
||||
return user, err
|
||||
}
|
||||
|
||||
if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(ctx, user, source.AuthSource, sr.SSHPublicKey) {
|
||||
if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(ctx, user, source.AuthSource, sr.SSHPublicKey, source.SSHKeysAreVerified) {
|
||||
if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {
|
||||
return user, err
|
||||
}
|
||||
|
||||
@ -135,7 +135,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
|
||||
|
||||
if err == nil && isAttributeSSHPublicKeySet {
|
||||
log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.AuthSource.Name, usr.Name)
|
||||
if asymkey_model.AddPublicKeysBySource(ctx, usr, source.AuthSource, su.SSHPublicKey) {
|
||||
if asymkey_model.AddPublicKeysBySource(ctx, usr, source.AuthSource, su.SSHPublicKey, source.SSHKeysAreVerified) {
|
||||
sshKeysNeedUpdate = true
|
||||
}
|
||||
}
|
||||
@ -145,7 +145,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
|
||||
}
|
||||
} else if updateExisting {
|
||||
// Synchronize SSH Public Key if that attribute is set
|
||||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, usr, source.AuthSource, su.SSHPublicKey) {
|
||||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, usr, source.AuthSource, su.SSHPublicKey, source.SSHKeysAreVerified) {
|
||||
sshKeysNeedUpdate = true
|
||||
}
|
||||
|
||||
|
||||
@ -34,6 +34,7 @@ type AuthenticationForm struct {
|
||||
AttributeMail string
|
||||
AttributeSSHPublicKey string
|
||||
AttributeAvatar string
|
||||
SSHKeysAreVerified bool
|
||||
AttributesInBind bool
|
||||
UsePagedSearch bool
|
||||
SearchPageSize int
|
||||
|
||||
@ -113,6 +113,12 @@
|
||||
<input id="attribute_avatar" name="attribute_avatar" value="{{$cfg.AttributeAvatar}}" placeholder="jpegPhoto">
|
||||
</div>
|
||||
|
||||
<div class="inline field">
|
||||
<div class="ui checkbox">
|
||||
<label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
|
||||
<input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if $cfg.SSHKeysAreVerified}}checked{{end}}>
|
||||
</div>
|
||||
</div>
|
||||
<!-- ldap group begin -->
|
||||
<div class="inline field">
|
||||
<div class="ui checkbox">
|
||||
|
||||
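Review bot: The new checkbox carries only its label, and "SSH keys in LDAP are automatically verified" reads as a statement about the directory rather than as an option that grants trust, so an administrator has no cue about what ticking it changes. A help line under the checkbox, in the form's usual help style with its own locale key, should say that keys imported from the configured SSH key attribute will be stored as verified and that this should only be enabled when the directory is authoritative for users' keys. The same applies to the new-source form further down. The form continues outside the hunk.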
@ -80,6 +80,12 @@
|
||||
<input id="attribute_avatar" name="attribute_avatar" value="{{.attribute_avatar}}" placeholder="jpegPhoto">
|
||||
</div>
|
||||
|
||||
<div class="inline field">
|
||||
<div class="ui checkbox">
|
||||
<label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
|
||||
<input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if .ssh_keys_are_verified}}checked{{end}}>
|
||||
</div>
|
||||
</div>
|
||||
<!-- ldap group begin -->
|
||||
<div class="inline field">
|
||||
<div class="ui checkbox">
|
||||
|
||||