0
0
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2024-11-24 20:22:48 +01:00
Commit graph

163 commits

Author SHA1 Message Date
Rowan Bohde
0b5da27570
allow the actions user to login via the jwt token (#32527) (#32580)
Backport #32527

We have some actions that leverage the Gitea API that began receiving
401 errors, with a message that the user was not found. These actions
use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to
authenticate with the Gitea API. The format of this env var in actions
jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a
corresponding update to `act_runner`) Since it was a JWT, the OAuth
parsing logic attempted to parse it as an OAuth token, and would return
user not found, instead of falling back to look up the running task and
assigning it to the actions user.

Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting
to parse Oauth JWTs. The code to parse potential old
`ACTION_RUNTIME_TOKEN` was kept in case someone is running an older
version of act_runner that doesn't support the Actions JWT.
2024-11-21 03:18:00 +00:00
Giteabot
6555cfcac3
Fix basic auth with webauthn (#32531) (#32536)
Backport #32531 by @lunny

WebAuthn should behave the same way as TOTP. When enabled, basic auth
with username/password should need to WebAuthn auth, otherwise returned
401.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-11-16 18:21:00 +00:00
wxiaoguang
26437a03b0
Disable Oauth check if oauth disabled (#32368) (#32480)
Partially backport Disable Oauth check if oauth disabled #32368
2024-11-12 06:09:47 +00:00
Lunny Xiao
d86433cce2
Don't init singing keys if oauth2 provider disabled (#32177)
Backport #32148
2024-10-03 11:34:56 -04:00
Giteabot
b39aa8528b
Fix nuget/conan/container packages upload bugs (#31967) (#31982)
Backport #31967 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-09-05 07:34:41 +00:00
silverwind
74f0c84fa4
Enable more revive linter rules (#30608)
Noteable additions:

- `redefines-builtin-id` forbid variable names that shadow go builtins
- `empty-lines` remove unnecessary empty lines that `gofumpt` does not
remove for some reason
- `superfluous-else` eliminate more superfluous `else` branches

Rules are also sorted alphabetically and I cleaned up various parts of
`.golangci.yml`.
2024-04-22 11:48:42 +00:00
Jonathan Tran
b18c04ebde
fix: Fix to delete cookie when AppSubURL is non-empty (#30375)
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
2024-04-14 12:46:56 +08:00
silverwind
68ec9b4859
Migrate margin and padding helpers to tailwind (#30043)
This will conclude the refactor of 1:1 class replacements to tailwind,
except `gt-hidden`. Commands ran:

```bash
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-0#tw-$1$2-0#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-1#tw-$1$2-0.5#g' {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-2#tw-$1$2-1#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-3#tw-$1$2-2#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-4#tw-$1$2-4#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-5#tw-$1$2-8#g'   {web_src/js,templates,routers,services}/**/*
```
2024-03-24 17:42:49 +01:00
Lunny Xiao
82db9a2ba7
Fix the bug that user may logout if he switch pages too fast (#29962)
This PR fixed a bug when the user switching pages too fast, he will
logout automatically.

The reason is that when the error is context cancelled, the previous
code think user hasn't login then the session will be deleted. Now it
will return the errors but not think it's not login.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-03-21 08:48:08 +00:00
silverwind
82e102f8b0
Replace more gt- with tw- (#29678)
This will conclude the trivial class replacements.
2024-03-08 22:02:05 +01:00
Lunny Xiao
e2277d07ca
Move some asymkey functions to service layer (#28894)
After the moving, all models will not depend on `util.Rename` so that I
can do next step refactoring.
2024-03-04 08:57:39 +00:00
KN4CK3R
c337ff0ec7
Add user blocking (#29028)
Fixes #17453

This PR adds the abbility to block a user from a personal account or
organization to restrict how the blocked user can interact with the
blocker. The docs explain what's the consequence of blocking a user.

Screenshots:


![grafik](https://github.com/go-gitea/gitea/assets/1666336/4ed884f3-e06a-4862-afd3-3b8aa2488dc6)


![grafik](https://github.com/go-gitea/gitea/assets/1666336/ae6d4981-f252-4f50-a429-04f0f9f1cdf1)


![grafik](https://github.com/go-gitea/gitea/assets/1666336/ca153599-5b0f-4b4a-90fe-18bdfd6f0b6b)

---------

Co-authored-by: Lauris BH <lauris@nix.lv>
2024-03-04 08:16:03 +00:00
6543
a3f05d0d98
remove util.OptionalBool and related functions (#29513)
and migrate affected code

_last refactoring bits to replace **util.OptionalBool** with
**optional.Option[bool]**_
2024-03-02 16:42:31 +01:00
Lunny Xiao
29f149bd9f
Move context from modules to services (#29440)
Since `modules/context` has to depend on `models` and many other
packages, it should be moved from `modules/context` to
`services/context` according to design principles. There is no logic
code change on this PR, only move packages.

- Move `code.gitea.io/gitea/modules/context` to
`code.gitea.io/gitea/services/context`
- Move `code.gitea.io/gitea/modules/contexttest` to
`code.gitea.io/gitea/services/contexttest` because of depending on
context
- Move `code.gitea.io/gitea/modules/upload` to
`code.gitea.io/gitea/services/context/upload` because of depending on
context
2024-02-27 08:12:22 +01:00
6543
4ba642d07d
Revert "Support SAML authentication (#25165)" (#29358)
This reverts #25165 (5bb8d1924d), as there
was a chance some important reviews got missed.

so after reverting this patch it will be resubmitted for reviewing again

https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242

temporary Open #5512 again
2024-02-24 12:18:49 +08:00
Zettat123
b762a1f1b1
Fix tarball/zipball download bug (#29342)
Fix #29249

~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~

Apply #26430 to archive download URLs.
2024-02-23 17:49:46 +00:00
6543
7fbdb60fc1
Start to migrate from util.OptionalBool to optional.Option[bool] (#29329)
just create transition helper and migrate two structs
2024-02-23 02:18:33 +00:00
techknowlogick
5bb8d1924d
Support SAML authentication (#25165)
Closes https://github.com/go-gitea/gitea/issues/5512

This PR adds basic SAML support
- Adds SAML 2.0 as an auth source
- Adds SAML configuration documentation
- Adds integration test:
- Use bare-bones SAML IdP to test protocol flow and test account is
linked successfully (only runs on Postgres by default)
- Adds documentation for configuring and running SAML integration test
locally

Future PRs:
- Support group mapping
- Support auto-registration (account linking)

Co-Authored-By: @jackHay22

---------

Co-authored-by: jackHay22 <jack@allspice.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: morphelinho <morphelinho@users.noreply.github.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: silverwind <me@silverwind.io>
2024-02-23 00:08:17 +00:00
Johan Van de Wauw
740c6a226c
Fix c/p error in inline documentation (#29148)
Fix small copy/paste error in inline documentation

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-02-19 10:51:58 +00:00
wxiaoguang
8be198cdef
Use general token signing secret (#29205)
Use a clearly defined "signing secret" for token signing.
2024-02-18 17:39:04 +00:00
wxiaoguang
45c15387b2
Refactor JWT secret generating & decoding code (#29172)
Old code is not consistent for generating & decoding the JWT secrets.

Now, the callers only need to use 2 consistent functions:
NewJwtSecretWithBase64 and DecodeJwtSecretBase64

And remove a non-common function Base64FixedDecode from util.go
2024-02-16 15:18:30 +00:00
KN4CK3R
f8b471ace1
Unify user update methods (#28733)
Fixes #28660
Fixes an admin api bug related to `user.LoginSource`
Fixed `/user/emails` response not identical to GitHub api

This PR unifies the user update methods. The goal is to keep the logic
only at one place (having audit logs in mind). For example, do the
password checks only in one method not everywhere a password is updated.

After that PR is merged, the user creation should be next.
2024-02-04 13:29:09 +00:00
KN4CK3R
fc1bae00a4
Fix SSPI user creation (#28948)
Fixes #28945

Setting the avatar is wrong and creating a random password is equal to
leave it empty.
2024-01-27 09:27:34 +00:00
wxiaoguang
e743570f65
Refactor timeutil package (#28623)
1. make names more readable
2. remove unused FormatLong/FormatShort
3. use `FormatDate` instead of `Format "2006-01-02"`
2023-12-28 10:09:57 +00:00
Jack Hay
4e879fed90
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
Lunny Xiao
df1e7d0067
Use db.Find instead of writing methods for every object (#28084)
For those simple objects, it's unnecessary to write the find and count
methods again and again.
2023-11-24 03:49:41 +00:00
KN4CK3R
4f4fea734c
Unify two factor check (#27915)
Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
2023-11-06 08:22:39 +00:00
Lunny Xiao
1bf5527eac
Refactor Find Sources and fix bug when view a user who belongs to an unactive auth source (#27798)
The steps to reproduce it.

First, create a new oauth2 source.
Then, a user login with this oauth2 source.
Disable the oauth2 source.
Visit users -> settings -> security, 500 will be displayed.
This is because this page only load active Oauth2 sources but not all
Oauth2 sources.
2023-11-03 01:41:00 +00:00
Lunny Xiao
cddf245c12
Replace more db.DefaultContext (#27628)
Target #27065
2023-10-15 17:46:06 +02:00
JakobDev
76a85a4ce9
Final round of db.DefaultContext refactor (#27587)
Last part of #27065
2023-10-14 08:37:24 +00:00
KN4CK3R
c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
JakobDev
ebe803e514
Penultimate round of db.DefaultContext refactor (#27414)
Part of #27065

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-10-11 04:24:07 +00:00
Lunny Xiao
5c9fbcca00
Fix attachment download bug (#27486) 2023-10-10 15:33:56 +00:00
CaiCandong
7ad31567cd
Fix ldap admin privileges update bug (#27051)
When the user does not set a username lookup condition, LDAP will get an
empty string `""` for the user, hence the following code
```
if isExist, err := user_model.IsUserExist(db.DefaultContext, 0, sr.Username)
```
The user presence determination will always be nonexistent, so updates
to user information will never be performed.


Fix #27049
2023-10-01 11:32:12 +00:00
Lunny Xiao
6e87a44034
Allow get release download files and lfs files with oauth2 token format (#26430)
Fix #26165
Fix #25257
2023-10-01 10:41:52 +00:00
JakobDev
7047df36d4
Another round of db.DefaultContext refactor (#27103)
Part of #27065

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-09-25 13:17:37 +00:00
silverwind
1b1c55f73f
Increase auth provider icon size on login page (#27122)
Before, 20px:
<img width="474" alt="Screenshot 2023-09-19 at 00 10 05"
src="https://github.com/go-gitea/gitea/assets/115237/4bed4edb-219d-4844-9d3c-0d747033b09f">

After, 28px:
<img width="576" alt="Screenshot 2023-09-19 at 00 20 40"
src="https://github.com/go-gitea/gitea/assets/115237/f482ac09-38ae-4c84-80d9-0bd39b7f9772">


Dropdown in account settings is unchanged at 20px:
<img width="157" alt="Screenshot 2023-09-19 at 00 09 11"
src="https://github.com/go-gitea/gitea/assets/115237/9c998cdf-eeed-4118-9262-664faaa56092">

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-09-19 21:47:13 +00:00
wxiaoguang
8531ca0837
Make SSPI auth mockable (#27036)
Before, the SSPI auth is only complied for Windows, it's difficult to
test and it breaks a lot.

Now, make the SSPI auth mockable and testable.
2023-09-17 23:32:56 +00:00
JakobDev
c548dde205
More refactoring of db.DefaultContext (#27083)
Next step of #27065
2023-09-15 06:13:19 +00:00
JakobDev
76659b1114
Reduce usage of db.DefaultContext (#27073)
Part of #27065

This reduces the usage of `db.DefaultContext`. I think I've got enough
files for the first PR. When this is merged, I will continue working on
this.

Considering how many files this PR affect, I hope it won't take to long
to merge, so I don't end up in the merge conflict hell.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 17:09:32 +00:00
KN4CK3R
591f586bf1
Extract auth middleware from service (#27028)
Related #27027

Extract the router logic from `services/auth/middleware.go` into
`routers/web` <-> `routers/common` <-> `routers/api`.
2023-09-12 08:15:16 +02:00
Sven Seeberg
5f7fa27a44
Improve LDAP group config documentation, fixes #21159 (#21227)
Improve the wording of the LDAP group attributes documentation and
expand the examples.
2023-09-05 13:18:53 -04:00
KN4CK3R
0eebeeec90
Remove Named interface (#26913)
`Named` is implemented by every `Method` and future implementations
should implement the method too.
2023-09-05 15:58:30 +00:00
Jack Hay
c0ab7070e5
Update team invitation email link (#26550)
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
2023-08-31 16:26:13 +00:00
KN4CK3R
5315153059
Use Set[Type] instead of map[Type]bool/struct{}. (#26804) 2023-08-30 06:55:25 +00:00
wxiaoguang
c91a7e8dbb
Use object-fit: contain for oauth2 custom icons (#26493) 2023-08-14 16:21:04 +00:00
wxiaoguang
ed1be4ca68
Handle base64 decoding correctly to avoid panic (#26483)
Fix the panic if the "base64 secret" is too long.
2023-08-14 10:30:16 +00:00
harryzcy
0f9f6567bb
Bump github.com/golang-jwt/jwt to v5 (#25975)
Bumping `github.com/golang-jwt/jwt` from v4 to v5.

`github.com/golang-jwt/jwt` v5 is bringing some breaking changes:

- standard `Valid()` method on claims is removed. It's replaced by
`ClaimsValidator` interface implementing `Validator()` method instead,
which is called after standard validation. Gitea doesn't seem to be
using this logic.
- `jwt.Token` has a field `Valid`, so it's checked in `ParseToken`
function in `services/auth/source/oauth2/token.go`

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-19 09:57:10 +00:00
wxiaoguang
265a28802a
Fix SSPI auth panic (#25955)
Try to fix #25952

Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-18 17:32:49 +00:00
caicandong
491cc06ffe
Fix the error message when the token is incorrect (#25701)
we refactored `userIDFromToken` for the token parsing part into a new
function `parseToken`. `parseToken` returns the string `token` from
request, and a boolean `ok` representing whether the token exists or
not. So we can distinguish between token non-existence and token
inconsistency in the `verfity` function, thus solving the problem of no
proper error message when the token is inconsistent.
close #24439  
related #22119

---------

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-11 10:04:28 +08:00