fix build

Implement support for TPM-backed signing keys (#953 )
2026-06-04 05:10:40 +00:00 · 2025-02-15 23:48:12 +01:00 · 2025-02-15 23:48:12 +01:00
16 changed files with 159 additions and 386 deletions
@@ -68,4 +68,4 @@ List of contributors, in chronological order:
 * Blake Kostner (https://github.com/btkostner)
 * Leigh London (https://github.com/leighlondon)
 * Gordian Schoenherr (https://github.com/schoenherrg)
-* Brett Hawn (https://github.com/bpiraeus)
+* Charles Duffy (https://github.com/charles-dyfis-net)
@@ -1,118 +0,0 @@
-package api
-
-import (
-	"crypto/tls"
-	"fmt"
-	"strings"
-
-	"github.com/gin-contrib/sessions"
-	"github.com/gin-gonic/gin"
-	"github.com/go-ldap/ldap/v3"
-)
-
-func Authorize(username string, password string) (ok bool) {
-	config := context.Config()
-
-	if config.Auth.Type != "" {
-		switch strings.ToLower(config.Auth.Type) {
-		case "ldap":
-			ok = doLdapAuth(username, password)
-		default:
-			return false
-		}
-		if !ok  {
-			return false
-		}
-	}
-	return true
-}
-
-func doLdapAuth(username string, password string) bool {
-	config := context.Config()
-	attributes := []string{"DN", "CN"}
-
-	server := config.Auth.Server
-	dn := config.Auth.LdapDN
-	filter := fmt.Sprintf(config.Auth.LdapFilter, username)
-
-	// connect to ldap server
-	conn, err := ldap.Dial("tcp", server)
-	if err != nil {
-		return false
-	}
-	defer conn.Close()
-
-	// reconnect via tls
-	err = conn.StartTLS(&tls.Config{InsecureSkipVerify: config.Auth.SecureTLS})
-	if err != nil {
-		return false
-	}
-
-	// format our request and then fire it off
-	request := ldap.NewSearchRequest(dn, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, attributes, nil)
-	search, err := conn.Search(request)
-	if err != nil {
-		return false
-	}
-	// get our modified dn and then check our user for auth
-	udn := search.Entries[0].DN
-	err = conn.Bind(udn, password)
-	if err != nil {
-		return false
-	}
-	return true
-}
-
-func getGroups(c *gin.Context, username string) {
-
-	var groups []string
-	config := context.Config()
-	dn := config.Auth.LdapDN
-	session := sessions.Default(c)
-	// connect to ldap server
-	server := fmt.Sprintf("%s", config.Auth.Server)
-	conn, err := ldap.Dial("tcp", server)
-	if err != nil {
-		return
-	}
-	// reconnect via tls
-	err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
-	if err != nil {
-		return
-	}
-	filter := fmt.Sprintf("(|(member=uid=%s,ou=people,dc=llnw,dc=com)(member=uid=%s,ou=people,dc=llnw,dc=com))", username, username)
-	request := ldap.NewSearchRequest(dn, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"dn", "cn"}, nil)
-	search, err := conn.Search(request)
-	if err != nil {
-		return
-	}
-	if len(search.Entries) < 1 {
-		return
-	}
-	for _, v := range search.Entries {
-		value := strings.Split(strings.TrimLeft(v.DN, "cn="), ",")[0]
-		groups = append(groups, fmt.Sprintf("%s,", value))
-	}
-	session.Set("Groups", groups)
-}
-
-func checkGroup(c *gin.Context, ldgroup string) bool {
-	session := sessions.Default(c)
-	groups := session.Get("Groups")
-	if ldgroup == "" {
-		return true
-	}
-	for _, v := range groups.([]string) {
-		if strings.Contains(v, ldgroup) {
-			return true
-		}
-	}
-	return false
-}
-
-func CheckGroup(c *gin.Context, ldgroup string) (err error) {
-	if !checkGroup(c, ldgroup) {
-		err = fmt.Errorf("Authorisation Failred")
-	}
-	return err
-}
@@ -267,13 +267,7 @@ func apiPublishRepoOrSnapshot(c *gin.Context) {
 				return
 			}

-			err = CheckGroup(c, localRepo.LdapGroup)
-			if err != nil {
-				c.AbortWithError(403, err)
-			}
-
 			resources = append(resources, string(localRepo.Key()))
-
 			sources = append(sources, localRepo)
 		}
 	} else {
@@ -95,8 +95,6 @@ type repoCreateParams struct {
 	DefaultComponent string `        json:"DefaultComponent"     example:"main"`
 	// Snapshot name to create repoitory from (optional)
 	FromSnapshot string `            json:"FromSnapshot"         example:""`
-        //
-	LdapGroup           string
 }

 // @Summary Create Repository
@@ -127,7 +125,6 @@ func apiReposCreate(c *gin.Context) {
 	repo := deb.NewLocalRepo(b.Name, b.Comment)
 	repo.DefaultComponent = b.DefaultComponent
 	repo.DefaultDistribution = b.DefaultDistribution
-	repo.LdapGroup = b.LdapGroup

 	collectionFactory := context.NewCollectionFactory()

@@ -176,8 +173,6 @@ type reposEditParams struct {
 	DefaultDistribution *string `        json:"DefaultDistribution"  example:""`
 	// Change Devault Component for publishing
 	DefaultComponent *string `        json:"DefaultComponent"     example:""`
-        //
-	LdapGroup           *string
 }

 // @Summary Update Repository
@@ -204,12 +199,6 @@ func apiReposEdit(c *gin.Context) {
 		return
 	}

-	err = CheckGroup(c, repo.LdapGroup)
-	if err != nil {
-		c.AbortWithError(403, err)
-		return
-	}
-
 	if b.Name != nil {
 		_, err := collection.ByName(*b.Name)
 		if err == nil {
@@ -228,9 +217,6 @@ func apiReposEdit(c *gin.Context) {
 	if b.DefaultComponent != nil {
 		repo.DefaultComponent = *b.DefaultComponent
 	}
-	if b.LdapGroup != nil {
-		repo.LdapGroup = *b.LdapGroup
-	}

 	err = collection.Update(repo)
 	if err != nil {
@@ -290,12 +276,6 @@ func apiReposDrop(c *gin.Context) {
 		return
 	}

-	err = CheckGroup(c, repo.LdapGroup)
-	if err != nil {
-		c.AbortWithError(403, err)
-		return
-	}
-
 	resources := []string{string(repo.Key())}
 	taskName := fmt.Sprintf("Delete repo %s", name)
 	maybeRunTaskInBackground(c, taskName, resources, func(_ aptly.Progress, _ *task.Detail) (*task.ProcessReturnValue, error) {
@@ -385,11 +365,6 @@ func apiReposPackagesAddDelete(c *gin.Context, taskNamePrefix string, cb func(li
 			return &task.ProcessReturnValue{Code: http.StatusInternalServerError, Value: nil}, err
 		}

-		err = CheckGroup(c, repo.LdapGroup)
-		if err != nil {
-			return &task.ProcessReturnValue{Code: 403, Value: nil}, err
-		}
-
 		out.Printf("Loading packages...\n")
 		list, err := deb.NewPackageListFromRefList(repo.RefList(), collectionFactory.PackageCollection(), nil)
 		if err != nil {
@@ -547,11 +522,6 @@ func apiReposPackageFromDir(c *gin.Context) {
 			return &task.ProcessReturnValue{Code: http.StatusInternalServerError, Value: nil}, err
 		}

-		err = CheckGroup(c, repo.LdapGroup)
-		if err != nil {
-			return &task.ProcessReturnValue{Code: 403, Value: nil}, err
-		}
-
 		verifier := context.GetVerifier()

 		var (
@@ -875,11 +845,6 @@ func apiReposIncludePackageFromDir(c *gin.Context) {
 			AbortWithJSONError(c, 404, err)
 			return
 		}
-		err = CheckGroup(c, repo.LdapGroup)
-		if err != nil {
-			c.AbortWithError(403, err)
-			return
-		}

 		resources = append(resources, string(repo.Key()))
 	}
@@ -1,12 +1,9 @@
 package api

 import (
-	"fmt"
-	"log"
 	"net/http"
 	"os"
 	"sync/atomic"
-	"time"

 	"github.com/aptly-dev/aptly/aptly"
 	ctx "github.com/aptly-dev/aptly/context"
@@ -18,10 +15,6 @@ import (
 	"github.com/aptly-dev/aptly/docs"
 	swaggerFiles "github.com/swaggo/files"
 	ginSwagger "github.com/swaggo/gin-swagger"
-	"github.com/gin-contrib/sessions"
-	"github.com/gin-contrib/sessions/cookie"
-	"github.com/gin-gonic/gin"
-	uuid "github.com/nu7hatch/gouuid"
 )

 var context *ctx.AptlyContext
@@ -140,167 +133,105 @@ func Router(c *ctx.AptlyContext) http.Handler {
 		api.GET("/healthy", apiHealthy)
 	}

-	// set up cookies and sessions
-	token, err := uuid.NewV4()
-	if err != nil {
-		panic(err)
-	}
-
-	store := cookie.NewStore([]byte(token.String()))
-	router.Use(sessions.Sessions(token.String(), store))
-	// prep our config fetcher ahead of need
-	config := context.Config()
-
-	// prep a logfile if we've set one
-	if config.LogFile != "" {
-		file, err := os.OpenFile(config.LogFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
-		if err != nil {
-			panic(err)
-		}
-		defer file.Close()
-		log.SetOutput(file)
-	}
-
-	router.GET("/version", apiVersion)
-
-	var username string
-	var password string
-	router.POST("/login", func(c *gin.Context) {
-		session := sessions.Default(c)
-		session.Options(sessions.Options{MaxAge: 30})
-		if config.UseAuth {
-			log.Printf("UseAuth is enabled\n")
-			username = c.PostForm("username")
-			password = c.PostForm("password")
-			if !Authorize(username, password) {
-				c.AbortWithError(403, fmt.Errorf("Authorization Failure"))
-			}
-			log.Printf("%s authorized from %s\n", username, c.ClientIP())
-		}
-		session.Set(token.String(), time.Now().Unix())
-		session.Save()
-		getGroups(c, username)
-		c.String(200, "Authorized!")
-	})
-
-	router.POST("/logout", func(c *gin.Context) {
-		session := sessions.Default(c)
-		session.Options(sessions.Options{MaxAge: -1})
-		session.Save()
-		c.String(200, "Deauthorized")
-	})
-
-	authorize := router.Group("/api", func(c *gin.Context) {
-		session := sessions.Default(c)
-		if config.UseAuth {
-			if session.Get(token.String()) == nil {
-				c.AbortWithError(403, fmt.Errorf("not authorized"))
-			}
-			session.Options(sessions.Options{MaxAge: 30})
-			session.Set(token.String(), time.Now().Unix())
-			session.Save()
-		}
-	})
-
 	{
-		authorize.GET("/repos", apiReposList)
-		authorize.POST("/repos", apiReposCreate)
-		authorize.GET("/repos/:name", apiReposShow)
-		authorize.PUT("/repos/:name", apiReposEdit)
-		authorize.DELETE("/repos/:name", apiReposDrop)
+		api.GET("/repos", apiReposList)
+		api.POST("/repos", apiReposCreate)
+		api.GET("/repos/:name", apiReposShow)
+		api.PUT("/repos/:name", apiReposEdit)
+		api.DELETE("/repos/:name", apiReposDrop)

-		authorize.GET("/repos/:name/packages", apiReposPackagesShow)
-		authorize.POST("/repos/:name/packages", apiReposPackagesAdd)
-		authorize.DELETE("/repos/:name/packages", apiReposPackagesDelete)
+		api.GET("/repos/:name/packages", apiReposPackagesShow)
+		api.POST("/repos/:name/packages", apiReposPackagesAdd)
+		api.DELETE("/repos/:name/packages", apiReposPackagesDelete)

-		authorize.POST("/repos/:name/file/:dir/:file", apiReposPackageFromFile)
-		authorize.POST("/repos/:name/file/:dir", apiReposPackageFromDir)
-		authorize.POST("/repos/:name/copy/:src/:file", apiReposCopyPackage)
+		api.POST("/repos/:name/file/:dir/:file", apiReposPackageFromFile)
+		api.POST("/repos/:name/file/:dir", apiReposPackageFromDir)
+		api.POST("/repos/:name/copy/:src/:file", apiReposCopyPackage)

-		authorize.POST("/repos/:name/include/:dir/:file", apiReposIncludePackageFromFile)
-		authorize.POST("/repos/:name/include/:dir", apiReposIncludePackageFromDir)
+		api.POST("/repos/:name/include/:dir/:file", apiReposIncludePackageFromFile)
+		api.POST("/repos/:name/include/:dir", apiReposIncludePackageFromDir)

-		authorize.POST("/repos/:name/snapshots", apiSnapshotsCreateFromRepository)
+		api.POST("/repos/:name/snapshots", apiSnapshotsCreateFromRepository)
 	}

 	{
-		authorize.POST("/mirrors/:name/snapshots", apiSnapshotsCreateFromMirror)
+		api.POST("/mirrors/:name/snapshots", apiSnapshotsCreateFromMirror)
 	}

 	{
-		authorize.GET("/mirrors", apiMirrorsList)
-		authorize.GET("/mirrors/:name", apiMirrorsShow)
-		authorize.GET("/mirrors/:name/packages", apiMirrorsPackages)
-		authorize.POST("/mirrors", apiMirrorsCreate)
-		authorize.PUT("/mirrors/:name", apiMirrorsUpdate)
-		authorize.DELETE("/mirrors/:name", apiMirrorsDrop)
+		api.GET("/mirrors", apiMirrorsList)
+		api.GET("/mirrors/:name", apiMirrorsShow)
+		api.GET("/mirrors/:name/packages", apiMirrorsPackages)
+		api.POST("/mirrors", apiMirrorsCreate)
+		api.PUT("/mirrors/:name", apiMirrorsUpdate)
+		api.DELETE("/mirrors/:name", apiMirrorsDrop)
 	}

 	{
-		authorize.POST("/gpg/key", apiGPGAddKey)
+		api.POST("/gpg/key", apiGPGAddKey)
 	}

 	{
-		authorize.GET("/s3", apiS3List)
+		api.GET("/s3", apiS3List)
 	}

 	{
-		authorize.GET("/files", apiFilesListDirs)
-		authorize.POST("/files/:dir", apiFilesUpload)
-		authorize.GET("/files/:dir", apiFilesListFiles)
-		authorize.DELETE("/files/:dir", apiFilesDeleteDir)
-		authorize.DELETE("/files/:dir/:name", apiFilesDeleteFile)
+		api.GET("/files", apiFilesListDirs)
+		api.POST("/files/:dir", apiFilesUpload)
+		api.GET("/files/:dir", apiFilesListFiles)
+		api.DELETE("/files/:dir", apiFilesDeleteDir)
+		api.DELETE("/files/:dir/:name", apiFilesDeleteFile)
 	}

 	{
-		authorize.GET("/publish", apiPublishList)
-		authorize.GET("/publish/:prefix/:distribution", apiPublishShow)
-		authorize.POST("/publish", apiPublishRepoOrSnapshot)
-		authorize.POST("/publish/:prefix", apiPublishRepoOrSnapshot)
-		authorize.PUT("/publish/:prefix/:distribution", apiPublishUpdateSwitch)
-		authorize.DELETE("/publish/:prefix/:distribution", apiPublishDrop)
-		authorize.POST("/publish/:prefix/:distribution/sources", apiPublishAddSource)
-		authorize.GET("/publish/:prefix/:distribution/sources", apiPublishListChanges)
-		authorize.PUT("/publish/:prefix/:distribution/sources", apiPublishSetSources)
-		authorize.DELETE("/publish/:prefix/:distribution/sources", apiPublishDropChanges)
-		authorize.PUT("/publish/:prefix/:distribution/sources/:component", apiPublishUpdateSource)
-		authorize.DELETE("/publish/:prefix/:distribution/sources/:component", apiPublishRemoveSource)
-		authorize.POST("/publish/:prefix/:distribution/update", apiPublishUpdate)
+		api.GET("/publish", apiPublishList)
+		api.GET("/publish/:prefix/:distribution", apiPublishShow)
+		api.POST("/publish", apiPublishRepoOrSnapshot)
+		api.POST("/publish/:prefix", apiPublishRepoOrSnapshot)
+		api.PUT("/publish/:prefix/:distribution", apiPublishUpdateSwitch)
+		api.DELETE("/publish/:prefix/:distribution", apiPublishDrop)
+		api.POST("/publish/:prefix/:distribution/sources", apiPublishAddSource)
+		api.GET("/publish/:prefix/:distribution/sources", apiPublishListChanges)
+		api.PUT("/publish/:prefix/:distribution/sources", apiPublishSetSources)
+		api.DELETE("/publish/:prefix/:distribution/sources", apiPublishDropChanges)
+		api.PUT("/publish/:prefix/:distribution/sources/:component", apiPublishUpdateSource)
+		api.DELETE("/publish/:prefix/:distribution/sources/:component", apiPublishRemoveSource)
+		api.POST("/publish/:prefix/:distribution/update", apiPublishUpdate)
 	}

 	{
-		authorize.GET("/snapshots", apiSnapshotsList)
-		authorize.POST("/snapshots", apiSnapshotsCreate)
-		authorize.PUT("/snapshots/:name", apiSnapshotsUpdate)
-		authorize.GET("/snapshots/:name", apiSnapshotsShow)
-		authorize.GET("/snapshots/:name/packages", apiSnapshotsSearchPackages)
-		authorize.DELETE("/snapshots/:name", apiSnapshotsDrop)
-		authorize.GET("/snapshots/:name/diff/:withSnapshot", apiSnapshotsDiff)
-		authorize.POST("/snapshots/:name/merge", apiSnapshotsMerge)
-		authorize.POST("/snapshots/:name/pull", apiSnapshotsPull)
+		api.GET("/snapshots", apiSnapshotsList)
+		api.POST("/snapshots", apiSnapshotsCreate)
+		api.PUT("/snapshots/:name", apiSnapshotsUpdate)
+		api.GET("/snapshots/:name", apiSnapshotsShow)
+		api.GET("/snapshots/:name/packages", apiSnapshotsSearchPackages)
+		api.DELETE("/snapshots/:name", apiSnapshotsDrop)
+		api.GET("/snapshots/:name/diff/:withSnapshot", apiSnapshotsDiff)
+		api.POST("/snapshots/:name/merge", apiSnapshotsMerge)
+		api.POST("/snapshots/:name/pull", apiSnapshotsPull)
 	}

 	{
-		authorize.GET("/packages/:key", apiPackagesShow)
-		authorize.GET("/packages", apiPackages)
+		api.GET("/packages/:key", apiPackagesShow)
+		api.GET("/packages", apiPackages)
 	}

 	{
-		authorize.GET("/graph.:ext", apiGraph)
+		api.GET("/graph.:ext", apiGraph)
 	}
 	{
-		authorize.POST("/db/cleanup", apiDbCleanup)
+		api.POST("/db/cleanup", apiDbCleanup)
 	}
 	{
-		authorize.GET("/tasks", apiTasksList)
-		authorize.POST("/tasks-clear", apiTasksClear)
-		authorize.GET("/tasks-wait", apiTasksWait)
-		authorize.GET("/tasks/:id/wait", apiTasksWaitForTaskByID)
-		authorize.GET("/tasks/:id/output", apiTasksOutputShow)
-		authorize.GET("/tasks/:id/detail", apiTasksDetailShow)
-		authorize.GET("/tasks/:id/return_value", apiTasksReturnValueShow)
-		authorize.GET("/tasks/:id", apiTasksShow)
-		authorize.DELETE("/tasks/:id", apiTasksDelete)
+		api.GET("/tasks", apiTasksList)
+		api.POST("/tasks-clear", apiTasksClear)
+		api.GET("/tasks-wait", apiTasksWait)
+		api.GET("/tasks/:id/wait", apiTasksWaitForTaskByID)
+		api.GET("/tasks/:id/output", apiTasksOutputShow)
+		api.GET("/tasks/:id/detail", apiTasksDetailShow)
+		api.GET("/tasks/:id/return_value", apiTasksReturnValueShow)
+		api.GET("/tasks/:id", apiTasksShow)
+		api.DELETE("/tasks/:id", apiTasksDelete)
 	}

 	return router
@@ -251,12 +251,6 @@ func apiSnapshotsCreateFromRepository(c *gin.Context) {
 		return
 	}

-	err = CheckGroup(c, repo.LdapGroup)
-	if err != nil {
-		c.AbortWithError(403, err)
-		return
-	}
-
 	// including snapshot resource key
 	resources := []string{string(repo.Key()), "S" + b.Name}
 	taskName := fmt.Sprintf("Create snapshot of repo %s", name)
@@ -18,7 +18,6 @@ func aptlyRepoCreate(cmd *commander.Command, args []string) error {
 	repo := deb.NewLocalRepo(args[0], context.Flags().Lookup("comment").Value.String())
 	repo.DefaultDistribution = context.Flags().Lookup("distribution").Value.String()
 	repo.DefaultComponent = context.Flags().Lookup("component").Value.String()
-	repo.LdapGroup = context.Flags().Lookup("ldap-group").Value.String()

 	uploadersFile := context.Flags().Lookup("uploaders-file").Value.Get().(string)
 	if uploadersFile != "" {
@@ -80,7 +79,6 @@ Example:
 	cmd.Flag.String("distribution", "", "default distribution when publishing")
 	cmd.Flag.String("component", "main", "default component when publishing")
 	cmd.Flag.String("uploaders-file", "", "uploaders.json to be used when including .changes into this repository")
-	cmd.Flag.String("ldap-group", "", "ldap group that owns the repo, leave empty to allow ALL")

 	return cmd
 }
@@ -39,8 +39,6 @@ func aptlyRepoEdit(cmd *commander.Command, args []string) error {
 			repo.DefaultComponent = flag.Value.String()
 		case "uploaders-file":
 			uploadersFile = pointer.ToString(flag.Value.String())
-		case "ldap-group":
-			repo.LdapGroup = flag.Value.String()
 		}
 	})

@@ -84,7 +82,6 @@ Example:
 	cmd.Flag.String("distribution", "", "default distribution when publishing")
 	cmd.Flag.String("component", "", "default component when publishing")
 	cmd.Flag.String("uploaders-file", "", "uploaders.json to be used when including .changes into this repository")
-	cmd.Flag.String("ldap-group", "", "ldap group that owns the repo, leave empty to allow ALL")

 	return cmd
 }
@@ -45,7 +45,6 @@ func aptlyRepoShowTxt(_ *commander.Command, args []string) error {
 	fmt.Printf("Comment: %s\n", repo.Comment)
 	fmt.Printf("Default Distribution: %s\n", repo.DefaultDistribution)
 	fmt.Printf("Default Component: %s\n", repo.DefaultComponent)
-	fmt.Printf("Ldap Group: %s\n", repo.LdapGroup)
 	if repo.Uploaders != nil {
 		fmt.Printf("Uploaders: %s\n", repo.Uploaders)
 	}
@@ -242,7 +242,6 @@ local keyring="*-keyring=[gpg keyring to use when verifying Release file (could
                local create_edit=("-comment=[any text that would be used to described local repository]:comment: "
                            "-component=[default component when publishing]:component:($components)"
                            "-distribution=[default distribution when publishing]:distribution:($dists)"
-                            "-ldap-group=[ldap group for repo actions, empty by default]:ldap-group"
                            $aptly_uploaders
                            )

@@ -27,8 +27,6 @@ type LocalRepo struct {
 	Uploaders *Uploaders `codec:"Uploaders,omitempty" json:"-"`
 	// "Snapshot" of current list of packages
 	packageRefs *PackageRefList
-	// ldap group for repos
-	LdapGroup string `codec:",ldap-group"`
 }

 // NewLocalRepo creates new instance of Debian local repository
@@ -56,14 +54,6 @@ func (repo *LocalRepo) NumPackages() int {
 	return repo.packageRefs.Len()
 }

-// LdapGroup returns the ldapgroup if any for the repo
-func (repo *LocalRepo) GetLDGroup() string {
-	if repo.LdapGroup != "" {
-		return fmt.Sprintf("[%s]", repo.LdapGroup)
-	}
-	return ""
-}
-
 // RefList returns package list for repo
 func (repo *LocalRepo) RefList() *PackageRefList {
 	return repo.packageRefs
@@ -1622,7 +1622,7 @@ GPG passphrase\-file for the key (warning: could be insecure)
 .
 .TP
 \-\fBsecret\-keyring\fR=
-GPG secret keyring to use (instead of default)
+GPG secret keyring to use (instead of default); may be of the form \fBtpm://HANDLE?dev=DEVICE\fR to use a TPM-backed key if the selected \fBgpgProvider\fR is \fBinternal\fR, where \fBHANDLE\fR is of the form \fB0x81000003\fR, and \fBdev\fR is a (URL-escaped) value similar to \fB/dev/tpmrm0\fR (which happens to be the default if not given).
 .
 .TP
 \-\fBskip\-bz2\fR
@@ -341,7 +341,6 @@ The legacy json configuration is still supported (and also supports comments):
      // Storage. First, publishing endpoints should be described in the aptly
      // configuration file. Each endpoint has its name and associated settings.
      "AzurePublishEndpoints": {
-<<<<<<< HEAD
        // // Endpoint Name
        // "test": {

@@ -393,26 +392,12 @@ The legacy json configuration is still supported (and also supports comments):
        // // See: Azure documentation https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string
        // // defaults to "https://<accountName>.blob.core.windows.net"
        // "endpoint": ""
-      },
-
-      // Authorization for repos may be configured for ldap groups (and is extensible for others),
-      // default is no authorization.
-      "Auth": {
-        // // auth type, only supports ldap currently
-        // "authType: "",
-        // // auth server to use (eg. ldaps://ldap.example.com)
-        // "server\": "",
-        // // DN for ldap searches
-        // "ldapDN\": "",
-        // // ldap filter
-        // "ldapFilter": "",
-        // // enable secureTLS, default is off
-        // "secureTLS": false
-       }
+      }

    // End of config
    }

+
 ## PACKAGE QUERY

 Some commands accept package queries to identify list of packages to process.
@@ -4,17 +4,22 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"net/url"
 	"os"
 	"path/filepath"
 	"sort"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"

+	"github.com/folbricht/tpmk"
+	"github.com/google/go-tpm/tpmutil"
 	"github.com/pkg/errors"

 	"github.com/ProtonMail/go-crypto/openpgp"
 	"github.com/ProtonMail/go-crypto/openpgp/clearsign"
+	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	openpgp_errors "github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"golang.org/x/term"
@@ -38,12 +43,33 @@ type GoSigner struct {
 	passphrase, passphraseFile     string
 	batch                          bool

+	tpmPrivateKey *tpmk.RSAPrivateKey
 	publicKeyring openpgp.EntityList
 	secretKeyring openpgp.EntityList
 	signer        *openpgp.Entity
 	signerConfig  *packet.Config
 }

+func findKey(keyRef string, keyring openpgp.EntityList) *openpgp.Entity {
+	for _, signer := range keyring {
+		key := KeyFromUint64(signer.PrimaryKey.KeyId)
+		if key.Matches(Key(keyRef)) {
+			return signer
+		}
+
+		if !validEntity(signer) {
+			continue
+		}
+
+		for name := range signer.Identities {
+			if strings.Contains(name, keyRef) {
+				return signer
+			}
+		}
+	}
+	return nil
+}
+
 // SetBatch controls whether we allowed to interact with user, for example
 // for getting the passphrase from stdin.
 func (g *GoSigner) SetBatch(batch bool) {
@@ -104,12 +130,56 @@ func (g *GoSigner) Init() error {
 		return errors.Wrap(err, "error loading public keyring")
 	}

-	g.secretKeyring, err = loadKeyRing(g.secretKeyringFile, false)
-	if err != nil {
-		return errors.Wrap(err, "error load secret keyring")
+	if strings.HasPrefix(g.secretKeyringFile, "tpm://") {
+		// Expected form of tpm://0x81000002 -- optionally with query parameters holding extra values
+		// f/e, ?dev=%2Fdev%2Ftpmrm1 to specify the device as /dev/tpmrm1; or ?dev=sim for simulator
+		tpmSecretURL, err := url.Parse(g.secretKeyringFile)
+		if err != nil {
+			return errors.Wrap(err, "parsing TPM URI")
+		}
+		tpmQueryArgs := tpmSecretURL.Query()
+		devStrings, hasDev := tpmQueryArgs["dev"]
+		tpmDevFilename := "/dev/tpmrm0"
+		if hasDev && len(devStrings) != 0 {
+			if len(devStrings) > 1 {
+				return errors.Errorf("Parsing TPM address, more than one device name found")
+			}
+			tpmDevFilename = devStrings[0]
+		}
+		tpmDev, err := tpmk.OpenDevice(tpmDevFilename)
+		if err != nil {
+			return errors.Wrap(err, "opening TPM device")
+		}
+		tpmHandleInt, err := strconv.ParseUint(tpmSecretURL.Host, 0, 32)
+		if err != nil {
+			return errors.Wrap(err, "parsing TPM URI host as integer handle")
+		}
+		tpmHandle := tpmutil.Handle(tpmHandleInt)
+		privKey, err := tpmk.NewRSAPrivateKey(tpmDev, tpmHandle, g.passphrase)
+		if err != nil {
+			return errors.Wrap(err, "opening TPM key handle")
+		}
+		g.tpmPrivateKey = &privKey
+	} else {
+		g.secretKeyring, err = loadKeyRing(g.secretKeyringFile, false)
+		if err != nil {
+			return errors.Wrap(err, "error load secret keyring")
+		}
 	}

-	if g.keyRef == "" {
+	if g.secretKeyring == nil {
+		// Happens if our private key is TPM-backed; means we only have a public key
+		if g.keyRef == "" && len(g.publicKeyring) == 1 {
+			g.signer = g.publicKeyring[0]
+		} else if g.keyRef != "" {
+			g.signer = findKey(g.keyRef, g.publicKeyring)
+			if g.signer == nil {
+				return errors.Errorf("couldn't find key for key reference %+v in public keyring", g.keyRef)
+			}
+		} else {
+			return errors.Errorf("must either only have our signing key in the public keyring, or provide the identity of the signing key when in tpm mode")
+		}
+	} else if g.keyRef == "" {
 		// no key reference, pick the first key
 		for _, signer := range g.secretKeyring {
 			if !validEntity(signer) {
@@ -124,28 +194,9 @@ func (g *GoSigner) Init() error {
 			return fmt.Errorf("looks like there are no keys in gpg, please create one (official manual: http://www.gnupg.org/gph/en/manual.html)")
 		}
 	} else {
-	pickKeyLoop:
-		for _, signer := range g.secretKeyring {
-			key := KeyFromUint64(signer.PrimaryKey.KeyId)
-			if key.Matches(Key(g.keyRef)) {
-				g.signer = signer
-				break
-			}
-
-			if !validEntity(signer) {
-				continue
-			}
-
-			for name := range signer.Identities {
-				if strings.Contains(name, g.keyRef) {
-					g.signer = signer
-					break pickKeyLoop
-				}
-			}
-		}
-
+		g.signer = findKey(g.keyRef, g.secretKeyring)
 		if g.signer == nil {
-			return errors.Errorf("couldn't find key for key reference %v", g.keyRef)
+			return errors.Errorf("couldn't find key for key reference %v in private keyring", g.keyRef)
 		}
 	}

@@ -232,9 +283,21 @@ func (g *GoSigner) DetachedSign(source string, destination string) error {
 	}
 	defer signature.Close()

-	err = openpgp.ArmoredDetachSign(signature, g.signer, message, g.signerConfig)
-	if err != nil {
-		return errors.Wrap(err, "error creating detached signature")
+	if g.tpmPrivateKey != nil {
+		encoder, err := armor.Encode(signature, openpgp.SignatureType, nil)
+		if err != nil {
+			return errors.Wrap(err, "error creating armoring encoder")
+		}
+		defer encoder.Close()
+		err = tpmk.OpenPGPDetachSign(encoder, g.signer, message, nil, g.tpmPrivateKey)
+		if err != nil {
+			return errors.Wrap(err, "error creating detached signature with TPM-backed key")
+		}
+	} else {
+		err = openpgp.ArmoredDetachSign(signature, g.signer, message, g.signerConfig)
+		if err != nil {
+			return errors.Wrap(err, "error creating detached signature")
+		}
 	}

 	return nil
@@ -13,7 +13,6 @@ import (

 // ConfigStructure is structure of main configuration
 type ConfigStructure struct { // nolint: maligned
-<<<<<<< HEAD
 	// General
 	RootDir              string   `json:"rootDir"                       yaml:"root_dir"`
 	LogLevel             string   `json:"logLevel"                      yaml:"log_level"`
@@ -64,10 +63,6 @@ type ConfigStructure struct { // nolint: maligned
 	SwiftPublishRoots      map[string]SwiftPublishRoot      `json:"SwiftPublishEndpoints"         yaml:"swift_publish_endpoints"`
 	AzurePublishRoots      map[string]AzureEndpoint         `json:"AzurePublishEndpoints"         yaml:"azure_publish_endpoints"`
 	PackagePoolStorage     PackagePoolStorage               `json:"packagePoolStorage"            yaml:"packagepool_storage"`
-
-        // Authentication
-	UseAuth                bool                             `json:"useAuth"`
-	Auth                   AAuth                            `json:"Auth"`
 }

 // DBConfig
@@ -216,19 +211,9 @@ type AzureEndpoint struct {
 	Endpoint    string `json:"endpoint"     yaml:"endpoint"`
 }

-type AAuth struct {
-	Type       string `json:"authType"`
-	Server     string `json:"server"`
-	LdapDN     string `json:"ldapDN"`
-	LdapFilter string `json:"ldapFilter"`
-	SecureTLS  bool   `json:"secureTLS"`
-}
-
 // Config is configuration for aptly, shared by all modules
 var Config = ConfigStructure{
 	RootDir:                filepath.Join(os.Getenv("HOME"), ".aptly"),
-	LogFile:                "",
-	UseAuth:                false, // should we enable auth
 	DownloadConcurrency:    4,
 	DownloadLimit:          0,
 	Downloader:             "default",
@@ -258,7 +243,6 @@ var Config = ConfigStructure{
 	LogFormat:              "default",
 	ServeInAPIMode:         false,
 	EnableSwaggerEndpoint:  false,
-	Auth:                   AAuth{},
 }

 // LoadConfig loads configuration from json file
@@ -155,15 +155,7 @@ func (s *ConfigSuite) TestSaveConfig(c *C) {
 		"  \"packagePoolStorage\": {\n" +
 		"    \"type\": \"local\",\n" +
 		"    \"path\": \"/tmp/aptly-pool\"\n" +
-		"  },\n" +
-		"  \"useAuth\": false,\n"+
-		"  \"Auth\": {\n"+
-		"    \"authType\": \"\",\n"+
-		"    \"server\": \"\",\n"+
-		"    \"ldapDN\": \"\",\n"+
-		"    \"ldapFilter\": \"\",\n"+
-		"    \"secureTLS\": false\n"+
-		"  }\n"+
+		"  }\n" +
 		"}")
 }
Author	SHA1	Message	Date
André Roth	a7862627a9	fix build	2025-02-15 23:48:12 +01:00
Charles Duffy	43a4d06dbe	Implement support for TPM-backed signing keys (#953 )	2025-02-15 23:48:12 +01:00