Add Gitea secrets storage and management

cmd/generate.go

@@ -6,10 +6,14 @@
 package cmd
 
 import (
+	"encoding/base64"
 	"fmt"
 	"os"
 
 	"code.gitea.io/gitea/modules/generate"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/secrets"
 
 	"github.com/mattn/go-isatty"
 	"github.com/urfave/cli"
@@ -32,6 +36,7 @@ var (
 			microcmdGenerateInternalToken,
 			microcmdGenerateLfsJwtSecret,
 			microcmdGenerateSecretKey,
+			microcmdGenerateMasterKey,
 		},
 	}
 
@@ -53,6 +58,12 @@ var (
 		Usage:  "Generate a new SECRET_KEY",
 		Action: runGenerateSecretKey,
 	}
+
+	microcmdGenerateMasterKey = cli.Command{
+		Name:   "MASTER_KEY",
+		Usage:  "Generate a new MASTER_KEY",
+		Action: runGenerateMasterKey,
+	}
 )
 
 func runGenerateInternalToken(c *cli.Context) error {
@@ -99,3 +110,46 @@ func runGenerateSecretKey(c *cli.Context) error {
 
 	return nil
 }
+
+func runGenerateMasterKey(c *cli.Context) error {
+	// Silence the console logger
+	log.DelNamedLogger("console")
+	log.DelNamedLogger(log.DEFAULT)
+
+	// Read configuration file
+	setting.LoadFromExisting()
+
+	providerType := secrets.MasterKeyProviderType(setting.MasterKeyProvider)
+	if providerType == secrets.MasterKeyProviderTypeNone {
+		return fmt.Errorf("configured master key provider does not support key generation")
+	}
+
+	if err := secrets.Init(); err != nil {
+		return err
+	}
+
+	scrts, err := secrets.GenerateMasterKey()
+	if err != nil {
+		return err
+	}
+
+	if len(scrts) > 1 {
+		fmt.Println("Unseal secrets:")
+		for i, secret := range scrts {
+			if i > 0 {
+				fmt.Printf("\n")
+			}
+			fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret))
+		}
+	}
+
+	if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {
+		fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0]))
+
+		if isatty.IsTerminal(os.Stdout.Fd()) {
+			fmt.Printf("\n")
+		}
+	}
+
+	return nil
+}

models/auth/secret.go

@@ -0,0 +1,60 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"fmt"
+	"regexp"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/timeutil"
+)
+
+type ErrSecretNameInvalid struct {
+	Name string
+}
+
+func (err ErrSecretNameInvalid) Error() string {
+	return fmt.Sprintf("secret name %s is invalid", err.Name)
+}
+
+type ErrSecretDataInvalid struct {
+	Data string
+}
+
+func (err ErrSecretDataInvalid) Error() string {
+	return fmt.Sprintf("secret data %s is invalid", err.Data)
+}
+
+var nameRE = regexp.MustCompile("[^a-zA-Z0-9-_.]+")
+
+// Secret represents a secret
+type Secret struct {
+	ID          int64
+	UserID      int64              `xorm:"index NOTNULL"`
+	RepoID      int64              `xorm:"index NOTNULL"`
+	Name        string             `xorm:"NOTNULL"`
+	Data        string             `xorm:"TEXT"`
+	PullRequest bool               `xorm:"NOTNULL"`
+	CreatedUnix timeutil.TimeStamp `xorm:"created NOTNULL"`
+}
+
+func init() {
+	db.RegisterModel(new(Secret))
+}
+
+// Validate validates the required fields and formats.
+func (s *Secret) Validate() error {
+	switch {
+	case len(s.Name) == 0:
+		return ErrSecretNameInvalid{Name: s.Name}
+	case len(s.Data) == 0:
+		return ErrSecretDataInvalid{Data: s.Data}
+	case nameRE.MatchString(s.Name):
+		return ErrSecretNameInvalid{Name: s.Name}
+	default:
+		return nil
+	}
+}

models/db/search.go

@@ -4,6 +4,12 @@
 
 package db
 
+import (
+	"context"
+
+	"xorm.io/builder"
+)
+
 // SearchOrderBy is used to sort the result
 type SearchOrderBy string
 
@@ -28,3 +34,15 @@ const (
 	SearchOrderByForks                 SearchOrderBy = "num_forks ASC"
 	SearchOrderByForksReverse          SearchOrderBy = "num_forks DESC"
 )
+
+// FindObjects represents a common function to find Objects from database according cond and ListOptions
+func FindObjects[Object any](ctx context.Context, cond builder.Cond, opts *ListOptions, objects *[]*Object) error {
+	sess := GetEngine(ctx).Where(cond)
+	if opts != nil && opts.PageSize > 0 {
+		if opts.Page < 1 {
+			opts.Page = 1
+		}
+		sess.Limit(opts.PageSize, opts.PageSize*(opts.Page-1))
+	}
+	return sess.Find(objects)
+}

models/migrations/migrations.go

@@ -417,6 +417,8 @@ var migrations = []Migration{
 	NewMigration("Conan and generic packages do not need to be semantically versioned", fixPackageSemverField),
 	// v227 -> v228
 	NewMigration("Create key/value table for system settings", createSystemSettingsTable),
+	// v228 -> v229
+	NewMigration("Create secrets table", createSecretsTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v228.go

@@ -0,0 +1,25 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func createSecretsTable(x *xorm.Engine) error {
+	type Secret struct {
+		ID          int64
+		UserID      int64              `xorm:"index NOTNULL"`
+		RepoID      int64              `xorm:"index NOTNULL"`
+		Name        string             `xorm:"NOTNULL"`
+		Data        string             `xorm:"TEXT"`
+		PullRequest bool               `xorm:"NOTNULL"`
+		CreatedUnix timeutil.TimeStamp `xorm:"created NOTNULL"`
+	}
+
+	return x.Sync(new(Secret))
+}

modules/generate/generate.go

@@ -67,3 +67,8 @@ func NewSecretKey() (string, error) {
 
 	return secretKey, nil
 }
+
+// NewMasterKey generate a new value intended to be used by MASTER_KEY.
+func NewMasterKey() ([]byte, error) {
+	return util.CryptoRandomBytes(32)
+}

modules/setting/setting.go

@@ -214,6 +214,8 @@ var (
 		HMACKey   string `ini:"HMAC_KEY"`
 		Allways   bool
 	}{}
+	MasterKeyProvider string
+	MasterKey         []byte
 
 	// UI settings
 	UI = struct {
@@ -961,6 +963,20 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
 
+	// Master key provider configuration
+	MasterKeyProvider = sec.Key("MASTER_KEY_PROVIDER").MustString("plain")
+	switch MasterKeyProvider {
+	case "plain":
+		MasterKey = []byte(sec.Key("MASTER_KEY").MustString(SecretKey))
+		if len(MasterKey) > 32 {
+			MasterKey = MasterKey[:32]
+		}
+	case "none":
+	default:
+		log.Fatal("invalid master key provider type: %v", MasterKeyProvider)
+		return
+	}
+
 	InternalToken = loadSecret(sec, "INTERNAL_TOKEN_URI", "INTERNAL_TOKEN")
 
 	cfgdata := sec.Key("PASSWORD_COMPLEXITY").Strings(",")

modules/templates/helper.go

@@ -46,6 +46,7 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/gitdiff"
+	secret_service "code.gitea.io/gitea/services/secrets"
 
 	"github.com/editorconfig/editorconfig-core-go/v2"
 )
@@ -459,6 +460,13 @@ func NewFuncMap() []template.FuncMap {
 			return items
 		},
 		"HasPrefix": strings.HasPrefix,
+		"Shadow": func(s string) string {
+			return "******"
+		},
+		"DecryptSecret": func(s string) string {
+			v, _ := secret_service.DecryptString(s)
+			return v
+		},
 	}}
 }
 

modules/web/middleware/binding.go

@@ -79,6 +79,11 @@ func GetInclude(field reflect.StructField) string {
 	return getRuleBody(field, "Include(")
 }
 
+// GetIn get allowed values in form tag
+func GetIn(field reflect.StructField) string {
+	return getRuleBody(field, "In(")
+}
+
 // Validate validate TODO:
 func Validate(errs binding.Errors, data map[string]interface{}, f Form, l translation.Locale) binding.Errors {
 	if errs.Len() == 0 {
@@ -131,6 +136,8 @@ func Validate(errs binding.Errors, data map[string]interface{}, f Form, l transl
 				data["ErrorMsg"] = trName + l.Tr("form.url_error", errs[0].Message)
 			case binding.ERR_INCLUDE:
 				data["ErrorMsg"] = trName + l.Tr("form.include_error", GetInclude(field))
+			case binding.ERR_IN:
+				data["ErrorMsg"] = trName + l.Tr("form.in_error", strings.Join(strings.Split(GetIn(field), ","), ", "))
 			case validation.ErrGlobPattern:
 				data["ErrorMsg"] = trName + l.Tr("form.glob_pattern_error", errs[0].Message)
 			case validation.ErrRegexPattern:

options/locale/locale_en-US.ini

@@ -176,6 +176,12 @@ app_url_helper = Base address for HTTP(S) clone URLs and email notifications.
 log_root_path = Log Path
 log_root_path_helper = Log files will be written to this directory.
 
+security_title = Security Settings
+master_key_provider = Master Key Provider
+master_key_provider_none = None
+master_key_provider_plain = Plain
+master_key_provider_helper = Master Key Provider to use to store secret key that will be used for other secret encryption. Use "None" to not encrypt secrets. Use "Plain" to store automatically generated secret in configuration file.
+
 optional_title = Optional Settings
 email_title = Email Settings
 smtp_addr = SMTP Host
@@ -234,6 +240,7 @@ no_reply_address = Hidden Email Domain
 no_reply_address_helper = Domain name for users with a hidden email address. For example, the username 'joe' will be logged in Git as 'joe@noreply.example.org' if the hidden email domain is set to 'noreply.example.org'.
 password_algorithm = Password Hash Algorithm
 password_algorithm_helper = Set the password hashing algorithm. Algorithms have differing requirements and strength. `argon2` whilst having good characteristics uses a lot of memory and may be inappropriate for small systems.
+master_key_failed = Failed to generate master key: %v
 
 [home]
 uname_holder = Username or Email Address
@@ -450,6 +457,7 @@ max_size_error = ` must contain at most %s characters.`
 email_error = ` is not a valid email address.`
 url_error = `'%s' is not a valid URL.`
 include_error = ` must contain substring '%s'.`
+in_error = ` can contain only specific values: %s.`
 glob_pattern_error = ` glob pattern is invalid: %s.`
 regex_pattern_error = ` regex pattern is invalid: %s.`
 unknown_error = Unknown error:
@@ -2036,6 +2044,20 @@ settings.deploy_key_desc = Deploy keys have read-only pull access to the reposit
 settings.is_writable = Enable Write Access
 settings.is_writable_info = Allow this deploy key to <strong>push</strong> to the repository.
 settings.no_deploy_keys = There are no deploy keys yet.
+settings.secrets = Secrets
+settings.pull_request_read = Pull Request Read
+settings.pull_request_read_info = "If allow pull request read the secret, it's security related."
+settings.pull_request_read_hint = Allow pull request read the secret
+settings.add_secret = Add Secret
+settings.add_secret_success = The secret '%s' has been added.
+settings.secret_value_content_placeholder = Input any content
+settings.secret_desc = Secrets could be visited by repository events
+settings.secret_content = Value
+settings.secret_key = Key
+settings.no_secret = There are no secrets yet.
+settings.secret_deletion = Remove secret
+settings.secret_deletion_desc = Removing a secret will revoke its access to this repository. Continue?
+settings.secret_deletion_success = The secret has been removed.
 settings.title = Title
 settings.deploy_key_content = Content
 settings.key_been_used = A deploy key with identical content is already in use.
@@ -2355,6 +2377,7 @@ settings.update_setting_success = Organization settings have been updated.
 settings.change_orgname_prompt = Note: changing the organization name also changes the organization's URL.
 settings.change_orgname_redirect_prompt = The old name will redirect until it is claimed.
 settings.update_avatar_success = The organization's avatar has been updated.
+settings.secrets = Secrets
 settings.delete = Delete Organization
 settings.delete_account = Delete This Organization
 settings.delete_prompt = The organization will be permanently removed. This <strong>CANNOT</strong> be undone!

routers/init.go

@@ -46,6 +46,7 @@ import (
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 	"code.gitea.io/gitea/services/repository/archiver"
+	secret_service "code.gitea.io/gitea/services/secrets"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
 )
@@ -139,6 +140,8 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(models.Init)
 	mustInit(repo_service.Init)
 
+	mustInit(secret_service.Init)
+
 	// Booting long running goroutines.
 	issue_indexer.InitIssueIndexer(false)
 	code_indexer.Init()