log real ip of requests from ssh (#21216)

Partially fix #21213.

This PR will get client IP address from SSH_CONNECTION env which should
be the first field of that. And deliver it to the internal API so Gitea
routers could record the real IP from SSH requests.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
This commit is contained in:
Lunny Xiao 2022-10-11 16:57:37 +08:00 committed by GitHub
parent c540ee08d3
commit 1428877c37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 2 deletions

View file

@ -10,6 +10,8 @@ import (
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"os"
"strings"
"code.gitea.io/gitea/modules/httplib" "code.gitea.io/gitea/modules/httplib"
"code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/json"
@ -18,13 +20,14 @@ import (
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
) )
func newRequest(ctx context.Context, url, method string) *httplib.Request { func newRequest(ctx context.Context, url, method, sourceIP string) *httplib.Request {
if setting.InternalToken == "" { if setting.InternalToken == "" {
log.Fatal(`The INTERNAL_TOKEN setting is missing from the configuration file: %q. log.Fatal(`The INTERNAL_TOKEN setting is missing from the configuration file: %q.
Ensure you are running in the correct environment or set the correct configuration file with -c.`, setting.CustomConf) Ensure you are running in the correct environment or set the correct configuration file with -c.`, setting.CustomConf)
} }
return httplib.NewRequest(url, method). return httplib.NewRequest(url, method).
SetContext(ctx). SetContext(ctx).
Header("X-Real-IP", sourceIP).
Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken)) Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken))
} }
@ -42,8 +45,16 @@ func decodeJSONError(resp *http.Response) *Response {
return &res return &res
} }
func getClientIP() string {
sshConnEnv := strings.TrimSpace(os.Getenv("SSH_CONNECTION"))
if len(sshConnEnv) == 0 {
return "127.0.0.1"
}
return strings.Fields(sshConnEnv)[0]
}
func newInternalRequest(ctx context.Context, url, method string) *httplib.Request { func newInternalRequest(ctx context.Context, url, method string) *httplib.Request {
req := newRequest(ctx, url, method).SetTLSClientConfig(&tls.Config{ req := newRequest(ctx, url, method, getClientIP()).SetTLSClientConfig(&tls.Config{
InsecureSkipVerify: true, InsecureSkipVerify: true,
ServerName: setting.Domain, ServerName: setting.Domain,
}) })

View file

@ -17,6 +17,7 @@ import (
"code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/modules/web"
"gitea.com/go-chi/binding" "gitea.com/go-chi/binding"
chi_middleware "github.com/go-chi/chi/v5/middleware"
) )
// CheckInternalToken check internal token is set // CheckInternalToken check internal token is set
@ -57,6 +58,9 @@ func Routes() *web.Route {
r := web.NewRoute() r := web.NewRoute()
r.Use(context.PrivateContexter()) r.Use(context.PrivateContexter())
r.Use(CheckInternalToken) r.Use(CheckInternalToken)
// Log the real ip address of the request from SSH is really helpful for diagnosing sometimes.
// Since internal API will be sent only from Gitea sub commands and it's under control (checked by InternalToken), we can trust the headers.
r.Use(chi_middleware.RealIP)
r.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent) r.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent)
r.Post("/ssh/{id}/update/{repoid}", UpdatePublicKeyInRepo) r.Post("/ssh/{id}/update/{repoid}", UpdatePublicKeyInRepo)