Merge branch 'master' into fix-13983-disable-ssh-editing-if-ldap

Author: zeripath

docs/content/doc/usage/fail2ban-setup.en-us.md

@@ -25,9 +25,27 @@ on a bad authentication from the web or CLI using SSH or HTTP respectively:
 ```log
 2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
 ```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
 ```log
-2020/10/15 16:05:09 modules/ssh/ssh.go:188:publicKeyHandler() [E] SearchPublicKeyByContent: public key does not exist [id: 0] Failed authentication attempt from xxx.xxx.xxx.xxx
+2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
 ```log
 2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
 ```

modules/ssh/ssh.go

@@ -134,14 +134,25 @@ func sessionHandler(session ssh.Session) {
 }
 
 func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
+	if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+		log.Debug("Handle Public Key: Fingerprint: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
+	}
+
 	if ctx.User() != setting.SSH.BuiltinServerUser {
-		log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
+		log.Warn("Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
+		log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
 		return false
 	}
 
 	// check if we have a certificate
 	if cert, ok := key.(*gossh.Certificate); ok {
+		if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+			log.Debug("Handle Certificate: %s Fingerprint: %s is a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+		}
+
 		if len(setting.SSH.TrustedUserCAKeys) == 0 {
+			log.Warn("Certificate Rejected: No trusted certificate authorities for this server")
+			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
 			return false
 		}
 
@@ -151,7 +162,7 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 			pkey, err := models.SearchPublicKeyByContentExact(principal)
 			if err != nil {
 				if models.IsErrKeyNotExist(err) {
-					log.Debug("Principal Rejected: Unknown Principal: %s", principal)
+					log.Debug("Principal Rejected: %s Unknown Principal: %s", ctx.RemoteAddr(), principal)
 					continue principalLoop
 				}
 				log.Error("SearchPublicKeyByContentExact: %v", err)
@@ -172,33 +183,58 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 
 			// check the CA of the cert
 			if !c.IsUserAuthority(cert.SignatureKey) {
-				log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
+				if log.IsDebug() {
+					log.Debug("Principal Rejected: %s Untrusted Authority Signature Fingerprint %s for Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(cert.SignatureKey), principal)
+				}
 				continue principalLoop
 			}
 
 			// validate the cert for this principal
 			if err := c.CheckCert(principal, cert); err != nil {
-				// User is presenting an invalid cerficate - STOP any further processing
-				log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
+				// User is presenting an invalid certificate - STOP any further processing
+				if log.IsError() {
+					log.Error("Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s from %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal, ctx.RemoteAddr())
+				}
+				log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+
 				return false
 			}
 
+			if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+				log.Debug("Successfully authenticated: %s Certificate Fingerprint: %s Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key), principal)
+			}
 			ctx.SetValue(giteaKeyID, pkey.ID)
 
 			return true
 		}
+
+		if log.IsWarn() {
+			log.Warn("From %s Fingerprint: %s is a certificate, but no valid principals found", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+		}
+		return false
+	}
+
+	if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+		log.Debug("Handle Public Key: %s Fingerprint: %s is not a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
 	}
 
 	pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
 	if err != nil {
 		if models.IsErrKeyNotExist(err) {
-			log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
+			if log.IsWarn() {
+				log.Warn("Unknown public key: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
+				log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+			}
 			return false
 		}
-		log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
+		log.Error("SearchPublicKeyByContent: %v", err)
 		return false
 	}
 
+	if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+		log.Debug("Successfully authenticated: %s Public Key Fingerprint: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+	}
 	ctx.SetValue(giteaKeyID, pkey.ID)
 
 	return true

modules/structs/issue.go

@@ -50,8 +50,9 @@ type Issue struct {
 	Ref              string     `json:"ref"`
 	Labels           []*Label   `json:"labels"`
 	Milestone        *Milestone `json:"milestone"`
-	Assignee         *User      `json:"assignee"`
-	Assignees        []*User    `json:"assignees"`
+	// deprecated
+	Assignee  *User   `json:"assignee"`
+	Assignees []*User `json:"assignees"`
 	// Whether the issue is open or closed
 	//
 	// type: string
@@ -83,7 +84,8 @@ type CreateIssueOption struct {
 	// required:true
 	Title string `json:"title" binding:"Required"`
 	Body  string `json:"body"`
-	// username of assignee
+	Ref   string `json:"ref"`
+	// deprecated
 	Assignee  string   `json:"assignee"`
 	Assignees []string `json:"assignees"`
 	// swagger:strfmt date-time
@@ -97,8 +99,10 @@ type CreateIssueOption struct {
 
 // EditIssueOption options for editing an issue
 type EditIssueOption struct {
-	Title     string   `json:"title"`
-	Body      *string  `json:"body"`
+	Title string  `json:"title"`
+	Body  *string `json:"body"`
+	Ref   *string `json:"ref"`
+	// deprecated
 	Assignee  *string  `json:"assignee"`
 	Assignees []string `json:"assignees"`
 	Milestone *int64   `json:"milestone"`

routers/api/v1/repo/issue.go

@@ -486,6 +486,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 		PosterID:     ctx.User.ID,
 		Poster:       ctx.User,
 		Content:      form.Body,
+		Ref:          form.Ref,
 		DeadlineUnix: deadlineUnix,
 	}
 
@@ -625,6 +626,13 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
 	if form.Body != nil {
 		issue.Content = *form.Body
 	}
+	if form.Ref != nil {
+		err = issue_service.ChangeIssueRef(issue, ctx.User, *form.Ref)
+		if err != nil {
+			ctx.Error(http.StatusInternalServerError, "UpdateRef", err)
+			return
+		}
+	}
 
 	// Update or remove the deadline, only if set and allowed
 	if (form.Deadline != nil || form.RemoveDeadline != nil) && canWrite {

templates/repo/issue/view_content/pull.tmpl

@@ -363,8 +363,8 @@
 									{{end}}
 								</div>
 							</div>
-							<div class="dib ml-3">{{$.i18n.Tr "repo.pulls.merge_instruction_hint" | Safe}}</div>
-							<div class="instruct" style="display:none">
+							<div class="instruct-toggle ml-3">{{$.i18n.Tr "repo.pulls.merge_instruction_hint" | Safe}}</div>
+							<div class="instruct-content" style="display:none">
 								<div class="ui divider"></div>
 								<div><h3 class="di">{{$.i18n.Tr "step1"}} </h3>{{$.i18n.Tr "repo.pulls.merge_instruction_step1_desc"}}</div>
 								<div class="ui secondary segment">

templates/swagger/v1_json.tmpl

@@ -11937,7 +11937,7 @@
       ],
       "properties": {
         "assignee": {
-          "description": "username of assignee",
+          "description": "deprecated",
           "type": "string",
           "x-go-name": "Assignee"
         },
@@ -11976,6 +11976,10 @@
           "format": "int64",
           "x-go-name": "Milestone"
         },
+        "ref": {
+          "type": "string",
+          "x-go-name": "Ref"
+        },
         "title": {
           "type": "string",
           "x-go-name": "Title"
@@ -12778,6 +12782,7 @@
       "type": "object",
       "properties": {
         "assignee": {
+          "description": "deprecated",
           "type": "string",
           "x-go-name": "Assignee"
         },
@@ -12802,6 +12807,10 @@
           "format": "int64",
           "x-go-name": "Milestone"
         },
+        "ref": {
+          "type": "string",
+          "x-go-name": "Ref"
+        },
         "state": {
           "type": "string",
           "x-go-name": "State"

web_src/js/index.js

@@ -1120,6 +1120,8 @@ async function initRepository() {
       e.preventDefault();
       $(`.${$(this).data('do')}-fields`).show();
       $(this).parent().hide();
+      $('.instruct-toggle').hide();
+      $('.instruct-content').hide();
     });
     $('.merge-button > .dropdown').dropdown({
       onChange(_text, _value, $choice) {
@@ -1133,6 +1135,7 @@ async function initRepository() {
       e.preventDefault();
       $(this).closest('.form').hide();
       $mergeButton.parent().show();
+      $('.instruct-toggle').show();
     });
     initReactionSelector();
   }
@@ -1199,7 +1202,7 @@ async function initRepository() {
 
 function initPullRequestMergeInstruction() {
   $('.show-instruction').on('click', () => {
-    $('.instruct').toggle();
+    $('.instruct-content').toggle();
   });
 }
 

web_src/less/_base.less

@@ -101,6 +101,9 @@
   --color-code-bg: #ffffff;
   --color-markdown-code-block: #00000010;
   --color-secondary-bg: #f4f4f4;
+  /* backgrounds */
+  --checkbox-mask-checked: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="-1 -1 18 18" width="16" height="16"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg>');
+  --checkbox-mask-indeterminate: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16"><path fill-rule="evenodd" d="M2 7.75A.75.75 0 012.75 7h10a.75.75 0 010 1.5h-10A.75.75 0 012 7.75z"></path></svg>');
 }
 
 :root:lang(ja) {

web_src/less/_markdown.less

@@ -203,16 +203,19 @@
     pointer-events: none;
     background: var(--color-text);
     mask-size: cover;
+    -webkit-mask-size: cover;
   }
 
   input[type="checkbox"]:checked::after {
     content: "";
-    mask-image: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="-1 -1 18 18" width="16" height="16"><path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 010 1.06l-7.25 7.25a.75.75 0 01-1.06 0L2.22 9.28a.75.75 0 011.06-1.06L6 10.94l6.72-6.72a.75.75 0 011.06 0z"></path></svg>');
+    mask-image: var(--checkbox-mask-checked);
+    -webkit-mask-image: var(--checkbox-mask-checked);
   }
 
   input[type="checkbox"]:indeterminate::after {
     content: "";
-    mask-image: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16"><path fill-rule="evenodd" d="M2 7.75A.75.75 0 012.75 7h10a.75.75 0 010 1.5h-10A.75.75 0 012 7.75z"></path></svg>');
+    mask-image: var(--checkbox-mask-indeterminate);
+    -webkit-mask-image: var(--checkbox-mask-indeterminate);
   }
 
   ul ul,

web_src/less/_repository.less

@@ -593,6 +593,10 @@
   }
 
   &.view.issue {
+    .instruct-toggle {
+      display: inline-block;
+    }
+
     .title {
       padding-bottom: 0 !important;