fix: use new secrets

2025-04-08 17:05:45 +02:00 · 2022-12-22 14:44:22 +08:00 · 2022-12-22 14:44:22 +08:00 · 058675f7e5
commit 058675f7e5
parent d183b32aa8
7 changed files with 17 additions and 55 deletions
--- a/go.mod
+++ b/go.mod
@ -17,8 +17,8 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/PuerkitoBio/goquery v1.8.0
 	github.com/alecthomas/chroma/v2 v2.4.0
-	github.com/bufbuild/connect-go v1.3.1
 	github.com/blevesearch/bleve/v2 v2.3.5
+	github.com/bufbuild/connect-go v1.3.1
 	github.com/buildkite/terminal-to-html/v3 v3.7.0
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/chi-middleware/proxy v1.1.1
--- a/models/migrations/v1_19/v237.go
+++ b/models/migrations/v1_19/v237.go
@ -174,4 +174,3 @@ func AddActionsTables(x *xorm.Engine) error {
 		new(dbfsData),
 	)
 }
-
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -5,7 +5,6 @@
 package setting

 import (
-	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
 	"math"
@ -28,7 +27,6 @@ import (
 	"code.gitea.io/gitea/modules/user"
 	"code.gitea.io/gitea/modules/util"

-	"golang.org/x/crypto/pbkdf2"
 	gossh "golang.org/x/crypto/ssh"
 	ini "gopkg.in/ini.v1"
 )
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@ -46,7 +46,6 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/gitdiff"
-	secret_service "code.gitea.io/gitea/services/secrets"

 	"github.com/editorconfig/editorconfig-core-go/v2"
 )
@ -476,13 +475,6 @@ func NewFuncMap() []template.FuncMap {
 		"RefShortName": func(ref string) string {
 			return git.RefName(ref).ShortName()
 		},
-		"Shadow": func(s string) string {
-			return "******"
-		},
-		"DecryptSecret": func(s string) string {
-			v, _ := secret_service.DecryptString(s)
-			return v
-		},
 	}}
 }

--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@ -8,11 +8,11 @@ import (
 	"fmt"

 	actions_model "code.gitea.io/gitea/models/actions"
-	"code.gitea.io/gitea/models/webhook"
+	secret_model "code.gitea.io/gitea/models/secret"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
+	secret_module "code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
-	secret_service "code.gitea.io/gitea/services/secrets"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
 	"google.golang.org/protobuf/types/known/structpb"
@ -37,32 +37,29 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 }

 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
-	// Returning an error is worse than returning empty secrets.
-
 	secrets := map[string]string{}
+	if task.Job.Run.IsForkPullRequest {
+		// ignore secrets for fork pull request
+		return secrets
+	}

-	userSecrets, err := secret_service.FindUserSecrets(ctx, task.Job.Run.Repo.OwnerID)
+	ownerSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
 	if err != nil {
-		log.Error("find user secrets of %v: %v", task.Job.Run.Repo.OwnerID, err)
+		log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
 		// go on
 	}
-	repoSecrets, err := secret_service.FindRepoSecrets(ctx, task.Job.Run.RepoID)
+	repoSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID})
 	if err != nil {
-		log.Error("find repo secrets of %v: %v", task.Job.Run.RepoID, err)
+		log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
 		// go on
 	}

-	// FIXME: Not sure if it's the exact meaning of secret.PullRequest
-	pullRequest := task.Job.Run.Event == webhook.HookEventPullRequest
-
-	for _, secret := range append(userSecrets, repoSecrets...) {
-		if !pullRequest || secret.PullRequest {
-			if v, err := secret_service.DecryptString(secret.Data); err != nil {
-				log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
-				// go on
-			} else {
-				secrets[secret.Name] = v
-			}
+	for _, secret := range append(ownerSecrets, repoSecrets...) {
+		if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil {
+			log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
+			// go on
+		} else {
+			secrets[secret.Name] = v
 		}
 	}

--- a/routers/init.go
+++ b/routers/init.go
@ -48,7 +48,6 @@ import (
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 	"code.gitea.io/gitea/services/repository/archiver"
-	secret_service "code.gitea.io/gitea/services/secrets"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
 )
@ -152,8 +151,6 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(models.Init)
 	mustInit(repo_service.Init)

-	mustInit(secret_service.Init)
-
 	// Booting long running goroutines.
 	issue_indexer.InitIssueIndexer(false)
 	code_indexer.Init()
--- a/services/secrets/encryption_aes_test.go
+++ b/services/secrets/encryption_aes_test.go
@ -1,21 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package secrets
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestEncryptDecrypt(t *testing.T) {
-	provider := NewAesEncryptionProvider()
-	key := []byte("1111111111111111")
-	pri := "vvvvvvv"
-	enc, err := provider.EncryptString(pri, key)
-	assert.NoError(t, err)
-	v, err := provider.DecryptString(enc, key)
-	assert.NoError(t, err)
-	assert.EqualValues(t, pri, v)
-}