summaryrefslogtreecommitdiffstats
path: root/services/secrets
diff options
context:
space:
mode:
authorDaniel Baumann <daniel@debian.org>2024-10-18 20:33:49 +0200
committerDaniel Baumann <daniel@debian.org>2024-10-18 20:33:49 +0200
commitdd136858f1ea40ad3c94191d647487fa4f31926c (patch)
tree58fec94a7b2a12510c9664b21793f1ed560c6518 /services/secrets
parentInitial commit. (diff)
downloadforgejo-dd136858f1ea40ad3c94191d647487fa4f31926c.tar.xz
forgejo-dd136858f1ea40ad3c94191d647487fa4f31926c.zip
Adding upstream version 9.0.0.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to 'services/secrets')
-rw-r--r--services/secrets/secrets.go83
-rw-r--r--services/secrets/validation.go25
2 files changed, 108 insertions, 0 deletions
diff --git a/services/secrets/secrets.go b/services/secrets/secrets.go
new file mode 100644
index 0000000..031c474
--- /dev/null
+++ b/services/secrets/secrets.go
@@ -0,0 +1,83 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package secrets
+
+import (
+ "context"
+
+ "code.gitea.io/gitea/models/db"
+ secret_model "code.gitea.io/gitea/models/secret"
+)
+
+func CreateOrUpdateSecret(ctx context.Context, ownerID, repoID int64, name, data string) (*secret_model.Secret, bool, error) {
+ if err := ValidateName(name); err != nil {
+ return nil, false, err
+ }
+
+ s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
+ OwnerID: ownerID,
+ RepoID: repoID,
+ Name: name,
+ })
+ if err != nil {
+ return nil, false, err
+ }
+
+ if len(s) == 0 {
+ s, err := secret_model.InsertEncryptedSecret(ctx, ownerID, repoID, name, data)
+ if err != nil {
+ return nil, false, err
+ }
+ return s, true, nil
+ }
+
+ if err := secret_model.UpdateSecret(ctx, s[0].ID, data); err != nil {
+ return nil, false, err
+ }
+
+ return s[0], false, nil
+}
+
+func DeleteSecretByID(ctx context.Context, ownerID, repoID, secretID int64) error {
+ s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
+ OwnerID: ownerID,
+ RepoID: repoID,
+ SecretID: secretID,
+ })
+ if err != nil {
+ return err
+ }
+ if len(s) != 1 {
+ return secret_model.ErrSecretNotFound{}
+ }
+
+ return deleteSecret(ctx, s[0])
+}
+
+func DeleteSecretByName(ctx context.Context, ownerID, repoID int64, name string) error {
+ if err := ValidateName(name); err != nil {
+ return err
+ }
+
+ s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
+ OwnerID: ownerID,
+ RepoID: repoID,
+ Name: name,
+ })
+ if err != nil {
+ return err
+ }
+ if len(s) != 1 {
+ return secret_model.ErrSecretNotFound{}
+ }
+
+ return deleteSecret(ctx, s[0])
+}
+
+func deleteSecret(ctx context.Context, s *secret_model.Secret) error {
+ if _, err := db.DeleteByID[secret_model.Secret](ctx, s.ID); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/services/secrets/validation.go b/services/secrets/validation.go
new file mode 100644
index 0000000..3db5b96
--- /dev/null
+++ b/services/secrets/validation.go
@@ -0,0 +1,25 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package secrets
+
+import (
+ "regexp"
+
+ "code.gitea.io/gitea/modules/util"
+)
+
+// https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
+var (
+ namePattern = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
+ forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
+
+ ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
+)
+
+func ValidateName(name string) error {
+ if !namePattern.MatchString(name) || forbiddenPrefixPattern.MatchString(name) {
+ return ErrInvalidName
+ }
+ return nil
+}