Skip to content

SSH Push/Pull Mirroring & Migrations #35089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open

SSH Push/Pull Mirroring & Migrations #35089

wants to merge 19 commits into from

Conversation

techknowlogick
Copy link
Member

@techknowlogick techknowlogick commented Jul 15, 2025
edited
Loading

Add SSH for push/pull mirrors and repo migrations.

Each User/Org gets their own public/private key, and they can rotate/regen it as they please. Users can now use ssh://[email protected]/go-gitea/gitea.git as a clone source.

Fixes: #26321

@techknowlogick techknowlogick added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label Jul 15, 2025
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 15, 2025
@github-actions github-actions bot added modifies/translation modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/migrations modifies/frontend labels Jul 15, 2025
This was referenced Jul 19, 2025
Open
Open
Open
@lunny
Copy link
Member

lunny commented Aug 4, 2025

Could the table mirror_ssh_keypair be a standalone one and a part of secrets? So that it could be used by other places when possible.

@techknowlogick
Copy link
Member Author

Could the table mirror_ssh_keypair be a standalone one and a part of secrets? So that it could be used by other places when possible.

As-in, have the data be duplicated in two tables? I'm not sure what your suggestion is, could you give more details?

@lunny
Copy link
Member

lunny commented Aug 6, 2025

I mean the table mirror_ssh_keypair could be used in other features rather than only mirrors. So that the table name could be user_ssh_keypair.

@techknowlogick techknowlogick requested a review from lunny August 8, 2025 16:37
wxiaoguang
wxiaoguang reviewed Aug 8, 2025
View reviewed changes
lunny
lunny reviewed Aug 8, 2025
View reviewed changes
models/repo/mirror_ssh_keypair.go
// RegenerateUserSSHKeypair regenerates an SSH keypair for the given owner
func RegenerateUserSSHKeypair(ctx context.Context, ownerID int64) (*UserSSHKeypair, error) {
var keypair *UserSSHKeypair
err := db.WithTx(ctx, func(ctx context.Context) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use db.WithTx2 instead now.

lunny
lunny reviewed Aug 8, 2025
View reviewed changes
models/migrations/migrations.go
@@ -384,7 +384,7 @@ func prepareMigrationTasks() []*migration {
newMigration(319, "Add ExclusiveOrder to Label table", v1_24.AddExclusiveOrderColumnToLabelTable),
newMigration(320, "Migrate two_factor_policy to login_source table", v1_24.MigrateSkipTwoFactor),

// Gitea 1.24.0 ends at database version 321
// Gitea 1.24.0 ends at migration ID number 320 (database version 321)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unrelated change now.

lunny
lunny reviewed Aug 8, 2025
View reviewed changes
routers/api/v1/api.go
@@ -1687,6 +1692,11 @@ func Routes() *web.Router {
m.Delete("", org.UnblockUser)
})
}, reqToken(), reqOrgOwnership())

m.Group("/mirror-ssh-key", func() {
m.Get("", reqToken(), reqOrgMembership(), org.GetMirrorSSHKey)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Permissions to create repository is necessary?

lunny
lunny reviewed Aug 8, 2025
View reviewed changes
services/mirror/ssh_keypair.go
// RegenerateSSHKeypairForUser regenerates the SSH keypair for a user
func RegenerateSSHKeypairForUser(ctx context.Context, userID int64) (*repo_model.UserSSHKeypair, error) {
log.Info("Regenerating SSH keypair for user %d", userID)
return repo_model.RegenerateUserSSHKeypair(ctx, userID)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wrap seems unnecessary.

lunny
lunny reviewed Aug 8, 2025
View reviewed changes
services/mirror/ssh_keypair.go
}

// RegenerateSSHKeypairForOrg regenerates the SSH keypair for an organization
func RegenerateSSHKeypairForOrg(ctx context.Context, orgID int64) (*repo_model.UserSSHKeypair, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same as above

lunny
lunny reviewed Aug 8, 2025
View reviewed changes
services/mirror/ssh_keypair.go

// GetOrCreateSSHKeypairForUser gets or creates an SSH keypair for the given user
func GetOrCreateSSHKeypairForUser(ctx context.Context, userID int64) (*repo_model.UserSSHKeypair, error) {
return ssh_module.GetOrCreateSSHKeypairForUser(ctx, userID)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think all these functions could be moved from ssh_module to this package.

@lunny
Copy link
Member

lunny commented Aug 8, 2025

And maybe it's better to put all these SSH keys into the same table and manage them together. So that some SSH keys could be used in multiple places with a permission setting. And it will also be easier to invoke them if necessary.

@wxiaoguang
Copy link
Contributor

And maybe it's better to put all these SSH keys into the same table and manage them together. So that some SSH keys could be used in multiple places with a permission setting. And it will also be easier to invoke them if necessary.

Why and how? Can you show a real world example that how these keys would be managed and used together in the future?

The auto-generated keys are managed by Gitea itself, they are not the same as user's SSH keys for SSH access or sign.

If no real world case, then it is an over-design.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunny lunny lunny left review comments

@wxiaoguang wxiaoguang wxiaoguang left review comments

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/api This PR adds API routes or modifies them modifies/frontend modifies/go Pull requests that update Go code modifies/migrations modifies/templates This PR modifies the template files modifies/translation type/feature Completely new functionality. Can only be merged if feature freeze is not active.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Can repositories migration and mirrored repositories support SSH authentication?
4 participants
@techknowlogick @lunny @wxiaoguang @GiteaBot