git724/forgejo
1
0
Fork 0
Code Issues Pull requests 3 Projects 1 Releases Packages Wiki Activity

Only show SSH clone URL if signed in (#2169) (#2170)

Browse source 
* Add configuration flag SSH_EXPOSE_ANONYMOUS

If this flag (default True) is set to false, the SSH clone URL will only be exposed if the current user is signed in.

* Default SSH exposure set to false

To match GitHub and for security reasons, SSH URL exposure is disabled by default.
In addition to that. minor code changes have been applied.

Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>

* Add integration tests

* Hide clone button neither HTTP and SSH is enabled

Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
This commit is contained in:
Stefan Kalscheuer 2017-07-15 16:21:51 +02:00 committed by Lunny Xiao
commit 0b177574c9
7 changed files with 61 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
conf/app.ini vendored
View file

@ -126,6 +126,8 @@ SSH_KEY_TEST_PATH =
SSH_KEYGEN_PATH = ssh-keygen SSH_KEYGEN_PATH = ssh-keygen
; Enable SSH Authorized Key Backup when rewriting all keys, default is true ; Enable SSH Authorized Key Backup when rewriting all keys, default is true
SSH_BACKUP_AUTHORIZED_KEYS = true SSH_BACKUP_AUTHORIZED_KEYS = true
; Enable exposure of SSH clone URL to anonymous visitors, default is false
SSH_EXPOSE_ANONYMOUS = false
; Indicate whether to check minimum key size with corresponding type ; Indicate whether to check minimum key size with corresponding type
MINIMUM_KEY_SIZE_CHECK = false MINIMUM_KEY_SIZE_CHECK = false
; Disable CDN even in "prod" mode ; Disable CDN even in "prod" mode

37
integrations/repo_test.go
View file

@ -5,8 +5,13 @@
package integrations package integrations
import ( import (
"fmt"
"net/http" "net/http"
"testing" "testing"
"code.gitea.io/gitea/modules/setting"
"github.com/stretchr/testify/assert"
) )
func TestViewRepo(t *testing.T) { func TestViewRepo(t *testing.T) {
@ -37,3 +42,35 @@ func TestViewRepo3(t *testing.T) {
session := loginUser(t, "user3") session := loginUser(t, "user3")
session.MakeRequest(t, req, http.StatusOK) session.MakeRequest(t, req, http.StatusOK)
} }
func TestViewRepo1CloneLinkAnonymous(t *testing.T) {
prepareTestEnv(t)
req := NewRequest(t, "GET", "/user2/repo1")
resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
link, exists := htmlDoc.doc.Find("#repo-clone-https").Attr("data-link")
assert.True(t, exists, "The template has changed")
assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
_, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
assert.False(t, exists)
}
func TestViewRepo1CloneLinkAuthorized(t *testing.T) {
prepareTestEnv(t)
session := loginUser(t, "user2")
req := NewRequest(t, "GET", "/user2/repo1")
resp := session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
link, exists := htmlDoc.doc.Find("#repo-clone-https").Attr("data-link")
assert.True(t, exists, "The template has changed")
assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
link, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
assert.True(t, exists, "The template has changed")
sshURL := fmt.Sprintf("%s@%s:user2/repo1.git", setting.RunUser, setting.SSH.Domain)
assert.Equal(t, sshURL, link)
}

1
modules/context/repo.go
View file

@ -285,6 +285,7 @@ func RepoAssignment() macaron.Handler {
ctx.Data["IsRepositoryWriter"] = ctx.Repo.IsWriter() ctx.Data["IsRepositoryWriter"] = ctx.Repo.IsWriter()
ctx.Data["DisableSSH"] = setting.SSH.Disabled ctx.Data["DisableSSH"] = setting.SSH.Disabled
ctx.Data["ExposeAnonSSH"] = setting.SSH.ExposeAnonymous
ctx.Data["DisableHTTP"] = setting.Repository.DisableHTTPGit ctx.Data["DisableHTTP"] = setting.Repository.DisableHTTPGit
ctx.Data["CloneLink"] = repo.CloneLink() ctx.Data["CloneLink"] = repo.CloneLink()
ctx.Data["WikiCloneLink"] = repo.WikiCloneLink() ctx.Data["WikiCloneLink"] = repo.WikiCloneLink()

2
modules/setting/setting.go
View file

@ -99,6 +99,7 @@ var (
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
MinimumKeySizeCheck bool `ini:"-"` MinimumKeySizeCheck bool `ini:"-"`
MinimumKeySizes map[string]int `ini:"-"` MinimumKeySizes map[string]int `ini:"-"`
ExposeAnonymous bool `ini:"SSH_EXPOSE_ANONYMOUS"`
}{ }{
Disabled: false, Disabled: false,
StartBuiltinServer: false, StartBuiltinServer: false,
@ -707,6 +708,7 @@ func NewContext() {
} }
} }
SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true) SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
SSH.ExposeAnonymous = sec.Key("SSH_EXPOSE_ANONYMOUS").MustBool(false)
if err = Cfg.Section("server").MapTo(&LFS); err != nil { if err = Cfg.Section("server").MapTo(&LFS); err != nil {
log.Fatal(4, "Failed to map LFS settings: %v", err) log.Fatal(4, "Failed to map LFS settings: %v", err)

2
templates/repo/bare.tmpl
View file

@ -28,9 +28,11 @@
{{else}} {{else}}
<input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly> <input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly>
{{end}} {{end}}
{{if not (and $.DisableHTTP $.DisableSSH)}}
<button class="ui basic button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url"> <button class="ui basic button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
<i class="octicon octicon-clippy"></i> <i class="octicon octicon-clippy"></i>
</button> </button>
{{end}}
</div> </div>
</div> </div>
<div class="ui divider"></div> <div class="ui divider"></div>

6
templates/repo/home.tmpl
View file

@ -56,19 +56,21 @@
{{if UseHTTPS}}HTTPS{{else}}HTTP{{end}} {{if UseHTTPS}}HTTPS{{else}}HTTP{{end}}
</button> </button>
{{end}} {{end}}
{{if not $.DisableSSH}} {{if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
<button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.CloneLink.SSH}}"> <button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.CloneLink.SSH}}">
SSH SSH
</button> </button>
{{end}} {{end}}
{{if not $.DisableHTTP}} {{if not $.DisableHTTP}}
<input id="repo-clone-url" value="{{$.CloneLink.HTTPS}}" readonly> <input id="repo-clone-url" value="{{$.CloneLink.HTTPS}}" readonly>
{{else}} {{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
<input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly> <input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly>
{{end}} {{end}}
{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}
<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url"> <button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
<i class="octicon octicon-clippy"></i> <i class="octicon octicon-clippy"></i>
</button> </button>
{{end}}
<div class="ui basic jump dropdown icon button poping up" data-content="{{.i18n.Tr "repo.download_archive"}}" data-variation="tiny inverted" data-position="top right"> <div class="ui basic jump dropdown icon button poping up" data-content="{{.i18n.Tr "repo.download_archive"}}" data-variation="tiny inverted" data-position="top right">
<i class="download icon"></i> <i class="download icon"></i>
<div class="menu"> <div class="menu">

6
templates/repo/wiki/view.tmpl
View file

@ -35,19 +35,21 @@
{{if UseHTTPS}}HTTPS{{else}}HTTP{{end}} {{if UseHTTPS}}HTTPS{{else}}HTTP{{end}}
</button> </button>
{{end}} {{end}}
{{if not $.DisableSSH}} {{if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
<button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.WikiCloneLink.SSH}}"> <button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.WikiCloneLink.SSH}}">
SSH SSH
</button> </button>
{{end}} {{end}}
{{if not $.DisableHTTP}} {{if not $.DisableHTTP}}
<input id="repo-clone-url" value="{{$.WikiCloneLink.HTTPS}}" readonly> <input id="repo-clone-url" value="{{$.WikiCloneLink.HTTPS}}" readonly>
{{else}} {{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
<input id="repo-clone-url" value="{{$.WikiCloneLink.SSH}}" readonly> <input id="repo-clone-url" value="{{$.WikiCloneLink.SSH}}" readonly>
{{end}} {{end}}
{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}
<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url"> <button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
<i class="octicon octicon-clippy"></i> <i class="octicon octicon-clippy"></i>
</button> </button>
{{end}}
</div> </div>
</div> </div>
</div> </div>