tyler.durden/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-10-23 16:44:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Don't block site admin's operation if SECRET_KEY is lost (#35721)

Browse Source 
Related: #24573
This commit is contained in:
wxiaoguang 2025-10-22 12:35:56 +08:00 committed by GitHub
parent c28aab6714
commit 5f0697243c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
models/admin/task.go
View File

@ -11,6 +11,7 @@ import (
repo_model "code.gitea.io/gitea/models/repo" repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/migration" "code.gitea.io/gitea/modules/migration"
"code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/secret"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
@ -123,17 +124,17 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
// decrypt credentials // decrypt credentials
if opts.CloneAddrEncrypted != "" { if opts.CloneAddrEncrypted != "" {
if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil { if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil {
return nil, err log.Error("Unable to decrypt CloneAddr, maybe SECRET_KEY is wrong: %v", err)
} }
} }
if opts.AuthPasswordEncrypted != "" { if opts.AuthPasswordEncrypted != "" {
if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil { if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil {
return nil, err log.Error("Unable to decrypt AuthPassword, maybe SECRET_KEY is wrong: %v", err)
} }
} }
if opts.AuthTokenEncrypted != "" { if opts.AuthTokenEncrypted != "" {
if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil { if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil {
return nil, err log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err)
} }
} }

4
models/auth/twofactor.go
View File

@ -111,11 +111,11 @@ func (t *TwoFactor) SetSecret(secretString string) error {
func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) { func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret) decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
if err != nil { if err != nil {
return false, err return false, fmt.Errorf("ValidateTOTP invalid base64: %w", err)
} }
secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret) secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)
if err != nil { if err != nil {
return false, err return false, fmt.Errorf("ValidateTOTP unable to decrypt (maybe SECRET_KEY is wrong): %w", err)
} }
secretStr := string(secretBytes) secretStr := string(secretBytes)
return totp.Validate(passcode, secretStr), nil return totp.Validate(passcode, secretStr), nil

4
models/secret/secret.go
View File

@ -178,8 +178,8 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[
for _, secret := range append(ownerSecrets, repoSecrets...) { for _, secret := range append(ownerSecrets, repoSecrets...) {
v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data) v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data)
if err != nil { if err != nil {
log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) log.Error("Unable to decrypt Actions secret %v %q, maybe SECRET_KEY is wrong: %v", secret.ID, secret.Name, err)
return nil, err continue
} }
secrets[secret.Name] = v secrets[secret.Name] = v
} }

6
services/auth/source/ldap/source.go
View File

@ -8,6 +8,7 @@ import (
"code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/secret"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
) )
@ -66,9 +67,12 @@ func (source *Source) FromDB(bs []byte) error {
} }
if source.BindPasswordEncrypt != "" { if source.BindPasswordEncrypt != "" {
source.BindPassword, err = secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt) source.BindPassword, err = secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt)
if err != nil {
log.Error("Unable to decrypt bind password for LDAP source, maybe SECRET_KEY is wrong: %v", err)
}
source.BindPasswordEncrypt = "" source.BindPasswordEncrypt = ""
} }
return err return nil
} }
// ToDB exports a LDAPConfig to a serialized format. // ToDB exports a LDAPConfig to a serialized format.