* Encrypt LDAP bind password in db with SECRET_KEY
The LDAP source bind password are currently stored in plaintext in the db
This PR simply encrypts them with the setting.SECRET_KEY.
Fix #15460
Signed-off-by: Andrew Thornton <art27@cantab.net>
* remove ui warning regarding unencrypted password
Co-authored-by: silverwind <me@silverwind.io>
* Fix and restyle menu on code line
* fix multiline and more tweaks
* move to separate files
* remove has-context-menu class
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
There was a small regression in #15303 whereby token auth
with 2FA active would be disallowed.
This PR fixes this.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
`Requires=` has the behaviour of stopping `gitea.service` when the
database is stopped but not bringing it up again after the database is
started again. Use `Wants=` to define a weak requirement instead,
meaning `gitea.service` will be kept running when the database is
stopped, which is not an issue because gitea will just reconnect later
on.
Fixes: https://github.com/go-gitea/gitea/issues/15866
Co-authored-by: zeripath <art27@cantab.net>
- Replace remaining font icons with SVG in issue sidebar
- Rework issue due date display
- Realign avatar in timeline
- Fix font size in repo search and code explore
- Consolidate active button styles
- Fix loading form on arc-green
- Align time tracker buttons vertically
Fixes: https://github.com/go-gitea/gitea/issues/15896
Move the token API discussion into a common section discussing the
generation and listing of the tokens. Add a note on the display of
the sha1 during creation and listing.
Co-authored-by: Norwin <noerw@users.noreply.github.com>
If the gitea service is stopped because of the db going down
it needs an `After=db.service` to ensure it is restarted in
addition to the `Requires=db.service` to ensure that the db
is started before gitea is started.
Fix #15866
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
The Tor browser does not use the system-ui font and no other fonts in the stack match
its default fonts. In fact it is possible that it will in future only
match generic fonts. This means that all rendering will first try the
emoji fonts before falling back to the sans-serif font for glyphs.
In this case has the emoji fall back fonts for Tor contains empty glyphs
for numbers - in order to protect privacy - and leads to numbers being
rendered as empty glyphs. This is clearly not ideal and whilst we could
use the Arimo font - as I state above I suspect that Tor will eventually
ban detecting this and we should instead move the sans-serif font higher
in the stack so that it matches before the emoji fonts.
Partial fix of #15844
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Hold the event source when there are no listeners
The event source does not need to run when there are no listeners. Therefore
pause it when there are none.
* add some more logging
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username
ReverseProxy users should generate a session on reverse proxy username change.
Also prevent ReverseProxy users from changing their username.
Fix #2407
* add testcase
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Prevent double-login for Git HTTP and LFS and simplify login
There are a number of inconsistencies with our current methods for
logging in for git and lfs. The first is that there is a double login
process. This is particularly evident in 1.13 where there are no less
than 4 hash checks for basic authentication due to the previous
IsPasswordSet behaviour.
This duplicated code had individual inconsistencies that were not
helpful and caused confusion.
This PR does the following:
* Remove the specific login code from the git and lfs handlers except
for the lfs special bearer token
* Simplify the meaning of DisableBasicAuthentication to allow Token and
Oauth2 sign-in.
* The removal of the specific code from git and lfs means that these
both now have the same login semantics and can - if not
DisableBasicAuthentication - login from external services. Further it
allows Oauth2 token authentication as per our standard mechanisms.
* The change in the recovery handler prevents the service from
re-attempting to login - primarily because this could easily cause a
further panic and it is wasteful.
* add test
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
* move shutdownfns, terminatefns and hammerfns out of separate goroutines
Coalesce the shutdownfns etc into a list of functions that get run at shutdown
rather then have them run at goroutines blocked on selects.
This may help reduce the background select/poll load in certain
configurations.
* The LevelDB queues can actually wait on empty instead of polling
Slight refactor to cause leveldb queues to wait on empty instead of polling.
* Shutdown the shadow level queue once it is empty
* Remove bytefifo additional goroutine for readToChan as it can just be run in run
* Remove additional removeWorkers goroutine for workers
* Simplify the AtShutdown and AtTerminate functions and add Channel Flusher
* Add shutdown flusher to CUQ
* move persistable channel shutdown stuff to Shutdown Fn
* Ensure that UPCQ has the correct config
* handle shutdown during the flushing
* reduce risk of race between zeroBoost and addWorkers
* prevent double shutdown
Signed-off-by: Andrew Thornton <art27@cantab.net>
In #15826 it has become apparent that there are a few occasions when a response can
hang during writing, and because there is no timeout go will happily just block
interminably. This PR adds a fixed 5 second timeout to all writes to a connection.
Fix #15826
Signed-off-by: Andrew Thornton <art27@cantab.net>
Fixes http: superfluous response.WriteHeader call from code.gitea.io/gitea/modules/context.(*Response).WriteHeader (response.go:67)
* Looking again we don't need this writeHeader as all of our downstream
implementations will always do it for us
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
* Only write config in environment-to-ini if there are changes
Only write the new config in environment-to-ini if there are changes or the
destination is not the same as the customconf.
Fix #15719
Fix #15857
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
* Restore PAM user autocreation functionality
PAM autoregistration of users currently fails due to email invalidity.
This PR adds a new setting to PAM to allow an email domain to be set
or just sets the email to the noreply address and if that fails falls
back to uuid@localhost
Fix #15702
Signed-off-by: Andrew Thornton <art27@cantab.net>
* As per KN4CKER
Signed-off-by: Andrew Thornton <art27@cantab.net>
- Update all JS dependencies to latest version
- Use Node 16 on CI
- Add new lint rules
- Add some gitignore entries for debug files
Co-authored-by: Lauris BH <lauris@nix.lv>
A common bug report is the otherwise harmless sshd logging:
```
Could not load host certificate "/data/ssh/ssh_host_ed25519_cert": No such file or directory
```
This PR simply checks if these files exist before creation of sshd_config and if
they do not exist, doesn't add a reference to them.
Fix #14110 amongst others.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lauris BH <lauris@nix.lv>