diff --git a/models/ssh_key.go b/models/ssh_key.go
index b2e432655..70512dccf 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -665,6 +665,82 @@ func deletePublicKeys(e Engine, keyIDs ...int64) error {
return err
}
+// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key
+func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) {
+ sources := make([]*LoginSource, 0, 5)
+ externals := make([]bool, len(keys))
+keyloop:
+ for i, key := range keys {
+ if key.LoginSourceID == 0 {
+ externals[i] = false
+ continue keyloop
+ }
+
+ var source *LoginSource
+
+ sourceloop:
+ for _, s := range sources {
+ if s.ID == key.LoginSourceID {
+ source = s
+ break sourceloop
+ }
+ }
+
+ if source == nil {
+ var err error
+ source, err = GetLoginSourceByID(key.LoginSourceID)
+ if err != nil {
+ if IsErrLoginSourceNotExist(err) {
+ externals[i] = false
+ sources[i] = &LoginSource{
+ ID: key.LoginSourceID,
+ }
+ continue keyloop
+ }
+ return nil, err
+ }
+ }
+
+ ldapSource := source.LDAP()
+ if ldapSource != nil &&
+ source.IsSyncEnabled &&
+ (source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
+ len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+ // Disable setting SSH keys for this user
+ externals[i] = true
+ }
+ }
+
+ return externals, nil
+}
+
+// PublicKeyIsExternallyManaged returns whether the provided KeyID represents an externally managed Key
+func PublicKeyIsExternallyManaged(id int64) (bool, error) {
+ key, err := GetPublicKeyByID(id)
+ if err != nil {
+ return false, err
+ }
+ if key.LoginSourceID == 0 {
+ return false, nil
+ }
+ source, err := GetLoginSourceByID(key.LoginSourceID)
+ if err != nil {
+ if IsErrLoginSourceNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ ldapSource := source.LDAP()
+ if ldapSource != nil &&
+ source.IsSyncEnabled &&
+ (source.Type == LoginLDAP || source.Type == LoginDLDAP) &&
+ len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 {
+ // Disable setting SSH keys for this user
+ return true, nil
+ }
+ return false, nil
+}
+
// DeletePublicKey deletes SSH key information both in database and authorized_keys file.
func DeletePublicKey(doer *User, id int64) (err error) {
key, err := GetPublicKeyByID(id)
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index d7d6b751f..6b772d239 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -556,6 +556,7 @@ principal_state_desc = This principal has been used in the last 7 days
show_openid = Show on profile
hide_openid = Hide from profile
ssh_disabled = SSH Disabled
+ssh_externally_managed = This SSH key is externally managed for this user
manage_social = Manage Associated Social Accounts
social_desc = These social accounts are linked to your Gitea account. Make sure you recognize all of them as they can be used to sign in to your Gitea account.
unbind = Unlink
diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go
index 033b29f42..806966065 100644
--- a/routers/api/v1/user/key.go
+++ b/routers/api/v1/user/key.go
@@ -267,7 +267,16 @@ func DeletePublicKey(ctx *context.APIContext) {
// "404":
// "$ref": "#/responses/notFound"
- if err := models.DeletePublicKey(ctx.User, ctx.ParamsInt64(":id")); err != nil {
+ id := ctx.ParamsInt64(":id")
+ externallyManaged, err := models.PublicKeyIsExternallyManaged(id)
+ if err != nil {
+ ctx.Error(http.StatusInternalServerError, "PublicKeyIsExternallyManaged", err)
+ }
+ if externallyManaged {
+ ctx.Error(http.StatusForbidden, "", "SSH Key is externally managed for this user")
+ }
+
+ if err := models.DeletePublicKey(ctx.User, id); err != nil {
if models.IsErrKeyNotExist(err) {
ctx.NotFound()
} else if models.IsErrKeyAccessDenied(err) {
diff --git a/routers/user/setting/keys.go b/routers/user/setting/keys.go
index 6a39666e9..76c7ef9da 100644
--- a/routers/user/setting/keys.go
+++ b/routers/user/setting/keys.go
@@ -160,7 +160,18 @@ func DeleteKey(ctx *context.Context) {
ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success"))
}
case "ssh":
- if err := models.DeletePublicKey(ctx.User, ctx.QueryInt64("id")); err != nil {
+ keyID := ctx.QueryInt64("id")
+ external, err := models.PublicKeyIsExternallyManaged(keyID)
+ if err != nil {
+ ctx.ServerError("sshKeysExternalManaged", err)
+ return
+ }
+ if external {
+ ctx.Flash.Error(ctx.Tr("setting.ssh_externally_managed"))
+ ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
+ return
+ }
+ if err := models.DeletePublicKey(ctx.User, keyID); err != nil {
ctx.Flash.Error("DeletePublicKey: " + err.Error())
} else {
ctx.Flash.Success(ctx.Tr("settings.ssh_key_deletion_success"))
@@ -188,6 +199,13 @@ func loadKeysData(ctx *context.Context) {
}
ctx.Data["Keys"] = keys
+ externalKeys, err := models.PublicKeysAreExternallyManaged(keys)
+ if err != nil {
+ ctx.ServerError("ListPublicKeys", err)
+ return
+ }
+ ctx.Data["ExternalKeys"] = externalKeys
+
gpgkeys, err := models.ListGPGKeys(ctx.User.ID, models.ListOptions{})
if err != nil {
ctx.ServerError("ListGPGKeys", err)
diff --git a/templates/user/settings/keys_ssh.tmpl b/templates/user/settings/keys_ssh.tmpl
index 9a4db09c2..95e95b0dd 100644
--- a/templates/user/settings/keys_ssh.tmpl
+++ b/templates/user/settings/keys_ssh.tmpl
@@ -1,7 +1,7 @@
<h4 class="ui top attached header">
{{.i18n.Tr "settings.manage_ssh_keys"}}
<div class="ui right">
- {{if not .DisableSSH}}
+ {{if not .DisableSSH }}
<div class="ui blue tiny show-panel button" data-panel="#add-ssh-key-panel">{{.i18n.Tr "settings.add_key"}}</div>
{{else}}
<div class="ui blue tiny button disabled">{{.i18n.Tr "settings.ssh_disabled"}}</div>
@@ -13,25 +13,25 @@
<div class="item">
{{.i18n.Tr "settings.ssh_desc"}}
</div>
- {{range .Keys}}
+ {{range $index, $key := .Keys}}
<div class="item">
- <div class="right floated content">
- <button class="ui red tiny button delete-button" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}">
- {{$.i18n.Tr "settings.delete_key"}}
- </button>
- </div>
- <div class="left floated content">
- <span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
- </div>
- <div class="content">
- <strong>{{.Name}}</strong>
- <div class="print meta">
- {{.Fingerprint}}
- </div>
- <div class="activity meta">
- <i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i>
- </div>
- </div>
+ <div class="right floated content">
+ <button class="ui red tiny button delete-button{{if index $.ExternalKeys $index}} disabled{{end}}" id="delete-ssh" data-url="{{$.Link}}/delete?type=ssh" data-id="{{.ID}}"{{if index $.ExternalKeys $index}} title="{{$.i18n.Tr "settings.ssh_externally_managed"}}"{{end}}>
+ {{$.i18n.Tr "settings.delete_key"}}
+ </button>
+ </div>
+ <div class="left floated content">
+ <span class="{{if .HasRecentActivity}}green{{end}}" {{if .HasRecentActivity}}data-content="{{$.i18n.Tr "settings.key_state_desc"}}" data-variation="inverted tiny"{{end}}>{{svg "octicon-key" 32}}</span>
+ </div>
+ <div class="content">
+ <strong>{{.Name}}</strong>
+ <div class="print meta">
+ {{.Fingerprint}}
+ </div>
+ <div class="activity meta">
+ <i>{{$.i18n.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> — {{svg "octicon-info"}} {{if .HasUsed}}{{$.i18n.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.no_activity"}}{{end}}</i>
+ </div>
+ </div>
</div>
{{end}}
</div>