From 5a62ae5cbf47cf6537f6c95aba4b1d04dea5f5af Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sat, 19 Oct 2019 15:27:15 +0100
Subject: [PATCH] Add setting to disable BASIC authentication (#8586)

Closes #8561.
---
 custom/conf/app.ini.sample | 6 +++++-
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 4 ++++
 modules/auth/auth.go | 3 +++
 modules/setting/service.go | 2 ++
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index e4e791d4a7e9..c08dd62e7d28 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -436,6 +436,10 @@ ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 REQUIRE_SIGNIN_VIEW = false
 ; Mail notification
 ENABLE_NOTIFY_MAIL = false
+; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password
+; If you set this to false you will not be able to access the tokens endpoints on the API with your password
+; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token
+ENABLE_BASIC_AUTHENTICATION = true
 ; More detail: https://github.com/gogits/gogs/issues/165
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
@@ -866,6 +870,6 @@ TOKEN =
 QUEUE_TYPE = channel
 ; Task queue length, available only when `QUEUE_TYPE` is `channel`.
 QUEUE_LENGTH = 1000
-; Task queue connction string, available only when `QUEUE_TYPE` is `redis`.
+; Task queue connction string, available only when `QUEUE_TYPE` is `redis`.
 ; If there is a password of redis, use `addrs=127.0.0.1:6379 password=123 db=0`.
 QUEUE_CONN_STR = "addrs=127.0.0.1:6379 db=0"
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 0df88c23e862..678f8df2382d 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -265,6 +265,10 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `REQUIRE_SIGNIN_VIEW`: **false**: Enable this to force users to log in to view any page. - `ENABLE_NOTIFY_MAIL`: **false**: Enable this to send e-mail to watchers of a repository when something happens, like creating issues. Requires `Mailer` to be enabled. +- `ENABLE_BASIC_AUTHENTICATION`: **true**: Disable this to disallow authenticaton using HTTP + BASIC and the user's password. Please note if you disable this you will not be able to access the + tokens API endpoints using a password. Further, this only disables BASIC authentication using the + password - not tokens or OAuth Basic. - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication. - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration for reverse authentication.
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 624bb15cbf6e..1ba149f0f875 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -224,6 +224,9 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 	}
 	if u == nil {
+		if !setting.Service.EnableBasicAuth {
+			return nil, false
+		}
 		u, err = models.UserSignIn(uname, passwd)
 		if err != nil {
 			if !models.IsErrUserNotExist(err) {
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 905b1326f78d..dea4081ee870 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -23,6 +23,7 @@ var Service struct {
 	ShowRegistrationButton bool
 	RequireSignInView bool
 	EnableNotifyMail bool
+	EnableBasicAuth bool
 	EnableReverseProxyAuth bool
 	EnableReverseProxyAutoRegister bool
 	EnableReverseProxyEmail bool
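Review bot: The new guard in SignedInUser returns `nil, false` with no trace, so a client that still sends Basic credentials after ENABLE_BASIC_AUTHENTICATION is set to false is indistinguishable, on the server side, from one sending a wrong password. A single trace- or debug-level log line before the `return nil, false`, stating that password-based Basic authentication was rejected because the setting is disabled, would let an operator confirm the feature is working and diagnose client failures after the switch; use whichever logger the file already has in scope. The guard sits correctly inside `if u == nil`, so a credential that was already matched earlier in the function (the token path described in the commit message) is unaffected, which is the documented intent. SignedInUser starts and ends outside the hunk.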
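Review bot: The added field `EnableBasicAuth` carries no comment, and its name reads as though every form of HTTP Basic authentication is switched off, while the sample config in this same commit says only Basic sign-in with the account password is affected and token or OAuth Basic continue to work. A reader of the Service struct will not see the ini file, so a short trailing comment such as `EnableBasicAuth bool // ENABLE_BASIC_AUTHENTICATION: HTTP Basic with the account password only; token and OAuth Basic are unaffected` would pin the scope where the flag is consumed. The Service struct begins and ends outside the hunk.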
@@ -60,6 +61,7 @@ func newService() {
 	Service.EmailDomainWhitelist = sec.Key("EMAIL_DOMAIN_WHITELIST").Strings(",")
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration))
 	Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool()
+	Service.EnableBasicAuth = sec.Key("ENABLE_BASIC_AUTHENTICATION").MustBool(true)
 	Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
 	Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
 	Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool()