* Add support for ssh commit signing
* Split out ssh verification to separate file
* Show ssh key fingerprint on commit page
* Update sshsig lib
* Make sure we verify against correct namespace
* Add ssh public key verification via ssh signatures
When adding a public ssh key also validate that this user actually
owns the key by signing a token with the private key.
* Remove some gpg references and make verify key optional
* Fix spaces indentation
* Update options/locale/locale_en-US.ini
Co-authored-by: Gusted <williamzijl7@hotmail.com>
* Update templates/user/settings/keys_ssh.tmpl
Co-authored-by: Gusted <williamzijl7@hotmail.com>
* Update options/locale/locale_en-US.ini
Co-authored-by: Gusted <williamzijl7@hotmail.com>
* Update options/locale/locale_en-US.ini
Co-authored-by: Gusted <williamzijl7@hotmail.com>
* Update models/ssh_key_commit_verification.go
Co-authored-by: Gusted <williamzijl7@hotmail.com>
* Reword ssh/gpg_key_success message
* Change Badsignature to NoKeyFound
* Add sign/verify tests
* Fix upstream api changes to user_model User
* Match exact on SSH signature
* Fix code review remarks
Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Fixes issue with windows users & letsencrypt
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Following the merging of https://github.com/go-git/go-git/pull/330 we
can now add a setting to avoid go-git reading and caching large objects.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Upgrade Gliderlabs SSH to 0.3.3 and add FailedConnectionCallback
Following the merging of https://github.com/gliderlabs/ssh/pull/143 we
can now report connections to the ssh server that have failed before
public key exchange has completed using the standard fail2ban message.
This PR updates Gliderlabs SSH and adds a callback that will provide this
logging.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* move the callback to its own function to make the logging appear little nicer
Signed-off-by: Andrew Thornton <art27@cantab.net>
* use certmagic for more extensible/robust ACME cert handling
* accept TOS based on config option
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
* Vendor: update gitea.com/macaron/session to a177a270
* make vendor
* Vendor: update gitea.com/macaron/macaron to 0db5d458
* make vendor
* Vendor: update gitea.com/macaron/cache to 905232fb
* make vendor
* Vendor: update gitea.com/macaron/i18n to 4ca3dd0c
* make vendor
* Vendor: update gitea.com/macaron/gzip to efa5e847
* make vendor
* Vendor: update gitea.com/macaron/captcha to e8597820
* make vendor
* Update to go-org 1.3.2
Fix #12727
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Fix unit test
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Add a storage layer for attachments
* Fix some bug
* fix test
* Fix copyright head and lint
* Fix bug
* Add setting for minio and flags for migrate-storage
* Add documents
* fix lint
* Add test for minio store type on attachments
* fix test
* fix test
* Apply suggestions from code review
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
* Add warning when storage migrated successfully
* Fix drone
* fix test
* rebase
* Fix test
* display the error on console
* Move minio test to amd64 since minio docker don't support arm64
* refactor the codes
* add trace
* Fix test
* remove log on xorm
* Fi download bug
* Add a storage layer for attachments
* Add setting for minio and flags for migrate-storage
* fix lint
* Add test for minio store type on attachments
* Apply suggestions from code review
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
* Fix drone
* fix test
* Fix test
* display the error on console
* Move minio test to amd64 since minio docker don't support arm64
* refactor the codes
* add trace
* Fix test
* Add URL function to serve attachments directly from S3/Minio
* Add ability to enable/disable redirection in attachment configuration
* Fix typo
* Add a storage layer for attachments
* Add setting for minio and flags for migrate-storage
* fix lint
* Add test for minio store type on attachments
* Apply suggestions from code review
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
* Fix drone
* fix test
* Fix test
* display the error on console
* Move minio test to amd64 since minio docker don't support arm64
* don't change unrelated files
* Fix lint
* Fix build
* update go.mod and go.sum
* Use github.com/minio/minio-go/v6
* Remove unused function
* Upgrade minio to v7 and some other improvements
* fix lint
* Fix go mod
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
Co-authored-by: Tyler <tystuyfzand@gmail.com>
* Fix the intermittent TestGPGGit failures
Reattempt to open the listener if the port is busy with a delay up to a second
Switch from generating a private key each time, just use a known good key
* Add single sign-on support via SSPI on Windows
* Ensure plugins implement interface
* Ensure plugins implement interface
* Move functions used only by the SSPI auth method to sspi_windows.go
* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected
* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.
* Update documentation for the new 'SPNEGO with SSPI' login source
* Mention in documentation that ROOT_URL should contain the FQDN of the server
* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)
* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)
* Add option in SSPIConfig for removing of domains from logon names
* Update helper text for StripDomainNames option
* Make sure handleSignIn() is called after a new user object is created by SSPI auth method
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates
* Remove code duplication
* Log errors in ActiveLoginSources
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Revert suffix of randomly generated E-mails for Reverse proxy authentication
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Revert unneeded white-space change in template
Co-Authored-By: Lauris BH <lauris@nix.lv>
* Add copyright comments at the top of new files
* Use loopback name for randomly generated emails
* Add locale tag for the SSPISeparatorReplacement field with proper casing
* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields
* Update docs/content/doc/features/authentication.en-us.md
Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>
* Remove Priority() method and define the order in which SSO auth methods should be executed in one place
* Log authenticated username only if it's not empty
* Rephrase helper text for automatic creation of users
* Return error if more than one active SSPI auth source is found
* Change newUser() function to return error, letting caller log/handle the error
* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed
* Refactor initialization of the list containing SSO auth methods
* Validate SSPI settings on POST
* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page
* Make 'Default language' in SSPI config empty, unless changed by admin
* Show error if admin tries to add a second authentication source of type SSPI
* Simplify declaration of global variable
* Rebuild gitgraph.js on Linux
* Make sure config values containing only whitespace are not accepted
* Graceful Shutdown for windows and others
Restructures modules/graceful, adding shutdown for windows, removing and
replacing the old minwinsvc code.
Creates a new waitGroup - terminate which allows for goroutines to
finish up after the shutdown of the servers.
Shutdown and terminate hooks are added for goroutines.
* Remove unused functions - these can be added in a different PR
* Add startup timeout functionality
* Document STARTUP_TIMEOUT
* migrate gplus to google oauth2 provider. this still provides support for old gplus connections.
* Update models/oauth2.go
Co-Authored-By: Antoine GIRARD <sapk@users.noreply.github.com>
* make vendor