Add option to provide signed token to verify key ownership

zeripath · zeripath · commit 33ee7488805d · 2020-12-19T10:25:19.000Z
Currently we will only allow a key to be matched to a user if it matches
an activated email address. This PR provides a different mechanism - if
the user provides a signature for automatically generated token (based
on the timestamp, user creation time, user ID, username and primary
email.

Signed-off-by: Andrew Thornton &lt;art27@cantab.net&gt;
diff --git a/models/error.go b/models/error.go
@@ -408,6 +408,7 @@ func (err ErrKeyNameAlreadyUsed) Error() string {
 // ErrGPGNoEmailFound represents a "ErrGPGNoEmailFound" kind of error.
 type ErrGPGNoEmailFound struct {
 	FailedEmails []string
+	ID           string
 }
 
 // IsErrGPGNoEmailFound checks if an error is a ErrGPGNoEmailFound.
@@ -420,6 +421,22 @@ func (err ErrGPGNoEmailFound) Error() string {
 	return fmt.Sprintf("none of the emails attached to the GPG key could be found: %v", err.FailedEmails)
 }
 
+// ErrGPGInvalidTokenSignature represents a "ErrGPGInvalidTokenSignature" kind of error.
+type ErrGPGInvalidTokenSignature struct {
+	Wrapped error
+	ID      string
+}
+
+// IsErrGPGInvalidTokenSignature checks if an error is a ErrGPGInvalidTokenSignature.
+func IsErrGPGInvalidTokenSignature(err error) bool {
+	_, ok := err.(ErrGPGInvalidTokenSignature)
+	return ok
+}
+
+func (err ErrGPGInvalidTokenSignature) Error() string {
+	return "the provided signature does not sign the token with the provided key"
+}
+
 // ErrGPGKeyParsing represents a "ErrGPGKeyParsing" kind of error.
 type ErrGPGKeyParsing struct {
 	ParseError error
diff --git a/models/gpg_key.go b/models/gpg_key.go
@@ -152,17 +152,40 @@ func addGPGSubKey(e Engine, key *GPGKey) (err error) {
 }
 
 // AddGPGKey adds new public key to database.
-func AddGPGKey(ownerID int64, content string) ([]*GPGKey, error) {
+func AddGPGKey(ownerID int64, content, token, signature string) ([]*GPGKey, error) {
 	ekeys, err := checkArmoredGPGKeyString(content)
 	if err != nil {
 		return nil, err
 	}
+
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return nil, err
 	}
 	keys := make([]*GPGKey, 0, len(ekeys))
+
+	signed := false
+	// Handle provided signature
+	if signature != "" {
+		signer, err := openpgp.CheckArmoredDetachedSignature(ekeys, strings.NewReader(token), strings.NewReader(signature))
+		if err != nil {
+			signer, err = openpgp.CheckArmoredDetachedSignature(ekeys, strings.NewReader(token+"\n"), strings.NewReader(signature))
+		}
+		if err != nil {
+			signer, err = openpgp.CheckArmoredDetachedSignature(ekeys, strings.NewReader(token+"\r\n"), strings.NewReader(signature))
+		}
+		if err != nil {
+			log.Error("Unable to validate token signature. Error: %v", err)
+			return nil, ErrGPGInvalidTokenSignature{
+				ID:      ekeys[0].PrimaryKey.KeyIdString(),
+				Wrapped: err,
+			}
+		}
+		ekeys = []*openpgp.Entity{signer}
+		signed = true
+	}
+
 	for _, ekey := range ekeys {
 		// Key ID cannot be duplicated.
 		has, err := sess.Where("key_id=?", ekey.PrimaryKey.KeyIdString()).
@@ -175,7 +198,7 @@ func AddGPGKey(ownerID int64, content string) ([]*GPGKey, error) {
 
 		//Get DB session
 
-		key, err := parseGPGKey(ownerID, ekey)
+		key, err := parseGPGKey(ownerID, ekey, !signed)
 		if err != nil {
 			return nil, err
 		}
@@ -270,7 +293,7 @@ func getExpiryTime(e *openpgp.Entity) time.Time {
 }
 
 //parseGPGKey parse a PrimaryKey entity (primary key + subs keys + self-signature)
-func parseGPGKey(ownerID int64, e *openpgp.Entity) (*GPGKey, error) {
+func parseGPGKey(ownerID int64, e *openpgp.Entity, checkEmail bool) (*GPGKey, error) {
 	pubkey := e.PrimaryKey
 	expiry := getExpiryTime(e)
 
@@ -304,13 +327,15 @@ func parseGPGKey(ownerID int64, e *openpgp.Entity) (*GPGKey, error) {
 		}
 	}
 
-	//In the case no email as been found
-	if len(emails) == 0 {
-		failedEmails := make([]string, 0, len(e.Identities))
-		for _, ident := range e.Identities {
-			failedEmails = append(failedEmails, ident.UserId.Email)
+	if checkEmail {
+		//In the case no email as been found
+		if len(emails) == 0 {
+			failedEmails := make([]string, 0, len(e.Identities))
+			for _, ident := range e.Identities {
+				failedEmails = append(failedEmails, ident.UserId.Email)
+			}
+			return nil, ErrGPGNoEmailFound{failedEmails, e.PrimaryKey.KeyIdString()}
 		}
-		return nil, ErrGPGNoEmailFound{failedEmails}
 	}
 
 	content, err := base64EncPubKey(pubkey)
diff --git a/models/gpg_key_test.go b/models/gpg_key_test.go
@@ -220,7 +220,7 @@ Q0KHb+QcycSgbDx0ZAvdIacuKvBBcbxrsmFUI4LR+oIup0G9gUc0roPvr014jYQL
 =zHo9
 -----END PGP PUBLIC KEY BLOCK-----`
 
-	keys, err := AddGPGKey(1, testEmailWithUpperCaseLetters)
+	keys, err := AddGPGKey(1, testEmailWithUpperCaseLetters, "", "")
 	assert.NoError(t, err)
 	key := keys[0]
 	if assert.Len(t, key.Emails, 1) {
diff --git a/modules/auth/user_form.go b/modules/auth/user_form.go
@@ -292,6 +292,7 @@ type AddKeyForm struct {
 	Type       string `binding:"OmitEmpty"`
 	Title      string `binding:"Required;MaxSize(50)"`
 	Content    string `binding:"Required"`
+	Signature  string `binding:"OmitEmpty"`
 	IsWritable bool
 }
 
diff --git a/modules/structs/user_gpgkey.go b/modules/structs/user_gpgkey.go
@@ -40,4 +40,5 @@ type CreateGPGKeyOption struct {
 	// required: true
 	// unique: true
 	ArmoredKey string `json:"armored_public_key" binding:"Required"`
+	Signature  string `json:"armored_signature,omitempty"`
 }
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -524,7 +524,12 @@ ssh_key_been_used = This SSH key has already been added to the server.
 ssh_key_name_used = An SSH key with same name already exists on your account.
 ssh_principal_been_used = This principal has already been added to the server.
 gpg_key_id_used = A public GPG key with same ID already exists.
-gpg_no_key_email_found = This GPG key is not usable with any email address associated with your account.
+gpg_no_key_email_found = This GPG key is not usable with any email address associated with your account. It may still be added if you sign the provided token.
+gpg_invalid_token_signature = The provided GPG key, signature and token do not match or token is out-of-date.
+gpg_token = You must provide a signature for the following token: '%s'. You can generate a signature with:
+gpg_token_code = echo "%s" | gpg -a --default-key %s --detach-sig
+gpg_token_signature = Armored GPG signature
+key_signature_gpg_placeholder = Begins with '-----BEGIN PGP SIGNATURE-----'
 subkeys = Subkeys
 key_id = Key ID
 key_name = Key Name
diff --git a/routers/api/v1/user/gpg_key.go b/routers/api/v1/user/gpg_key.go
@@ -5,9 +5,13 @@
 package user
 
 import (
+	"fmt"
 	"net/http"
+	"strconv"
+	"time"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	api "code.gitea.io/gitea/modules/structs"
@@ -118,9 +122,11 @@ func GetGPGKey(ctx *context.APIContext) {
 
 // CreateUserGPGKey creates new GPG key to given user by ID.
 func CreateUserGPGKey(ctx *context.APIContext, form api.CreateGPGKeyOption, uid int64) {
-	keys, err := models.AddGPGKey(uid, form.ArmoredKey)
+	token := base.EncodeSha256(time.Now().Round(5*time.Minute).Format(time.RFC1123Z) + ":" + ctx.User.CreatedUnix.FormatLong() + ":" + ctx.User.Name + ":" + ctx.User.Email + ":" + strconv.FormatInt(ctx.User.ID, 10))
+
+	keys, err := models.AddGPGKey(uid, form.ArmoredKey, token, form.Signature)
 	if err != nil {
-		HandleAddGPGKeyError(ctx, err)
+		HandleAddGPGKeyError(ctx, err, token)
 		return
 	}
 	ctx.JSON(http.StatusCreated, convert.ToGPGKey(keys[0]))
@@ -187,7 +193,7 @@ func DeleteGPGKey(ctx *context.APIContext) {
 }
 
 // HandleAddGPGKeyError handle add GPGKey error
-func HandleAddGPGKeyError(ctx *context.APIContext, err error) {
+func HandleAddGPGKeyError(ctx *context.APIContext, err error, token string) {
 	switch {
 	case models.IsErrGPGKeyAccessDenied(err):
 		ctx.Error(http.StatusUnprocessableEntity, "GPGKeyAccessDenied", "You do not have access to this GPG key")
@@ -196,7 +202,9 @@ func HandleAddGPGKeyError(ctx *context.APIContext, err error) {
 	case models.IsErrGPGKeyParsing(err):
 		ctx.Error(http.StatusUnprocessableEntity, "GPGKeyParsing", err)
 	case models.IsErrGPGNoEmailFound(err):
-		ctx.Error(http.StatusNotFound, "GPGNoEmailFound", err)
+		ctx.Error(http.StatusNotFound, "GPGNoEmailFound", fmt.Sprintf("None of the emails attached to the GPG key could be found. It may still be added if you provide a valid signature for the token: %s", token))
+	case models.IsErrGPGInvalidTokenSignature(err):
+		ctx.Error(http.StatusUnprocessableEntity, "GPGInvalidSignature", fmt.Sprintf("The provided GPG key, signature and token do not match or token is out of date. Provide a valid signature for the token: %s", token))
 	default:
 		ctx.Error(http.StatusInternalServerError, "AddGPGKey", err)
 	}
diff --git a/routers/user/setting/keys.go b/routers/user/setting/keys.go
@@ -6,6 +6,9 @@
 package setting
 
 import (
+	"strconv"
+	"time"
+
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
@@ -72,7 +75,9 @@ func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
 		ctx.Flash.Success(ctx.Tr("settings.add_principal_success", form.Content))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "gpg":
-		keys, err := models.AddGPGKey(ctx.User.ID, form.Content)
+		token := base.EncodeSha256(time.Now().Round(5*time.Minute).Format(time.RFC1123Z) + ":" + ctx.User.CreatedUnix.FormatLong() + ":" + ctx.User.Name + ":" + ctx.User.Email + ":" + strconv.FormatInt(ctx.User.ID, 10))
+
+		keys, err := models.AddGPGKey(ctx.User.ID, form.Content, token, form.Signature)
 		if err != nil {
 			ctx.Data["HasGPGError"] = true
 			switch {
@@ -84,10 +89,18 @@ func KeysPost(ctx *context.Context, form auth.AddKeyForm) {
 
 				ctx.Data["Err_Content"] = true
 				ctx.RenderWithErr(ctx.Tr("settings.gpg_key_id_used"), tplSettingsKeys, &form)
+			case models.IsErrGPGInvalidTokenSignature(err):
+				loadKeysData(ctx)
+				ctx.Data["Err_Content"] = true
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGInvalidTokenSignature).ID
+				ctx.RenderWithErr(ctx.Tr("settings.gpg_invalid_token_signature"), tplSettingsKeys, &form)
 			case models.IsErrGPGNoEmailFound(err):
 				loadKeysData(ctx)
 
 				ctx.Data["Err_Content"] = true
+				ctx.Data["Err_Signature"] = true
+				ctx.Data["KeyID"] = err.(models.ErrGPGNoEmailFound).ID
 				ctx.RenderWithErr(ctx.Tr("settings.gpg_no_key_email_found"), tplSettingsKeys, &form)
 			default:
 				ctx.ServerError("AddPublicKey", err)
@@ -194,6 +207,10 @@ func loadKeysData(ctx *context.Context) {
 		return
 	}
 	ctx.Data["GPGKeys"] = gpgkeys
+	tokenToSign := base.EncodeSha256(time.Now().Round(5*time.Minute).Format(time.RFC1123Z) + ":" + ctx.User.CreatedUnix.FormatLong() + ":" + ctx.User.Name + ":" + ctx.User.Email + ":" + strconv.FormatInt(ctx.User.ID, 10))
+
+	// generate a new aes cipher using the csrfToken
+	ctx.Data["TokenToSign"] = tokenToSign
 
 	principals, err := models.ListPrincipalKeys(ctx.User.ID, models.ListOptions{})
 	if err != nil {
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
@@ -12032,6 +12032,10 @@
           "type": "string",
           "uniqueItems": true,
           "x-go-name": "ArmoredKey"
+        },
+        "armored_signature": {
+          "type": "string",
+          "x-go-name": "Signature"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
diff --git a/templates/user/settings/keys_gpg.tmpl b/templates/user/settings/keys_gpg.tmpl
@@ -42,13 +42,23 @@
 		 {{.i18n.Tr "settings.add_new_gpg_key"}}
 	</h4>
 	<div class="ui attached segment">
-		<form class="ui form" action="{{.Link}}" method="post">
+		<form class="ui form{{if .HasGPGError}} error{{end}}" action="{{.Link}}" method="post">
 			{{.CsrfTokenHtml}}
 			<input type="hidden" name="title" value="none">
 			<div class="field {{if .Err_Content}}error{{end}}">
 				<label for="content">{{.i18n.Tr "settings.key_content"}}</label>
 				<textarea id="gpg-key-content" name="content" placeholder="{{.i18n.Tr "settings.key_content_gpg_placeholder"}}" required>{{.content}}</textarea>
 			</div>
+			{{if .Err_Signature}}
+				<div class="ui error message">
+					<p>{{.i18n.Tr "settings.gpg_token" .TokenToSign}}</p>
+					<code>{{.i18n.Tr "settings.gpg_token_code" .TokenToSign .KeyID}}</code>
+				</div>
+				<div class="field">
+					<label for="signature">{{.i18n.Tr "settings.gpg_token_signature"}}</label>
+					<textarea id="gpg-key-signature" name="signature" placeholder="{{.i18n.Tr "settings.key_signature_gpg_placeholder"}}" required>{{.signature}}</textarea>
+				</div>
+			{{end}}
 			<input name="type" type="hidden" value="gpg">
 			<button class="ui green button">
 				{{.i18n.Tr "settings.add_key"}}

Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,7 @@ type AddKeyForm struct {`
`292`	`292`	Type string `binding:"OmitEmpty"`
`293`	`293`	Title string `binding:"Required;MaxSize(50)"`
`294`	`294`	Content string `binding:"Required"`
	`295`	+ Signature string `binding:"OmitEmpty"`
`295`	`296`	`IsWritable bool`
`296`	`297`	`}`
`297`	`298`
Original file line number	Diff line number	Diff line change
`@@ -40,4 +40,5 @@ type CreateGPGKeyOption struct {`
`40`	`40`	`// required: true`
`41`	`41`	`// unique: true`
`42`	`42`	ArmoredKey string `json:"armored_public_key" binding:"Required"`
	`43`	+ Signature string `json:"armored_signature,omitempty"`
`43`	`44`	`}`