From 0b177574c92b2f8c4a4d0d9de01ff1bf5eda06a2 Mon Sep 17 00:00:00 2001 From: Stefan Kalscheuer Date: Sat, 15 Jul 2017 16:21:51 +0200 Subject: [PATCH] Only show SSH clone URL if signed in (#2169) (#2170) * Add configuration flag SSH_EXPOSE_ANONYMOUS If this flag (default True) is set to false, the SSH clone URL will only be exposed if the current user is signed in. * Default SSH exposure set to false To match GitHub and for security reasons, SSH URL exposure is disabled by default. In addition to that. minor code changes have been applied. Signed-off-by: Stefan Kalscheuer * Add integration tests * Hide clone button neither HTTP and SSH is enabled Signed-off-by: Stefan Kalscheuer --- conf/app.ini | 2 ++ integrations/repo_test.go | 37 +++++++++++++++++++++++++++++++++++ modules/context/repo.go | 1 + modules/setting/setting.go | 2 ++ templates/repo/bare.tmpl | 8 +++++--- templates/repo/home.tmpl | 12 +++++++----- templates/repo/wiki/view.tmpl | 12 +++++++----- 7 files changed, 61 insertions(+), 13 deletions(-) diff --git a/conf/app.ini b/conf/app.ini index 8f04435b5..bb0654e2e 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -126,6 +126,8 @@ SSH_KEY_TEST_PATH = SSH_KEYGEN_PATH = ssh-keygen ; Enable SSH Authorized Key Backup when rewriting all keys, default is true SSH_BACKUP_AUTHORIZED_KEYS = true +; Enable exposure of SSH clone URL to anonymous visitors, default is false +SSH_EXPOSE_ANONYMOUS = false ; Indicate whether to check minimum key size with corresponding type MINIMUM_KEY_SIZE_CHECK = false ; Disable CDN even in "prod" mode diff --git a/integrations/repo_test.go b/integrations/repo_test.go index 004156b44..f5ba4d8d8 100644 --- a/integrations/repo_test.go +++ b/integrations/repo_test.go @@ -5,8 +5,13 @@ package integrations import ( + "fmt" "net/http" "testing" + + "code.gitea.io/gitea/modules/setting" + + "github.com/stretchr/testify/assert" ) func TestViewRepo(t *testing.T) { 
@@ -37,3 +42,35 @@ func TestViewRepo3(t *testing.T) {
 session := loginUser(t, "user3")
 session.MakeRequest(t, req, http.StatusOK)
 }
+
+func TestViewRepo1CloneLinkAnonymous(t *testing.T) {
+ prepareTestEnv(t)
+
+ req := NewRequest(t, "GET", "/user2/repo1")
+ resp := MakeRequest(t, req, http.StatusOK)
+
+ htmlDoc := NewHTMLParser(t, resp.Body)
+ link, exists := htmlDoc.doc.Find("#repo-clone-https").Attr("data-link")
+ assert.True(t, exists, "The template has changed")
+ assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
+ _, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
+ assert.False(t, exists)
+}
+
+func TestViewRepo1CloneLinkAuthorized(t *testing.T) {
+ prepareTestEnv(t)
+
+ session := loginUser(t, "user2")
+
+ req := NewRequest(t, "GET", "/user2/repo1")
+ resp := session.MakeRequest(t, req, http.StatusOK)
+
+ htmlDoc := NewHTMLParser(t, resp.Body)
+ link, exists := htmlDoc.doc.Find("#repo-clone-https").Attr("data-link")
+ assert.True(t, exists, "The template has changed")
+ assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
+ link, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
+ assert.True(t, exists, "The template has changed")
+ sshURL := fmt.Sprintf("%s@%s:user2/repo1.git", setting.RunUser, setting.SSH.Domain)
+ assert.Equal(t, sshURL, link)
+}
diff --git a/modules/context/repo.go b/modules/context/repo.go
index e46170b76..d636496f5 100644
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -285,6 +285,7 @@ func RepoAssignment() macaron.Handler {
 ctx.Data["IsRepositoryWriter"] = ctx.Repo.IsWriter()
 ctx.Data["DisableSSH"] = setting.SSH.Disabled
+ ctx.Data["ExposeAnonSSH"] = setting.SSH.ExposeAnonymous
 ctx.Data["DisableHTTP"] = setting.Repository.DisableHTTPGit
 ctx.Data["CloneLink"] = repo.CloneLink()
 ctx.Data["WikiCloneLink"] = repo.WikiCloneLink()
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index f24a87653..82187e81b 100644
--- a/modules/setting/setting.go
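Review bot: Neither new test fixes the value of `SSH_EXPOSE_ANONYMOUS`, so `TestViewRepo1CloneLinkAnonymous` passes only while the loaded configuration leaves it false, and nothing covers the opt-in branch or a setup with HTTP cloning disabled. Assuming the test server reads `setting` in-process, I would set `setting.SSH.ExposeAnonymous = false` at the top of the anonymous test and restore the previous value with `defer`. A third case should set it to true and assert that `#repo-clone-ssh` is present for an anonymous request. The bare `assert.False(t, exists)` should also carry a message, e.g. `assert.False(t, exists, "SSH clone URL must not be rendered for anonymous visitors")`.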
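Review bot: Exporting the raw flag as `ExposeAnonSSH` leaves every template to re-derive the visibility rule `and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)`. The patch repeats that rule several times in templates/repo/home.tmpl, and the clone-button guard in templates/repo/bare.tmpl does not apply it. Computing the decision once in this handler would keep the views in agreement, for example `ctx.Data["ShowSSHCloneLink"] = !setting.SSH.Disabled && (ctx.IsSigned || setting.SSH.ExposeAnonymous)`. A one-line comment such as `// Rendering only: hides the SSH clone URL from anonymous visitors, it is not an access control on SSH.` would also help, as far as this patch shows that is all the flag does. RepoAssignment's body starts and ends outside the hunk.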
+++ b/modules/setting/setting.go @@ -99,6 +99,7 @@ var ( AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` MinimumKeySizeCheck bool `ini:"-"` MinimumKeySizes map[string]int `ini:"-"` + ExposeAnonymous bool `ini:"SSH_EXPOSE_ANONYMOUS"` }{ Disabled: false, StartBuiltinServer: false, @@ -707,6 +708,7 @@ func NewContext() { } } SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true) + SSH.ExposeAnonymous = sec.Key("SSH_EXPOSE_ANONYMOUS").MustBool(false) if err = Cfg.Section("server").MapTo(&LFS); err != nil { log.Fatal(4, "Failed to map LFS settings: %v", err) diff --git a/templates/repo/bare.tmpl b/templates/repo/bare.tmpl index b72738fe3..bd37228ad 100644 --- a/templates/repo/bare.tmpl +++ b/templates/repo/bare.tmpl @@ -28,9 +28,11 @@ {{else}} {{end}} - + {{if not (and $.DisableHTTP $.DisableSSH)}} + + {{end}}
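Review bot: The new `ExposeAnonymous` field has no comment, and its default is only discoverable from the `MustBool(false)` call in the second hunk (inside NewContext, whose body extends beyond the hunk). I would document it on the field, e.g. `// ExposeAnonymous renders the SSH clone URL for visitors who are not signed in (default false); it affects page output only.` The commit description still says "default True" in its first bullet, so the code comment should be the authoritative statement of the default. Separately, the context lines here read the backup flag from `SSH_AUTHORIZED_KEYS_BACKUP`, while the context lines of the conf/app.ini hunk show `SSH_BACKUP_AUTHORIZED_KEYS`. That predates this change but looks like a key-name mismatch worth confirming.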
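Review bot: The clone-button guard `{{if not (and $.DisableHTTP $.DisableSSH)}}` ignores the sign-in rule introduced elsewhere in this patch. With HTTP cloning disabled and SSH enabled, an anonymous visitor still gets the button even when `SSH_EXPOSE_ANONYMOUS` is false. To match home.tmpl it should read `{{if or (not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH))}}`. The HTML of this hunk is not visible in this view, so whether the SSH URL element in bare.tmpl is itself gated could not be checked and should be confirmed.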
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl index 664326c56..5af574ee0 100644 --- a/templates/repo/home.tmpl +++ b/templates/repo/home.tmpl @@ -56,19 +56,21 @@ {{if UseHTTPS}}HTTPS{{else}}HTTP{{end}} {{end}} - {{if not $.DisableSSH}} + {{if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}} {{end}} {{if not $.DisableHTTP}} - {{else}} + {{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}} {{end}} - + {{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}} + + {{end}}
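Review bot: The last added condition, `{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}`, has one pair of parentheses too many. As far as I can tell, text/template reads `((not $.DisableHTTP) (and …))` as a single command whose first word is the pipeline `(not $.DisableHTTP)` followed by an argument. That is rejected when the template executes ("can't give argument to non-function"), so the page would fail to render instead of hiding the button. It should be `{{if or (not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH))}}`. The integration tests in this patch request a page rendered from this template, so a failure there would point here, and a case with HTTP disabled would exercise both operands.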