From 058675f7e51c6b26e91dd864843dcfd8dcedf8d8 Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Thu, 22 Dec 2022 14:44:22 +0800
Subject: [PATCH] fix: use new secrets
---
 go.mod | 2 +-
 models/migrations/v1_19/v237.go | 1 -
 modules/setting/setting.go | 2 --
 modules/templates/helper.go | 8 ------
 routers/api/actions/runner/utils.go | 35 +++++++++++--------------
 routers/init.go | 3 ---
 services/secrets/encryption_aes_test.go | 21 ---------------
 7 files changed, 17 insertions(+), 55 deletions(-)
 delete mode 100644 services/secrets/encryption_aes_test.go
diff --git a/go.mod b/go.mod
index 0f299e23a0..43c2cce196 100644
--- a/go.mod
+++ b/go.mod
@@ -17,8 +17,8 @@ require (
 github.com/NYTimes/gziphandler v1.1.1
 github.com/PuerkitoBio/goquery v1.8.0
 github.com/alecthomas/chroma/v2 v2.4.0
- github.com/bufbuild/connect-go v1.3.1
 github.com/blevesearch/bleve/v2 v2.3.5
+ github.com/bufbuild/connect-go v1.3.1
 github.com/buildkite/terminal-to-html/v3 v3.7.0
 github.com/caddyserver/certmagic v0.17.2
 github.com/chi-middleware/proxy v1.1.1
diff --git a/models/migrations/v1_19/v237.go b/models/migrations/v1_19/v237.go
index 5777b8cde0..a6e7ef066e 100644
--- a/models/migrations/v1_19/v237.go
+++ b/models/migrations/v1_19/v237.go
@@ -174,4 +174,3 @@ func AddActionsTables(x *xorm.Engine) error {
 new(dbfsData),
 )
 }
-
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 68f08eafb8..20be551d47 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -5,7 +5,6 @@ package setting
 import (
- "crypto/sha1"
 "encoding/base64"
 "fmt"
 "math"
@@ -28,7 +27,6 @@ import (
 "code.gitea.io/gitea/modules/user"
 "code.gitea.io/gitea/modules/util"
- "golang.org/x/crypto/pbkdf2"
 gossh "golang.org/x/crypto/ssh"
 ini "gopkg.in/ini.v1"
 )
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 26a60b3f77..a390d94592 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -46,7 +46,6 @@ import (
 "code.gitea.io/gitea/modules/timeutil"
 "code.gitea.io/gitea/modules/util"
 "code.gitea.io/gitea/services/gitdiff"
- secret_service "code.gitea.io/gitea/services/secrets"
 "github.com/editorconfig/editorconfig-core-go/v2"
 )
@@ -476,13 +475,6 @@ func NewFuncMap() []template.FuncMap {
 "RefShortName": func(ref string) string {
 return git.RefName(ref).ShortName()
 },
- "Shadow": func(s string) string {
- return "******"
- },
- "DecryptSecret": func(s string) string {
- v, _ := secret_service.DecryptString(s)
- return v
- },
 }}
 }
diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go
index b479f7565b..80e71941f2 100644
--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@@ -8,11 +8,11 @@ import (
 "fmt"
 actions_model "code.gitea.io/gitea/models/actions"
- "code.gitea.io/gitea/models/webhook"
+ secret_model "code.gitea.io/gitea/models/secret"
 "code.gitea.io/gitea/modules/json"
 "code.gitea.io/gitea/modules/log"
+ secret_module "code.gitea.io/gitea/modules/secret"
 "code.gitea.io/gitea/modules/setting"
- secret_service "code.gitea.io/gitea/services/secrets"
 runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
 "google.golang.org/protobuf/types/known/structpb"
@@ -37,32 +37,29 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 }
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
- // Returning an error is worse than returning empty secrets.
-
 secrets := map[string]string{}
+ if task.Job.Run.IsForkPullRequest {
+ // ignore secrets for fork pull request
+ return secrets
+ }
- userSecrets, err := secret_service.FindUserSecrets(ctx, task.Job.Run.Repo.OwnerID)
+ ownerSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
 if err != nil {
- log.Error("find user secrets of %v: %v", task.Job.Run.Repo.OwnerID, err)
+ log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
 // go on
 }
- repoSecrets, err := secret_service.FindRepoSecrets(ctx, task.Job.Run.RepoID)
+ repoSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID})
 if err != nil {
- log.Error("find repo secrets of %v: %v", task.Job.Run.RepoID, err)
+ log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
 // go on
 }
- // FIXME: Not sure if it's the exact meaning of secret.PullRequest
- pullRequest := task.Job.Run.Event == webhook.HookEventPullRequest
-
- for _, secret := range append(userSecrets, repoSecrets...) {
- if !pullRequest || secret.PullRequest {
- if v, err := secret_service.DecryptString(secret.Data); err != nil {
- log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
- // go on
- } else {
- secrets[secret.Name] = v
- }
+ for _, secret := range append(ownerSecrets, repoSecrets...) {
+ if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil {
+ log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
+ // go on
+ } else {
+ secrets[secret.Name] = v
 }
 }
diff --git a/routers/init.go b/routers/init.go
index a5a6a31600..a13dc13aac 100644
--- a/routers/init.go
+++ b/routers/init.go
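Review bot: The owner-level lookup `ownerSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})` relies on an unset RepoID meaning owner-scoped rows only; if FindSecrets treats a zero RepoID as no filter, secrets stored for the owner's other repositories would be handed to this task, so the query's RepoID handling should be confirmed and the assumption recorded with `// owner-level secrets only; relies on FindSecrets pinning RepoID to 0 when it is unset`. Precedence between the two result sets is also implicit: the loop writes into the map in append order, so a repository secret silently shadows an owner secret of the same name, which deserves `// repo secrets take precedence over owner secrets of the same name` above the for loop. The IsForkPullRequest guard replaces the per-secret PullRequest flag, so a non-fork pull request now receives every owner and repository secret; that is presumably the intended policy but merits a sentence in the function comment. The commit also deletes the only visible round-trip test (services/secrets/encryption_aes_test.go) without a visible counterpart for secret_module.DecryptSecret, so if modules/secret carries no equivalent test this decrypt path is now untested. getSecretsOfTask's return statement and closing brace lie outside the hunk.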
@@ -48,7 +48,6 @@ import (
 pull_service "code.gitea.io/gitea/services/pull"
 repo_service "code.gitea.io/gitea/services/repository"
 "code.gitea.io/gitea/services/repository/archiver"
- secret_service "code.gitea.io/gitea/services/secrets"
 "code.gitea.io/gitea/services/task"
 "code.gitea.io/gitea/services/webhook"
 )
@@ -152,8 +151,6 @@ func GlobalInitInstalled(ctx context.Context) {
 mustInit(models.Init)
 mustInit(repo_service.Init)
- mustInit(secret_service.Init)
-
 // Booting long running goroutines.
 issue_indexer.InitIssueIndexer(false)
 code_indexer.Init()
diff --git a/services/secrets/encryption_aes_test.go b/services/secrets/encryption_aes_test.go
deleted file mode 100644
index 18e0fd1069..0000000000
--- a/services/secrets/encryption_aes_test.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-package secrets
-import (
- "testing"
- "github.com/stretchr/testify/assert"
-)
-func TestEncryptDecrypt(t *testing.T) {
- provider := NewAesEncryptionProvider()
- key := []byte("1111111111111111")
- pri := "vvvvvvv"
- enc, err := provider.EncryptString(pri, key)
- assert.NoError(t, err)
- v, err := provider.DecryptString(enc, key)
- assert.NoError(t, err)
- assert.EqualValues(t, pri, v)
-}