[FEAT] Allow pushmirror to use publickey authentication

- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by @Gusted, so it's fine to change copyright holder to Forgejo). - Add the option to use SSH for push mirrors, this would allow for the deploy keys feature to be used and not require tokens to be used which cannot be limited to a specific repository. The private key is stored encrypted (via the `keying` module) on the database and NEVER given to the user, to avoid accidental exposure and misuse. - CAVEAT: This does require the `ssh` binary to be present, which may not be available in containerized environments, this could be solved by adding a SSH client into forgejo itself and use the forgejo binary as SSH command, but should be done in another PR. - CAVEAT: Mirroring of LFS content is not supported, this would require the previous stated problem to be solved due to LFS authentication (an attempt was made at forgejo/forgejo#2544). - Integration test added. - Resolves #4416
author: Philip Peterson <pc.peterso@gmail.com> 2024-08-04 20:46:05 +0200
committer: Gusted <postmaster@gusted.xyz> 2024-08-22 17:05:07 +0200
commit: 03508b33a8e890b05d845bbd8ead8672b8f03578 (patch)
tree: 88e53a4ae4e2efe16e85d819e0702f5f72bb7b98
parent: Merge pull request '[SEC] Add `keying` module' (#5041) from gusted/sec-keying... (diff)
download: forgejo-03508b33a8e890b05d845bbd8ead8672b8f03578.tar.xz
forgejo-03508b33a8e890b05d845bbd8ead8672b8f03578.zip
24 files changed, 648 insertions, 66 deletions
diff --git a/.deadcode-out b/.deadcode-out
index 539056a429..72d5df86dc 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -170,11 +170,6 @@ code.gitea.io/gitea/modules/json
 	StdJSON.NewDecoder
 	StdJSON.Indent
 
-code.gitea.io/gitea/modules/keying
-	DeriveKey
-	Key.Encrypt
-	Key.Decrypt
-
 code.gitea.io/gitea/modules/markup
 	GetRendererByType
 	RenderString
diff --git a/models/forgejo_migrations/migrate.go b/models/forgejo_migrations/migrate.go
index e9db250e75..598ec8bbaa 100644
--- a/models/forgejo_migrations/migrate.go
+++ b/models/forgejo_migrations/migrate.go
@@ -78,6 +78,8 @@ var migrations = []*Migration{
 	NewMigration("Add external_url to attachment table", AddExternalURLColumnToAttachmentTable),
 	// v20 -> v21
 	NewMigration("Creating Quota-related tables", CreateQuotaTables),
+	// v21 -> v22
+	NewMigration("Add SSH keypair to `pull_mirror` table", AddSSHKeypairToPushMirror),
 }
 
 // GetCurrentDBVersion returns the current Forgejo database version.
diff --git a/models/forgejo_migrations/v21.go b/models/forgejo_migrations/v21.go
new file mode 100644
index 0000000000..53f141b2ab
--- /dev/null
+++ b/models/forgejo_migrations/v21.go
@@ -0,0 +1,16 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgejo_migrations //nolint:revive
+
+import "xorm.io/xorm"
+
+func AddSSHKeypairToPushMirror(x *xorm.Engine) error {
+	type PushMirror struct {
+		ID         int64  `xorm:"pk autoincr"`
+		PublicKey  string `xorm:"VARCHAR(100)"`
+		PrivateKey []byte `xorm:"BLOB"`
+	}
+
+	return x.Sync(&PushMirror{})
+}
diff --git a/models/repo/pushmirror.go b/models/repo/pushmirror.go
index 3cf54facae..68fb504fdc 100644
--- a/models/repo/pushmirror.go
+++ b/models/repo/pushmirror.go
@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/git"
 	giturl "code.gitea.io/gitea/modules/git/url"
+	"code.gitea.io/gitea/modules/keying"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
@@ -32,6 +33,10 @@ type PushMirror struct {
 	RemoteName    string
 	RemoteAddress string `xorm:"VARCHAR(2048)"`
 
+	// A keypair formatted in OpenSSH format.
+	PublicKey  string `xorm:"VARCHAR(100)"`
+	PrivateKey []byte `xorm:"BLOB"`
+
 	SyncOnCommit   bool `xorm:"NOT NULL DEFAULT true"`
 	Interval       time.Duration
 	CreatedUnix    timeutil.TimeStamp `xorm:"created"`
@@ -82,6 +87,29 @@ func (m *PushMirror) GetRemoteName() string {
 	return m.RemoteName
 }
 
+// GetPublicKey returns a sanitized version of the public key.
+// This should only be used when displaying the public key to the user, not for actual code.
+func (m *PushMirror) GetPublicKey() string {
+	return strings.TrimSuffix(m.PublicKey, "\n")
+}
+
+// SetPrivatekey encrypts the given private key and store it in the database.
+// The ID of the push mirror must be known, so this should be done after the
+// push mirror is inserted.
+func (m *PushMirror) SetPrivatekey(ctx context.Context, privateKey []byte) error {
+	key := keying.DeriveKey(keying.ContextPushMirror)
+	m.PrivateKey = key.Encrypt(privateKey, keying.ColumnAndID("private_key", m.ID))
+
+	_, err := db.GetEngine(ctx).ID(m.ID).Cols("private_key").Update(m)
+	return err
+}
+
+// Privatekey retrieves the encrypted private key and decrypts it.
+func (m *PushMirror) Privatekey() ([]byte, error) {
+	key := keying.DeriveKey(keying.ContextPushMirror)
+	return key.Decrypt(m.PrivateKey, keying.ColumnAndID("private_key", m.ID))
+}
+
 // UpdatePushMirror updates the push-mirror
 func UpdatePushMirror(ctx context.Context, m *PushMirror) error {
 	_, err := db.GetEngine(ctx).ID(m.ID).AllCols().Update(m)
diff --git a/models/repo/pushmirror_test.go b/models/repo/pushmirror_test.go
index ebaa6e53ba..c3368ccafe 100644
--- a/models/repo/pushmirror_test.go
+++ b/models/repo/pushmirror_test.go
@@ -50,3 +50,30 @@ func TestPushMirrorsIterate(t *testing.T) {
 		return nil
 	})
 }
+
+func TestPushMirrorPrivatekey(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	m := &repo_model.PushMirror{
+		RemoteName: "test-privatekey",
+	}
+	require.NoError(t, db.Insert(db.DefaultContext, m))
+
+	privateKey := []byte{0x00, 0x01, 0x02, 0x04, 0x08, 0x10}
+	t.Run("Set privatekey", func(t *testing.T) {
+		require.NoError(t, m.SetPrivatekey(db.DefaultContext, privateKey))
+	})
+
+	t.Run("Normal retrieval", func(t *testing.T) {
+		actualPrivateKey, err := m.Privatekey()
+		require.NoError(t, err)
+		assert.EqualValues(t, privateKey, actualPrivateKey)
+	})
+
+	t.Run("Incorrect retrieval", func(t *testing.T) {
+		m.ID++
+		actualPrivateKey, err := m.Privatekey()
+		require.Error(t, err)
+		assert.Empty(t, actualPrivateKey)
+	})
+}
diff --git a/modules/git/repo.go b/modules/git/repo.go
index 857424fcd4..84db08d70c 100644
--- a/modules/git/repo.go
+++ b/modules/git/repo.go
@@ -1,5 +1,6 @@
 // Copyright 2015 The Gogs Authors. All rights reserved.
 // Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package git
@@ -18,6 +19,7 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/modules/proxy"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 )
 
@@ -190,17 +192,39 @@ func CloneWithArgs(ctx context.Context, args TrustedCmdArgs, from, to string, op
 
 // PushOptions options when push to remote
 type PushOptions struct {
-	Remote  string
-	Branch  string
-	Force   bool
-	Mirror  bool
-	Env     []string
-	Timeout time.Duration
+	Remote         string
+	Branch         string
+	Force          bool
+	Mirror         bool
+	Env            []string
+	Timeout        time.Duration
+	PrivateKeyPath string
 }
 
 // Push pushs local commits to given remote branch.
 func Push(ctx context.Context, repoPath string, opts PushOptions) error {
 	cmd := NewCommand(ctx, "push")
+
+	if opts.PrivateKeyPath != "" {
+		// Preserve the behavior that existing environments are used if no
+		// environments are passed.
+		if len(opts.Env) == 0 {
+			opts.Env = os.Environ()
+		}
+
+		// Use environment because it takes precedence over using -c core.sshcommand
+		// and it's possible that a system might have an existing GIT_SSH_COMMAND
+		// environment set.
+		opts.Env = append(opts.Env, "GIT_SSH_COMMAND=ssh"+
+			fmt.Sprintf(` -i %s`, opts.PrivateKeyPath)+
+			" -o IdentitiesOnly=yes"+
+			// This will store new SSH host keys and verify connections to existing
+			// host keys, but it doesn't allow replacement of existing host keys. This
+			// means TOFU is used for Git over SSH pushes.
+			" -o StrictHostKeyChecking=accept-new"+
+			" -o UserKnownHostsFile="+filepath.Join(setting.SSH.RootPath, "known_hosts"))
+	}
+
 	if opts.Force {
 		cmd.AddArguments("-f")
 	}
diff --git a/modules/keying/keying.go b/modules/keying/keying.go
index 7cf5f28a44..7c595c7f92 100644
--- a/modules/keying/keying.go
+++ b/modules/keying/keying.go
@@ -18,6 +18,7 @@ package keying
 import (
 	"crypto/rand"
 	"crypto/sha256"
+	"encoding/binary"
 
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/hkdf"
@@ -44,6 +45,9 @@ func Init(ikm []byte) {
 // This must be a hardcoded string and must not be arbitrarily constructed.
 type Context string
 
+// Used for the `push_mirror` table.
+var ContextPushMirror Context = "pushmirror"
+
 // Derive *the* key for a given context, this is a determistic function. The
 // same key will be provided for the same context.
 func DeriveKey(context Context) *Key {
@@ -109,3 +113,13 @@ func (k *Key) Decrypt(ciphertext, additionalData []byte) ([]byte, error) {
 
 	return e.Open(nil, nonce, ciphertext, additionalData)
 }
+
+// ColumnAndID generates a context that can be used as additional context for
+// encrypting and decrypting data. It requires the column name and the row ID
+// (this requires to be known beforehand). Be careful when using this, as the
+// table name isn't part of this context. This means it's not bound to a
+// particular table. The table should be part of the context that the key was
+// derived for, in which case it binds through that.
+func ColumnAndID(column string, id int64) []byte {
+	return binary.BigEndian.AppendUint64(append([]byte(column), ':'), uint64(id))
+}
diff --git a/modules/keying/keying_test.go b/modules/keying/keying_test.go
index 16a6781af8..8a6e8d5ab4 100644
--- a/modules/keying/keying_test.go
+++ b/modules/keying/keying_test.go
@@ -4,6 +4,7 @@
 package keying_test
 
 import (
+	"math"
 	"testing"
 
 	"code.gitea.io/gitea/modules/keying"
@@ -94,3 +95,17 @@ func TestKeying(t *testing.T) {
 		})
 	})
 }
+
+func TestKeyingColumnAndID(t *testing.T) {
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table", math.MinInt64))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table", -1))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table", 0))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, keying.ColumnAndID("table", 1))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x3a, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table", math.MaxInt64))
+
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table2", math.MinInt64))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table2", -1))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, keying.ColumnAndID("table2", 0))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, keying.ColumnAndID("table2", 1))
+	assert.EqualValues(t, []byte{0x74, 0x61, 0x62, 0x6c, 0x65, 0x32, 0x3a, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, keying.ColumnAndID("table2", math.MaxInt64))
+}
diff --git a/modules/lfs/endpoint.go b/modules/lfs/endpoint.go
index 2931defcd9..97bd7d4446 100644
--- a/modules/lfs/endpoint.go
+++ b/modules/lfs/endpoint.go
@@ -60,6 +60,10 @@ func endpointFromURL(rawurl string) *url.URL {
 	case "git":
 		u.Scheme = "https"
 		return u
+	case "ssh":
+		u.Scheme = "https"
+		u.User = nil
+		return u
 	case "file":
 		return u
 	default:
diff --git a/modules/structs/mirror.go b/modules/structs/mirror.go
index 8259583cde..1b6566803a 100644
--- a/modules/structs/mirror.go
+++ b/modules/structs/mirror.go
@@ -12,6 +12,7 @@ type CreatePushMirrorOption struct {
 	RemotePassword string `json:"remote_password"`
 	Interval       string `json:"interval"`
 	SyncOnCommit   bool   `json:"sync_on_commit"`
+	UseSSH         bool   `json:"use_ssh"`
 }
 
 // PushMirror represents information of a push mirror
@@ -27,4 +28,5 @@ type PushMirror struct {
 	LastError      string     `json:"last_error"`
 	Interval       string     `json:"interval"`
 	SyncOnCommit   bool       `json:"sync_on_commit"`
+	PublicKey      string     `json:"public_key"`
 }
diff --git a/modules/util/util.go b/modules/util/util.go
index b6ea283551..0444680228 100644
--- a/modules/util/util.go
+++ b/modules/util/util.go
@@ -1,11 +1,14 @@
 // Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package util
 
 import (
 	"bytes"
+	"crypto/ed25519"
 	"crypto/rand"
+	"encoding/pem"
 	"fmt"
 	"math/big"
 	"strconv"
@@ -13,6 +16,7 @@ import (
 
 	"code.gitea.io/gitea/modules/optional"
 
+	"golang.org/x/crypto/ssh"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 )
@@ -229,3 +233,23 @@ func ReserveLineBreakForTextarea(input string) string {
 	// Other than this, we should respect the original content, even leading or trailing spaces.
 	return strings.ReplaceAll(input, "\r\n", "\n")
 }
+
+// GenerateSSHKeypair generates a ed25519 SSH-compatible keypair.
+func GenerateSSHKeypair() (publicKey, privateKey []byte, err error) {
+	public, private, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		return nil, nil, fmt.Errorf("ed25519.GenerateKey: %w", err)
+	}
+
+	privPEM, err := ssh.MarshalPrivateKey(private, "")
+	if err != nil {
+		return nil, nil, fmt.Errorf("ssh.MarshalPrivateKey: %w", err)
+	}
+
+	sshPublicKey, err := ssh.NewPublicKey(public)
+	if err != nil {
+		return nil, nil, fmt.Errorf("ssh.NewPublicKey: %w", err)
+	}
+
+	return ssh.MarshalAuthorizedKey(sshPublicKey), pem.EncodeToMemory(privPEM), nil
+}
diff --git a/modules/util/util_test.go b/modules/util/util_test.go
index 8ed1e32078..549b53f5a7 100644
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@@ -1,14 +1,19 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package util
+package util_test
 
 import (
+	"bytes"
+	"crypto/rand"
 	"regexp"
 	"strings"
 	"testing"
 
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -43,7 +48,7 @@ func TestURLJoin(t *testing.T) {
 		newTest("/a/b/c#hash",
 			"/a", "b/c#hash"),
 	} {
-		assert.Equal(t, test.Expected, URLJoin(test.Base, test.Elements...))
+		assert.Equal(t, test.Expected, util.URLJoin(test.Base, test.Elements...))
 	}
 }
 
@@ -59,7 +64,7 @@ func TestIsEmptyString(t *testing.T) {
 	}
 
 	for _, v := range cases {
-		assert.Equal(t, v.expected, IsEmptyString(v.s))
+		assert.Equal(t, v.expected, util.IsEmptyString(v.s))
 	}
 }
 
@@ -100,42 +105,42 @@ func Test_NormalizeEOL(t *testing.T) {
 	unix := buildEOLData(data1, "\n")
 	mac := buildEOLData(data1, "\r")
 
-	assert.Equal(t, unix, NormalizeEOL(dos))
-	assert.Equal(t, unix, NormalizeEOL(mac))
-	assert.Equal(t, unix, NormalizeEOL(unix))
+	assert.Equal(t, unix, util.NormalizeEOL(dos))
+	assert.Equal(t, unix, util.NormalizeEOL(mac))
+	assert.Equal(t, unix, util.NormalizeEOL(unix))
 
 	dos = buildEOLData(data2, "\r\n")
 	unix = buildEOLData(data2, "\n")
 	mac = buildEOLData(data2, "\r")
 
-	assert.Equal(t, unix, NormalizeEOL(dos))
-	assert.Equal(t, unix, NormalizeEOL(mac))
-	assert.Equal(t, unix, NormalizeEOL(unix))
+	assert.Equal(t, unix, util.NormalizeEOL(dos))
+	assert.Equal(t, unix, util.NormalizeEOL(mac))
+	assert.Equal(t, unix, util.NormalizeEOL(unix))
 
-	assert.Equal(t, []byte("one liner"), NormalizeEOL([]byte("one liner")))
-	assert.Equal(t, []byte("\n"), NormalizeEOL([]byte("\n")))
-	assert.Equal(t, []byte("\ntwo liner"), NormalizeEOL([]byte("\ntwo liner")))
-	assert.Equal(t, []byte("two liner\n"), NormalizeEOL([]byte("two liner\n")))
-	assert.Equal(t, []byte{}, NormalizeEOL([]byte{}))
+	assert.Equal(t, []byte("one liner"), util.NormalizeEOL([]byte("one liner")))
+	assert.Equal(t, []byte("\n"), util.NormalizeEOL([]byte("\n")))
+	assert.Equal(t, []byte("\ntwo liner"), util.NormalizeEOL([]byte("\ntwo liner")))
+	assert.Equal(t, []byte("two liner\n"), util.NormalizeEOL([]byte("two liner\n")))
+	assert.Equal(t, []byte{}, util.NormalizeEOL([]byte{}))
 
-	assert.Equal(t, []byte("mix\nand\nmatch\n."), NormalizeEOL([]byte("mix\r\nand\rmatch\n.")))
+	assert.Equal(t, []byte("mix\nand\nmatch\n."), util.NormalizeEOL([]byte("mix\r\nand\rmatch\n.")))
 }
 
 func Test_RandomInt(t *testing.T) {
-	randInt, err := CryptoRandomInt(255)
+	randInt, err := util.CryptoRandomInt(255)
 	assert.GreaterOrEqual(t, randInt, int64(0))
 	assert.LessOrEqual(t, randInt, int64(255))
 	require.NoError(t, err)
 }
 
 func Test_RandomString(t *testing.T) {
-	str1, err := CryptoRandomString(32)
+	str1, err := util.CryptoRandomString(32)
 	require.NoError(t, err)
 	matches, err := regexp.MatchString(`^[a-zA-Z0-9]{32}$`, str1)
 	require.NoError(t, err)
 	assert.True(t, matches)
 
-	str2, err := CryptoRandomString(32)
+	str2, err := util.CryptoRandomString(32)
 	require.NoError(t, err)
 	matches, err = regexp.MatchString(`^[a-zA-Z0-9]{32}$`, str1)
 	require.NoError(t, err)
@@ -143,13 +148,13 @@ func Test_RandomString(t *testing.T) {
 
 	assert.NotEqual(t, str1, str2)
 
-	str3, err := CryptoRandomString(256)
+	str3, err := util.CryptoRandomString(256)
 	require.NoError(t, err)
 	matches, err = regexp.MatchString(`^[a-zA-Z0-9]{256}$`, str3)
 	require.NoError(t, err)
 	assert.True(t, matches)
 
-	str4, err := CryptoRandomString(256)
+	str4, err := util.CryptoRandomString(256)
 	require.NoError(t, err)
 	matches, err = regexp.MatchString(`^[a-zA-Z0-9]{256}$`, str4)
 	require.NoError(t, err)
@@ -159,34 +164,34 @@ func Test_RandomString(t *testing.T) {
 }
 
 func Test_RandomBytes(t *testing.T) {
-	bytes1, err := CryptoRandomBytes(32)
+	bytes1, err := util.CryptoRandomBytes(32)
 	require.NoError(t, err)
 
-	bytes2, err := CryptoRandomBytes(32)
+	bytes2, err := util.CryptoRandomBytes(32)
 	require.NoError(t, err)
 
 	assert.NotEqual(t, bytes1, bytes2)
 
-	bytes3, err := CryptoRandomBytes(256)
+	bytes3, err := util.CryptoRandomBytes(256)
 	require.NoError(t, err)
 
-	bytes4, err := CryptoRandomBytes(256)
+	bytes4, err := util.CryptoRandomBytes(256)
 	require.NoError(t, err)
 
 	assert.NotEqual(t, bytes3, bytes4)
 }
 
 func TestOptionalBoolParse(t *testing.T) {
-	assert.Equal(t, optional.None[bool](), OptionalBoolParse(""))
-	assert.Equal(t, optional.None[bool](), OptionalBoolParse("x"))
+	assert.Equal(t, optional.None[bool](), util.OptionalBoolParse(""))
+	assert.Equal(t, optional.None[bool](), util.OptionalBoolParse("x"))
 
-	assert.Equal(t, optional.Some(false), OptionalBoolParse("0"))
-	assert.Equal(t, optional.Some(false), OptionalBoolParse("f"))
-	assert.Equal(t, optional.Some(false), OptionalBoolParse("False"))
+	assert.Equal(t, optional.Some(false), util.OptionalBoolParse("0"))
+	assert.Equal(t, optional.Some(false), util.OptionalBoolParse("f"))
+	assert.Equal(t, optional.Some(false), util.OptionalBoolParse("False"))
 
-	assert.Equal(t, optional.Some(true), OptionalBoolParse("1"))
-	assert.Equal(t, optional.Some(true), OptionalBoolParse("t"))
-	assert.Equal(t, optional.Some(true), OptionalBoolParse("True"))
+	assert.Equal(t, optional.Some(true), util.OptionalBoolParse("1"))
+	assert.Equal(t, optional.Some(true), util.OptionalBoolParse("t"))
+	assert.Equal(t, optional.Some(true), util.OptionalBoolParse("True"))
 }
 
 // Test case for any function which accepts and returns a single string.
@@ -209,7 +214,7 @@ var upperTests = []StringTest{
 
 func TestToUpperASCII(t *testing.T) {
 	for _, tc := range upperTests {
-		assert.Equal(t, ToUpperASCII(tc.in), tc.out)
+		assert.Equal(t, util.ToUpperASCII(tc.in), tc.out)
 	}
 }
 
@@ -217,27 +222,56 @@ func BenchmarkToUpper(b *testing.B) {
 	for _, tc := range upperTests {
 		b.Run(tc.in, func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
-				ToUpperASCII(tc.in)
+				util.ToUpperASCII(tc.in)
 			}
 		})
 	}
 }
 
 func TestToTitleCase(t *testing.T) {
-	assert.Equal(t, `Foo Bar Baz`, ToTitleCase(`foo bar baz`))
-	assert.Equal(t, `Foo Bar Baz`, ToTitleCase(`FOO BAR BAZ`))
+	assert.Equal(t, `Foo Bar Baz`, util.ToTitleCase(`foo bar baz`))
+	assert.Equal(t, `Foo Bar Baz`, util.ToTitleCase(`FOO BAR BAZ`))
 }
 
 func TestToPointer(t *testing.T) {
-	assert.Equal(t, "abc", *ToPointer("abc"))
-	assert.Equal(t, 123, *ToPointer(123))
+	assert.Equal(t, "abc", *util.ToPointer("abc"))
+	assert.Equal(t, 123, *util.ToPointer(123))
 	abc := "abc"
-	assert.NotSame(t, &abc, ToPointer(abc))
+	assert.NotSame(t, &abc, util.ToPointer(abc))
 	val123 := 123
-	assert.NotSame(t, &val123, ToPointer(val123))
+	assert.NotSame(t, &val123, util.ToPointer(val123))
 }
 
 func TestReserveLineBreakForTextarea(t *testing.T) {
-	assert.Equal(t, "test\ndata", ReserveLineBreakForTextarea("test\r\ndata"))
-	assert.Equal(t, "test\ndata\n", ReserveLineBreakForTextarea("test\r\ndata\r\n"))
+	assert.Equal(t, "test\ndata", util.ReserveLineBreakForTextarea("test\r\ndata"))
+	assert.Equal(t, "test\ndata\n", util.ReserveLineBreakForTextarea("test\r\ndata\r\n"))
+}
+
+const (
+	testPublicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOhB7/zzhC+HXDdGOdLwJln5NYwm6UNXx3chmQSVTG4\n"
+	testPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz
+c2gtZWQyNTUxOQAAACADoQe/884Qvh1w3RjnS8CZZ+TWMJulDV8d3IZkElUxuAAA
+AIggISIjICEiIwAAAAtzc2gtZWQyNTUxOQAAACADoQe/884Qvh1w3RjnS8CZZ+TW
+MJulDV8d3IZkElUxuAAAAEAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0e
+HwOhB7/zzhC+HXDdGOdLwJln5NYwm6UNXx3chmQSVTG4AAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----` + "\n"
+)
+
+func TestGeneratingEd25519Keypair(t *testing.T) {
+	defer test.MockProtect(&rand.Reader)()
+
+	// Only 32 bytes needs to be provided to generate a ed25519 keypair.
+	// And another 32 bytes are required, which is included as random value
+	// in the OpenSSH format.
+	b := make([]byte, 64)
+	for i := 0; i < 64; i++ {
+		b[i] = byte(i)
+	}
+	rand.Reader = bytes.NewReader(b)
+
+	publicKey, privateKey, err := util.GenerateSSHKeypair()
+	require.NoError(t, err)
+	assert.EqualValues(t, testPublicKey, string(publicKey))
+	assert.EqualValues(t, testPrivateKey, string(privateKey))
 }
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 148c1eeb92..c6c30b5154 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1102,6 +1102,10 @@ mirror_prune = Prune
 mirror_prune_desc = Remove obsolete remote-tracking references
 mirror_interval = Mirror interval (valid time units are "h", "m", "s"). 0 to disable periodic sync. (Minimum interval: %s)
 mirror_interval_invalid = The mirror interval is not valid.
+mirror_public_key = Public SSH key
+mirror_use_ssh.text = Use SSH authentication
+mirror_use_ssh.helper = Forgejo will mirror the repository via Git over SSH and create a keypair for you when you select this option. You must ensure that the generated public key is authorized to push to the destination repository. You cannot use password-based authorization when selecting this.
+mirror_denied_combination = Cannot use public key and password based authentication in combination.
 mirror_sync = synced
 mirror_sync_on_commit = Sync when commits are pushed
 mirror_address = Clone from URL
@@ -2177,12 +2181,14 @@ settings.mirror_settings.push_mirror.none = No push mirrors configured
 settings.mirror_settings.push_mirror.remote_url = Git remote repository URL
 settings.mirror_settings.push_mirror.add = Add push mirror
 settings.mirror_settings.push_mirror.edit_sync_time = Edit mirror sync interval
+settings.mirror_settings.push_mirror.none = None
 
 settings.units.units = Repository units
 settings.units.overview = Overview
 settings.units.add_more = Add more...
 
 settings.sync_mirror = Synchronize now
+settings.mirror_settings.push_mirror.copy_public_key = Copy public key
 settings.pull_mirror_sync_in_progress = Pulling changes from the remote %s at the moment.
 settings.pull_mirror_sync_quota_exceeded = Quota exceeded, not pulling changes.
 settings.push_mirror_sync_in_progress = Pushing changes to the remote %s at the moment.
diff --git a/release-notes/4819.md b/release-notes/4819.md
new file mode 100644
index 0000000000..88c3f77326
--- /dev/null
+++ b/release-notes/4819.md
@@ -0,0 +1 @@
+Allow push mirrors to use a SSH key as the authentication method for the mirroring action instead of using user:password authentication. The SSH keypair is created by Forgejo and the destination repository must be configured with the public key to allow for push over SSH.
diff --git a/routers/api/v1/repo/mirror.go b/routers/api/v1/repo/mirror.go
index c0297d77ad..9ccf6f05ac 100644
--- a/routers/api/v1/repo/mirror.go
+++ b/routers/api/v1/repo/mirror.go
@@ -350,6 +350,11 @@ func CreatePushMirror(ctx *context.APIContext, mirrorOption *api.CreatePushMirro
 		return
 	}
 
+	if mirrorOption.UseSSH && (mirrorOption.RemoteUsername != "" || mirrorOption.RemotePassword != "") {
+		ctx.Error(http.StatusBadRequest, "CreatePushMirror", "'use_ssh' is mutually exclusive with 'remote_username' and 'remote_passoword'")
+		return
+	}
+
 	address, err := forms.ParseRemoteAddr(mirrorOption.RemoteAddress, mirrorOption.RemoteUsername, mirrorOption.RemotePassword)
 	if err == nil {
 		err = migrations.IsMigrateURLAllowed(address, ctx.ContextUser)
@@ -365,7 +370,7 @@ func CreatePushMirror(ctx *context.APIContext, mirrorOption *api.CreatePushMirro
 		return
 	}
 
-	remoteAddress, err := util.SanitizeURL(mirrorOption.RemoteAddress)
+	remoteAddress, err := util.SanitizeURL(address)
 	if err != nil {
 		ctx.ServerError("SanitizeURL", err)
 		return
@@ -380,11 +385,29 @@ func CreatePushMirror(ctx *context.APIContext, mirrorOption *api.CreatePushMirro
 		RemoteAddress: remoteAddress,
 	}
 
+	var plainPrivateKey []byte
+	if mirrorOption.UseSSH {
+		publicKey, privateKey, err := util.GenerateSSHKeypair()
+		if err != nil {
+			ctx.ServerError("GenerateSSHKeypair", err)
+			return
+		}
+		plainPrivateKey = privateKey
+		pushMirror.PublicKey = string(publicKey)
+	}
+
 	if err = db.Insert(ctx, pushMirror); err != nil {
 		ctx.ServerError("InsertPushMirror", err)
 		return
 	}
 
+	if mirrorOption.UseSSH {
+		if err = pushMirror.SetPrivatekey(ctx, plainPrivateKey); err != nil {
+			ctx.ServerError("SetPrivatekey", err)
+			return
+		}
+	}
+
 	// if the registration of the push mirrorOption fails remove it from the database
 	if err = mirror_service.AddPushMirrorRemote(ctx, pushMirror, address); err != nil {
 		if err := repo_model.DeletePushMirrors(ctx, repo_model.PushMirrorOptions{ID: pushMirror.ID, RepoID: pushMirror.RepoID}); err != nil {
diff --git a/routers/web/repo/setting/setting.go b/routers/web/repo/setting/setting.go
index 7da622101f..76539b9fa2 100644
--- a/routers/web/repo/setting/setting.go
+++ b/routers/web/repo/setting/setting.go
@@ -478,8 +478,7 @@ func SettingsPost(ctx *context.Context) {
 			ctx.ServerError("UpdateAddress", err)
 			return
 		}
-
-		remoteAddress, err := util.SanitizeURL(form.MirrorAddress)
+		remoteAddress, err := util.SanitizeURL(address)
 		if err != nil {
 			ctx.ServerError("SanitizeURL", err)
 			return
@@ -638,6 +637,12 @@ func SettingsPost(ctx *context.Context) {
 			return
 		}
 
+		if form.PushMirrorUseSSH && (form.PushMirrorUsername != "" || form.PushMirrorPassword != "") {
+			ctx.Data["Err_PushMirrorUseSSH"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_denied_combination"), tplSettingsOptions, &form)
+			return
+		}
+
 		address, err := forms.ParseRemoteAddr(form.PushMirrorAddress, form.PushMirrorUsername, form.PushMirrorPassword)
 		if err == nil {
 			err = migrations.IsMigrateURLAllowed(address, ctx.Doer)
@@ -654,7 +659,7 @@ func SettingsPost(ctx *context.Context) {
 			return
 		}
 
-		remoteAddress, err := util.SanitizeURL(form.PushMirrorAddress)
+		remoteAddress, err := util.SanitizeURL(address)
 		if err != nil {
 			ctx.ServerError("SanitizeURL", err)
 			return
@@ -668,11 +673,30 @@ func SettingsPost(ctx *context.Context) {
 			Interval:      interval,
 			RemoteAddress: remoteAddress,
 		}
+
+		var plainPrivateKey []byte
+		if form.PushMirrorUseSSH {
+			publicKey, privateKey, err := util.GenerateSSHKeypair()
+			if err != nil {
+				ctx.ServerError("GenerateSSHKeypair", err)
+				return
+			}
+			plainPrivateKey = privateKey
+			m.PublicKey = string(publicKey)
+		}
+
 		if err := db.Insert(ctx, m); err != nil {
 			ctx.ServerError("InsertPushMirror", err)
 			return
 		}
 
+		if form.PushMirrorUseSSH {
+			if err := m.SetPrivatekey(ctx, plainPrivateKey); err != nil {
+				ctx.ServerError("SetPrivatekey", err)
+				return
+			}
+		}
+
 		if err := mirror_service.AddPushMirrorRemote(ctx, m, address); err != nil {
 			if err := repo_model.DeletePushMirrors(ctx, repo_model.PushMirrorOptions{ID: m.ID, RepoID: m.RepoID}); err != nil {
 				log.Error("DeletePushMirrors %v", err)
diff --git a/services/convert/mirror.go b/services/convert/mirror.go
index 249ce2f968..85e0d1c856 100644
--- a/services/convert/mirror.go
+++ b/services/convert/mirror.go
@@ -22,5 +22,6 @@ func ToPushMirror(ctx context.Context, pm *repo_model.PushMirror) (*api.PushMirr
 		LastError:      pm.LastError,
 		Interval:       pm.Interval.String(),
 		SyncOnCommit:   pm.SyncOnCommit,
+		PublicKey:      pm.GetPublicKey(),
 	}, nil
 }
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index e18bcfdd8d..c3d9c3edc9 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -6,8 +6,10 @@
 package forms
 
 import (
+	"fmt"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strings"
 
 	"code.gitea.io/gitea/models"
@@ -88,6 +90,9 @@ func (f *MigrateRepoForm) Validate(req *http.Request, errs binding.Errors) bindi
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }
 
+// scpRegex matches the SCP-like addresses used by Git to access repositories over SSH.
+var scpRegex = regexp.MustCompile(`^([a-zA-Z0-9_]+)@([a-zA-Z0-9._-]+):(.*)$`)
+
 // ParseRemoteAddr checks if given remote address is valid,
 // and returns composed URL with needed username and password.
 func ParseRemoteAddr(remoteAddr, authUsername, authPassword string) (string, error) {
@@ -103,7 +108,15 @@ func ParseRemoteAddr(remoteAddr, authUsername, authPassword string) (string, err
 		if len(authUsername)+len(authPassword) > 0 {
 			u.User = url.UserPassword(authUsername, authPassword)
 		}
-		remoteAddr = u.String()
+		return u.String(), nil
+	}
+
+	// Detect SCP-like remote addresses and return host.
+	if m := scpRegex.FindStringSubmatch(remoteAddr); m != nil {
+		// Match SCP-like syntax and convert it to a URL.
+		// Eg, "git@forgejo.org:user/repo" becomes
+		// "ssh://git@forgejo.org/user/repo".
+		return fmt.Sprintf("ssh://%s@%s/%s", url.User(m[1]), m[2], m[3]), nil
 	}
 
 	return remoteAddr, nil
@@ -127,6 +140,7 @@ type RepoSettingForm struct {
 	PushMirrorPassword     string
 	PushMirrorSyncOnCommit bool
 	PushMirrorInterval     string
+	PushMirrorUseSSH       bool
 	Private                bool
 	Template               bool
 	EnablePrune            bool
diff --git a/services/migrations/migrate.go b/services/migrations/migrate.go
index de90c5e98f..6854a56284 100644
--- a/services/migrations/migrate.go
+++ b/services/migrations/migrate.go
@@ -71,7 +71,7 @@ func IsMigrateURLAllowed(remoteURL string, doer *user_model.User) error {
 		return &models.ErrInvalidCloneAddr{Host: u.Host, IsURLError: true}
 	}
 
-	if u.Opaque != "" || u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" && u.Scheme != "git" {
+	if u.Opaque != "" || u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" && u.Scheme != "git" && u.Scheme != "ssh" {
 		return &models.ErrInvalidCloneAddr{Host: u.Host, IsProtocolInvalid: true, IsPermissionDenied: true, IsURLError: true}
 	}
 
diff --git a/services/mirror/mirror_push.go b/services/mirror/mirror_push.go
index 8303c9fb0c..3a9644c3a1 100644
--- a/services/mirror/mirror_push.go
+++ b/services/mirror/mirror_push.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -169,11 +170,43 @@ func runPushSync(ctx context.Context, m *repo_model.PushMirror) error {
 
 		log.Trace("Pushing %s mirror[%d] remote %s", path, m.ID, m.RemoteName)
 
+		// OpenSSH isn't very intuitive when you want to specify a specific keypair.
+		// Therefore, we need to create a temporary file that stores the private key, so that OpenSSH can use it.
+		// We delete the the temporary file afterwards.
+		privateKeyPath := ""
+		if m.PublicKey != "" {
+			f, err := os.CreateTemp(os.TempDir(), m.RemoteName)
+			if err != nil {
+				log.Error("os.CreateTemp: %v", err)
+				return errors.New("unexpected error")
+			}
+
+			defer func() {
+				f.Close()
+				if err := os.Remove(f.Name()); err != nil {
+					log.Error("os.Remove: %v", err)
+				}
+			}()
+
+			privateKey, err := m.Privatekey()
+			if err != nil {
+				log.Error("Privatekey: %v", err)
+				return errors.New("unexpected error")
+			}
+
+			if _, err := f.Write(privateKey); err != nil {
+				log.Error("f.Write: %v", err)
+				return errors.New("unexpected error")
+			}
+
+			privateKeyPath = f.Name()
+		}
 		if err := git.Push(ctx, path, git.PushOptions{
-			Remote:  m.RemoteName,
-			Force:   true,
-			Mirror:  true,
-			Timeout: timeout,
+			Remote:         m.RemoteName,
+			Force:          true,
+			Mirror:         true,
+			Timeout:        timeout,
+			PrivateKeyPath: privateKeyPath,
 		}); err != nil {
 			log.Error("Error pushing %s mirror[%d] remote %s: %v", path, m.ID, m.RemoteName, err)
 
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index affb7dad4e..d37169c078 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -136,6 +136,7 @@
 								<th class="tw-w-2/5">{{ctx.Locale.Tr "repo.settings.mirror_settings.mirrored_repository"}}</th>
 								<th>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction"}}</th>
 								<th>{{ctx.Locale.Tr "repo.settings.mirror_settings.last_update"}}</th>
+								<th>{{ctx.Locale.Tr "repo.mirror_public_key"}}</th>
 								<th></th>
 							</tr>
 						</thead>
@@ -233,6 +234,7 @@
 								<th class="tw-w-2/5">{{ctx.Locale.Tr "repo.settings.mirror_settings.pushed_repository"}}</th>
 								<th>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction"}}</th>
 								<th>{{ctx.Locale.Tr "repo.settings.mirror_settings.last_update"}}</th>
+								<th>{{ctx.Locale.Tr "repo.mirror_public_key"}}</th>
 								<th></th>
 							</tr>
 						</thead>
@@ -242,7 +244,8 @@
 								<td class="tw-break-anywhere">{{.RemoteAddress}}</td>
 								<td>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction.push"}}</td>
 								<td>{{if .LastUpdateUnix}}{{DateTime "full" .LastUpdateUnix}}{{else}}{{ctx.Locale.Tr "never"}}{{end}} {{if .LastError}}<div class="ui red label" data-tooltip-content="{{.LastError}}">{{ctx.Locale.Tr "error"}}</div>{{end}}</td>
-								<td class="right aligned">
+								<td>{{if not (eq (len .GetPublicKey) 0)}}<a data-clipboard-text="{{.GetPublicKey}}">{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.copy_public_key"}}</a>{{else}}{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.none"}}{{end}}</td>
+								<td class="right aligned df">
 									<button
 										class="ui tiny button show-modal"
 										data-modal="#push-mirror-edit-modal"
@@ -274,7 +277,7 @@
 							{{end}}
 							{{if (not .DisableNewPushMirrors)}}
 								<tr>
-									<td colspan="4">
+									<td colspan="5">
 										<form class="ui form" method="post">
 											{{template "base/disable_form_autofill"}}
 											{{.CsrfTokenHtml}}
@@ -297,6 +300,13 @@
 														<label for="push_mirror_password">{{ctx.Locale.Tr "password"}}</label>
 														<input id="push_mirror_password" name="push_mirror_password" type="password" value="{{.push_mirror_password}}" autocomplete="off">
 													</div>
+													<div class="inline field {{if .Err_PushMirrorUseSSH}}error{{end}}">
+														<div class="ui checkbox df ac">
+															<input id="push_mirror_use_ssh" name="push_mirror_use_ssh" type="checkbox" {{if .push_mirror_use_ssh}}checked{{end}}>
+															<label for="push_mirror_use_ssh" class="inline">{{ctx.Locale.Tr "repo.mirror_use_ssh.text"}}</label>
+															<span class="help tw-block">{{ctx.Locale.Tr "repo.mirror_use_ssh.helper"}}
+														</div>
+													</div>
 												</div>
 											</details>
 											<div class="field">
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index cee797761f..44c621cf41 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -21529,6 +21529,10 @@
         "sync_on_commit": {
           "type": "boolean",
           "x-go-name": "SyncOnCommit"
+        },
+        "use_ssh": {
+          "type": "boolean",
+          "x-go-name": "UseSSH"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -25325,6 +25329,10 @@
           "format": "date-time",
           "x-go-name": "LastUpdateUnix"
         },
+        "public_key": {
+          "type": "string",
+          "x-go-name": "PublicKey"
+        },
         "remote_address": {
           "type": "string",
           "x-go-name": "RemoteAddress"
diff --git a/tests/integration/api_push_mirror_test.go b/tests/integration/api_push_mirror_test.go
index 24d5330517..a797a5fbf0 100644
--- a/tests/integration/api_push_mirror_test.go
+++ b/tests/integration/api_push_mirror_test.go
@@ -7,21 +7,30 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
+	"os"
+	"path/filepath"
+	"strconv"
 	"testing"
+	"time"
 
+	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/services/migrations"
 	mirror_service "code.gitea.io/gitea/services/mirror"
 	repo_service "code.gitea.io/gitea/services/repository"
+	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -130,3 +139,130 @@ func testAPIPushMirror(t *testing.T, u *url.URL) {
 		})
 	}
 }
+
+func TestAPIPushMirrorSSH(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, _ *url.URL) {
+		defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)()
+		defer test.MockVariableValue(&setting.Mirror.Enabled, true)()
+		defer test.MockVariableValue(&setting.SSH.RootPath, t.TempDir())()
+		require.NoError(t, migrations.Init())
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		srcRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
+		assert.False(t, srcRepo.HasWiki())
+		session := loginUser(t, user.Name)
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+		pushToRepo, _, f := CreateDeclarativeRepoWithOptions(t, user, DeclarativeRepoOptions{
+			Name:         optional.Some("push-mirror-test"),
+			AutoInit:     optional.Some(false),
+			EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
+		})
+		defer f()
+
+		sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName())
+
+		t.Run("Mutual exclusive", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/push_mirrors", srcRepo.FullName()), &api.CreatePushMirrorOption{
+				RemoteAddress:  sshURL,
+				Interval:       "8h",
+				UseSSH:         true,
+				RemoteUsername: "user",
+				RemotePassword: "password",
+			}).AddTokenAuth(token)
+			resp := MakeRequest(t, req, http.StatusBadRequest)
+
+			var apiError api.APIError
+			DecodeJSON(t, resp, &apiError)
+			assert.EqualValues(t, "'use_ssh' is mutually exclusive with 'remote_username' and 'remote_passoword'", apiError.Message)
+		})
+
+		t.Run("Normal", func(t *testing.T) {
+			var pushMirror *repo_model.PushMirror
+			t.Run("Adding", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/push_mirrors", srcRepo.FullName()), &api.CreatePushMirrorOption{
+					RemoteAddress: sshURL,
+					Interval:      "8h",
+					UseSSH:        true,
+				}).AddTokenAuth(token)
+				MakeRequest(t, req, http.StatusOK)
+
+				pushMirror = unittest.AssertExistsAndLoadBean(t, &repo_model.PushMirror{RepoID: srcRepo.ID})
+				assert.NotEmpty(t, pushMirror.PrivateKey)
+				assert.NotEmpty(t, pushMirror.PublicKey)
+			})
+
+			publickey := pushMirror.GetPublicKey()
+			t.Run("Publickey", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/push_mirrors", srcRepo.FullName())).AddTokenAuth(token)
+				resp := MakeRequest(t, req, http.StatusOK)
+
+				var pushMirrors []*api.PushMirror
+				DecodeJSON(t, resp, &pushMirrors)
+				assert.Len(t, pushMirrors, 1)
+				assert.EqualValues(t, publickey, pushMirrors[0].PublicKey)
+			})
+
+			t.Run("Add deploy key", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/keys", pushToRepo.FullName()), &api.CreateKeyOption{
+					Title:    "push mirror key",
+					Key:      publickey,
+					ReadOnly: false,
+				}).AddTokenAuth(token)
+				MakeRequest(t, req, http.StatusCreated)
+
+				unittest.AssertExistsAndLoadBean(t, &asymkey_model.DeployKey{Name: "push mirror key", RepoID: pushToRepo.ID})
+			})
+
+			t.Run("Synchronize", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/push_mirrors-sync", srcRepo.FullName())).AddTokenAuth(token)
+				MakeRequest(t, req, http.StatusOK)
+			})
+
+			t.Run("Check mirrored content", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				sha := "1032bbf17fbc0d9c95bb5418dabe8f8c99278700"
+
+				req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/commits?limit=1", srcRepo.FullName())).AddTokenAuth(token)
+				resp := MakeRequest(t, req, http.StatusOK)
+
+				var commitList []*api.Commit
+				DecodeJSON(t, resp, &commitList)
+
+				assert.Len(t, commitList, 1)
+				assert.EqualValues(t, sha, commitList[0].SHA)
+
+				assert.Eventually(t, func() bool {
+					req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/commits?limit=1", srcRepo.FullName())).AddTokenAuth(token)
+					resp := MakeRequest(t, req, http.StatusOK)
+
+					var commitList []*api.Commit
+					DecodeJSON(t, resp, &commitList)
+
+					return len(commitList) != 0 && commitList[0].SHA == sha
+				}, time.Second*30, time.Second)
+			})
+
+			t.Run("Check known host keys", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				knownHosts, err := os.ReadFile(filepath.Join(setting.SSH.RootPath, "known_hosts"))
+				require.NoError(t, err)
+
+				publicKey, err := os.ReadFile(setting.SSH.ServerHostKeys[0] + ".pub")
+				require.NoError(t, err)
+
+				assert.Contains(t, string(knownHosts), string(publicKey))
+			})
+		})
+	})
+}
diff --git a/tests/integration/mirror_push_test.go b/tests/integration/mirror_push_test.go
index a8c654f69e..45bca1c7e4 100644
--- a/tests/integration/mirror_push_test.go
+++ b/tests/integration/mirror_push_test.go
@@ -1,4 +1,5 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package integration
@@ -6,18 +7,26 @@ package integration
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strconv"
 	"testing"
+	"time"
 
+	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/gitrepo"
+	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
 	gitea_context "code.gitea.io/gitea/services/context"
 	doctor "code.gitea.io/gitea/services/doctor"
 	"code.gitea.io/gitea/services/migrations"
@@ -35,8 +44,8 @@ func TestMirrorPush(t *testing.T) {
 
 func testMirrorPush(t *testing.T, u *url.URL) {
 	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)()
 
-	setting.Migrations.AllowLocalNetworks = true
 	require.NoError(t, migrations.Init())
 
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
@@ -146,3 +155,135 @@ func doRemovePushMirror(ctx APITestContext, address, username, password string,
 		assert.Contains(t, flashCookie.Value, "success")
 	}
 }
+
+func TestSSHPushMirror(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, _ *url.URL) {
+		defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)()
+		defer test.MockVariableValue(&setting.Mirror.Enabled, true)()
+		defer test.MockVariableValue(&setting.SSH.RootPath, t.TempDir())()
+		require.NoError(t, migrations.Init())
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		srcRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
+		assert.False(t, srcRepo.HasWiki())
+		sess := loginUser(t, user.Name)
+		pushToRepo, _, f := CreateDeclarativeRepoWithOptions(t, user, DeclarativeRepoOptions{
+			Name:         optional.Some("push-mirror-test"),
+			AutoInit:     optional.Some(false),
+			EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
+		})
+		defer f()
+
+		sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName())
+		t.Run("Mutual exclusive", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{
+				"_csrf":                GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())),
+				"action":               "push-mirror-add",
+				"push_mirror_address":  sshURL,
+				"push_mirror_username": "username",
+				"push_mirror_password": "password",
+				"push_mirror_use_ssh":  "true",
+				"push_mirror_interval": "0",
+			})
+			resp := sess.MakeRequest(t, req, http.StatusOK)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+
+			errMsg := htmlDoc.Find(".ui.negative.message").Text()
+			assert.Contains(t, errMsg, "Cannot use public key and password based authentication in combination.")
+		})
+
+		t.Run("Normal", func(t *testing.T) {
+			var pushMirror *repo_model.PushMirror
+			t.Run("Adding", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{
+					"_csrf":                GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())),
+					"action":               "push-mirror-add",
+					"push_mirror_address":  sshURL,
+					"push_mirror_use_ssh":  "true",
+					"push_mirror_interval": "0",
+				})
+				sess.MakeRequest(t, req, http.StatusSeeOther)
+
+				flashCookie := sess.GetCookie(gitea_context.CookieNameFlash)
+				assert.NotNil(t, flashCookie)
+				assert.Contains(t, flashCookie.Value, "success")
+
+				pushMirror = unittest.AssertExistsAndLoadBean(t, &repo_model.PushMirror{RepoID: srcRepo.ID})
+				assert.NotEmpty(t, pushMirror.PrivateKey)
+				assert.NotEmpty(t, pushMirror.PublicKey)
+			})
+
+			publickey := ""
+			t.Run("Publickey", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequest(t, "GET", fmt.Sprintf("/%s/settings", srcRepo.FullName()))
+				resp := sess.MakeRequest(t, req, http.StatusOK)
+				htmlDoc := NewHTMLParser(t, resp.Body)
+
+				publickey = htmlDoc.Find(".ui.table td a[data-clipboard-text]").AttrOr("data-clipboard-text", "")
+				assert.EqualValues(t, publickey, pushMirror.GetPublicKey())
+			})
+
+			t.Run("Add deploy key", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings/keys", pushToRepo.FullName()), map[string]string{
+					"_csrf":       GetCSRF(t, sess, fmt.Sprintf("/%s/settings/keys", pushToRepo.FullName())),
+					"title":       "push mirror key",
+					"content":     publickey,
+					"is_writable": "true",
+				})
+				sess.MakeRequest(t, req, http.StatusSeeOther)
+
+				unittest.AssertExistsAndLoadBean(t, &asymkey_model.DeployKey{Name: "push mirror key", RepoID: pushToRepo.ID})
+			})
+
+			t.Run("Synchronize", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/settings", srcRepo.FullName()), map[string]string{
+					"_csrf":          GetCSRF(t, sess, fmt.Sprintf("/%s/settings", srcRepo.FullName())),
+					"action":         "push-mirror-sync",
+					"push_mirror_id": strconv.FormatInt(pushMirror.ID, 10),
+				})
+				sess.MakeRequest(t, req, http.StatusSeeOther)
+			})
+
+			t.Run("Check mirrored content", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				shortSHA := "1032bbf17f"
+
+				req := NewRequest(t, "GET", fmt.Sprintf("/%s", srcRepo.FullName()))
+				resp := sess.MakeRequest(t, req, http.StatusOK)
+				htmlDoc := NewHTMLParser(t, resp.Body)
+
+				assert.Contains(t, htmlDoc.Find(".shortsha").Text(), shortSHA)
+
+				assert.Eventually(t, func() bool {
+					req = NewRequest(t, "GET", fmt.Sprintf("/%s", pushToRepo.FullName()))
+					resp = sess.MakeRequest(t, req, http.StatusOK)
+					htmlDoc = NewHTMLParser(t, resp.Body)
+
+					return htmlDoc.Find(".shortsha").Text() == shortSHA
+				}, time.Second*30, time.Second)
+			})
+
+			t.Run("Check known host keys", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				knownHosts, err := os.ReadFile(filepath.Join(setting.SSH.RootPath, "known_hosts"))
+				require.NoError(t, err)
+
+				publicKey, err := os.ReadFile(setting.SSH.ServerHostKeys[0] + ".pub")
+				require.NoError(t, err)
+
+				assert.Contains(t, string(knownHosts), string(publicKey))
+			})
+		})
+	})
+}
author	Philip Peterson <pc.peterso@gmail.com>	2024-08-04 20:46:05 +0200
committer	Gusted <postmaster@gusted.xyz>	2024-08-22 17:05:07 +0200
commit	03508b33a8e890b05d845bbd8ead8672b8f03578 (patch)
tree	88e53a4ae4e2efe16e85d819e0702f5f72bb7b98
parent	Merge pull request '[SEC] Add `keying` module' (#5041) from gusted/sec-keying... (diff)
download	forgejo-03508b33a8e890b05d845bbd8ead8672b8f03578.tar.xz forgejo-03508b33a8e890b05d845bbd8ead8672b8f03578.zip