Add Gitea secrets storage and management

cmd/generate.go

@@ -5,10 +5,14 @@
 package cmd
 
 import (
+	"encoding/base64"
 	"fmt"
 	"os"
 
 	"code.gitea.io/gitea/modules/generate"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/secrets"
 
 	"github.com/mattn/go-isatty"
 	"github.com/urfave/cli"
@@ -31,6 +35,7 @@ var (
 			microcmdGenerateInternalToken,
 			microcmdGenerateLfsJwtSecret,
 			microcmdGenerateSecretKey,
+			microcmdGenerateMasterKey,
 		},
 	}
 
@@ -52,6 +57,12 @@ var (
 		Usage:  "Generate a new SECRET_KEY",
 		Action: runGenerateSecretKey,
 	}
+
+	microcmdGenerateMasterKey = cli.Command{
+		Name:   "MASTER_KEY",
+		Usage:  "Generate a new MASTER_KEY",
+		Action: runGenerateMasterKey,
+	}
 )
 
 func runGenerateInternalToken(c *cli.Context) error {
@@ -98,3 +109,46 @@ func runGenerateSecretKey(c *cli.Context) error {
 
 	return nil
 }
+
+func runGenerateMasterKey(c *cli.Context) error {
+	// Silence the console logger
+	log.DelNamedLogger("console")
+	log.DelNamedLogger(log.DEFAULT)
+
+	// Read configuration file
+	setting.LoadFromExisting()
+
+	providerType := secrets.MasterKeyProviderType(setting.MasterKeyProvider)
+	if providerType == secrets.MasterKeyProviderTypeNone {
+		return fmt.Errorf("configured master key provider does not support key generation")
+	}
+
+	if err := secrets.Init(); err != nil {
+		return err
+	}
+
+	scrts, err := secrets.GenerateMasterKey()
+	if err != nil {
+		return err
+	}
+
+	if len(scrts) > 1 {
+		fmt.Println("Unseal secrets:")
+		for i, secret := range scrts {
+			if i > 0 {
+				fmt.Printf("\n")
+			}
+			fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret))
+		}
+	}
+
+	if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {
+		fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0]))
+
+		if isatty.IsTerminal(os.Stdout.Fd()) {
+			fmt.Printf("\n")
+		}
+	}
+
+	return nil
+}

models/auth/secret.go

@@ -0,0 +1,62 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"fmt"
+	"regexp"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"
+)
+
+type ErrSecretInvalidValue struct {
+	Name *string
+	Data *string
+}
+
+func (err ErrSecretInvalidValue) Error() string {
+	if err.Name != nil {
+		return fmt.Sprintf("secret name %q is invalid", *err.Name)
+	}
+	if err.Data != nil {
+		return fmt.Sprintf("secret data %q is invalid", *err.Data)
+	}
+	return util.ErrInvalidArgument.Error()
+}
+
+func (err ErrSecretInvalidValue) Unwrap() error {
+	return util.ErrInvalidArgument
+}
+
+var nameRE = regexp.MustCompile("^[a-zA-Z_][a-zA-Z0-9-_.]*$")
+
+// Secret represents a secret
+type Secret struct {
+	ID          int64
+	UserID      int64              `xorm:"index NOTNULL"`
+	RepoID      int64              `xorm:"index NOTNULL"`
+	Name        string             `xorm:"NOTNULL"`
+	Data        string             `xorm:"LONGTEXT"` // encrypted data, or plaintext data if there's no master key
+	CreatedUnix timeutil.TimeStamp `xorm:"created NOTNULL"`
+}
+
+func init() {
+	db.RegisterModel(new(Secret))
+}
+
+// Validate validates the required fields and formats.
+func (s *Secret) Validate() error {
+	switch {
+	case len(s.Name) == 0:
+		return ErrSecretInvalidValue{Name: &s.Name}
+	case len(s.Data) == 0:
+		return ErrSecretInvalidValue{Data: &s.Data}
+	case nameRE.MatchString(s.Name):
+		return ErrSecretInvalidValue{Name: &s.Name}
+	default:
+		return nil
+	}
+}

models/db/search.go

@@ -3,6 +3,12 @@
 
 package db
 
+import (
+	"context"
+
+	"xorm.io/builder"
+)
+
 // SearchOrderBy is used to sort the result
 type SearchOrderBy string
 
@@ -27,3 +33,15 @@ const (
 	SearchOrderByForks                 SearchOrderBy = "num_forks ASC"
 	SearchOrderByForksReverse          SearchOrderBy = "num_forks DESC"
 )
+
+// FindObjects represents a common function to find Objects from database according cond and ListOptions
+func FindObjects[Object any](ctx context.Context, cond builder.Cond, opts *ListOptions, objects *[]*Object) error {
+	sess := GetEngine(ctx).Where(cond)
+	if opts != nil && opts.PageSize > 0 {
+		if opts.Page < 1 {
+			opts.Page = 1
+		}
+		sess.Limit(opts.PageSize, opts.PageSize*(opts.Page-1))
+	}
+	return sess.Find(objects)
+}

models/migrations/migrations.go

@@ -442,6 +442,8 @@ var migrations = []Migration{
 	NewMigration("Add package cleanup rule table", v1_19.CreatePackageCleanupRuleTable),
 	// v235 -> v236
 	NewMigration("Add index for access_token", v1_19.AddIndexForAccessToken),
+	// v236 -> v237
+	NewMigration("Create secrets table", v1_19.CreateSecretsTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v1_19/v236.go

@@ -0,0 +1,23 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_19 //nolint
+
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func CreateSecretsTable(x *xorm.Engine) error {
+	type Secret struct {
+		ID          int64
+		UserID      int64              `xorm:"index NOTNULL"`
+		RepoID      int64              `xorm:"index NOTNULL"`
+		Name        string             `xorm:"NOTNULL"`
+		Data        string             `xorm:"LONGTEXT"`
+		CreatedUnix timeutil.TimeStamp `xorm:"created NOTNULL"`
+	}
+
+	return x.Sync(new(Secret))
+}

modules/generate/generate.go

@@ -66,3 +66,8 @@ func NewSecretKey() (string, error) {
 
 	return secretKey, nil
 }
+
+// NewMasterKey generate a new value intended to be used by MASTER_KEY.
+func NewMasterKey() ([]byte, error) {
+	return util.CryptoRandomBytes(32)
+}

modules/setting/setting.go

@@ -5,6 +5,7 @@
 package setting
 
 import (
+	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
 	"math"
@@ -27,6 +28,7 @@ import (
 	"code.gitea.io/gitea/modules/user"
 	"code.gitea.io/gitea/modules/util"
 
+	"golang.org/x/crypto/pbkdf2"
 	gossh "golang.org/x/crypto/ssh"
 	ini "gopkg.in/ini.v1"
 )
@@ -214,6 +216,8 @@ var (
 		HMACKey   string `ini:"HMAC_KEY"`
 		Allways   bool
 	}{}
+	MasterKeyProvider string
+	MasterKey         []byte
 
 	// UI settings
 	UI = struct {
@@ -966,6 +970,19 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
 
+	// Master key provider configuration
+	MasterKeyProvider = sec.Key("MASTER_KEY_PROVIDER").MustString("plain")
+	switch MasterKeyProvider {
+	case "plain":
+		tempSalt := []byte{'g', 'i', 't', 'e', 'a'}
+		MasterKey = []byte(sec.Key("MASTER_KEY").MustString(SecretKey))
+		MasterKey = pbkdf2.Key(MasterKey, tempSalt, 4096, 32, sha1.New)
+	case "none":
+	default:
+		log.Fatal("invalid master key provider type: %v", MasterKeyProvider)
+		return
+	}
+
 	InternalToken = loadSecret(sec, "INTERNAL_TOKEN_URI", "INTERNAL_TOKEN")
 	if InstallLock && InternalToken == "" {
 		// if Gitea has been installed but the InternalToken hasn't been generated (upgrade from an old release), we should generate

modules/templates/helper.go

@@ -46,6 +46,7 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/gitdiff"
+	secret_service "code.gitea.io/gitea/services/secrets"
 
 	"github.com/editorconfig/editorconfig-core-go/v2"
 )
@@ -459,6 +460,13 @@ func NewFuncMap() []template.FuncMap {
 			return items
 		},
 		"HasPrefix": strings.HasPrefix,
+		"Shadow": func(s string) string {
+			return "******"
+		},
+		"DecryptSecret": func(s string) string {
+			v, _ := secret_service.DecryptString(s)
+			return v
+		},
 		"CompareLink": func(baseRepo, repo *repo_model.Repository, branchName string) string {
 			var curBranch string
 			if repo.ID != baseRepo.ID {

modules/web/middleware/binding.go

@@ -78,6 +78,11 @@ func GetInclude(field reflect.StructField) string {
 	return getRuleBody(field, "Include(")
 }
 
+// GetIn get allowed values in form tag
+func GetIn(field reflect.StructField) string {
+	return getRuleBody(field, "In(")
+}
+
 // Validate validate TODO:
 func Validate(errs binding.Errors, data map[string]interface{}, f Form, l translation.Locale) binding.Errors {
 	if errs.Len() == 0 {
@@ -130,6 +135,8 @@ func Validate(errs binding.Errors, data map[string]interface{}, f Form, l transl
 				data["ErrorMsg"] = trName + l.Tr("form.url_error", errs[0].Message)
 			case binding.ERR_INCLUDE:
 				data["ErrorMsg"] = trName + l.Tr("form.include_error", GetInclude(field))
+			case binding.ERR_IN:
+				data["ErrorMsg"] = trName + l.Tr("form.in_error", strings.Join(strings.Split(GetIn(field), ","), ", "))
 			case validation.ErrGlobPattern:
 				data["ErrorMsg"] = trName + l.Tr("form.glob_pattern_error", errs[0].Message)
 			case validation.ErrRegexPattern:

options/locale/locale_en-US.ini

@@ -185,6 +185,12 @@ app_url_helper = Base address for HTTP(S) clone URLs and email notifications.
 log_root_path = Log Path
 log_root_path_helper = Log files will be written to this directory.
 
+security_title = Security Settings
+master_key_provider = Master Key Provider
+master_key_provider_none = None
+master_key_provider_plain = Plain
+master_key_provider_helper = Master Key Provider to use to store secret key that will be used for other secret encryption. Use "None" to not encrypt secrets. Use "Plain" to store automatically generated secret in configuration file.
+
 optional_title = Optional Settings
 email_title = Email Settings
 smtp_addr = SMTP Host
@@ -243,6 +249,7 @@ no_reply_address = Hidden Email Domain
 no_reply_address_helper = Domain name for users with a hidden email address. For example, the username 'joe' will be logged in Git as 'joe@noreply.example.org' if the hidden email domain is set to 'noreply.example.org'.
 password_algorithm = Password Hash Algorithm
 password_algorithm_helper = Set the password hashing algorithm. Algorithms have differing requirements and strength. `argon2` whilst having good characteristics uses a lot of memory and may be inappropriate for small systems.
+master_key_failed = Failed to generate master key: %v
 enable_update_checker = Enable Update Checker
 enable_update_checker_helper = Checks for new version releases periodically by connecting to gitea.io.
 
@@ -466,6 +473,7 @@ max_size_error = ` must contain at most %s characters.`
 email_error = ` is not a valid email address.`
 url_error = `'%s' is not a valid URL.`
 include_error = ` must contain substring '%s'.`
+in_error = ` can only contain specific values: %s.`
 glob_pattern_error = ` glob pattern is invalid: %s.`
 regex_pattern_error = ` regex pattern is invalid: %s.`
 username_error = ` can only contain alphanumeric chars ('0-9','a-z','A-Z'), dash ('-'), underscore ('_') and dot ('.'). It cannot begin or end with non-alphanumeric chars, and consecutive non-alphanumeric chars are also forbidden.`
@@ -2059,6 +2067,18 @@ settings.deploy_key_desc = Deploy keys have read-only pull access to the reposit
 settings.is_writable = Enable Write Access
 settings.is_writable_info = Allow this deploy key to <strong>push</strong> to the repository.
 settings.no_deploy_keys = There are no deploy keys yet.
+settings.secrets = Secrets
+settings.add_secret = Add Secret
+settings.add_secret_success = The secret '%s' has been added.
+settings.secret_value_content_placeholder = Input any content
+settings.secret_desc = Secrets will be passed to certain actions and cannot be read otherwise. 
+settings.secret_content = Value
+settings.secret_name = Name
+settings.no_secret = There are no secrets yet.
+settings.secret_deletion = Remove secret
+settings.secret_deletion_desc = Removing a secret will revoke its access to this repository. Continue?
+settings.secret_deletion_success = The secret has been removed.
+settings.secret_deletion_failed = Failed to remove secret.
 settings.title = Title
 settings.deploy_key_content = Content
 settings.key_been_used = A deploy key with identical content is already in use.
@@ -2377,6 +2397,7 @@ settings.update_setting_success = Organization settings have been updated.
 settings.change_orgname_prompt = Note: changing the organization name also changes the organization's URL.
 settings.change_orgname_redirect_prompt = The old name will redirect until it is claimed.
 settings.update_avatar_success = The organization's avatar has been updated.
+settings.secrets = Secrets
 settings.delete = Delete Organization
 settings.delete_account = Delete This Organization
 settings.delete_prompt = The organization will be permanently removed. This <strong>CANNOT</strong> be undone!

routers/init.go

@@ -46,6 +46,7 @@ import (
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 	"code.gitea.io/gitea/services/repository/archiver"
+	secret_service "code.gitea.io/gitea/services/secrets"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
 )
@@ -149,6 +150,8 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(models.Init)
 	mustInit(repo_service.Init)
 
+	mustInit(secret_service.Init)
+
 	// Booting long running goroutines.
 	issue_indexer.InitIssueIndexer(false)
 	code_indexer.Init()