Implement http signatures support for the API

[42wim]

Fixes #12338

This allows use to talk to the API with our ssh certificate (and/or ssh-agent) without needing to fetch an API key or tokens.
It will just automatically work when users have added their ssh principal in gitea.

This needs client code in tea
Update: also support normal pubkeys

ref: https://tools.ietf.org/html/draft-cavage-http-signatures

[42wim]

I've made PRs against go-sdk and tea:

• https://gitea.com/gitea/go-sdk/pulls/553
• https://gitea.com/gitea/tea/pulls/442

[lunny]

Did Git supports the standard?

[42wim]

Did Git supports the standard?

no

[42wim]

Is this something that could still get in 1.16 ?

[lunny]

Is this something that could still get in 1.16 ?

I think we have feature freezed for v1.16 before this PR sent. I would like to put it into v1.17 .

[codecov-commenter]

Codecov Report

Merging #17565 (2870bc0) into main (6171ea7) will increase coverage by 0.05%.
The diff coverage is 46.28%.

@@            Coverage Diff             @@
##             main   #17565      +/-   ##
==========================================
+ Coverage   47.28%   47.33%   +0.05%     
==========================================
  Files         957      959       +2     
  Lines      133374   133628     +254     
==========================================
+ Hits        63067    63257     +190     
- Misses      62633    62673      +40     
- Partials     7674     7698      +24     

Impacted Files	Coverage Δ
cmd/serv.go	2.32% <0.00%> (-0.02%)	⬇️
modules/context/repo.go	51.42% <0.00%> (ø)
modules/markup/external/external.go	1.31% <0.00%> (-0.04%)	⬇️
modules/setting/repository.go	55.71% <ø> (ø)
routers/api/v1/repo/release_attachment.go	0.00% <0.00%> (ø)
routers/install/install.go	1.77% <0.00%> (-0.01%)	⬇️
services/mailer/mailer.go	29.79% <0.00%> (-0.25%)	⬇️
services/mirror/mirror_pull.go	27.65% <0.00%> (ø)
services/repository/push.go	51.83% <0.00%> (ø)
routers/api/v1/repo/file.go	69.76% <36.36%> (-6.87%)	⬇️
... and 40 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update df9612b...2870bc0. Read the comment docs.

[lunny]

I'm afraid this may result in a performance problem like we encountered in token ?

[42wim]

I'm afraid this may result in a performance problem like we encountered in token ?

Can you give some more context ?
If the signature header doesn't exist there is no performance impact on the API, no further checks or verification is done.

[lunny]

@42wim Good work for that. But just like @6543 said, I think tests are needed. I think it's not difficult to add some tests in integrations test.

[42wim]

@lunny remarks fixed and integration tests added

[lunny]

CI failure is related.

[42wim]

latest CI failure seems to be a CI issue

[zeripath]

I'm gonna ignore this CI failure pass but if we see it a few times in other PRs and this one again I think we need to go hunt if there is a potential deadlock...

Hmm... it also happened on

https://drone.gitea.io/go-gitea/gitea/55674/2/15 - here was in code.gitea.io/gitea/modules/markup.render
https://drone.gitea.io/go-gitea/gitea/55672/2/15 - here was in github.com/go-testfixtures/testfixtures/v3.(*mySQL).resetSequences

I guess I can still ignore...

[lunny]

But yesterday, it's right https://drone.gitea.io/go-gitea/gitea/55639 for the same PR

[42wim]

Failed again, but seems to happen in other recent drone builds too.

[lunny]

Failed again, but seems to happen in other recent drone builds too.

#19887

[zeripath]

Make lgtm work