* Enforce Gitea environment for pushes * Update custom/conf/app.ini.sample Co-Authored-By: Antoine GIRARD <sapk@users.noreply.github.com>tags/v1.11.0-rc1
"code.gitea.io/gitea/models" | "code.gitea.io/gitea/models" | ||||
"code.gitea.io/gitea/modules/git" | "code.gitea.io/gitea/modules/git" | ||||
"code.gitea.io/gitea/modules/private" | "code.gitea.io/gitea/modules/private" | ||||
"code.gitea.io/gitea/modules/setting" | |||||
"github.com/urfave/cli" | "github.com/urfave/cli" | ||||
) | ) | ||||
func runHookPreReceive(c *cli.Context) error { | func runHookPreReceive(c *cli.Context) error { | ||||
if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | ||||
return nil | |||||
if setting.OnlyAllowPushIfGiteaEnvironmentSet { | |||||
fail(`Rejecting changes as Gitea environment not set. | |||||
If you are pushing over SSH you must push with a key managed by | |||||
Gitea or set your environment appropriately.`, "") | |||||
} else { | |||||
return nil | |||||
} | |||||
} | } | ||||
setup("hooks/pre-receive.log") | setup("hooks/pre-receive.log") | ||||
func runHookUpdate(c *cli.Context) error { | func runHookUpdate(c *cli.Context) error { | ||||
if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | ||||
return nil | |||||
if setting.OnlyAllowPushIfGiteaEnvironmentSet { | |||||
fail(`Rejecting changes as Gitea environment not set. | |||||
If you are pushing over SSH you must push with a key managed by | |||||
Gitea or set your environment appropriately.`, "") | |||||
} else { | |||||
return nil | |||||
} | |||||
} | } | ||||
setup("hooks/update.log") | setup("hooks/update.log") | ||||
func runHookPostReceive(c *cli.Context) error { | func runHookPostReceive(c *cli.Context) error { | ||||
if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | ||||
return nil | |||||
if setting.OnlyAllowPushIfGiteaEnvironmentSet { | |||||
fail(`Rejecting changes as Gitea environment not set. | |||||
If you are pushing over SSH you must push with a key managed by | |||||
Gitea or set your environment appropriately.`, "") | |||||
} else { | |||||
return nil | |||||
} | |||||
} | } | ||||
setup("hooks/post-receive.log") | setup("hooks/post-receive.log") |
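Review bot: The guard added to runHookPreReceive, runHookUpdate and runHookPostReceive treats a non-empty `SSH_ORIGINAL_COMMAND` as evidence that Gitea started the hook, but that is an ordinary environment variable set by the calling process, so the check catches a push made with an incomplete environment and does not authorize the pusher. A comment above the check would stop later readers from relying on it as access control, for example `// SSH_ORIGINAL_COMMAND only marks a Gitea-started hook; it is caller-set, so this is a sanity check, not authorization.` In runHookPostReceive the "Rejecting changes" message is misleading, because git runs post-receive after the refs have been updated and its exit status cannot undo the push; a distinct message there would be more accurate. The `else { return nil }` after `fail(...)` suggests `fail` does not return (its definition is not shown on this page); if so the `else` is redundant, and the block, which is identical in all three functions, would be easier to keep consistent as one shared helper.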
DOMAIN = localhost | DOMAIN = localhost | ||||
ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ | ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ | ||||
; when STATIC_URL_PREFIX is empty it will follow APP_URL | ; when STATIC_URL_PREFIX is empty it will follow APP_URL | ||||
STATIC_URL_PREFIX = | |||||
STATIC_URL_PREFIX = | |||||
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. | ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. | ||||
HTTP_ADDR = 0.0.0.0 | HTTP_ADDR = 0.0.0.0 | ||||
HTTP_PORT = 3000 | HTTP_PORT = 3000 | ||||
IMPORT_LOCAL_PATHS = false | IMPORT_LOCAL_PATHS = false | ||||
; Set to true to prevent all users (including admin) from creating custom git hooks | ; Set to true to prevent all users (including admin) from creating custom git hooks | ||||
DISABLE_GIT_HOOKS = false | DISABLE_GIT_HOOKS = false | ||||
; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED | |||||
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true | |||||
;Comma separated list of character classes required to pass minimum complexity. | ;Comma separated list of character classes required to pass minimum complexity. | ||||
;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used. | ;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used. | ||||
;Use "off" to disable checking. | ;Use "off" to disable checking. | ||||
; Number of history information in each page | ; Number of history information in each page | ||||
PAGING_NUM = 10 | PAGING_NUM = 10 | ||||
; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy | ; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy | ||||
PROXY_URL = | |||||
PROXY_URL = | |||||
; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. | ; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. | ||||
PROXY_HOSTS = | |||||
PROXY_HOSTS = | |||||
[mailer] | [mailer] | ||||
ENABLED = false | ENABLED = false |
authentication provided email. | authentication provided email. | ||||
- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom | - `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom | ||||
git hooks. | git hooks. | ||||
- `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately. | |||||
- `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server. | - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server. | ||||
- `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary. | - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary. | ||||
- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`) | - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`) |
} | } | ||||
// Security settings | // Security settings | ||||
InstallLock bool | |||||
SecretKey string | |||||
LogInRememberDays int | |||||
CookieUserName string | |||||
CookieRememberName string | |||||
ReverseProxyAuthUser string | |||||
ReverseProxyAuthEmail string | |||||
MinPasswordLength int | |||||
ImportLocalPaths bool | |||||
DisableGitHooks bool | |||||
PasswordComplexity []string | |||||
PasswordHashAlgo string | |||||
InstallLock bool | |||||
SecretKey string | |||||
LogInRememberDays int | |||||
CookieUserName string | |||||
CookieRememberName string | |||||
ReverseProxyAuthUser string | |||||
ReverseProxyAuthEmail string | |||||
MinPasswordLength int | |||||
ImportLocalPaths bool | |||||
DisableGitHooks bool | |||||
OnlyAllowPushIfGiteaEnvironmentSet bool | |||||
PasswordComplexity []string | |||||
PasswordHashAlgo string | |||||
// UI settings | // UI settings | ||||
UI = struct { | UI = struct { | ||||
MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6) | MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6) | ||||
ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false) | ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false) | ||||
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) | DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) | ||||
OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true) | |||||
PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2") | PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2") | ||||
CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true) | CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true) | ||||