Changeset - a89be5fb75d2
default
0 8 0
Mads Kiilerich - 9 years ago 2016-08-12 03:04:48
madski@unity3d.com
hg: drop pointless push_ssl configuration setting - if there is a risk push can be compromised, credentials can also easily be stolen for pull

Everybody should have an ssl-only setup now. Alternatively, there is a use case
for 'only anonymous traffic on ssl - all authentication and authenticated
traffic must be on ssl'. That can be done with proper web server configuration.
8 files changed with 3 insertions and 45 deletions:
kallithea/controllers/admin/settings.py
 
@@ -68,15 +68,12 @@ class SettingsController(BaseController)
 
        for each in ret:
 
            k = each.ui_section + '_' + each.ui_key
 
            v = each.ui_value
 
            if k == 'paths_/':
 
                k = 'paths_root_path'
 

	
 
            if k == 'web_push_ssl':
 
                v = str2bool(v)
 

	
 
            k = k.replace('.', '_')
 

	
 
            if each.ui_section in ['hooks', 'extensions']:
 
                v = each.ui_active
 

	
 
            settings[k] = v
 
@@ -96,15 +93,12 @@ class SettingsController(BaseController)
 
                     errors=errors.error_dict or {},
 
                     prefix_error=False,
 
                     encoding="UTF-8",
 
                     force_defaults=False)
 

	
 
            try:
 
                sett = Ui.get_by_key('web', 'push_ssl')
 
                sett.ui_value = form_result['web_push_ssl']
 

	
 
                if c.visual.allow_repo_location_change:
 
                    sett = Ui.get_by_key('paths', '/')
 
                    sett.ui_value = form_result['paths_root_path']
 

	
 
                #HOOKS
 
                sett = Ui.get_by_key('hooks', Ui.HOOK_UPDATE)
kallithea/lib/base.py
 
@@ -246,26 +246,12 @@ class BaseVCSController(object):
 

	
 
        return True
 

	
 
    def _get_ip_addr(self, environ):
 
        return _get_ip_addr(environ)
 

	
 
    def _check_ssl(self, environ):
 
        """
 
        Checks the SSL check flag and returns False if SSL is not present
 
        and required True otherwise
 
        """
 
        #check if we have SSL required  ! if not it's a bad request !
 
        if str2bool(Ui.get_by_key('web', 'push_ssl').ui_value):
 
            org_proto = environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])
 
            if org_proto != 'https':
 
                log.debug('proto is %s and SSL is required BAD REQUEST !',
 
                          org_proto)
 
                return False
 
        return True
 

	
 
    def _check_locking_state(self, environ, action, repo, user_id):
 
        """
 
        Checks locking on this repository, if locking is enabled and lock is
 
        present returns a tuple of make_lock, locked, locked_by.
 
        make_lock can have 3 states None (do nothing) True, make lock
 
        False release lock, This value is later propagated to hooks, which
kallithea/lib/db_manage.py
 
@@ -421,15 +421,13 @@ class DbManage(object):
 

	
 
    def create_settings(self, path):
 

	
 
        self.create_ui_settings(path)
 

	
 
        ui_config = [
 
            ('web', 'push_ssl', 'false'),
 
            ('web', 'allow_archive', 'gz zip bz2'),
 
            ('web', 'allow_push', '*'),
 
            ('web', 'baseurl', '/'),
 
            ('paths', '/', path),
 
            #('phases', 'publish', 'false')
 
        ]
 
        for section, key, value in ui_config:
 
            ui_conf = Ui()
kallithea/lib/middleware/simplegit.py
 
@@ -63,14 +63,12 @@ def is_git(environ):
 

	
 
class SimpleGit(BaseVCSController):
 

	
 
    def _handle_request(self, environ, start_response):
 
        if not is_git(environ):
 
            return self.application(environ, start_response)
 
        if not self._check_ssl(environ):
 
            return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
 

	
 
        ip_addr = self._get_ip_addr(environ)
 
        username = None
 
        self._git_first_op = False
 
        # skip passing error to error controller
 
        environ['pylons.status_code_redirect'] = True
kallithea/lib/middleware/simplehg.py
 
@@ -68,14 +68,12 @@ def is_mercurial(environ):
 

	
 
class SimpleHg(BaseVCSController):
 

	
 
    def _handle_request(self, environ, start_response):
 
        if not is_mercurial(environ):
 
            return self.application(environ, start_response)
 
        if not self._check_ssl(environ):
 
            return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
 

	
 
        ip_addr = self._get_ip_addr(environ)
 
        username = None
 
        # skip passing error to error controller
 
        environ['pylons.status_code_redirect'] = True
 

	
kallithea/lib/utils.py
 
@@ -362,20 +362,18 @@ def make_ui(read_from='file', path=None,
 
            if ui_.ui_active:
 
                ui_val = safe_str(ui_.ui_value)
 
                log.debug('settings ui from db: [%s] %s=%s', ui_.ui_section,
 
                          ui_.ui_key, ui_val)
 
                baseui.setconfig(safe_str(ui_.ui_section), safe_str(ui_.ui_key),
 
                                 ui_val)
 
            if ui_.ui_key == 'push_ssl':
 
                # force set push_ssl requirement to False, kallithea
 
                # handles that
 
                baseui.setconfig(safe_str(ui_.ui_section), safe_str(ui_.ui_key),
 
                                 False)
 
        if clear_session:
 
            meta.Session.remove()
 

	
 
        # force set push_ssl requirement to False, Kallithea handles that
 
        baseui.setconfig('web', 'push_ssl', False)
 
        baseui.setconfig('web', 'allow_push', '*')
 
        # prevent interactive questions for ssh password / passphrase
 
        ssh = baseui.config('ui', 'ssh', default='ssh')
 
        baseui.setconfig('ui', 'ssh', '%s -oBatchMode=yes -oIdentitiesOnly=yes' % ssh)
 

	
 
    return baseui
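Review bot: The comment kept on the new side above `baseui.setconfig('web', 'push_ssl', False)` still says "Kallithea handles that", yet this changeset removes `_check_ssl` from `BaseVCSController` and the `push_ssl` setting from the controller, form, template and default Ui rows, so after it nothing in Kallithea enforces transport security for vcs operations; the override only keeps Mercurial's own hgweb `push_ssl` check from rejecting pushes that reach the WSGI app over plain http behind a TLS-terminating proxy. I would reword it to `# force Mercurial's push_ssl off: TLS for vcs operations is enforced by the web server in front of Kallithea, not by Kallithea itself`. Existing databases presumably still carry the `('web', 'push_ssl')` Ui row that older `create_settings` versions inserted; the loop above still copies it into `baseui`, and only this unconditional setconfig after the loop keeps it inert, so the two lines must stay after the loop. make_ui begins before this hunk.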
 

	
kallithea/model/forms.py
 
@@ -370,13 +370,12 @@ def ApplicationVisualisationForm():
 

	
 

	
 
def ApplicationUiSettingsForm():
 
    class _ApplicationUiSettingsForm(formencode.Schema):
 
        allow_extra_fields = True
 
        filter_extra_fields = False
 
        web_push_ssl = v.StringBoolean(if_missing=False)
 
        paths_root_path = All(
 
            v.ValidPath(),
 
            v.UnicodeString(strip=True, min=1, not_empty=True)
 
        )
 
        hooks_changegroup_update = v.StringBoolean(if_missing=False)
 
        hooks_changegroup_repo_size = v.StringBoolean(if_missing=False)
kallithea/templates/admin/settings/settings_vcs.html
 
${h.form(url('admin_settings'), method='post')}
 
    <div class="form">
 
        <div class="fields">
 
            <div class="field">
 
                <div class="label label-checkbox">
 
                    <label>${_('Web')}:</label>
 
                </div>
 
                <div class="checkboxes">
 
                    <div class="checkbox">
 
                        ${h.checkbox('web_push_ssl', 'True')}
 
                        <label for="web_push_ssl">${_('Require SSL for vcs operations')}</label>
 
                    </div>
 
                    <span class="help-block">${_('Activate to require SSL both pushing and pulling. If SSL certificate is missing, it will return an HTTP Error 406: Not Acceptable.')}</span>
 
                </div>
 
             </div>
 

	
 
             <div class="field">
 
                <div class="label label-checkbox">
 
                    <label>${_('Hooks')}:</label>
 
                </div>
 
                <div class="checkboxes">
 
                    <div class="checkbox">