diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d68217b43c2c..587d04d3285fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,56 @@ This changelog goes through all the changes that have been made in each release without substantial changes to our git log; to see the highlights of what has been added to each release, please refer to the [blog](https://blog.gitea.io). +## [1.14.3](https://github.com/go-gitea/gitea/releases/tag/v1.14.3) - 2021-06-18 + +* SECURITY + * Encrypt migration credentials at rest (#15895) (#16187) + * Only check access tokens if they are likely to be tokens (#16164) (#16171) + * Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039) + * Fix setting of SameSite on cookies (#15989) (#15991) +* API + * Repository object only count releases as releases (#16184) (#16190) + * EditOrg respect RepoAdminChangeTeamAccess option (#16184) (#16190) + * Fix overly strict edit pr permissions (#15900) (#16081) +* BUGFIXES + * Run processors on whole of text (#16155) (#16185) + * Class `issue-keyword` is being incorrectly stripped off spans (#16163) (#16172) + * Fix language switch for install page (#16043) (#16128) + * Fix bug on getIssueIDsByRepoID (#16119) (#16124) + * Set self-adjusting deadline for connection writing (#16068) (#16123) + * Fix http path bug (#16117) (#16120) + * Fix data URI scramble (#16098) (#16118) + * Merge all deleteBranch as one function and also fix bug when delete branch don't close related PRs (#16067) (#16097) + * git migration: don't prompt interactively for clone credentials (#15902) (#16082) + * Fix case change in ownernames (#16045) (#16050) + * Don't manipulate input params in email notification (#16011) (#16033) + * Remove branch URL before IssueRefURL (#15968) (#15970) + * Fix layout of milestone view (#15927) (#15940) + * GitHub Migration, migrate draft releases too (#15884) (#15888) + * Close the gitrepo when deleting the repository (#15876) (#15887) + * Upgrade xorm to v1.1.0 (#15869) (#15885) + * Fix blame row height alignment (#15863) (#15883) + * Fix error message when saving generated LOCAL_ROOT_URL config (#15880) (#15882) + * Backport Fix LFS commit finder not working (#15856) (#15874) + * Stop calling WriteHeader in Write (#15862) (#15873) + * Add timeout to writing to responses (#15831) (#15872) + * Return go-get info on subdirs (#15642) (#15871) + * Restore PAM user autocreation functionality (#15825) (#15867) + * Fix truncate utf8 string (#15828) (#15854) + * Fix bound address/port for caddy's certmagic library (#15758) (#15848) + * Upgrade unrolled/render to v1.1.1 (#15845) (#15846) + * Queue manager FlushAll can loop rapidly - add delay (#15733) (#15840) + * Tagger can be empty, as can Commit and Author - tolerate this (#15835) (#15839) + * Set autocomplete off on branches selector (#15809) (#15833) + * Add missing error to Doctor log (#15813) (#15824) + * Move restore repo to internal router and invoke from command to avoid open the same db file or queues files (#15790) (#15816) +* ENHANCEMENTS + * Removable media support to snap package (#16136) (#16138) + * Move sans-serif fallback font higher than emoji fonts (#15855) (#15892) +* DOCKER + * Only write config in environment-to-ini if there are changes (#15861) (#15868) + * Only offer hostcertificates if they exist (#15849) (#15853) + ## [1.14.2](https://github.com/go-gitea/gitea/releases/tag/v1.14.2) - 2021-05-09 * API diff --git a/cmd/generate.go b/cmd/generate.go index 13a99c94f462b..35c77a815b1d9 100644 --- a/cmd/generate.go +++ b/cmd/generate.go @@ -71,7 +71,7 @@ func runGenerateInternalToken(c *cli.Context) error { } func runGenerateLfsJwtSecret(c *cli.Context) error { - JWTSecretBase64, err := generate.NewJwtSecret() + JWTSecretBase64, err := generate.NewJwtSecretBase64() if err != nil { return err } diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index f316fff6ad01c..4f84e2ac33269 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -859,7 +859,9 @@ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take ef - `ACCESS_TOKEN_EXPIRATION_TIME`: **3600**: Lifetime of an OAuth2 access token in seconds - `REFRESH_TOKEN_EXPIRATION_TIME`: **730**: Lifetime of an OAuth2 refresh token in hours - `INVALIDATE_REFRESH_TOKENS`: **false**: Check if refresh token has already been used -- `JWT_SECRET`: **\**: OAuth2 authentication secret for access and refresh tokens, change this a unique string. +- `JWT_SIGNING_ALGORITHM`: **RS256**: Algorithm used to sign OAuth2 tokens. Valid values: \[`HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`\] +- `JWT_SECRET`: **\**: OAuth2 authentication secret for access and refresh tokens, change this to a unique string. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `HS256`, `HS384` or `HS512`. +- `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `CUSTOM_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider ## i18n (`i18n`) diff --git a/docs/content/doc/developers/oauth2-provider.md b/docs/content/doc/developers/oauth2-provider.md index 29305a24ca197..efe78eed97659 100644 --- a/docs/content/doc/developers/oauth2-provider.md +++ b/docs/content/doc/developers/oauth2-provider.md @@ -23,10 +23,13 @@ Gitea supports acting as an OAuth2 provider to allow third party applications to ## Endpoints -| Endpoint | URL | -| ---------------------- | --------------------------- | -| Authorization Endpoint | `/login/oauth/authorize` | -| Access Token Endpoint | `/login/oauth/access_token` | +| Endpoint | URL | +| ------------------------ | ----------------------------------- | +| OpenID Connect Discovery | `/.well-known/openid-configuration` | +| Authorization Endpoint | `/login/oauth/authorize` | +| Access Token Endpoint | `/login/oauth/access_token` | +| OpenID Connect UserInfo | `/login/oauth/userinfo` | +| JSON Web Key Set | `/login/oauth/keys` | ## Supported OAuth2 Grants diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go index 98c9fb6ec7393..7052e74b018ea 100644 --- a/integrations/api_repo_test.go +++ b/integrations/api_repo_test.go @@ -223,7 +223,7 @@ func TestAPIViewRepo(t *testing.T) { DecodeJSON(t, resp, &repo) assert.EqualValues(t, 1, repo.ID) assert.EqualValues(t, "repo1", repo.Name) - assert.EqualValues(t, 3, repo.Releases) + assert.EqualValues(t, 2, repo.Releases) assert.EqualValues(t, 1, repo.OpenIssues) assert.EqualValues(t, 3, repo.OpenPulls) @@ -466,7 +466,7 @@ func TestAPIRepoTransfer(t *testing.T) { session := loginUser(t, user.Name) token := getTokenForLoggedInUser(t, session) repoName := "moveME" - repo := new(models.Repository) + apiRepo := new(api.Repository) req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/user/repos?token=%s", token), &api.CreateRepoOption{ Name: repoName, Description: "repo move around", @@ -475,12 +475,12 @@ func TestAPIRepoTransfer(t *testing.T) { AutoInit: true, }) resp := session.MakeRequest(t, req, http.StatusCreated) - DecodeJSON(t, resp, repo) + DecodeJSON(t, resp, apiRepo) //start testing for _, testCase := range testCases { user = models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User) - repo = models.AssertExistsAndLoadBean(t, &models.Repository{ID: repo.ID}).(*models.Repository) + repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: apiRepo.ID}).(*models.Repository) session = loginUser(t, user.Name) token = getTokenForLoggedInUser(t, session) req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer?token=%s", repo.OwnerName, repo.Name, token), &api.TransferRepoOption{ @@ -491,7 +491,7 @@ func TestAPIRepoTransfer(t *testing.T) { } //cleanup - repo = models.AssertExistsAndLoadBean(t, &models.Repository{ID: repo.ID}).(*models.Repository) + repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: apiRepo.ID}).(*models.Repository) _ = models.DeleteRepository(user, repo.OwnerID, repo.ID) } diff --git a/integrations/org_count_test.go b/integrations/org_count_test.go index 755ee3cee59f0..20917dc17e0c5 100644 --- a/integrations/org_count_test.go +++ b/integrations/org_count_test.go @@ -114,11 +114,12 @@ func doCheckOrgCounts(username string, orgCounts map[string]int, strict bool, ca Name: username, }).(*models.User) - user.GetOrganizations(&models.SearchOrganizationsOptions{All: true}) + orgs, err := models.GetOrgsByUserID(user.ID, true) + assert.NoError(t, err) calcOrgCounts := map[string]int{} - for _, org := range user.Orgs { + for _, org := range orgs { calcOrgCounts[org.LowerName] = org.NumRepos count, ok := canonicalCounts[org.LowerName] if ok { diff --git a/models/oauth2.go b/models/oauth2.go index cc9de74f84ebc..46da60e02dd65 100644 --- a/models/oauth2.go +++ b/models/oauth2.go @@ -132,6 +132,9 @@ func GetActiveOAuth2Providers() ([]string, map[string]OAuth2Provider, error) { // InitOAuth2 initialize the OAuth2 lib and register all active OAuth2 providers in the library func InitOAuth2() error { + if err := oauth2.InitSigningKey(); err != nil { + return err + } if err := oauth2.Init(x); err != nil { return err } diff --git a/models/oauth2_application.go b/models/oauth2_application.go index 82d8f4cdf7b1f..3509dba54e2f8 100644 --- a/models/oauth2_application.go +++ b/models/oauth2_application.go @@ -12,8 +12,8 @@ import ( "strings" "time" + "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/secret" - "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/util" @@ -540,10 +540,10 @@ type OAuth2Token struct { // ParseOAuth2Token parses a singed jwt string func ParseOAuth2Token(jwtToken string) (*OAuth2Token, error) { parsedToken, err := jwt.ParseWithClaims(jwtToken, &OAuth2Token{}, func(token *jwt.Token) (interface{}, error) { - if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { + if token.Method == nil || token.Method.Alg() != oauth2.DefaultSigningKey.SigningMethod().Alg() { return nil, fmt.Errorf("unexpected signing algo: %v", token.Header["alg"]) } - return setting.OAuth2.JWTSecretBytes, nil + return oauth2.DefaultSigningKey.VerifyKey(), nil }) if err != nil { return nil, err @@ -559,8 +559,9 @@ func ParseOAuth2Token(jwtToken string) (*OAuth2Token, error) { // SignToken signs the token with the JWT secret func (token *OAuth2Token) SignToken() (string, error) { token.IssuedAt = time.Now().Unix() - jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS512, token) - return jwtToken.SignedString(setting.OAuth2.JWTSecretBytes) + jwtToken := jwt.NewWithClaims(oauth2.DefaultSigningKey.SigningMethod(), token) + oauth2.DefaultSigningKey.PreProcessToken(jwtToken) + return jwtToken.SignedString(oauth2.DefaultSigningKey.SignKey()) } // OIDCToken represents an OpenID Connect id_token @@ -583,8 +584,9 @@ type OIDCToken struct { } // SignToken signs an id_token with the (symmetric) client secret key -func (token *OIDCToken) SignToken(clientSecret string) (string, error) { +func (token *OIDCToken) SignToken(signingKey oauth2.JWTSigningKey) (string, error) { token.IssuedAt = time.Now().Unix() - jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, token) - return jwtToken.SignedString([]byte(clientSecret)) + jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token) + signingKey.PreProcessToken(jwtToken) + return jwtToken.SignedString(signingKey.SignKey()) } diff --git a/models/user.go b/models/user.go index 002c050651f17..5998341422197 100644 --- a/models/user.go +++ b/models/user.go @@ -112,7 +112,6 @@ type User struct { LoginName string Type UserType OwnedOrgs []*User `xorm:"-"` - Orgs []*User `xorm:"-"` Repos []*Repository `xorm:"-"` Location string Website string @@ -603,58 +602,6 @@ func (u *User) GetOwnedOrganizations() (err error) { return err } -// GetOrganizations returns paginated organizations that user belongs to. -// TODO: does not respect All and show orgs you privately participate -func (u *User) GetOrganizations(opts *SearchOrganizationsOptions) error { - sess := x.NewSession() - defer sess.Close() - - schema, err := x.TableInfo(new(User)) - if err != nil { - return err - } - groupByCols := &strings.Builder{} - for _, col := range schema.Columns() { - fmt.Fprintf(groupByCols, "`%s`.%s,", schema.Name, col.Name) - } - groupByStr := groupByCols.String() - groupByStr = groupByStr[0 : len(groupByStr)-1] - - sess.Select("`user`.*, count(repo_id) as org_count"). - Table("user"). - Join("INNER", "org_user", "`org_user`.org_id=`user`.id"). - Join("LEFT", builder. - Select("id as repo_id, owner_id as repo_owner_id"). - From("repository"). - Where(accessibleRepositoryCondition(u)), "`repository`.repo_owner_id = `org_user`.org_id"). - And("`org_user`.uid=?", u.ID). - GroupBy(groupByStr) - if opts.PageSize != 0 { - sess = opts.setSessionPagination(sess) - } - type OrgCount struct { - User `xorm:"extends"` - OrgCount int - } - orgCounts := make([]*OrgCount, 0, 10) - - if err := sess. - Asc("`user`.name"). - Find(&orgCounts); err != nil { - return err - } - - orgs := make([]*User, len(orgCounts)) - for i, orgCount := range orgCounts { - orgCount.User.NumRepos = orgCount.OrgCount - orgs[i] = &orgCount.User - } - - u.Orgs = orgs - - return nil -} - // DisplayName returns full name if it's not empty, // returns username otherwise. func (u *User) DisplayName() string { diff --git a/modules/auth/oauth2/jwtsigningkey.go b/modules/auth/oauth2/jwtsigningkey.go new file mode 100644 index 0000000000000..75e62a7c43039 --- /dev/null +++ b/modules/auth/oauth2/jwtsigningkey.go @@ -0,0 +1,378 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/pem" + "fmt" + "io/ioutil" + "math/big" + "os" + "path/filepath" + "strings" + + "code.gitea.io/gitea/modules/generate" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/util" + + "github.com/dgrijalva/jwt-go" + ini "gopkg.in/ini.v1" +) + +// ErrInvalidAlgorithmType represents an invalid algorithm error. +type ErrInvalidAlgorithmType struct { + Algorightm string +} + +func (err ErrInvalidAlgorithmType) Error() string { + return fmt.Sprintf("JWT signing algorithm is not supported: %s", err.Algorightm) +} + +// JWTSigningKey represents a algorithm/key pair to sign JWTs +type JWTSigningKey interface { + IsSymmetric() bool + SigningMethod() jwt.SigningMethod + SignKey() interface{} + VerifyKey() interface{} + ToJWK() (map[string]string, error) + PreProcessToken(*jwt.Token) +} + +type hmacSigningKey struct { + signingMethod jwt.SigningMethod + secret []byte +} + +func (key hmacSigningKey) IsSymmetric() bool { + return true +} + +func (key hmacSigningKey) SigningMethod() jwt.SigningMethod { + return key.signingMethod +} + +func (key hmacSigningKey) SignKey() interface{} { + return key.secret +} + +func (key hmacSigningKey) VerifyKey() interface{} { + return key.secret +} + +func (key hmacSigningKey) ToJWK() (map[string]string, error) { + return map[string]string{ + "kty": "oct", + "alg": key.SigningMethod().Alg(), + }, nil +} + +func (key hmacSigningKey) PreProcessToken(*jwt.Token) {} + +type rsaSingingKey struct { + signingMethod jwt.SigningMethod + key *rsa.PrivateKey + id string +} + +func newRSASingingKey(signingMethod jwt.SigningMethod, key *rsa.PrivateKey) (rsaSingingKey, error) { + kid, err := createPublicKeyFingerprint(key.Public().(*rsa.PublicKey)) + if err != nil { + return rsaSingingKey{}, err + } + + return rsaSingingKey{ + signingMethod, + key, + base64.RawURLEncoding.EncodeToString(kid), + }, nil +} + +func (key rsaSingingKey) IsSymmetric() bool { + return false +} + +func (key rsaSingingKey) SigningMethod() jwt.SigningMethod { + return key.signingMethod +} + +func (key rsaSingingKey) SignKey() interface{} { + return key.key +} + +func (key rsaSingingKey) VerifyKey() interface{} { + return key.key.Public() +} + +func (key rsaSingingKey) ToJWK() (map[string]string, error) { + pubKey := key.key.Public().(*rsa.PublicKey) + + return map[string]string{ + "kty": "RSA", + "alg": key.SigningMethod().Alg(), + "kid": key.id, + "e": base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pubKey.E)).Bytes()), + "n": base64.RawURLEncoding.EncodeToString(pubKey.N.Bytes()), + }, nil +} + +func (key rsaSingingKey) PreProcessToken(token *jwt.Token) { + token.Header["kid"] = key.id +} + +type ecdsaSingingKey struct { + signingMethod jwt.SigningMethod + key *ecdsa.PrivateKey + id string +} + +func newECDSASingingKey(signingMethod jwt.SigningMethod, key *ecdsa.PrivateKey) (ecdsaSingingKey, error) { + kid, err := createPublicKeyFingerprint(key.Public().(*ecdsa.PublicKey)) + if err != nil { + return ecdsaSingingKey{}, err + } + + return ecdsaSingingKey{ + signingMethod, + key, + base64.RawURLEncoding.EncodeToString(kid), + }, nil +} + +func (key ecdsaSingingKey) IsSymmetric() bool { + return false +} + +func (key ecdsaSingingKey) SigningMethod() jwt.SigningMethod { + return key.signingMethod +} + +func (key ecdsaSingingKey) SignKey() interface{} { + return key.key +} + +func (key ecdsaSingingKey) VerifyKey() interface{} { + return key.key.Public() +} + +func (key ecdsaSingingKey) ToJWK() (map[string]string, error) { + pubKey := key.key.Public().(*ecdsa.PublicKey) + + return map[string]string{ + "kty": "EC", + "alg": key.SigningMethod().Alg(), + "kid": key.id, + "crv": pubKey.Params().Name, + "x": base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()), + "y": base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()), + }, nil +} + +func (key ecdsaSingingKey) PreProcessToken(token *jwt.Token) { + token.Header["kid"] = key.id +} + +// createPublicKeyFingerprint creates a fingerprint of the given key. +// The fingerprint is the sha256 sum of the PKIX structure of the key. +func createPublicKeyFingerprint(key interface{}) ([]byte, error) { + bytes, err := x509.MarshalPKIXPublicKey(key) + if err != nil { + return nil, err + } + + checksum := sha256.Sum256(bytes) + + return checksum[:], nil +} + +// CreateJWTSingingKey creates a signing key from an algorithm / key pair. +func CreateJWTSingingKey(algorithm string, key interface{}) (JWTSigningKey, error) { + var signingMethod jwt.SigningMethod + switch algorithm { + case "HS256": + signingMethod = jwt.SigningMethodHS256 + case "HS384": + signingMethod = jwt.SigningMethodHS384 + case "HS512": + signingMethod = jwt.SigningMethodHS512 + + case "RS256": + signingMethod = jwt.SigningMethodRS256 + case "RS384": + signingMethod = jwt.SigningMethodRS384 + case "RS512": + signingMethod = jwt.SigningMethodRS512 + + case "ES256": + signingMethod = jwt.SigningMethodES256 + case "ES384": + signingMethod = jwt.SigningMethodES384 + case "ES512": + signingMethod = jwt.SigningMethodES512 + default: + return nil, ErrInvalidAlgorithmType{algorithm} + } + + switch signingMethod.(type) { + case *jwt.SigningMethodECDSA: + privateKey, ok := key.(*ecdsa.PrivateKey) + if !ok { + return nil, jwt.ErrInvalidKeyType + } + return newECDSASingingKey(signingMethod, privateKey) + case *jwt.SigningMethodRSA: + privateKey, ok := key.(*rsa.PrivateKey) + if !ok { + return nil, jwt.ErrInvalidKeyType + } + return newRSASingingKey(signingMethod, privateKey) + default: + secret, ok := key.([]byte) + if !ok { + return nil, jwt.ErrInvalidKeyType + } + return hmacSigningKey{signingMethod, secret}, nil + } +} + +// DefaultSigningKey is the default signing key for JWTs. +var DefaultSigningKey JWTSigningKey + +// InitSigningKey creates the default signing key from settings or creates a random key. +func InitSigningKey() error { + var err error + var key interface{} + + switch setting.OAuth2.JWTSigningAlgorithm { + case "HS256": + fallthrough + case "HS384": + fallthrough + case "HS512": + key, err = loadOrCreateSymmetricKey() + + case "RS256": + fallthrough + case "RS384": + fallthrough + case "RS512": + fallthrough + case "ES256": + fallthrough + case "ES384": + fallthrough + case "ES512": + key, err = loadOrCreateAsymmetricKey() + + default: + return ErrInvalidAlgorithmType{setting.OAuth2.JWTSigningAlgorithm} + } + + if err != nil { + return fmt.Errorf("Error while loading or creating symmetric key: %v", err) + } + + signingKey, err := CreateJWTSingingKey(setting.OAuth2.JWTSigningAlgorithm, key) + if err != nil { + return err + } + + DefaultSigningKey = signingKey + + return nil +} + +// loadOrCreateSymmetricKey checks if the configured secret is valid. +// If it is not valid a new secret is created and saved in the configuration file. +func loadOrCreateSymmetricKey() (interface{}, error) { + key := make([]byte, 32) + n, err := base64.RawURLEncoding.Decode(key, []byte(setting.OAuth2.JWTSecretBase64)) + if err != nil || n != 32 { + key, err = generate.NewJwtSecret() + if err != nil { + log.Fatal("error generating JWT secret: %v", err) + return nil, err + } + + setting.CreateOrAppendToCustomConf(func(cfg *ini.File) { + secretBase64 := base64.RawURLEncoding.EncodeToString(key) + cfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64) + }) + } + + return key, nil +} + +// loadOrCreateAsymmetricKey checks if the configured private key exists. +// If it does not exist a new random key gets generated and saved on the configured path. +func loadOrCreateAsymmetricKey() (interface{}, error) { + keyPath := setting.OAuth2.JWTSigningPrivateKeyFile + + isExist, err := util.IsExist(keyPath) + if err != nil { + log.Fatal("Unable to check if %s exists. Error: %v", keyPath, err) + } + if !isExist { + err := func() error { + key, err := func() (interface{}, error) { + if strings.HasPrefix(setting.OAuth2.JWTSigningAlgorithm, "RS") { + return rsa.GenerateKey(rand.Reader, 4096) + } + return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + }() + if err != nil { + return err + } + + bytes, err := x509.MarshalPKCS8PrivateKey(key) + if err != nil { + return err + } + + privateKeyPEM := &pem.Block{Type: "PRIVATE KEY", Bytes: bytes} + + if err := os.MkdirAll(filepath.Dir(keyPath), os.ModePerm); err != nil { + return err + } + + f, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600) + if err != nil { + return err + } + defer func() { + if err = f.Close(); err != nil { + log.Error("Close: %v", err) + } + }() + + return pem.Encode(f, privateKeyPEM) + }() + if err != nil { + log.Fatal("Error generating private key: %v", err) + return nil, err + } + } + + bytes, err := ioutil.ReadFile(keyPath) + if err != nil { + return nil, err + } + + block, _ := pem.Decode(bytes) + if block == nil { + return nil, fmt.Errorf("no valid PEM data found in %s", keyPath) + } else if block.Type != "PRIVATE KEY" { + return nil, fmt.Errorf("expected PRIVATE KEY, got %s in %s", block.Type, keyPath) + } + + return x509.ParsePKCS8PrivateKey(block.Bytes) +} diff --git a/modules/convert/repository.go b/modules/convert/repository.go index 9a4fbb97caec7..7f3d67137f755 100644 --- a/modules/convert/repository.go +++ b/modules/convert/repository.go @@ -91,7 +91,7 @@ func innerToRepo(repo *models.Repository, mode models.AccessMode, isParent bool) return nil } - numReleases, _ := models.GetReleaseCountByRepoID(repo.ID, models.FindReleasesOptions{IncludeDrafts: false, IncludeTags: true}) + numReleases, _ := models.GetReleaseCountByRepoID(repo.ID, models.FindReleasesOptions{IncludeDrafts: false, IncludeTags: false}) mirrorInterval := "" if repo.IsMirror { diff --git a/modules/generate/generate.go b/modules/generate/generate.go index 96589d3fb9ac5..4ed2a503b0041 100644 --- a/modules/generate/generate.go +++ b/modules/generate/generate.go @@ -38,14 +38,23 @@ func NewInternalToken() (string, error) { return internalToken, nil } -// NewJwtSecret generate a new value intended to be used by LFS_JWT_SECRET. -func NewJwtSecret() (string, error) { - JWTSecretBytes := make([]byte, 32) - _, err := io.ReadFull(rand.Reader, JWTSecretBytes) +// NewJwtSecret generates a new value intended to be used for JWT secrets. +func NewJwtSecret() ([]byte, error) { + bytes := make([]byte, 32) + _, err := io.ReadFull(rand.Reader, bytes) + if err != nil { + return nil, err + } + return bytes, nil +} + +// NewJwtSecretBase64 generates a new base64 encoded value intended to be used for JWT secrets. +func NewJwtSecretBase64() (string, error) { + bytes, err := NewJwtSecret() if err != nil { return "", err } - return base64.RawURLEncoding.EncodeToString(JWTSecretBytes), nil + return base64.RawURLEncoding.EncodeToString(bytes), nil } // NewSecretKey generate a new value intended to be used by SECRET_KEY. diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go index 38c656fc29858..8b9224b86a6cb 100644 --- a/modules/setting/lfs.go +++ b/modules/setting/lfs.go @@ -54,7 +54,7 @@ func newLFSService() { n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) if err != nil || n != 32 { - LFS.JWTSecretBase64, err = generate.NewJwtSecret() + LFS.JWTSecretBase64, err = generate.NewJwtSecretBase64() if err != nil { log.Fatal("Error generating JWT Secret for custom config: %v", err) return diff --git a/modules/setting/setting.go b/modules/setting/setting.go index d26c054cd79dd..f648179155594 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -371,14 +371,17 @@ var ( AccessTokenExpirationTime int64 RefreshTokenExpirationTime int64 InvalidateRefreshTokens bool - JWTSecretBytes []byte `ini:"-"` + JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"` JWTSecretBase64 string `ini:"JWT_SECRET"` + JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"` MaxTokenLength int }{ Enable: true, AccessTokenExpirationTime: 3600, RefreshTokenExpirationTime: 730, InvalidateRefreshTokens: false, + JWTSigningAlgorithm: "RS256", + JWTSigningPrivateKeyFile: "jwt/private.pem", MaxTokenLength: math.MaxInt16, } @@ -801,21 +804,8 @@ func NewContext() { return } - if OAuth2.Enable { - OAuth2.JWTSecretBytes = make([]byte, 32) - n, err := base64.RawURLEncoding.Decode(OAuth2.JWTSecretBytes, []byte(OAuth2.JWTSecretBase64)) - - if err != nil || n != 32 { - OAuth2.JWTSecretBase64, err = generate.NewJwtSecret() - if err != nil { - log.Fatal("error generating JWT secret: %v", err) - return - } - - CreateOrAppendToCustomConf(func(cfg *ini.File) { - cfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64) - }) - } + if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) { + OAuth2.JWTSigningPrivateKeyFile = filepath.Join(CustomPath, OAuth2.JWTSigningPrivateKeyFile) } sec = Cfg.Section("admin") diff --git a/modules/structs/org.go b/modules/structs/org.go index 483f5044a8982..38c6c6d6d849b 100644 --- a/modules/structs/org.go +++ b/modules/structs/org.go @@ -31,6 +31,8 @@ type CreateOrgOption struct { RepoAdminChangeTeamAccess bool `json:"repo_admin_change_team_access"` } +// TODO: make EditOrgOption fields optional after https://gitea.com/go-chi/binding/pulls/5 got merged + // EditOrgOption options for editing an organization type EditOrgOption struct { FullName string `json:"full_name"` @@ -40,5 +42,5 @@ type EditOrgOption struct { // possible values are `public`, `limited` or `private` // enum: public,limited,private Visibility string `json:"visibility" binding:"In(,public,limited,private)"` - RepoAdminChangeTeamAccess bool `json:"repo_admin_change_team_access"` + RepoAdminChangeTeamAccess *bool `json:"repo_admin_change_team_access"` } diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini index a8d4b5f70f9db..09dc4a0a9de52 100644 --- a/options/locale/locale_pt-PT.ini +++ b/options/locale/locale_pt-PT.ini @@ -728,6 +728,9 @@ mirror_lfs=Armazenamento de Ficheiros Grandes (LFS) mirror_lfs_desc=Habilitar o espelhamento de dados LFS. mirror_lfs_endpoint_desc=A sincronização irá tentar usar o URL de clonagem para determinar o servidor LFS. Também pode especificar um destino personalizado se os dados do repositório LFS forem armazenados noutro lugar. mirror_last_synced=Última sincronização +mirror_password_placeholder=(inalterada) +mirror_password_blank_placeholder=(não definida) +mirror_password_help=Altere o nome de utilizador para eliminar uma senha armazenada. watchers=Vigilantes stargazers=Fãs forks=Derivações @@ -810,13 +813,13 @@ migrate.migrate_items_options=É necessário um código de acesso para migrar it migrated_from=Migrado de %[2]s migrated_from_fake=Migrado de %[1]s migrate.migrate=Migrar de %s -migrate.migrating=Migrando de %s... +migrate.migrating=Migrando a partir de %s ... migrate.migrating_failed=A migração de %s falhou. -migrate.github.description=Migrando dados do Github.com ou do Github Enterprise. -migrate.git.description=Migrando ou espelhando dados git a partir de serviços Git -migrate.gitlab.description=Migrando dados do GitLab.com ou de um servidor GitLab auto-hospedado. -migrate.gitea.description=Migrando dados do Gitea.com ou de um servidor Gitea auto-hospedado. -migrate.gogs.description=Migrando dados de notabug.com ou de outro servidor Gogs auto-hospedado. +migrate.github.description=Migrar dados do Github.com ou do Github Enterprise. +migrate.git.description=Migrar ou espelhar dados git a partir de serviços Git +migrate.gitlab.description=Migrar dados do GitLab.com ou de um servidor GitLab auto-hospedado. +migrate.gitea.description=Migrar dados do Gitea.com ou de um servidor Gitea auto-hospedado. +migrate.gogs.description=Migrar dados de notabug.com ou de outro servidor Gogs auto-hospedado. mirror_from=espelho de forked_from=derivado de @@ -1532,6 +1535,9 @@ settings.githooks=Automatismos do Git settings.basic_settings=Configurações básicas settings.mirror_settings=Configurações do espelhamento settings.mirror_settings.docs=Configure o seu repositório para puxar e/ou enviar automaticamente as modificações de/para outro repositório. Ramos, etiquetas e cometimentos serão sincronizados automaticamente. Como é que eu faço um espelho de outro repositório? +settings.mirror_settings.mirrored_repository=Repositório espelhado +settings.mirror_settings.direction=Sentido +settings.mirror_settings.last_update=Última modificação settings.mirror_settings.push_mirror.none=Não foram configurados quaisquer espelhos de envio settings.mirror_settings.push_mirror.remote_url=URL do repositório remoto Git settings.mirror_settings.push_mirror.add=Adicionar espelho de envio diff --git a/options/locale/locale_zh-TW.ini b/options/locale/locale_zh-TW.ini index d2ff1305e2f0f..81e7b7e0afdca 100644 --- a/options/locale/locale_zh-TW.ini +++ b/options/locale/locale_zh-TW.ini @@ -822,11 +822,19 @@ migrated_from_fake=已從 %[1]s 遷移 migrate.migrate=從 %s 遷移 migrate.migrating=正在從 %s 遷移... migrate.migrating_failed=從 %s 遷移失敗 +migrate.migrating_failed.error=錯誤:%s migrate.github.description=從 Github.com 或 Github Enterprise 遷移資料。 migrate.git.description=從 Git 服務遷移或鏡像資料。 migrate.gitlab.description=從 GitLab.com 或自託管的 Gitlab 伺服器遷移資料。 migrate.gitea.description=從 Gitea.com 或自託管的 Gitea 伺服器遷移資料。 migrate.gogs.description=從 notabug.org 或自託管的 Gogs 伺服器遷移資料。 +migrate.migrating_git=正在遷移 Git 資料 +migrate.migrating_topics=正在遷移主題 +migrate.migrating_milestones=正在遷移里程碑 +migrate.migrating_labels=正在遷移標籤 +migrate.migrating_releases=正在遷移版本發佈 +migrate.migrating_issues=正在遷移問題 +migrate.migrating_pulls=正在遷移合併請求 mirror_from=鏡像自 forked_from=fork 自 diff --git a/routers/api/v1/org/org.go b/routers/api/v1/org/org.go index e0f36aa1e657d..f4a634f4d56c0 100644 --- a/routers/api/v1/org/org.go +++ b/routers/api/v1/org/org.go @@ -264,7 +264,13 @@ func Edit(ctx *context.APIContext) { if form.Visibility != "" { org.Visibility = api.VisibilityModes[form.Visibility] } - if err := models.UpdateUserCols(org, "full_name", "description", "website", "location", "visibility"); err != nil { + if form.RepoAdminChangeTeamAccess != nil { + org.RepoAdminChangeTeamAccess = *form.RepoAdminChangeTeamAccess + } + if err := models.UpdateUserCols(org, + "full_name", "description", "website", "location", + "visibility", "repo_admin_change_team_access", + ); err != nil { ctx.Error(http.StatusInternalServerError, "EditOrganization", err) return } diff --git a/routers/api/v1/utils/utils.go b/routers/api/v1/utils/utils.go index ad1a136db463a..10ab3ebd0cfb9 100644 --- a/routers/api/v1/utils/utils.go +++ b/routers/api/v1/utils/utils.go @@ -55,7 +55,7 @@ func parseTime(value string) (int64, error) { // prepareQueryArg unescape and trim a query arg func prepareQueryArg(ctx *context.APIContext, name string) (value string, err error) { value, err = url.PathUnescape(ctx.Query(name)) - value = strings.Trim(value, " ") + value = strings.TrimSpace(value) return } diff --git a/routers/install/install.go b/routers/install/install.go index a7040bccad9f7..ad985cf184882 100644 --- a/routers/install/install.go +++ b/routers/install/install.go @@ -343,7 +343,7 @@ func SubmitInstall(ctx *context.Context) { cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) var secretKey string - if secretKey, err = generate.NewJwtSecret(); err != nil { + if secretKey, err = generate.NewJwtSecretBase64(); err != nil { ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form) return } diff --git a/routers/web/user/oauth.go b/routers/web/user/oauth.go index 5667eea45c963..72295b4447c28 100644 --- a/routers/web/user/oauth.go +++ b/routers/web/user/oauth.go @@ -13,6 +13,7 @@ import ( "strings" "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/log" @@ -24,6 +25,7 @@ import ( "gitea.com/go-chi/binding" "github.com/dgrijalva/jwt-go" + jsoniter "github.com/json-iterator/go" ) const ( @@ -131,7 +133,7 @@ type AccessTokenResponse struct { IDToken string `json:"id_token,omitempty"` } -func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*AccessTokenResponse, *AccessTokenError) { +func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { if setting.OAuth2.InvalidateRefreshTokens { if err := grant.IncreaseCounter(); err != nil { return nil, &AccessTokenError{ @@ -223,7 +225,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac idToken.EmailVerified = app.User.IsActive } - signedIDToken, err = idToken.SignToken(clientSecret) + signedIDToken, err = idToken.SignToken(signingKey) if err != nil { return nil, &AccessTokenError{ ErrorCode: AccessTokenErrorCodeInvalidRequest, @@ -480,12 +482,37 @@ func GrantApplicationOAuth(ctx *context.Context) { func OIDCWellKnown(ctx *context.Context) { t := ctx.Render.TemplateLookup("user/auth/oidc_wellknown") ctx.Resp.Header().Set("Content-Type", "application/json") + ctx.Data["SigningKey"] = oauth2.DefaultSigningKey if err := t.Execute(ctx.Resp, ctx.Data); err != nil { log.Error("%v", err) ctx.Error(http.StatusInternalServerError) } } +// OIDCKeys generates the JSON Web Key Set +func OIDCKeys(ctx *context.Context) { + jwk, err := oauth2.DefaultSigningKey.ToJWK() + if err != nil { + log.Error("Error converting signing key to JWK: %v", err) + ctx.Error(http.StatusInternalServerError) + return + } + + jwk["use"] = "sig" + + jwks := map[string][]map[string]string{ + "keys": { + jwk, + }, + } + + ctx.Resp.Header().Set("Content-Type", "application/json") + enc := jsoniter.NewEncoder(ctx.Resp) + if err := enc.Encode(jwks); err != nil { + log.Error("Failed to encode representation as json. Error: %v", err) + } +} + // AccessTokenOAuth manages all access token requests by the client func AccessTokenOAuth(ctx *context.Context) { form := *web.GetForm(ctx).(*forms.AccessTokenForm) @@ -513,13 +540,25 @@ func AccessTokenOAuth(ctx *context.Context) { form.ClientSecret = pair[1] } } + + signingKey := oauth2.DefaultSigningKey + if signingKey.IsSymmetric() { + clientKey, err := oauth2.CreateJWTSingingKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret)) + if err != nil { + handleAccessTokenError(ctx, AccessTokenError{ + ErrorCode: AccessTokenErrorCodeInvalidRequest, + ErrorDescription: "Error creating signing key", + }) + return + } + signingKey = clientKey + } + switch form.GrantType { case "refresh_token": - handleRefreshToken(ctx, form) - return + handleRefreshToken(ctx, form, signingKey) case "authorization_code": - handleAuthorizationCode(ctx, form) - return + handleAuthorizationCode(ctx, form, signingKey) default: handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnsupportedGrantType, @@ -528,7 +567,7 @@ func AccessTokenOAuth(ctx *context.Context) { } } -func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) { +func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) { token, err := models.ParseOAuth2Token(form.RefreshToken) if err != nil { handleAccessTokenError(ctx, AccessTokenError{ @@ -556,7 +595,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) { log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID) return } - accessToken, tokenErr := newAccessTokenResponse(grant, form.ClientSecret) + accessToken, tokenErr := newAccessTokenResponse(grant, signingKey) if tokenErr != nil { handleAccessTokenError(ctx, *tokenErr) return @@ -564,7 +603,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) { ctx.JSON(http.StatusOK, accessToken) } -func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm) { +func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) { app, err := models.GetOAuth2ApplicationByClientID(form.ClientID) if err != nil { handleAccessTokenError(ctx, AccessTokenError{ @@ -618,7 +657,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm) { ErrorDescription: "cannot proceed your request", }) } - resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, form.ClientSecret) + resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, signingKey) if tokenErr != nil { handleAccessTokenError(ctx, *tokenErr) return diff --git a/routers/web/web.go b/routers/web/web.go index df9efe25d6c5e..2c8a6411a1d10 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -295,6 +295,7 @@ func RegisterRoutes(m *web.Route) { }, ignSignInAndCsrf, reqSignIn) m.Get("/login/oauth/userinfo", ignSignInAndCsrf, user.InfoOAuth) m.Post("/login/oauth/access_token", CorsHandler(), bindIgnErr(forms.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth) + m.Get("/login/oauth/keys", ignSignInAndCsrf, user.OIDCKeys) m.Group("/user/settings", func() { m.Get("", userSetting.Profile) diff --git a/templates/user/auth/oidc_wellknown.tmpl b/templates/user/auth/oidc_wellknown.tmpl index 6b1f8f899c13a..93a048b513da2 100644 --- a/templates/user/auth/oidc_wellknown.tmpl +++ b/templates/user/auth/oidc_wellknown.tmpl @@ -2,11 +2,18 @@ "issuer": "{{AppUrl | JSEscape | Safe}}", "authorization_endpoint": "{{AppUrl | JSEscape | Safe}}login/oauth/authorize", "token_endpoint": "{{AppUrl | JSEscape | Safe}}login/oauth/access_token", + "jwks_uri": "{{AppUrl | JSEscape | Safe}}login/oauth/keys", "userinfo_endpoint": "{{AppUrl | JSEscape | Safe}}login/oauth/userinfo", "response_types_supported": [ "code", "id_token" ], + "id_token_signing_alg_values_supported": [ + "{{.SigningKey.SigningMethod.Alg | JSEscape | Safe}}" + ], + "subject_types_supported": [ + "public" + ], "scopes_supported": [ "openid", "profile", diff --git a/templates/user/dashboard/repolist.tmpl b/templates/user/dashboard/repolist.tmpl index 8ac07e1df63ea..f39d3711d473f 100644 --- a/templates/user/dashboard/repolist.tmpl +++ b/templates/user/dashboard/repolist.tmpl @@ -9,7 +9,7 @@ :more-repos-link="'{{.ContextUser.HomeLink}}'" {{if not .ContextUser.IsOrganization}} :organizations="[ - {{range .ContextUser.Orgs}} + {{range .Orgs}} {name: '{{.Name}}', num_repos: '{{.NumRepos}}'}, {{end}} ]"