mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-23 07:43:18 -05:00
fcb535c5c3
This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
195 lines
5.7 KiB
Go
195 lines
5.7 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package setting
|
|
|
|
import (
|
|
"path"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"github.com/unknwon/com"
|
|
)
|
|
|
|
// enumerates all the policy repository creating
|
|
const (
|
|
RepoCreatingLastUserVisibility = "last"
|
|
RepoCreatingPrivate = "private"
|
|
RepoCreatingPublic = "public"
|
|
)
|
|
|
|
// Repository settings
|
|
var (
|
|
Repository = struct {
|
|
AnsiCharset string
|
|
ForcePrivate bool
|
|
DefaultPrivate string
|
|
MaxCreationLimit int
|
|
MirrorQueueLength int
|
|
PullRequestQueueLength int
|
|
PreferredLicenses []string
|
|
DisableHTTPGit bool
|
|
AccessControlAllowOrigin string
|
|
UseCompatSSHURI bool
|
|
DefaultCloseIssuesViaCommitsInAnyBranch bool
|
|
|
|
// Repository editor settings
|
|
Editor struct {
|
|
LineWrapExtensions []string
|
|
PreviewableFileModes []string
|
|
} `ini:"-"`
|
|
|
|
// Repository upload settings
|
|
Upload struct {
|
|
Enabled bool
|
|
TempPath string
|
|
AllowedTypes []string `delim:"|"`
|
|
FileMaxSize int64
|
|
MaxFiles int
|
|
} `ini:"-"`
|
|
|
|
// Repository local settings
|
|
Local struct {
|
|
LocalCopyPath string
|
|
} `ini:"-"`
|
|
|
|
// Pull request settings
|
|
PullRequest struct {
|
|
WorkInProgressPrefixes []string
|
|
} `ini:"repository.pull-request"`
|
|
|
|
// Issue Setting
|
|
Issue struct {
|
|
LockReasons []string
|
|
} `ini:"repository.issue"`
|
|
|
|
Signing struct {
|
|
SigningKey string
|
|
SigningName string
|
|
SigningEmail string
|
|
InitialCommit []string
|
|
CRUDActions []string `ini:"CRUD_ACTIONS"`
|
|
Merges []string
|
|
Wiki []string
|
|
} `ini:"repository.signing"`
|
|
}{
|
|
AnsiCharset: "",
|
|
ForcePrivate: false,
|
|
DefaultPrivate: RepoCreatingLastUserVisibility,
|
|
MaxCreationLimit: -1,
|
|
MirrorQueueLength: 1000,
|
|
PullRequestQueueLength: 1000,
|
|
PreferredLicenses: []string{"Apache License 2.0,MIT License"},
|
|
DisableHTTPGit: false,
|
|
AccessControlAllowOrigin: "",
|
|
UseCompatSSHURI: false,
|
|
DefaultCloseIssuesViaCommitsInAnyBranch: false,
|
|
|
|
// Repository editor settings
|
|
Editor: struct {
|
|
LineWrapExtensions []string
|
|
PreviewableFileModes []string
|
|
}{
|
|
LineWrapExtensions: strings.Split(".txt,.md,.markdown,.mdown,.mkd,", ","),
|
|
PreviewableFileModes: []string{"markdown"},
|
|
},
|
|
|
|
// Repository upload settings
|
|
Upload: struct {
|
|
Enabled bool
|
|
TempPath string
|
|
AllowedTypes []string `delim:"|"`
|
|
FileMaxSize int64
|
|
MaxFiles int
|
|
}{
|
|
Enabled: true,
|
|
TempPath: "data/tmp/uploads",
|
|
AllowedTypes: []string{},
|
|
FileMaxSize: 3,
|
|
MaxFiles: 5,
|
|
},
|
|
|
|
// Repository local settings
|
|
Local: struct {
|
|
LocalCopyPath string
|
|
}{
|
|
LocalCopyPath: "tmp/local-repo",
|
|
},
|
|
|
|
// Pull request settings
|
|
PullRequest: struct {
|
|
WorkInProgressPrefixes []string
|
|
}{
|
|
WorkInProgressPrefixes: []string{"WIP:", "[WIP]"},
|
|
},
|
|
|
|
// Issue settings
|
|
Issue: struct {
|
|
LockReasons []string
|
|
}{
|
|
LockReasons: strings.Split("Too heated,Off-topic,Spam,Resolved", ","),
|
|
},
|
|
|
|
// Signing settings
|
|
Signing: struct {
|
|
SigningKey string
|
|
SigningName string
|
|
SigningEmail string
|
|
InitialCommit []string
|
|
CRUDActions []string `ini:"CRUD_ACTIONS"`
|
|
Merges []string
|
|
Wiki []string
|
|
}{
|
|
SigningKey: "default",
|
|
SigningName: "",
|
|
SigningEmail: "",
|
|
InitialCommit: []string{"always"},
|
|
CRUDActions: []string{"pubkey", "twofa", "parentsigned"},
|
|
Merges: []string{"pubkey", "twofa", "basesigned", "commitssigned"},
|
|
Wiki: []string{"never"},
|
|
},
|
|
}
|
|
RepoRootPath string
|
|
ScriptType = "bash"
|
|
)
|
|
|
|
func newRepository() {
|
|
homeDir, err := com.HomeDir()
|
|
if err != nil {
|
|
log.Fatal("Failed to get home directory: %v", err)
|
|
}
|
|
homeDir = strings.Replace(homeDir, "\\", "/", -1)
|
|
|
|
// Determine and create root git repository path.
|
|
sec := Cfg.Section("repository")
|
|
Repository.DisableHTTPGit = sec.Key("DISABLE_HTTP_GIT").MustBool()
|
|
Repository.UseCompatSSHURI = sec.Key("USE_COMPAT_SSH_URI").MustBool()
|
|
Repository.MaxCreationLimit = sec.Key("MAX_CREATION_LIMIT").MustInt(-1)
|
|
RepoRootPath = sec.Key("ROOT").MustString(path.Join(homeDir, "gitea-repositories"))
|
|
forcePathSeparator(RepoRootPath)
|
|
if !filepath.IsAbs(RepoRootPath) {
|
|
RepoRootPath = filepath.Join(AppWorkPath, RepoRootPath)
|
|
} else {
|
|
RepoRootPath = filepath.Clean(RepoRootPath)
|
|
}
|
|
ScriptType = sec.Key("SCRIPT_TYPE").MustString("bash")
|
|
|
|
if err = Cfg.Section("repository").MapTo(&Repository); err != nil {
|
|
log.Fatal("Failed to map Repository settings: %v", err)
|
|
} else if err = Cfg.Section("repository.editor").MapTo(&Repository.Editor); err != nil {
|
|
log.Fatal("Failed to map Repository.Editor settings: %v", err)
|
|
} else if err = Cfg.Section("repository.upload").MapTo(&Repository.Upload); err != nil {
|
|
log.Fatal("Failed to map Repository.Upload settings: %v", err)
|
|
} else if err = Cfg.Section("repository.local").MapTo(&Repository.Local); err != nil {
|
|
log.Fatal("Failed to map Repository.Local settings: %v", err)
|
|
} else if err = Cfg.Section("repository.pull-request").MapTo(&Repository.PullRequest); err != nil {
|
|
log.Fatal("Failed to map Repository.PullRequest settings: %v", err)
|
|
}
|
|
|
|
if !filepath.IsAbs(Repository.Upload.TempPath) {
|
|
Repository.Upload.TempPath = path.Join(AppWorkPath, Repository.Upload.TempPath)
|
|
}
|
|
}
|