diff --git a/cmd/generate.go b/cmd/generate.go
index 44dfce5700..81e04b1894 100644
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -141,13 +141,10 @@ func runGenerateMasterKey(c *cli.Context) error {
 fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret))
 }
 }
-
+ fmt.Println("Setting changes required:")
+ fmt.Println("[secrets]")
 if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {
- fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0]))
-
- if isatty.IsTerminal(os.Stdout.Fd()) {
- fmt.Printf("\n")
- }
+ fmt.Printf("MASTER_KEY = %s\n", base64.StdEncoding.EncodeToString(scrts[0]))
 }
 
 return nil
diff --git a/services/secrets/encryption.go b/services/secrets/encryption.go
deleted file mode 100644
index 2f07d05df9..0000000000
--- a/services/secrets/encryption.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package secrets
-
-// EncryptionProvider encrypts and decrypts secrets
-type EncryptionProvider interface {
- Encrypt(secret, key []byte) ([]byte, error)
-
- EncryptString(secret string, key []byte) (string, error)
-
- Decrypt(enc, key []byte) ([]byte, error)
-
- DecryptString(enc string, key []byte) (string, error)
-}
diff --git a/services/secrets/encryption_aes.go b/services/secrets/encryption_aes.go
deleted file mode 100644
index 790fe3f320..0000000000
--- a/services/secrets/encryption_aes.go
+++ /dev/null
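Review bot: The `Setting changes required:` and `[secrets]` headers are printed unconditionally, but the only setting line, `MASTER_KEY = …`, is printed just when providerType is the plain provider with a single secret, so every other provider now gets an empty `[secrets]` section on stdout. Move `fmt.Println("Setting changes required:")` and `fmt.Println("[secrets]")` inside the `if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {` block, or print a provider-appropriate hint in the other case. Dropping the isatty branch also removes the no-trailing-newline form that let the raw key be captured straight into a file; anything scripting this command will now capture the `MASTER_KEY = ` prefix as well, which is worth calling out in the command's help text. If nothing else in the file still uses `isatty` or `os` (not visible here), those imports become unused and the file will not compile until they are removed. runGenerateMasterKey begins and ends outside the hunk.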
@@ -1,87 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package secrets
-
-import (
- "crypto/aes"
- "crypto/cipher"
- "crypto/rand"
- "encoding/base64"
- "fmt"
- "io"
-)
-
-type aesEncryptionProvider struct{}
-
-func NewAesEncryptionProvider() EncryptionProvider {
- return &aesEncryptionProvider{}
-}
-
-func (e *aesEncryptionProvider) Encrypt(secret, key []byte) ([]byte, error) {
- block, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
-
- c, err := cipher.NewGCM(block)
- if err != nil {
- return nil, err
- }
-
- nonce := make([]byte, c.NonceSize(), c.NonceSize()+c.Overhead()+len(secret))
- if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
- return nil, err
- }
- out := c.Seal(nil, nonce, secret, nil)
-
- return append(nonce, out...), nil
-}
-
-func (e *aesEncryptionProvider) EncryptString(secret string, key []byte) (string, error) {
- out, err := e.Encrypt([]byte(secret), key)
- if err != nil {
- return "", err
- }
- return base64.StdEncoding.EncodeToString(out), nil
-}
-
-func (e *aesEncryptionProvider) Decrypt(enc, key []byte) ([]byte, error) {
- block, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
-
- c, err := cipher.NewGCM(block)
- if err != nil {
- return nil, err
- }
-
- if len(enc) < c.NonceSize() {
- return nil, fmt.Errorf("encrypted value too short")
- }
-
- nonce := enc[:c.NonceSize()]
- ciphertext := enc[c.NonceSize():]
-
- out, err := c.Open(nil, nonce, ciphertext, nil)
- if err != nil {
- return nil, err
- }
-
- return out, nil
-}
-
-func (e *aesEncryptionProvider) DecryptString(enc string, key []byte) (string, error) {
- encb, err := base64.StdEncoding.DecodeString(enc)
- if err != nil {
- return "", err
- }
-
- out, err := e.Decrypt(encb, key)
- if err != nil {
- return "", err
- }
-
- return string(out), nil
-}
diff --git a/services/secrets/masterkey_nop_test.go b/services/secrets/masterkey_nop_test.go
deleted file mode 100644
index 330ecf9919..0000000000
--- a/services/secrets/masterkey_nop_test.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package secrets
-
-import (
- "testing"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestNopMasterKey_IsSealed(t *testing.T) {
- k := NewNopMasterKeyProvider()
- assert.False(t, k.IsSealed())
-}
diff --git a/services/secrets/secrets.go b/services/secrets/secrets.go
index 36bd147191..accaabea2c 100644
--- a/services/secrets/secrets.go
+++ b/services/secrets/secrets.go
@@ -1,17 +1,13 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
 
 package secrets
 
 import (
- "context"
 "fmt"
 
- auth_model "code.gitea.io/gitea/models/auth"
- "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/modules/setting"
-
- "xorm.io/builder"
 )
 
 // MasterKeyProviderType is the type of master key provider
@@ -24,8 +20,7 @@ const (
 )
 
 var (
- masterKey MasterKeyProvider
- encProvider EncryptionProvider
+ masterKey MasterKeyProvider
 )
 
 // Init initializes master key provider based on settings
@@ -38,13 +33,6 @@ func Init() error {
 default:
 return fmt.Errorf("invalid master key provider %v", setting.MasterKeyProvider)
 }
-
- if err := masterKey.Init(); err != nil {
- return err
- }
-
- encProvider = NewAesEncryptionProvider()
-
 return nil
 }
 
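Review bot: The license header of secrets.go replaces `// SPDX-License-Identifier: MIT` with the older two-line `Use of this source code is governed by a MIT-style` wording, while every other file on this page (encryption.go, encryption_aes.go, masterkey_nop_test.go) carries the SPDX form; this reads like an accidental revert from an out-of-date branch rather than an intended change. Keep `// SPDX-License-Identifier: MIT` so the header stays consistent with the rest of the repository, and drop the two replacement lines.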
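Review bot: In the `@@ -38,13 +33,6 @@` hunk Init() still selects the master key provider but no longer calls `masterKey.Init()`, so a provider that needs to load or validate its key before `GenerateMasterKey()` is used will run uninitialised; removing the `encProvider` assignment follows from deleting the AES provider, but the Init call removal does not. Unless the `Init` method was also dropped from the MasterKeyProvider interface in a change not shown here, keep `if err := masterKey.Init(); err != nil { return err }` ahead of `return nil`. Init() starts outside the hunk.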
@@ -52,96 +40,3 @@ func Init() error {
 func GenerateMasterKey() ([][]byte, error) {
 return masterKey.GenerateMasterKey()
 }
-
-func Encrypt(secret []byte) ([]byte, error) {
- key, err := masterKey.GetMasterKey()
- if err != nil {
- return nil, err
- }
-
- if len(key) == 0 {
- return secret, nil
- }
-
- return encProvider.Encrypt(secret, key)
-}
-
-func EncryptString(secret string) (string, error) {
- key, err := masterKey.GetMasterKey()
- if err != nil {
- return "", err
- }
-
- if len(key) == 0 {
- return secret, nil
- }
-
- return encProvider.EncryptString(secret, key)
-}
-
-func Decrypt(enc []byte) ([]byte, error) {
- key, err := masterKey.GetMasterKey()
- if err != nil {
- return nil, err
- }
-
- if len(key) == 0 {
- return enc, nil
- }
-
- return encProvider.Decrypt(enc, key)
-}
-
-func DecryptString(enc string) (string, error) {
- key, err := masterKey.GetMasterKey()
- if err != nil {
- return "", err
- }
-
- if len(key) == 0 {
- return enc, nil
- }
-
- return encProvider.DecryptString(enc, key)
-}
-
-func InsertRepoSecret(ctx context.Context, repoID int64, key, data string, pullRequest bool) error {
- v, err := EncryptString(data)
- if err != nil {
- return err
- }
- return db.Insert(ctx, &auth_model.Secret{
- RepoID: repoID,
- Name: key,
- Data: v,
- PullRequest: pullRequest,
- })
-}
-
-func InsertOrgSecret(ctx context.Context, userID int64, key, data string, pullRequest bool) error {
- v, err := EncryptString(data)
- if err != nil {
- return err
- }
- return db.Insert(ctx, &auth_model.Secret{
- UserID: userID,
- Name: key,
- Data: v,
- PullRequest: pullRequest,
- })
-}
-
-func DeleteSecretByID(ctx context.Context, id int64) error {
- _, err := db.DeleteByBean(ctx, &auth_model.Secret{ID: id})
- return err
-}
-
-func FindRepoSecrets(ctx context.Context, repoID int64) ([]*auth_model.Secret, error) {
- var res []*auth_model.Secret
- return res, db.FindObjects(ctx, builder.Eq{"repo_id": repoID}, nil, &res)
-}
-
-func FindUserSecrets(ctx context.Context, userID int64) ([]*auth_model.Secret, error) {
- var res []*auth_model.Secret
- return res, db.FindObjects(ctx, builder.Eq{"user_id": userID}, nil, &res)
-}