Enforce Gitea environment for pushes (#8982)
* Enforce Gitea environment for pushes * Update custom/conf/app.ini.sample Co-Authored-By: Antoine GIRARD <sapk@users.noreply.github.com>
This commit is contained in:
parent
3621944c2d
commit
dd1beee2ef
4 changed files with 42 additions and 18 deletions
25
cmd/hook.go
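--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/private"
+	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/urfave/cli"
 )
@@ -55,7 +56,13 @@ var (
 
 func runHookPreReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
+			fail(`Rejecting changes as Gitea environment not set.
+If you are pushing over SSH you must push with a key managed by
+Gitea or set your environment appropriately.`, "")
+		} else {
+			return nil
+		}
 	}
 
 	setup("hooks/pre-receive.log")
@@ -115,7 +122,13 @@ func runHookPreReceive(c *cli.Context) error {
 
 func runHookUpdate(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
+			fail(`Rejecting changes as Gitea environment not set.
+If you are pushing over SSH you must push with a key managed by
+Gitea or set your environment appropriately.`, "")
+		} else {
+			return nil
+		}
 	}
 
 	setup("hooks/update.log")
@@ -125,7 +138,13 @@ func runHookUpdate(c *cli.Context) error {
 
 func runHookPostReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
+			fail(`Rejecting changes as Gitea environment not set.
+If you are pushing over SSH you must push with a key managed by
+Gitea or set your environment appropriately.`, "")
+		} else {
+			return nil
+		}
 	}
 
 	setup("hooks/post-receive.log")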
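Review bot: In all three hooks the new guard reads `setting.OnlyAllowPushIfGiteaEnvironmentSet` before `setup(...)` runs, yet the value is only assigned inside `NewContext()` (see the setting.go hunk of this commit) and its declaration carries no initializer, so unless something earlier in the process has already loaded the configuration the check sees the zero value `false` and falls through to `return nil` exactly as before — the enforcement would be a silent no-op for the local pushes it is meant to reject. If `setup` is where the configuration gets loaded (its body is outside the hunk), move `setup("hooks/pre-receive.log")` above the `SSH_ORIGINAL_COMMAND` check in runHookPreReceive, and do the same in runHookUpdate and runHookPostReceive, which share the defect. The `} else { return nil }` after `fail(...)` also leaves the outcome ambiguous to a reader: if fail terminates the process the else is redundant (return directly after the if), and if it does not, the hook would carry on into the push with no environment, so it is worth a comment stating which one holds. All three function bodies continue past the end of their hunks.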
@ -190,7 +190,7 @@ PROTOCOL = http
DOMAIN = localhost
DOMAIN = localhost
ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
; when STATIC_URL_PREFIX is empty it will follow APP_URL
; when STATIC_URL_PREFIX is empty it will follow APP_URL
STATIC_URL_PREFIX =
STATIC_URL_PREFIX =
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = 0.0.0.0
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
HTTP_PORT = 3000
@ -383,6 +383,8 @@ MIN_PASSWORD_LENGTH = 6
IMPORT_LOCAL_PATHS = false
IMPORT_LOCAL_PATHS = false
; Set to true to prevent all users (including admin) from creating custom git hooks
; Set to true to prevent all users (including admin) from creating custom git hooks
DISABLE_GIT_HOOKS = false
DISABLE_GIT_HOOKS = false
; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
;Comma separated list of character classes required to pass minimum complexity.
;Comma separated list of character classes required to pass minimum complexity.
;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used.
;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used.
;Use "off" to disable checking.
;Use "off" to disable checking.
@ -515,9 +517,9 @@ SKIP_TLS_VERIFY = false
; Number of history information in each page
; Number of history information in each page
PAGING_NUM = 10
PAGING_NUM = 10
; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy
; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy
PROXY_URL =
PROXY_URL =
; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
PROXY_HOSTS =
PROXY_HOSTS =
[mailer]
[mailer]
ENABLED = false
ENABLED = false
@ -244,6 +244,7 @@ relation to port exhaustion.
authentication provided email.
authentication provided email.
- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom
- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom
git hooks.
git hooks.
- `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately.
- `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
- `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
- `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
- `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
@ -140,18 +140,19 @@ var (
}
}
// Security settings
// Security settings
InstallLock bool
InstallLock bool
SecretKey string
SecretKey string
LogInRememberDays int
LogInRememberDays int
CookieUserName string
CookieUserName string
CookieRememberName string
CookieRememberName string
ReverseProxyAuthUser string
ReverseProxyAuthUser string
ReverseProxyAuthEmail string
ReverseProxyAuthEmail string
MinPasswordLength int
MinPasswordLength int
ImportLocalPaths bool
ImportLocalPaths bool
DisableGitHooks bool
DisableGitHooks bool
PasswordComplexity []string
OnlyAllowPushIfGiteaEnvironmentSet bool
PasswordHashAlgo string
PasswordComplexity []string
PasswordHashAlgo string
// UI settings
// UI settings
UI = struct {
UI = struct {
@ -778,6 +779,7 @@ func NewContext() {
MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)