Merge branch 'add-ldap-configuration-edit-tests' into move-login-out-of-models

Author: zeripath

.drone.yml

@@ -404,7 +404,7 @@ steps:
 
   - name: update
     pull: default
-    image: alpine:3.14
+    image: alpine:3.13
     commands:
       - ./build/update-locales.sh
 

CHANGELOG.md

@@ -216,6 +216,18 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
   * Remove utf8 option from installation page (#16126)
   * Use Wants= over Requires= in systemd file (#15897)
 
+## [1.14.5](https://github.com/go-gitea/gitea/releases/tag/v1.14.5) - 2021-07-16
+
+* SECURITY
+  * Hide mirror passwords on repo settings page (#16022) (#16355)
+  * Update bluemonday to v1.0.15 (#16379) (#16380)
+* BUGFIXES
+  * Retry rename on lock induced failures (#16435) (#16439)
+  * Validate issue index before querying DB (#16406) (#16410)
+  * Fix crash following ldap authentication update (#16447) (#16449)
+* ENHANCEMENTS
+  * Redirect on bad CSRF instead of presenting bad page (#14937) (#16378)
+
 ## [1.14.4](https://github.com/go-gitea/gitea/releases/tag/v1.14.4) - 2021-07-06
 
 * BUGFIXES

Dockerfile

@@ -1,7 +1,7 @@
 
 ###################################
 #Build stage
-FROM golang:1.16-alpine3.14 AS build-env
+FROM golang:1.16-alpine3.13 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@@ -25,7 +25,7 @@ RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go
 
-FROM alpine:3.14
+FROM alpine:3.13
 LABEL maintainer="[email protected]"
 
 EXPOSE 22 3000

Dockerfile.rootless

@@ -1,7 +1,7 @@
 
 ###################################
 #Build stage
-FROM golang:1.16-alpine3.14 AS build-env
+FROM golang:1.16-alpine3.13 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@@ -25,7 +25,7 @@ RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go
 
-FROM alpine:3.14
+FROM alpine:3.13
 LABEL maintainer="[email protected]"
 
 EXPOSE 2222 3000

custom/conf/app.example.ini

@@ -652,6 +652,9 @@ PATH =
 ;; Default value for AllowCreateOrganization
 ;; Every new user will have rights set to create organizations depending on this setting
 ;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;; Default value for IsRestricted
+;; Every new user will have restricted permissions depending on this setting
+;DEFAULT_USER_IS_RESTRICTED = false
 ;;
 ;; Either "public", "limited" or "private", default is "public"
 ;; Limited is for users visible only to signed users

docs/config.yaml

@@ -18,7 +18,7 @@ params:
   description: Git with a cup of tea
   author: The Gitea Authors
   website: https://docs.gitea.io
-  version: 1.14.4
+  version: 1.14.5
   minGoVersion: 1.14
   goVersion: 1.16
   minNodeVersion: 12.17

docs/content/doc/advanced/adding-legal-pages.en-us.md

@@ -32,7 +32,7 @@ You absolutely must not place a general ToS or privacy statement that implies th
 Create or append to `/path/to/custom/templates/custom/extra_links_footer.tmpl`:
 
 ```go
-<a class="item" href="{{AppSubUrl}}/privacy.html">Privacy Policy</a>
+<a class="item" href="{{AppSubUrl}}/assets/privacy.html">Privacy Policy</a>
 ```
 
 Restart Gitea to see the changes.

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -502,6 +502,7 @@ relation to port exhaustion.
 - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
+- `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
 - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
 - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
 - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.

docs/content/doc/advanced/customizing-gitea.en-us.md

@@ -102,7 +102,7 @@ For instance, let's say you are in Germany and must add the famously legally-req
 just place it under your "$GITEA_CUSTOM/public/" directory (for instance `$GITEA_CUSTOM/public/impressum.html`) and put a link to it in either `$GITEA_CUSTOM/templates/custom/extra_links.tmpl` or `$GITEA_CUSTOM/templates/custom/extra_links_footer.tmpl`.
 
 To match the current style, the link should have the class name "item", and you can use `{{AppSubUrl}}` to get the base URL:
-`<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>`
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`
 
 For more information, see [Adding Legal Pages](https://docs.gitea.io/en-us/adding-legal-pages).
 
@@ -174,21 +174,21 @@ You can display STL file directly in Gitea by adding:
 
   if ($('.view-raw>a[href$=".stl" i]').length) {
     $("body").append(
-      '<link href="/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">'
+      '<link href="/assets/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">'
     );
     Promise.all([
-      lS("/Madeleine.js/src/lib/stats.js"),
-      lS("/Madeleine.js/src/lib/detector.js"),
-      lS("/Madeleine.js/src/lib/three.min.js"),
-      lS("/Madeleine.js/src/Madeleine.js"),
+      lS("/assets/Madeleine.js/src/lib/stats.js"),
+      lS("/assets/Madeleine.js/src/lib/detector.js"),
+      lS("/assets/Madeleine.js/src/lib/three.min.js"),
+      lS("/assets/Madeleine.js/src/Madeleine.js"),
     ]).then(function () {
       $(".view-raw")
         .attr("id", "view-raw")
         .attr("style", "padding: 0;margin-bottom: -10px;");
       new Madeleine({
         target: "view-raw",
         data: $('.view-raw>a[href$=".stl" i]').attr("href"),
-        path: "/Madeleine.js/src",
+        path: "/assets/Madeleine.js/src",
       });
       $('.view-raw>a[href$=".stl"]').remove();
     });

docs/content/doc/advanced/customizing-gitea.zh-cn.md

@@ -61,7 +61,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 "custom/public/"目录下（比如 `custom/public/impressum.html`）并且将它与 `custom/templates/custom/extra_links.tmpl` 链接起来即可。
 
 这个链接应当使用一个名为“item”的 class 来匹配当前样式，您可以使用 `{{AppSubUrl}}` 来获取 base URL:
-`<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>`
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`
 
 同理，您可以将页签添加到 `extra_tabs.tmpl` 中，使用同样的方式来添加页签。它的具体样式需要与
 `templates/repo/header.tmpl` 中已有的其他选项卡的样式匹配

docs/content/doc/advanced/external-renderers.en-us.md

@@ -164,5 +164,5 @@ And so you could write some CSS:
 
 Add your stylesheet to your custom directory e.g `custom/public/css/my-style-XXXXX.css` and import it using a custom header file `custom/templates/custom/header.tmpl`:
 ```html
-<link type="text/css" href="{{AppSubUrl}}/css/my-style-XXXXX.css" />
+<link type="text/css" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
 ```

docs/content/doc/usage/fail2ban-setup.en-us.md

@@ -108,3 +108,12 @@ this to your Nginx configuration so that IPs don't show up as 127.0.0.1:
 ```
 proxy_set_header X-Real-IP $remote_addr;
 ```
+
+The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
+as well as the list of IP addresses and networks that describe trusted proxy servers
+(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).
+
+```
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network
+```

integrations/auth_ldap_test.go

@@ -144,6 +144,60 @@ func TestLDAPUserSignin(t *testing.T) {
 	assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())
 }
 
+func TestLDAPAuthChange(t *testing.T) {
+	defer prepareTestEnv(t)()
+	addAuthSourceLDAP(t, "")
+
+	session := loginUser(t, "user1")
+	req := NewRequest(t, "GET", "/admin/auths")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	doc := NewHTMLParser(t, resp.Body)
+	href, exists := doc.Find("table.table td a").Attr("href")
+	if !exists {
+		assert.True(t, exists, "No authentication source found")
+		return
+	}
+
+	req = NewRequest(t, "GET", href)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	doc = NewHTMLParser(t, resp.Body)
+	csrf := doc.GetCSRF()
+	host, _ := doc.Find(`input[name="host"]`).Attr("value")
+	assert.Equal(t, host, getLDAPServerHost())
+	binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value")
+	assert.Equal(t, binddn, "uid=gitea,ou=service,dc=planetexpress,dc=com")
+
+	req = NewRequestWithValues(t, "POST", href, map[string]string{
+		"_csrf":                    csrf,
+		"type":                     "2",
+		"name":                     "ldap",
+		"host":                     getLDAPServerHost(),
+		"port":                     "389",
+		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",
+		"bind_password":            "password",
+		"user_base":                "ou=people,dc=planetexpress,dc=com",
+		"filter":                   "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))",
+		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",
+		"restricted_filter":        "(uid=leela)",
+		"attribute_username":       "uid",
+		"attribute_name":           "givenName",
+		"attribute_surname":        "sn",
+		"attribute_mail":           "mail",
+		"attribute_ssh_public_key": "",
+		"is_sync_enabled":          "on",
+		"is_active":                "on",
+	})
+	session.MakeRequest(t, req, http.StatusFound)
+
+	req = NewRequest(t, "GET", href)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	doc = NewHTMLParser(t, resp.Body)
+	host, _ = doc.Find(`input[name="host"]`).Attr("value")
+	assert.Equal(t, host, getLDAPServerHost())
+	binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value")
+	assert.Equal(t, binddn, "uid=gitea,ou=service,dc=planetexpress,dc=com")
+}
+
 func TestLDAPUserSync(t *testing.T) {
 	if skipLDAPTests() {
 		t.Skip()

integrations/signup_test.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/stretchr/testify/assert"
 	"github.com/unknwon/i18n"
@@ -33,6 +34,28 @@ func TestSignup(t *testing.T) {
 	MakeRequest(t, req, http.StatusOK)
 }
 
+func TestSignupAsRestricted(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	setting.Service.EnableCaptcha = false
+	setting.Service.DefaultUserIsRestricted = true
+
+	req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
+		"user_name": "restrictedUser",
+		"email":     "[email protected]",
+		"password":  "examplePassword!1",
+		"retype":    "examplePassword!1",
+	})
+	MakeRequest(t, req, http.StatusFound)
+
+	// should be able to view new user's page
+	req = NewRequest(t, "GET", "/restrictedUser")
+	MakeRequest(t, req, http.StatusOK)
+
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{Name: "restrictedUser"}).(*models.User)
+	assert.True(t, user2.IsRestricted)
+}
+
 func TestSignupEmail(t *testing.T) {
 	defer prepareTestEnv(t)()
 

models/helper.go

@@ -5,6 +5,8 @@
 package models
 
 import (
+	"encoding/binary"
+
 	jsoniter "github.com/json-iterator/go"
 )
 
@@ -32,13 +34,32 @@ func valuesUser(m map[int64]*User) []*User {
 	return values
 }
 
-// JSONUnmarshalIgnoreErroneousBOM - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's
-// possible that a Blob may gain an unwanted prefix of 0xff 0xfe.
-func JSONUnmarshalIgnoreErroneousBOM(bs []byte, v interface{}) error {
+// JSONUnmarshalHandleDoubleEncode - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's
+// possible that a Blob may be double encoded or gain an unwanted prefix of 0xff 0xfe.
+func JSONUnmarshalHandleDoubleEncode(bs []byte, v interface{}) error {
 	json := jsoniter.ConfigCompatibleWithStandardLibrary
-	err := json.Unmarshal(bs, &v)
+	err := json.Unmarshal(bs, v)
+	if err != nil {
+		ok := true
+		rs := []byte{}
+		temp := make([]byte, 2)
+		for _, rn := range string(bs) {
+			if rn > 0xffff {
+				ok = false
+				break
+			}
+			binary.LittleEndian.PutUint16(temp, uint16(rn))
+			rs = append(rs, temp...)
+		}
+		if ok {
+			if rs[0] == 0xff && rs[1] == 0xfe {
+				rs = rs[2:]
+			}
+			err = json.Unmarshal(rs, v)
+		}
+	}
 	if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe {
-		err = json.Unmarshal(bs[2:], &v)
+		err = json.Unmarshal(bs[2:], v)
 	}
 	return err
 }

models/migrations/v189.go

@@ -5,18 +5,38 @@
 package migrations
 
 import (
+	"encoding/binary"
 	"fmt"
 
 	jsoniter "github.com/json-iterator/go"
 	"xorm.io/xorm"
 )
 
 func unwrapLDAPSourceCfg(x *xorm.Engine) error {
-	jsonUnmarshalIgnoreErroneousBOM := func(bs []byte, v interface{}) error {
+	jsonUnmarshalHandleDoubleEncode := func(bs []byte, v interface{}) error {
 		json := jsoniter.ConfigCompatibleWithStandardLibrary
-		err := json.Unmarshal(bs, &v)
+		err := json.Unmarshal(bs, v)
+		if err != nil {
+			ok := true
+			rs := []byte{}
+			temp := make([]byte, 2)
+			for _, rn := range string(bs) {
+				if rn > 0xffff {
+					ok = false
+					break
+				}
+				binary.LittleEndian.PutUint16(temp, uint16(rn))
+				rs = append(rs, temp...)
+			}
+			if ok {
+				if rs[0] == 0xff && rs[1] == 0xfe {
+					rs = rs[2:]
+				}
+				err = json.Unmarshal(rs, v)
+			}
+		}
 		if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe {
-			err = json.Unmarshal(bs[2:], &v)
+			err = json.Unmarshal(bs[2:], v)
 		}
 		return err
 	}
@@ -59,7 +79,7 @@ func unwrapLDAPSourceCfg(x *xorm.Engine) error {
 			wrapped := &WrappedSource{
 				Source: map[string]interface{}{},
 			}
-			err := jsonUnmarshalIgnoreErroneousBOM([]byte(source.Cfg), &wrapped)
+			err := jsonUnmarshalHandleDoubleEncode([]byte(source.Cfg), &wrapped)
 			if err != nil {
 				return fmt.Errorf("failed to unmarshal %s: %w", string(source.Cfg), err)
 			}