forgejo/modules/ssh/init.go

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package ssh

import (
	"context"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"

	"forgejo.org/models/asymkey"
	"forgejo.org/modules/log"
	"forgejo.org/modules/setting"
)

var logger = log.GetManager().GetLogger("ssh")

func Init(ctx context.Context) error {
	if setting.SSH.Disabled {
		builtinUnused()
		return nil
	}

	if setting.SSH.StartBuiltinServer {
		Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
		log.Info("SSH server started on %s. Cipher list (%v), key exchange algorithms (%v), MACs (%v)",
			net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)),
			setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs,
		)
		return nil
	}

	builtinUnused()

	// FIXME: why 0o644 for a directory .....
	if err := os.MkdirAll(setting.SSH.KeyTestPath, 0o644); err != nil {
		return fmt.Errorf("failed to create directory %q for ssh key test: %w", setting.SSH.KeyTestPath, err)
	}

	if len(setting.SSH.TrustedUserCAKeys) > 0 && setting.SSH.AuthorizedPrincipalsEnabled {
		caKeysFileName := setting.SSH.TrustedUserCAKeysFile
		caKeysFileDir := filepath.Dir(caKeysFileName)

		err := os.MkdirAll(caKeysFileDir, 0o700) // SSH.RootPath by default (That is `~/.ssh` in most cases)
		if err != nil {
			return fmt.Errorf("failed to create directory %q for ssh trusted ca keys: %w", caKeysFileDir, err)
		}

		if err := os.WriteFile(caKeysFileName, []byte(strings.Join(setting.SSH.TrustedUserCAKeys, "\n")), 0o600); err != nil {
			return fmt.Errorf("failed to write ssh trusted ca keys to %q: %w", caKeysFileName, err)
		}
	}

	if !setting.SSH.AllowUnexpectedAuthorizedKeys {
		findings, err := asymkey.InspectPublicKeys(ctx)
		if err != nil {
			return fmt.Errorf("inspect authorized_keys failed: %w", err)
		}

		unexpectedKeys := []string{}
		for _, finding := range findings {
			switch finding.Type {
			case asymkey.InspectionResultFileMissing:
				err := asymkey.RewriteAllPublicKeys(ctx)
				if err != nil {
					return fmt.Errorf("rewrite authorized_keys failed: %w", err)
				}
			case asymkey.InspectionResultUnexpectedKey:
				unexpectedKeys = append(unexpectedKeys, finding.Comment)

			case asymkey.InspectionResultMissingExpectedKey:
				// MissingExpectingKey can happen at the same time as UnexpectedKey -- so while it might seem to make
				// sense to regenerate the key file automatically in this case, it could overwrite keys that someone
				// wants present there when they want SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=true but haven't set it yet.
				// So, just warn as this isn't an insecure situation.
				log.Warn("authorized_keys is missing a key from the database; regenerate authorized_keys from the admin panel to repair this")
			}
		}

		if len(unexpectedKeys) > 0 {
			detailConcat := strings.Join(unexpectedKeys, "\n\t")
			log.Fatal("An unexpected ssh public key was discovered. Forgejo will shutdown to require this to be fixed. Fix by either:\n"+
				"Option 1: Delete the file %s, and Forgejo will recreate it with only expected ssh public keys.\n"+
				"Option 2: Permit unexpected keys by setting [server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=true in Forgejo's config file.\n\t"+
				detailConcat, filepath.Join(setting.SSH.RootPath, "authorized_keys"))
		}
	}

	return nil
}