	Don't block site admin's operation if SECRET_KEY is lost (#35721)
Related: #24573
		| @@ -11,6 +11,7 @@ import ( | ||||
| 	repo_model "code.gitea.io/gitea/models/repo" | ||||
| 	user_model "code.gitea.io/gitea/models/user" | ||||
| 	"code.gitea.io/gitea/modules/json" | ||||
| 	"code.gitea.io/gitea/modules/log" | ||||
| 	"code.gitea.io/gitea/modules/migration" | ||||
| 	"code.gitea.io/gitea/modules/secret" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| @@ -123,17 +124,17 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) { | ||||
| 		// decrypt credentials | ||||
| 		if opts.CloneAddrEncrypted != "" { | ||||
| 			if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil { | ||||
| 				return nil, err | ||||
| 				log.Error("Unable to decrypt CloneAddr, maybe SECRET_KEY is wrong: %v", err) | ||||
| 			} | ||||
| 		} | ||||
| 		if opts.AuthPasswordEncrypted != "" { | ||||
| 			if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil { | ||||
| 				return nil, err | ||||
| 				log.Error("Unable to decrypt AuthPassword, maybe SECRET_KEY is wrong: %v", err) | ||||
| 			} | ||||
| 		} | ||||
| 		if opts.AuthTokenEncrypted != "" { | ||||
| 			if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil { | ||||
| 				return nil, err | ||||
| 				log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err) | ||||
| 			} | ||||
| 		} | ||||
|  | ||||
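Review bot: On a failed decrypt the three branches in MigrateConfig now only log, yet each still assigns DecryptSecret's result straight into `opts.CloneAddr`, `opts.AuthPassword` or `opts.AuthToken`, so whatever was unmarshalled into that field is overwritten by the failure return (presumably an empty string) and the caller gets no signal. A migration worker receiving these options would then proceed with a blank clone address or blank credentials instead of stopping. Decrypting into a local and assigning only on success keeps the stored value, e.g. `if v, derr := secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); derr != nil { log.Error(...) } else { opts.CloneAddr = v }`. If only the admin pages need the lenient behaviour, consider still returning the error to the task runner. The function starts and ends outside this hunk, so how `err` is used after these blocks is not visible here.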
|   | ||||
| @@ -111,11 +111,11 @@ func (t *TwoFactor) SetSecret(secretString string) error { | ||||
| func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) { | ||||
| 	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret) | ||||
| 	if err != nil { | ||||
| 		return false, err | ||||
| 		return false, fmt.Errorf("ValidateTOTP invalid base64: %w", err) | ||||
| 	} | ||||
| 	secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret) | ||||
| 	if err != nil { | ||||
| 		return false, err | ||||
| 		return false, fmt.Errorf("ValidateTOTP unable to decrypt (maybe SECRET_KEY is wrong): %w", err) | ||||
| 	} | ||||
| 	secretStr := string(secretBytes) | ||||
| 	return totp.Validate(passcode, secretStr), nil | ||||
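Review bot: ValidateTOTP now returns a wrapped error that names SECRET_KEY, but the method has no doc comment telling callers that an error means the stored secret is unusable rather than that the passcode was wrong. I would add `// ValidateTOTP reports whether passcode matches the stored TOTP secret. A non-nil error means the stored secret could not be decoded or decrypted; it says nothing about the passcode.` Callers should log that error server-side and show the user a generic failure, because the message hints at server configuration. The call sites are not visible in this section, so this needs checking against them.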
|   | ||||
| @@ -178,8 +178,8 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[ | ||||
| 	for _, secret := range append(ownerSecrets, repoSecrets...) { | ||||
| 		v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data) | ||||
| 		if err != nil { | ||||
| 			log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) | ||||
| 			return nil, err | ||||
| 			log.Error("Unable to decrypt Actions secret %v %q, maybe SECRET_KEY is wrong: %v", secret.ID, secret.Name, err) | ||||
| 			continue | ||||
| 		} | ||||
| 		secrets[secret.Name] = v | ||||
| 	} | ||||
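Review bot: Skipping an undecryptable secret with `continue` changes which value a job receives when names collide. The loop walks `append(ownerSecrets, repoSecrets...)` and writes `secrets[secret.Name] = v`, so a later entry with the same name replaces an earlier one; if the later (repo-level) entry fails to decrypt while the owner-level one succeeded, the job silently gets the owner-level value. A secret that fails everywhere is simply absent and the workflow runs without it. Calling `delete(secrets, secret.Name)` before `continue` would at least keep a wrong-scope value from being handed out. It is also worth deciding whether task pickup should still fail when a secret is unreadable, leaving the lenient path to admin pages; the rest of GetSecretsOfTask lies outside the hunk.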
|   | ||||
| @@ -8,6 +8,7 @@ import ( | ||||
|  | ||||
| 	"code.gitea.io/gitea/models/auth" | ||||
| 	"code.gitea.io/gitea/modules/json" | ||||
| 	"code.gitea.io/gitea/modules/log" | ||||
| 	"code.gitea.io/gitea/modules/secret" | ||||
| 	"code.gitea.io/gitea/modules/setting" | ||||
| ) | ||||
| @@ -66,9 +67,12 @@ func (source *Source) FromDB(bs []byte) error { | ||||
| 	} | ||||
| 	if source.BindPasswordEncrypt != "" { | ||||
| 		source.BindPassword, err = secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt) | ||||
| 		if err != nil { | ||||
| 			log.Error("Unable to decrypt bind password for LDAP source, maybe SECRET_KEY is wrong: %v", err) | ||||
| 		} | ||||
| 		source.BindPasswordEncrypt = "" | ||||
| 	} | ||||
| 	return err | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // ToDB exports a LDAPConfig to a serialized format. | ||||
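Review bot: When decryption fails, FromDB now returns nil with `source.BindPassword` set to DecryptSecret's failure result (presumably empty) and `BindPasswordEncrypt` cleared, so the loaded source looks like a valid config with a blank bind password. Many LDAP servers treat a bind with a DN and an empty password as an unauthenticated bind, so a source that stays active may run its searches under a different identity than configured instead of failing. If the source is then saved again, the original ciphertext is likely lost. One option is to move `source.BindPasswordEncrypt = ""` into the success path so the ciphertext survives, and to have the bind code reject an empty password when a bind DN is set. The start of FromDB and the bind code are outside this section, so both suggestions need checking against them.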
|   | ||||