From 2cb66fff60c95efbd58b797f1197f2421f4687ce Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Mon, 22 May 2023 08:05:44 +0800 Subject: Support wildcard in email domain allow/block list (#24831) Replace #20257 (which is stale and incomplete) Close #20255 Major changes: * Deprecate the "WHITELIST", use "ALLOWLIST" * Add wildcard support for EMAIL_DOMAIN_ALLOWLIST/EMAIL_DOMAIN_BLOCKLIST * Update example config file and document * Improve tests --- modules/setting/service.go | 27 ++++++++++++++++++++---- modules/setting/service_test.go | 46 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 4 deletions(-) create mode 100644 modules/setting/service_test.go (limited to 'modules/setting') diff --git a/modules/setting/service.go b/modules/setting/service.go index d4a31ba5d4..03225f566b 100644 --- a/modules/setting/service.go +++ b/modules/setting/service.go @@ -10,6 +10,8 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/structs" + + "github.com/gobwas/glob" ) // enumerates all the types of captchas @@ -33,8 +35,8 @@ var Service = struct { ResetPwdCodeLives int RegisterEmailConfirm bool RegisterManualConfirm bool - EmailDomainWhitelist []string - EmailDomainBlocklist []string + EmailDomainAllowList []glob.Glob + EmailDomainBlockList []glob.Glob DisableRegistration bool AllowOnlyInternalRegistration bool AllowOnlyExternalRegistration bool @@ -114,6 +116,20 @@ func (a AllowedVisibility) ToVisibleTypeSlice() (result []structs.VisibleType) { return result } +func CompileEmailGlobList(sec ConfigSection, keys ...string) (globs []glob.Glob) { + for _, key := range keys { + list := sec.Key(key).Strings(",") + for _, s := range list { + if g, err := glob.Compile(s); err == nil { + globs = append(globs, g) + } else { + log.Error("Skip invalid email allow/block list expression %q: %v", s, err) + } + } + } + return globs +} + func loadServiceFrom(rootCfg ConfigProvider) { sec := rootCfg.Section("service") Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180) @@ -130,8 +146,11 @@ func loadServiceFrom(rootCfg ConfigProvider) { } else { Service.RegisterManualConfirm = false } - Service.EmailDomainWhitelist = sec.Key("EMAIL_DOMAIN_WHITELIST").Strings(",") - Service.EmailDomainBlocklist = sec.Key("EMAIL_DOMAIN_BLOCKLIST").Strings(",") + if sec.HasKey("EMAIL_DOMAIN_WHITELIST") { + deprecatedSetting(rootCfg, "service", "EMAIL_DOMAIN_WHITELIST", "service", "EMAIL_DOMAIN_ALLOWLIST", "1.21") + } + Service.EmailDomainAllowList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_WHITELIST", "EMAIL_DOMAIN_ALLOWLIST") + Service.EmailDomainBlockList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_BLOCKLIST") Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration)) Service.ShowMilestonesDashboardPage = sec.Key("SHOW_MILESTONES_DASHBOARD_PAGE").MustBool(true) Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool() diff --git a/modules/setting/service_test.go b/modules/setting/service_test.go new file mode 100644 index 0000000000..656e759f42 --- /dev/null +++ b/modules/setting/service_test.go @@ -0,0 +1,46 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package setting + +import ( + "testing" + + "github.com/gobwas/glob" + "github.com/stretchr/testify/assert" +) + +func TestLoadServices(t *testing.T) { + oldService := Service + defer func() { + Service = oldService + }() + + cfg, err := NewConfigProviderFromData(` +[service] +EMAIL_DOMAIN_WHITELIST = d1, *.w +EMAIL_DOMAIN_ALLOWLIST = d2, *.a +EMAIL_DOMAIN_BLOCKLIST = d3, *.b +`) + assert.NoError(t, err) + loadServiceFrom(cfg) + + match := func(globs []glob.Glob, s string) bool { + for _, g := range globs { + if g.Match(s) { + return true + } + } + return false + } + + assert.True(t, match(Service.EmailDomainAllowList, "d1")) + assert.True(t, match(Service.EmailDomainAllowList, "foo.w")) + assert.True(t, match(Service.EmailDomainAllowList, "d2")) + assert.True(t, match(Service.EmailDomainAllowList, "foo.a")) + assert.False(t, match(Service.EmailDomainAllowList, "d3")) + + assert.True(t, match(Service.EmailDomainBlockList, "d3")) + assert.True(t, match(Service.EmailDomainBlockList, "foo.b")) + assert.False(t, match(Service.EmailDomainBlockList, "d1")) +} -- cgit v1.2.3