Main RocketGit repo
List of commits:
| Subject | Hash | Author | Date (UTC) |
|---|---|---|---|
| Cosmetic changes | d5069178bed9736db02c3233e95564ad7b429e17 | Catalin(ux) M. BOIE | 2018-08-29 21:30:42 |
| tests: added helper for totp enrollment | bad21ca093b427b200b3fbdcf2a2e1dd1820f93a | Catalin(ux) M. BOIE | 2018-08-29 20:59:17 |
| Store the timestamp of the deletion for a repo, not 1 | e761b36efaa37fc3c453e8382127e340bc736bc7 | Catalin(ux) M. BOIE | 2018-06-04 18:00:35 |
| totp: urlencode must be used when building the url for 2fa | f85ea05bf4b456cc0430e78f2705347dc79343ae | Catalin(ux) M. BOIE | 2018-05-29 17:39:06 |
| totp: remove expired entries | 06cd360eff667740bcf8a580447cb86f3c2e6850 | Catalin(ux) M. BOIE | 2018-05-29 17:38:16 |
| Show disk size in users list | 9cc05cb0307cf31d6d2ebacda0846b0774e704d7 | Catalin(ux) M. BOIE | 2017-12-25 08:09:22 |
| Added timeout for ldap bind/search operations | 502fbf1287f1ad37f7c6c82c473c9b472d3fa65a | Catalin(ux) M. BOIE | 2017-11-26 15:46:51 |
| Default uid_attr for ldap is now 'uid' | 6e3993359d506d76ec739dd87fa682eea6b5a3b6 | Catalin(ux) M. BOIE | 2017-11-26 14:57:58 |
| lock cache must not store 'ok' field | 5a600b275fcf50c2df2cb0253a80aa99ae145b0d | Catalin(ux) M. BOIE | 2017-11-26 14:41:33 |
| CURLOPT_SSLCERT must not be provided in newer versions of curl | d14ad10139a9a5f4f59961fbaa3fe371754e806a | Catalin(ux) M. BOIE | 2017-11-26 14:25:32 |
| Newer git, by providing an empty user, will not sent the user. This is bad, switch to using 'guest' user | 0c84bf03fa4ceb3fe4b832c39134116d8cea6105 | Catalin(ux) M. BOIE | 2017-11-26 14:23:11 |
| Fixed edit_no_check's pass field usage | ebd3ff1f73009bcf5943589e19ee8a573d80f6ac | Catalin(ux) M. BOIE | 2017-11-26 14:20:45 |
| Small fix for typos in test runner | a85032bd5854816c8df6e8d23a1817e462a6f31e | Catalin(ux) M. BOIE | 2017-11-26 13:47:18 |
| We must set oversize_diff, even if also_patch is false | c347c23a5ecc022a4354cfa27088fe3db5cddeea | Catalin(ux) M. BOIE | 2017-11-26 13:43:31 |
| Added debug for rg_cache_merge function | 740eb3b5dbd19ff8ab852ff745c4cad4b1b1a4fb | Catalin(ux) M. BOIE | 2017-11-26 13:42:38 |
| Improved a little bit the way the tests are run | c169ce030975bd0580d867a806df9c401a2b38e8 | Catalin(ux) M. BOIE | 2017-11-26 13:42:06 |
| Latest git breaks anonymous push - fix it by using 'guest' user instead of the empty one | b3d1265cc9b44786c0fd7aa2988c5614f62db978 | Catalin(ux) M. BOIE | 2017-11-26 12:39:43 |
| Lots of changes, but mostly LDAP support | 029d34fdc14587b9ef6eb9e87ac36f66caefdacf | Catalin(ux) M. BOIE | 2017-11-24 19:35:59 |
| Fix state bug which triggered a not needed update of the structure | f6118c456bfc960782a53b9dc090046d542f9db9 | Catalin(ux) M. BOIE | 2017-11-24 19:12:38 |
| Some free_result and unlock only if successfully locked | 64666ca1371c004f74376fce2e2a67ee9f608a34 | Catalin(ux) M. BOIE | 2017-10-01 06:10:47 |
Commit d5069178bed9736db02c3233e95564ad7b429e17
- Cosmetic changes
Author: Catalin(ux) M. BOIE
Author date (UTC): 2018-08-29 21:30
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2018-08-29 21:30
Parent(s): bad21ca093b427b200b3fbdcf2a2e1dd1820f93a
Signer:
Signing key:
Signing status: N
Tree: e649e5d3c5b7c0c29fa09746b536a569eb67c193
Author: Catalin(ux) M. BOIE
Author date (UTC): 2018-08-29 21:30
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2018-08-29 21:30
Parent(s): bad21ca093b427b200b3fbdcf2a2e1dd1820f93a
Signer:
Signing key:
Signing status: N
Tree: e649e5d3c5b7c0c29fa09746b536a569eb67c193
| File | Lines added | Lines deleted |
|---|---|---|
| History.txt | 8 | 0 |
| TODO | 88 | 192 |
| compare.csv | 4 | 3 |
| inc/ldap.inc.php | 6 | 3 |
| inc/user.inc.php | 19 | 0 |
| misc/compare.php | 7 | 5 |
| root/themes/default/admin/ldap/edit_ok.html | 1 | 1 |
| root/themes/default/admin/ldap/hints.html | 1 | 1 |
| root/themes/default/admin/ldap/list/header.html | 1 | 1 |
| root/themes/default/admin/ldap/list/line.html | 1 | 1 |
| root/themes/default/admin/settings/web/main.html | 2 | 2 |
| root/themes/default/features/anonpush.html | 1 | 1 |
| root/themes/default/hints/repo/clone_owner.html | 1 | 1 |
| root/themes/default/main.html | 1 | 1 |
| samples/rg.conf | 2 | 2 |
| tests/_run_tests.sh | 2 | 2 |
| tests/ask_pass | 1 | 5 |
| tests/ldap.php | 3 | 13 |
| tests/ldap/prepare.sh | 4 | 2 |
| tests/ldap/start.sh | 1 | 2 |
| tests/log.php | 3 | 2 |
| File History.txt changed (mode: 100644) (index 41c3bdb..f3d8b15) | |||
| 8 | 8 | 2016-02-23 - First merge of a pull request on the dev machine. | 2016-02-23 - First merge of a pull request on the dev machine. |
| 9 | 9 | 2016-02-24 - First unknown (to me) user created an account on rocketgit.com. | 2016-02-24 - First unknown (to me) user created an account on rocketgit.com. |
| 10 | 10 | 2016-04-04 - Announce RocketGit to RLUG (Romanian Linux User Group) (18:33) | 2016-04-04 - Announce RocketGit to RLUG (Romanian Linux User Group) (18:33) |
| 11 | 2018-06-04 - Microsoft buys GitHub | ||
| 12 | Some comments: | ||
| 13 | Rocketgit seems interesting. I saw it mentioned on kernel.org. | ||
| 14 | The site is no-frills for sure it seems, although it is fast. It looks | ||
| 15 | like it's got a lot of nice features, public or private repos, cloud | ||
| 16 | or self hosting, good instructions, etc. There's a comparison to other | ||
| 17 | git solutions at the bottom and features link at the top. The | ||
| 18 | maintainer(s) seem to care about free as in freedom which is nice. | ||
| File TODO changed (mode: 100644) (index 8daa2f2..09a528c) | |||
| 1 | 1 | == Where I stopped last time == | == Where I stopped last time == |
| 2 | [ ] Replace all 'who_nice' open coded stuff with rg_user_nice. | ||
| 3 | [ ] ldap: What should happen when we update plan_id. | ||
| 4 | What about other fields? | ||
| 5 | [ ] ldap: If I remember correctly, the password attribute was editable! | ||
| 6 | [ ] ldap: document what 'Session time' means. | ||
| 7 | Other fields need an explanation also. | ||
| 8 | [ ] Pushing by http but using ssh 2fa feature to unlock an IP is working? | ||
| 9 | Should work? | ||
| 10 | [ ] Test push by http with an empty user! CRITICAL! | ||
| 11 | [ ] scratch_codes table: we should have an 'id' column for deletion. | ||
| 12 | [ ] test: move rg_test_sc_generate into 'totp.inc.php'. | ||
| 13 | [ ] 2fa: test pushing by http(by_http.php)/ssh(?). | ||
| 14 | [ ] Compare: mouse over is not working on touch-screens! | ||
| 15 | [ ] Aug 18 15:10:04 rg2 audit[29395]: AVC avc: denied { map } for pid=29395 comm="git" path="/var/lib/rocketgit/repos/by_id/00/00/00/7B/0000007B/repos/by_id/125.git/objects/pack/pack-dbb7e352e05eec6b15b74679d813897b29fa0b62.idx" dev="dm-0" ino=133117 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:rocketgit_var_t:s0 tclass=file permissive=1 | ||
| 16 | [ ] When pushing/fetching, log also the debug id. | ||
| 17 | [ ] Truncate big descriptions. | ||
| 18 | [ ] report how many repos/users/etc. were removed. | ||
| 19 | [ ] Investigate WWW-Authenticate HTTP header. | ||
| 20 | [ ] ldap: delete a server: we must not have a user in 'users', without | ||
| 21 | a uid in ldap_cache: maybe a transaction needed? | ||
| 22 | Why? Because we will not delete that user! | ||
| 23 | When I delete a server, I have to ask the user if s/he wants to delete | ||
| 24 | also the users in 'users' table. | ||
| 2 | 25 | [ ] ldap: func test when ldap_password changes, but we have the user inserted | [ ] ldap: func test when ldap_password changes, but we have the user inserted |
| 3 | 26 | in 'users' | in 'users' |
| 4 | 27 | [ ] Will the moving of user_edit_no_check call into ldap would simplify code? | [ ] Will the moving of user_edit_no_check call into ldap would simplify code? |
| 28 | [ ] ldap: ldap_cache.prio is needed?! Not anymore! | ||
| 29 | [ ] ldap: editing a server: | ||
| 30 | - I have to update the plan_id for all users in 'users' table, if different. | ||
| 31 | - if admin changes 'uid_attr', I have to set 'username' to '', to signal the | ||
| 32 | invalidation of the entry. | ||
| 33 | Take care of the cache! Invalidate it! | ||
| 5 | 34 | [ ] Can I update users.plan_id on demand, when user logs in? | [ ] Can I update users.plan_id on demand, when user logs in? |
| 6 | 35 | No, because the statistics are not good! | No, because the statistics are not good! |
| 7 | 36 | [ ] If we change the 'uid' attribute, we must invalidate the whole cache. | [ ] If we change the 'uid' attribute, we must invalidate the whole cache. |
| 8 | But, we cannot delete anything. We need the link between uuid and uid. | ||
| 37 | But, we cannot delete anything. We need the link between ldap_cache and users. | ||
| 9 | 38 | Just mark it as unavailable. | Just mark it as unavailable. |
| 10 | 39 | [ ] Recover password must be enabled for ldap users? | [ ] Recover password must be enabled for ldap users? |
| 11 | 40 | [ ] 'deleted' field must be respected by ldap? | [ ] 'deleted' field must be respected by ldap? |
| 12 | 41 | If admin blocks/deletes/suspends an ldap account, what should we do? | If admin blocks/deletes/suspends an ldap account, what should we do? |
| 42 | I think I must respect it. | ||
| 13 | 43 | [ ] I think I should not allow the login by e-mail! If user can change the | [ ] I think I should not allow the login by e-mail! If user can change the |
| 14 | 44 | e-mail in LDAP, I have a problem. I think I can keep it. | e-mail in LDAP, I have a problem. I think I can keep it. |
| 15 | 45 | The password must match. Check! | The password must match. Check! |
| 16 | 46 | What about recovering e-mail? | What about recovering e-mail? |
| 17 | 47 | [ ] memberof must be stored in ldap_cache. | [ ] memberof must be stored in ldap_cache. |
| 18 | [ ] rg_ldap_session_time to be set by the ldap server add form. | ||
| 19 | 48 | [ ] Password must be sent encrypted from ldap_cache to 'users' (update_no_check)). | [ ] Password must be sent encrypted from ldap_cache to 'users' (update_no_check)). |
| 20 | [ ] When getting data from cache, I have to populate correctly the $ui. | ||
| 21 | It is a valid case for replication: we will have entries in | ||
| 22 | ldap_cache with 'uid' 0. | ||
| 23 | 49 | [ ] ldap: we do not have the membership and we cannot extract is_admin. | [ ] ldap: we do not have the membership and we cannot extract is_admin. |
| 24 | Probably other fields. | ||
| 25 | [ ] ldap: ce se intimpla daca schimb cimpul 'uid'? Sa permit asta? | ||
| 26 | Probably I have to clean the cache. | ||
| 27 | Because I do not store all fields in cache and the new uid field | ||
| 28 | probably is missing. Maybe I should test if the field is present and | ||
| 29 | do not delete the cache? Neh... But, if I delete the cache, I lose | ||
| 30 | the links between 'users' and ldap_cache! | ||
| 31 | Mark the ldap_cache entries as 'stalled' and use them only to link to | ||
| 32 | uid? | ||
| 33 | [ ] ldap: default for uid_attr is uid? | ||
| 50 | Probably other fields. Not clear. | ||
| 34 | 51 | [ ] ldap: what rights should I give for users added by ldap? | [ ] ldap: what rights should I give for users added by ldap? |
| 52 | Is still needed to have rights in users? | ||
| 35 | 53 | [ ] Pass also the ldap server info, next to 'post', to be able to update | [ ] Pass also the ldap server info, next to 'post', to be able to update |
| 36 | 54 | plan_id. | plan_id. |
| 37 | [ ] ldap: ldap_login: user not found in cache, binding is ok, we are at the | ||
| 38 | end of the function. We should store $ui in cache, but we do not have | ||
| 39 | the users.uid! What to do?! Should I return $ui and insert the user | ||
| 40 | in users and call a callback to update the cache because we have the | ||
| 41 | users.uid? Should it be in a transaction? | ||
| 42 | So login_by_user_pass | ||
| 43 | try to find in in users.db | ||
| 44 | if not found | ||
| 45 | try to search it in ldap_cache | ||
| 46 | if not found | ||
| 47 | search on ldap server | ||
| 48 | if found | ||
| 49 | return $ui | ||
| 50 | now, we have $ui, but the uid may be 0 | ||
| 51 | if 0 | ||
| 52 | insert the new user in database | ||
| 53 | call a callback to update ldap_cache with the | ||
| 54 | uid. | ||
| 55 | should not be in transaction, because next | ||
| 56 | time we will return without uid and we will do | ||
| 57 | an insert into db. NOT GOOD! We must not | ||
| 58 | duplicate users (anyway, it wouldn't work). | ||
| 59 | So, we need a transaction. But, what happends | ||
| 60 | when we delete stuff from the ldap_cache?! | ||
| 61 | Should we mark the users as deleted? | ||
| 62 | Should I use the uuid to not update ldap_cache? | ||
| 63 | |||
| 64 | If I do link 'users' and 'ldap_cache' by uid: | ||
| 65 | I have to call a 'post' callback, in a transaction to also update ldap_cache.uid | ||
| 66 | Nope. Cannot work. Another login will try to insert the same username. | ||
| 67 | Transactions cannot help! | ||
| 68 | |||
| 69 | CPU1 CPU2 | ||
| 70 | SELECT FROM users WHERE username = ... | ||
| 71 | SELECT FROM ldap_cache (not found) | ||
| 72 | SELECT FROM users WHERE username = ... | ||
| 73 | SELECT FROM ldap_cache (not found) | ||
| 74 | INSERT INTO users (ok) | ||
| 75 | INSERT INTO users (fail) | ||
| 76 | |||
| 77 | If I link them by uuid: | ||
| 78 | - No 'post' hook needed | ||
| 79 | - At login time, ldap_cache will give the uuid and I have to | ||
| 80 | search by it in users table. Ugly. | ||
| 81 | For both, I have to update users.username field if different. Event? | ||
| 82 | |||
| 83 | I can use an advisory lock. | ||
| 84 | |||
| 85 | Let's see what happens if I link by uuid: | ||
| 86 | first login: ldap_cache is emty | ||
| 87 | ldap_login is called | ||
| 88 | cache is empty, so I continue | ||
| 89 | bind correctly in ldap | ||
| 90 | insert into ldap_cache(..., uuid, ...) | ||
| 91 | return $ui with everything from ldap | ||
| 92 | insert into users with external_id = uuid | ||
| 93 | second login: ldap_cache has the user now | ||
| 94 | ldap_login is called | ||
| 95 | found in users | ||
| 96 | third login: users entry expired | ||
| 97 | found in users but is expired | ||
| 98 | ldap_login is called | ||
| 99 | return $ui with everything from ldap_cache | ||
| 100 | |||
| 101 | CPU1 CPU2 CPU3 | ||
| 102 | SELECT FROM users (by username/pass) | ||
| 103 | SELECT FROM users (by username/pass) | ||
| 104 | SELECT FROM ldap_cache (by ?) (not found) | ||
| 105 | ldap_bind & co. | ||
| 106 | SELECT FROM ldap_cache (not found) | ||
| 107 | ldap_bind & co. | ||
| 108 | LOCK ldap_cache | ||
| 109 | LOCK ldap_cache | ||
| 110 | SELECT FROM ldap_cache (not found) | ||
| 111 | INSERT INTO users (ok) - to find the uid; nobody can do it concurrently! | ||
| 112 | INSERT INTO ldap_cache (...uid/uuid...) | ||
| 113 | UNLOCK ldap_cache | ||
| 114 | SELECT FROM ldap_cache (found) SELECT FROM users (by username/pass) (expired) | ||
| 115 | SELECT FROM ldap_cache (found) | ||
| 116 | UNLOCK ldap_cache | ||
| 117 | |||
| 118 | I should try to do a select in ldap_cache, if not found lock the table, | ||
| 119 | do again the select in ldap_cache (someone may insert between select and lock). | ||
| 120 | So, if found in cache, I will not lock the table. | ||
| 121 | One problem: I should not do the bind with the lock taken. Fixed. | ||
| 122 | |||
| 123 | If I use uuid, when the ldap_cache returns something, I have to do | ||
| 124 | a select in db after uuid to obtain the entry! | ||
| 125 | Another query, another index... | ||
| 126 | |||
| 127 | What if I would insert into ldap_cache, under lock and then return? | ||
| 128 | Then, two threads will try to insert into 'users'! | ||
| 129 | |||
| 130 | What if I link 'users' and 'ldap_cache' by username?! | ||
| 131 | |||
| 132 | === New plan: ignore 'duplicate unique' errors === | ||
| 133 | CPU1 | ||
| 134 | SELECT FROM users (by username/pass) (not found / expired) | ||
| 135 | SELECT FROM ldap_cache (by mail/ldap_uid/cn) (not found / expired) | ||
| 136 | contact ldap server (binding/search) | ||
| 137 | INSERT INTO ldap_cache (...uid/uuid...) | ||
| 138 | INSERT INTO users (ok) - to find the uid; ignore error | ||
| 139 | apelez un callback care face update la ldap_cache.uid? | ||
| 140 | |||
| 141 | Pot insera in cache prima data (ce se intimpla daca e deja? update?) | ||
| 142 | Problema e ca e posibil sa nu gasesc row-ul in 'users' ca | ||
| 143 | sa-i fac update si inserez unul nou. Ar trebui sa-l caut mai | ||
| 144 | intii. As putea face update si daca nu merge sa fac insert. | ||
| 145 | Dar, la update, ce WHERE folosesc? external_id? | ||
| 146 | |||
| 147 | 55 | [ ] ldap: we may want to check AuthLDAPGroupAttributeIsDN from apache. | [ ] ldap: we may want to check AuthLDAPGroupAttributeIsDN from apache. |
| 148 | 56 | [ ] ldap: should we have a 'source' field in users table to signal from where | [ ] ldap: should we have a 'source' field in users table to signal from where |
| 149 | 57 | the user come from (web, ldap etc.)? | the user come from (web, ldap etc.)? |
| 150 | 58 | [ ] ldap: When updating a server prio, we have to update also the ldap_cache | [ ] ldap: When updating a server prio, we have to update also the ldap_cache |
| 151 | 59 | table. Should I use a JOIN to get rid of ldap_cache.prio? | table. Should I use a JOIN to get rid of ldap_cache.prio? |
| 152 | 60 | [ ] ldap: Do not store password in clear in database! | [ ] ldap: Do not store password in clear in database! |
| 153 | [ ] ldap: add a timeout for every server. | ||
| 154 | [ ] ldap: gather all sync stuff and commit in the end for sync=ro? | ||
| 155 | 61 | [ ] ldap: take care to not allow logins as admins if the group name is user | [ ] ldap: take care to not allow logins as admins if the group name is user |
| 156 | 62 | controlled. Should we use ^/$ by default? | controlled. Should we use ^/$ by default? |
| 157 | 63 | [ ] ldap: https://github.com/thorin/redmine_ldap_sync | [ ] ldap: https://github.com/thorin/redmine_ldap_sync |
| 159 | 65 | [ ] ldap: how to specify if an account is disabled? Some regex needed? | [ ] ldap: how to specify if an account is disabled? Some regex needed? |
| 160 | 66 | [ ] ldap: server settings: select between one level or subtree. | [ ] ldap: server settings: select between one level or subtree. |
| 161 | 67 | [ ] ldap: what indexes are needed for ldap_* tables? | [ ] ldap: what indexes are needed for ldap_* tables? |
| 162 | [ ] ldap: Remember, I may have the full ldap db in ldap_cache table, | ||
| 163 | without a link with uid! When a ldap users login for the first time, | ||
| 164 | I can do the link (store uid in ldap_cache table). | ||
| 165 | [ ] ldap: I have to learn entryUUID now! | ||
| 166 | [ ] ldap: when a user logins, she/he uses the e-mail, or uid or something | ||
| 167 | decided by LDAP admin. | ||
| 168 | I have to identify the user in 'users'. How can I? | ||
| 169 | With a table containing: | ||
| 170 | server_id [3] - to be able to remove a server or to not have clashes? | ||
| 171 | uid [55] - may be 0 if the user did not logged in yet | ||
| 172 | ldap_uid [catalinux] | ||
| 173 | userPassword [] - we must be able to decrypt it using the same algo | ||
| 174 | sn | ||
| 175 | givenName | ||
| 176 | gidNumber | ||
| 177 | entryUUID [12345-12345-12345-12345-12345] | ||
| 178 | - to be used when sync data | ||
| 179 | mail [catalinux@rocketgit.com] | ||
| 180 | Do not forget about the groups! | ||
| 181 | When a user connects, I need to search by one of the ldap attributes | ||
| 182 | to obtain the uid, then: | ||
| 183 | if password is not valid, search next entry. | ||
| 184 | if ldap_cache.uid == 0, insert a new entry in 'users' table and update ldap_cache.uid | ||
| 185 | if ldap_cache.uid != 0, we have the uid | ||
| 186 | Can we optimize the search? | ||
| 187 | [] We should try another entry/server if the password does not match. | ||
| 188 | [ ] ldap: somehow delete old ldap servers. Also from cache. | ||
| 189 | [ ] ldap: test: login by email. | ||
| 190 | [ ] ldap: user logins by DN, and, of course, I cannot find it in the database. | ||
| 191 | I have to search for it based on entryUUID. | ||
| 192 | [ ] ldap: now the dilemma is how to add a user from inside ldap_login function! | ||
| 193 | Should we return a special flag which instructs the login function | ||
| 194 | to add the user? | ||
| 195 | [ ] ldap: what plan should have the users? Select it when adding the servers. | ||
| 196 | What if the plan is gone? Use the first one and notify admin? | ||
| 197 | [ ] ldap: now, what field will be the future username in db? uid? Configurable? | ||
| 198 | [ ] ldap: admin: add servers | ||
| 199 | Should we have a daemon to sync with the ldap server? | ||
| 200 | [ ] When upgrading and cache was not up, on rocketgit.com, logged in as admin | ||
| 201 | it asked about initial account! This is not good! | ||
| 68 | [ ] ldap: tests?: somehow delete old ldap servers. Also from cache. | ||
| 202 | 69 | [ ] 'meronos' user is with lower 'm', but in the /var/lib/rocketgit/repos/ | [ ] 'meronos' user is with lower 'm', but in the /var/lib/rocketgit/repos/ |
| 203 | 70 | folder is with bigger M! Does he renamed the user and I did not updated | folder is with bigger M! Does he renamed the user and I did not updated |
| 204 | 71 | the link? | the link? |
| 219 | 86 | [ ] Allow download of files in the repo. | [ ] Allow download of files in the repo. |
| 220 | 87 | [ ] Username must not contain '::' to not break cache! | [ ] Username must not contain '::' to not break cache! |
| 221 | 88 | Hm. Any string containing :: is at risk?! Or the = makes the diff? | Hm. Any string containing :: is at risk?! Or the = makes the diff? |
| 222 | [ ] Plan for LDAP sync: | ||
| 223 | Should I have a different password in 'users' table for backup? | ||
| 224 | I have to create the users. | ||
| 225 | I have to take it step by step: | ||
| 226 | All posible LDAP servers are verified by priority | ||
| 227 | All servers have some flags (or a single) type: | ||
| 228 | - if a direct connection is made (with or without cache) | ||
| 229 | - if ro repl is used | ||
| 230 | - if rp repl is used | ||
| 231 | But, all may be used. ro/rp replications are pretty the same. | ||
| 232 | Direct connection should be used if anything fails. | ||
| 233 | The cache may be used only if admin decided on how many seconds | ||
| 234 | a cache is valid. | ||
| 235 | ro/rp repl should populate the cache only - a user must | ||
| 236 | not be created in db if the user did not login. | ||
| 237 | So, a user tries to login: | ||
| 238 | - check database - first time the user is not there | ||
| 239 | Second time? | ||
| 240 | Should we mark the entry as being ldap? | ||
| 241 | - go to ldap function | ||
| 242 | - select in ldap cache table if a user is matching (order prio) | ||
| 243 | - if not found, do a direct lookup | ||
| 244 | - update the database? | ||
| 245 | We must insert into database to obtain the uid. | ||
| 246 | The sync process will update the database if needed (entryUUID). | ||
| 89 | [ ] Re-test totp urlencode text | ||
| 90 | [ ] Feb 16 05:59:01 r1.embedromix.ro crond[21105]: pam_systemd(crond:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions. | ||
| 91 | [ ] Why php-fpm is active on rg2?! | ||
| 92 | [ ] When doing opertions, log also the date/time, to be able to easily find | ||
| 93 | user copy/pasterd errors. | ||
| 94 | [ ] 2 users, 1 private repo, granted Access rights, but no 'refs' rights. | ||
| 95 | Trying to clone the repo by the non-owner, gives an errors as repo | ||
| 96 | does not exists! This is not correct. The user must know that the repo | ||
| 97 | is there because of the 'Access' rights. So, improve the error message! | ||
| 98 | [ ] | ||
| 247 | 99 | ||
| 248 | 100 | == BEFORE NEXT RELEASE == | == BEFORE NEXT RELEASE == |
| 101 | [ ] Sec: must read https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-zheng-updated.pdf | ||
| 102 | [ ] Allow authentication by certificate. | ||
| 103 | [ ] passwords: we need multiple round of hashing. | ||
| 104 | [ ] sess: do not store the cookie in clear, but hashed. | ||
| 105 | [ ] ldap: if user is deleted from ldap, destroy all sessions. | ||
| 106 | [ ] When we are on /user/X page, do not show the username in the first column. | ||
| 107 | [ ] Zebra for tables! | ||
| 108 | tr:nth-child(even) { | ||
| 109 | background-color: #f2f2f2 | ||
| 110 | } | ||
| 111 | [ ] Should I allow duplicate e-mails? | ||
| 112 | [ ] Limit CI disk space and report such errors | ||
| 113 | [ ] https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence | ||
| 114 | [ ] ldap: add tags based on some fields and use the tags in filtering/etc. | ||
| 115 | [ ] totp: we check 2 in the past! Do we test if a past one was not already used? | ||
| 116 | [ ] Investigate: 'add_header X-Content-Type-Options nosniff;' | ||
| 117 | [ ] Let admin/user what tls protocols are accepted. | ||
| 118 | [ ] Basic e-mail validation at sign-up. | ||
| 119 | [ ] Cache http password | ||
| 120 | http://stackoverflow.com/questions/5343068/ddg#5343146 | ||
| 121 | [ ] Add bitbucket into comparison. | ||
| 122 | Version 5.6.2 has 268MiB! Nice! Not! | ||
| 123 | [ ] Rights for login: control IP/time/2fa/etc. | ||
| 124 | [ ] Add possibility to revert a push if the test fails. | ||
| 125 | Or test the push first and then commit if passed. | ||
| 126 | [ ] Add pahole as a checker for the binaries. Next to cppcheck. | ||
| 127 | [ ] In Admin -> Users, show also the size. | ||
| 128 | Also, we need sorting. | ||
| 129 | [ ] Add webhook for mastodon (fedrated microblogging) | ||
| 130 | [ ] Limit resources for a git process (for example how many threads for gc). | ||
| 131 | [ ] https://letsencrypt.org/become-a-sponsor/ | ||
| 132 | [ ] Use 'tr:nth-child(2n) { ... } + tr:nth-child(2n + 1) { ... } for stripes. | ||
| 133 | [ ] Run test wh_http on CentOS / Debian! The client side cert test may fail. | ||
| 134 | Generic, run the functional tests also on other OSes. | ||
| 135 | [ ] ldap: gather all sync stuff and commit in the end for sync=ro? | ||
| 136 | [ ] ldap: The cache may be used only if admin decided on how many seconds | ||
| 137 | a cache is valid. | ||
| 138 | [ ] ldap: What if the plan is gone? Use the first one and notify admin? | ||
| 139 | Or prevent the deletion if is used? | ||
| 140 | [ ] ldap: after switching to C, add support for replication (both ro and rp). | ||
| 141 | ro/rp repl should populate the cache only - a user must | ||
| 142 | not be created in db if the user did not login. | ||
| 143 | [ ] Seems I do not respect users.rights field. | ||
| 144 | [ ] Split 'C' user right into 'create public repo' and 'createprivate repo'. | ||
| 249 | 145 | [ ] Add compression for JS/CSS. Think about enabling compression for html, | [ ] Add compression for JS/CSS. Think about enabling compression for html, |
| 250 | 146 | but, implement some randomization on content to defend against BREACH. | but, implement some randomization on content to defend against BREACH. |
| 251 | 147 | For CSRF tokens there is a simple and effective defence, which is to randomize the token by masking it with a different (random) value on every response. The masking does not hide the token (whoever has the token can easily reverse the masking), but it does defeat the attack technique. Guessing is impossible when the secret is changing all the time. Thus, we can expect that most frameworks will adopt this technique. Those who rely on frameworks will only need to upgrade to take advantage of the defence. Those who don’t will have to fix their code. | For CSRF tokens there is a simple and effective defence, which is to randomize the token by masking it with a different (random) value on every response. The masking does not hide the token (whoever has the token can easily reverse the masking), but it does defeat the attack technique. Guessing is impossible when the secret is changing all the time. Thus, we can expect that most frameworks will adopt this technique. Those who rely on frameworks will only need to upgrade to take advantage of the defence. Those who don’t will have to fix their code. |
| File compare.csv changed (mode: 100644) (index f595a9b..0da219f) | |||
| 1 | 1 | "Features / Product","RocketGit","Gitlab CE","GitHub","gitolite","Pagure.io","Gogs.io" | "Features / Product","RocketGit","Gitlab CE","GitHub","gitolite","Pagure.io","Gogs.io" |
| 2 | 2 | "[Legal]",,,,,, | "[Legal]",,,,,, |
| 3 | 3 | "License","Affero GPLv3+/#0f0","MIT/#0f0","Proprietary/#f00","GPLv2/#0f0","GPLv2 or later/#0f0","MIT/#0f0" | "License","Affero GPLv3+/#0f0","MIT/#0f0","Proprietary/#f00","GPLv2/#0f0","GPLv2 or later/#0f0","MIT/#0f0" |
| 4 | "Developers keep copyright when contributing {This is about contributing to the Git hosting project, not about projects hosted inside. Signing/agreeing a Contributor Licence Agreement (CLA) is very bad for free software.}","Yes","No","n/a/#f00","Yes","Yes","?" | ||
| 4 | "Developers keep copyright when contributing {This is about contributing to the Git hosting project, not about projects hosted inside. Signing/agreeing a Contributor Licence Agreement (CLA) is very bad for free software.}","Yes","Yes?","n/a/#f00","Yes","Yes","?" | ||
| 5 | 5 | "GNU Ethical Repository Criteria Evaluations (see 3)","A (-A4, +A+0, +A+1, +A+2, +A+5)/#0f0","C/#f00","F/#f00","?","A?/#0f0","?" | "GNU Ethical Repository Criteria Evaluations (see 3)","A (-A4, +A+0, +A+1, +A+2, +A+5)/#0f0","C/#f00","F/#f00","?","A?/#0f0","?" |
| 6 | 6 | ,,,,,, | ,,,,,, |
| 7 | 7 | "[Features]",,,,,, | "[Features]",,,,,, |
| 8 | 8 | "Easy installation {How easy can you install the software on your server?}","Yes","Yes","Yes?","Yes","Yes","Yes" | "Easy installation {How easy can you install the software on your server?}","Yes","Yes","Yes?","Yes","Yes","Yes" |
| 9 | 9 | "SELinux policy {SELinux is an application firewall used to improve the security}","Yes","No","?","not needed/#0f0","?","?" | "SELinux policy {SELinux is an application firewall used to improve the security}","Yes","No","?","not needed/#0f0","?","?" |
| 10 | "Distro friendly {Is a 'yum/dnf/apt-get/etc. update' is enough to update the software? Is it free of a inner package manager?}","Yes","No (see 1)","No (see 1)","Yes","Yes?","Yes?" | ||
| 10 | "Distro friendly {Is a 'yum/dnf/apt-get/etc. update' enough to update the software? Is it free of a inner package manager?}","Yes","No (see 1)","No (see 1)","Yes","Yes?","Yes?" | ||
| 11 | 11 | "Bug tracker","Yes","Yes","Yes","No","Yes","?" | "Bug tracker","Yes","Yes","Yes","No","Yes","?" |
| 12 | "CLI commands (SSH) {Allow SSH commands to show the list of repositories show a repo status etc.}","Yes","No","?","?","?","?" | ||
| 12 | "CLI commands (SSH) {Allow SSH commands to show the list of repositories, show a repo status etc.}","Yes","No","?","?","?","?" | ||
| 13 | 13 | "API","Yes","Yes","Yes","?","Yes","?" | "API","Yes","Yes","Yes","?","Yes","?" |
| 14 | 14 | "Anonymous push {With no user created, clone, make changes, will push result in a merge request, making it super easy to contribute to a project?}","Yes","No","No","No?","No","?" | "Anonymous push {With no user created, clone, make changes, will push result in a merge request, making it super easy to contribute to a project?}","Yes","No","No","No?","No","?" |
| 15 | 15 | "Languages available (i18n)",1,"?","?",1,"?",14 | "Languages available (i18n)",1,"?","?",1,"?",14 |
| 55 | 55 | "Page speed: Desktop","96/#0f0","?","81/#0f0","n/a","64/#f00","26/#f00" | "Page speed: Desktop","96/#0f0","?","81/#0f0","n/a","64/#f00","26/#f00" |
| 56 | 56 | "CSS size","9KiB/#0f0","250KiB/#f00","560KiB/#f00","n/a","130KiB/#0f0","520KiB/#f00" | "CSS size","9KiB/#0f0","250KiB/#f00","560KiB/#f00","n/a","130KiB/#0f0","520KiB/#f00" |
| 57 | 57 | "JS size","0KiB/#0f0","1170KiB/#f00","670KiB/#f00","n/a","450KiB/#f00","350KiB/#f00" | "JS size","0KiB/#0f0","1170KiB/#f00","670KiB/#f00","n/a","450KiB/#f00","350KiB/#f00" |
| 58 | "Runtime memory footprint","?","?","?","?","?","?" | ||
| 58 | 59 | ,,,,,, | ,,,,,, |
| 59 | 60 | "[Notes]",,,,,, | "[Notes]",,,,,, |
| 60 | 61 | "*","1) It has a not standard package manager; upgrading distro does not update the git software (pip, gem etc.). Or is a big archive including packages already found in the distribution.",,,,, | "*","1) It has a not standard package manager; upgrading distro does not update the git software (pip, gem etc.). Or is a big archive including packages already found in the distribution.",,,,, |
| File inc/ldap.inc.php changed (mode: 100644) (index ebb2c98..cd53f91) | |||
| ... | ... | function rg_ldap_cosmetic_row($db, &$row) | |
| 34 | 34 | $pi = rg_plan_info($db, $row['plan_id']); | $pi = rg_plan_info($db, $row['plan_id']); |
| 35 | 35 | if ($pi['exists'] == 1) | if ($pi['exists'] == 1) |
| 36 | 36 | $row['plan'] = $pi['name']; | $row['plan'] = $pi['name']; |
| 37 | else if ($pi['ok'] == 1) | ||
| 38 | $row['plan'] = 'Plan ' . $row['plan_id'] . ' not found!'; | ||
| 37 | 39 | else | else |
| 38 | $row['plan'] = 'Error!'; | ||
| 40 | $row['plan'] = rg_plan_error(); | ||
| 41 | |||
| 42 | $row['who_nice'] = rg_user_nice($db, $row['who']); | ||
| 39 | 43 | } | } |
| 40 | 44 | ||
| 41 | 45 | /* | /* |
| ... | ... | function rg_ldap_add_high_level($db, $rg, $op, $paras) | |
| 604 | 608 | break; | break; |
| 605 | 609 | } | } |
| 606 | 610 | ||
| 607 | $ret .= rg_template('admin/ldap/edit_ok.html', | ||
| 608 | $rg, TRUE /*xss*/); | ||
| 611 | $ret .= rg_template('admin/ldap/edit_ok.html', $rg, TRUE /*xss*/); | ||
| 609 | 612 | ||
| 610 | 613 | $show_form = FALSE; | $show_form = FALSE; |
| 611 | 614 | break; | break; |
| File inc/user.inc.php changed (mode: 100644) (index 0161435..4be234c) | |||
| ... | ... | function rg_user_over_limit($db, $ui, &$max) | |
| 1774 | 1774 | return FALSE; | return FALSE; |
| 1775 | 1775 | } | } |
| 1776 | 1776 | ||
| 1777 | /* | ||
| 1778 | * Always returns a nice text representation of the uid, even if invalid. | ||
| 1779 | */ | ||
| 1780 | function rg_user_nice($db, $uid) | ||
| 1781 | { | ||
| 1782 | if ($uid == 0) | ||
| 1783 | return 'anonymous'; | ||
| 1784 | |||
| 1785 | $ui = rg_user_info($db, $uid, '', ''); | ||
| 1786 | if ($ui['exists'] == 1) | ||
| 1787 | return $ui['username']; | ||
| 1788 | |||
| 1789 | return 'n/a'; | ||
| 1790 | } | ||
| 1791 | |||
| 1792 | |||
| 1777 | 1793 | /* | /* |
| 1778 | 1794 | * High level functions | * High level functions |
| 1779 | 1795 | */ | */ |
| ... | ... | function rg_process_input($content_length, $content_encoding, &$err) | |
| 2180 | 2196 | */ | */ |
| 2181 | 2197 | function rg_user_http_git($db, $rg, $paras) | function rg_user_http_git($db, $rg, $paras) |
| 2182 | 2198 | { | { |
| 2199 | global $rg_log_sid; | ||
| 2200 | |||
| 2183 | 2201 | rg_prof_start('user_http_git'); | rg_prof_start('user_http_git'); |
| 2184 | 2202 | rg_log_enter('user_http_git'); | rg_log_enter('user_http_git'); |
| 2185 | 2203 | ||
| ... | ... | function rg_user_http_git($db, $rg, $paras) | |
| 2257 | 2275 | } | } |
| 2258 | 2276 | ||
| 2259 | 2277 | $host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : ''; | $host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : ''; |
| 2278 | // TODO: not clear if passing here login_ui is correct | ||
| 2260 | 2279 | $r = rg_repo_fetch_push_helper($db, $host, $rg['ip'], | $r = rg_repo_fetch_push_helper($db, $host, $rg['ip'], |
| 2261 | 2280 | $rg['login_ui'], $prefix, $user, $repo, $service); | $rg['login_ui'], $prefix, $user, $repo, $service); |
| 2262 | 2281 | rg_log_ml('DEBUG: repo_fetch_push_helper returns: ' . print_r($r, TRUE)); | rg_log_ml('DEBUG: repo_fetch_push_helper returns: ' . print_r($r, TRUE)); |
| File misc/compare.php changed (mode: 100644) (index 4c102b3..5f49399) | |||
| ... | ... | if (!$out) | |
| 100 | 100 | ||
| 101 | 101 | fwrite($out, '<div class="main_title">Git hosting solutions comparison</div>' . "\n"); | fwrite($out, '<div class="main_title">Git hosting solutions comparison</div>' . "\n"); |
| 102 | 102 | fwrite($out, '<div>' | fwrite($out, '<div>' |
| 103 | . '<b>Notes</b>:<br />' | ||
| 103 | . '<i>' . "\n" | ||
| 104 | . '- This document was generated on ' . gmdate('Y-m-d') . '.<br />' . "\n" | ||
| 104 | 105 | . '- To contribute to this document, just e-mail us to' | . '- To contribute to this document, just e-mail us to' |
| 105 | 106 | . ' in@rocketgit.com or clone the RocketGit' | . ' in@rocketgit.com or clone the RocketGit' |
| 106 | 107 | . ' <a href="https://rocketgit.com/user/catalinux/rocketgit">repository</a>' | . ' <a href="https://rocketgit.com/user/catalinux/rocketgit">repository</a>' |
| 107 | . ', make changes and push them.<br />' | ||
| 108 | . '- Move mouse over features field for more information.' | ||
| 108 | . ', make changes and push them.<br />' . "\n" | ||
| 109 | . '- Move the mouse over the features field for more information.' | ||
| 110 | . '</i>' . "\n" | ||
| 109 | 111 | . '</div>' . "\n"); | . '</div>' . "\n"); |
| 110 | 112 | fwrite($out, '<table class="compare">' . "\n"); | fwrite($out, '<table class="compare">' . "\n"); |
| 111 | 113 | ||
| ... | ... | while (($line = fgetcsv($h)) !== FALSE) { | |
| 158 | 160 | $q = strpos($f, '}'); | $q = strpos($f, '}'); |
| 159 | 161 | $baloon = trim(substr($f, $p + 1, $q - $p - 1)); | $baloon = trim(substr($f, $p + 1, $q - $p - 1)); |
| 160 | 162 | $newf = trim(substr($f, 0, $p)); | $newf = trim(substr($f, 0, $p)); |
| 161 | $f = '<span title="' . rg_xss_safe($baloon) . '">' | ||
| 162 | . $newf . '</span>'; | ||
| 163 | $f = $newf . ' <span title="' . rg_xss_safe($baloon) | ||
| 164 | . '">?</span>'; | ||
| 163 | 165 | } | } |
| 164 | 166 | } else if (strstr($f, '/#')) { | } else if (strstr($f, '/#')) { |
| 165 | 167 | $t = explode('/#', $f); | $t = explode('/#', $f); |
| File root/themes/default/admin/ldap/edit_ok.html changed (mode: 100644) (index fa13532..0db0b01) | |||
| 1 | 1 | <div class="mess ok"> | <div class="mess ok"> |
| 2 | Configuration has been successfully saved. | ||
| 2 | LDAP server has been successfully added/edited. | ||
| 3 | 3 | </div> | </div> |
| File root/themes/default/admin/ldap/hints.html changed (mode: 100644) (index 7f9de23..3972356) | |||
| ... | ... | If you want to use <a href="https://en.wikipedia.org/wiki/Lightweight_Directory_ | |
| 3 | 3 | for users and groups, here you can add the servers and their parameters.<br /> | for users and groups, here you can add the servers and their parameters.<br /> |
| 4 | 4 | ||
| 5 | 5 | <br /> | <br /> |
| 6 | The list will be used in the increasing order of the priority.<br /> | ||
| 6 | The list will be checked in the increasing order of the priority.<br /> | ||
| File root/themes/default/admin/ldap/list/header.html changed (mode: 100644) (index 9eada9f..7f3273e) | |||
| 19 | 19 | <th>Group attr</th> | <th>Group attr</th> |
| 20 | 20 | <th>Group filter</th> | <th>Group filter</th> |
| 21 | 21 | <th>Admin group</th> | <th>Admin group</th> |
| 22 | <th>CA certificate</th> | ||
| 23 | 22 | <th>Timeout</th> | <th>Timeout</th> |
| 23 | <th>CA certificate</th> | ||
| 24 | 24 | <th>Operations</th> | <th>Operations</th> |
| 25 | 25 | </tr> | </tr> |
| 26 | 26 | ||
| File root/themes/default/admin/ldap/list/line.html changed (mode: 100644) (index eaccb38..475c373) | |||
| 3 | 3 | <td>@@name@@</td> | <td>@@name@@</td> |
| 4 | 4 | <td>@@plan@@</td> | <td>@@plan@@</td> |
| 5 | 5 | <td>@@prio@@</td> | <td>@@prio@@</td> |
| 6 | <td>@@who@@</td> | ||
| 6 | <td>@@who_nice@@</td> | ||
| 7 | 7 | <td>@@itime_nice@@</td> | <td>@@itime_nice@@</td> |
| 8 | 8 | <td>@@url@@</td> | <td>@@url@@</td> |
| 9 | 9 | <td>@@bind_dn@@</td> | <td>@@bind_dn@@</td> |
| File root/themes/default/admin/settings/web/main.html changed (mode: 100644) (index e4da2b3..05593bb) | |||
| 14 | 14 | </p> | </p> |
| 15 | 15 | ||
| 16 | 16 | <p> | <p> |
| 17 | <label for="http_allow">HTTP port (put 0 to disallow)</label><br /> | ||
| 17 | <label for="http_allow">HTTP port (put 0 to disable)</label><br /> | ||
| 18 | 18 | <input type="text" name="http_allow" id="http_allow" value="@@http_allow@@" /> | <input type="text" name="http_allow" id="http_allow" value="@@http_allow@@" /> |
| 19 | 19 | </p> | </p> |
| 20 | 20 | ||
| 21 | 21 | <p> | <p> |
| 22 | <label for="https_allow">HTTPS port (put 0 to disallow)</label><br /> | ||
| 22 | <label for="https_allow">HTTPS port (put 0 to disable)</label><br /> | ||
| 23 | 23 | <input type="text" name="https_allow" id="https_allow" value="@@https_allow@@" /> | <input type="text" name="https_allow" id="https_allow" value="@@https_allow@@" /> |
| 24 | 24 | </p> | </p> |
| 25 | 25 | ||
| File root/themes/default/features/anonpush.html changed (mode: 100644) (index f01bb78..17eddac) | |||
| 20 | 20 | </div> | </div> |
| 21 | 21 | <br /> | <br /> |
| 22 | 22 | And that is it! Your push will be transformed into a pull request | And that is it! Your push will be transformed into a pull request |
| 23 | and will wait to be merged by an admin. | ||
| 23 | and will wait to be merged by the owner of the project. | ||
| 24 | 24 | </div> | </div> |
| 25 | 25 | </div> | </div> |
| File root/themes/default/hints/repo/clone_owner.html changed (mode: 100644) (index 3ca16a6..cc6ddf1) | |||
| ... | ... | git push origin --tags<br /> | |
| 26 | 26 | If you do not have the project locally, and want to clone it:<br /> | If you do not have the project locally, and want to clone it:<br /> |
| 27 | 27 | <div class="xcode"> | <div class="xcode"> |
| 28 | 28 | git clone @@ri::clone_url_http@@ local_project_dir<br /> | git clone @@ri::clone_url_http@@ local_project_dir<br /> |
| 29 | or<br /> | ||
| 29 | # or<br /> | ||
| 30 | 30 | git clone @@ri::clone_url_ssh@@ local_project_dir<br /> | git clone @@ri::clone_url_ssh@@ local_project_dir<br /> |
| 31 | 31 | cd local_project_dir | cd local_project_dir |
| 32 | 32 | </div> | </div> |
| File root/themes/default/main.html changed (mode: 100644) (index 04b55ca..b68e740) | |||
| 2 | 2 | <div class="island" style="background-color: #bbb; color: #fff; width: 100%"> | <div class="island" style="background-color: #bbb; color: #fff; width: 100%"> |
| 3 | 3 | <div class="island_title island_title_big">Welcome to RocketGit!</div> | <div class="island_title island_title_big">Welcome to RocketGit!</div> |
| 4 | 4 | <span style="font-weight: bold; font-size: 16pt"> | <span style="font-weight: bold; font-size: 16pt"> |
| 5 | Free (as in speech and and as in beer) software | ||
| 5 | Free (as in speech and as in beer) software | ||
| 6 | 6 | (<a href="https://www.gnu.org/licenses/agpl-3.0.html" target="_blank">AGPLv3+</a>) | (<a href="https://www.gnu.org/licenses/agpl-3.0.html" target="_blank">AGPLv3+</a>) |
| 7 | 7 | for hosting | for hosting |
| 8 | 8 | <a href="https://git-scm.com/" target="_blank">Git®</a> projects, | <a href="https://git-scm.com/" target="_blank">Git®</a> projects, |
| File samples/rg.conf changed (mode: 100644) (index b07b51b..3fd84f1) | |||
| 43 | 43 | ||
| 44 | 44 | # Allow .ico, 'themes' folder and robots.txt | # Allow .ico, 'themes' folder and robots.txt |
| 45 | 45 | # Also, avoid scripts that are looking for exploits | # Also, avoid scripts that are looking for exploits |
| 46 | RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ | ||
| 46 | RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ [nocase] | ||
| 47 | 47 | RewriteRule .* - [last] | RewriteRule .* - [last] |
| 48 | 48 | ||
| 49 | 49 | # Force the use of only one name even if we have more aliases. | # Force the use of only one name even if we have more aliases. |
| 50 | 50 | # https://httpd.apache.org/docs/2.4/rewrite/remapping.html | # https://httpd.apache.org/docs/2.4/rewrite/remapping.html |
| 51 | #RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}" | ||
| 51 | #RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}" [nocase] | ||
| 52 | 52 | #RewriteRule "^/?(.*)" "http://%{SERVER_NAME}:%{SERVER_PORT}/$1" [last,redirect=301,noescape] | #RewriteRule "^/?(.*)" "http://%{SERVER_NAME}:%{SERVER_PORT}/$1" [last,redirect=301,noescape] |
| 53 | 53 | ||
| 54 | 54 | # all rest | # all rest |
| File tests/_run_tests.sh changed (mode: 100755) (index 6e63463..a12af96) | |||
| 1 | 1 | #!/bin/bash | #!/bin/bash |
| 2 | 2 | ||
| 3 | tests="ldap ldap_core ldap \ | ||
| 3 | tests="ldap_core ldap \ | ||
| 4 | 4 | admin_set_web git_big_push admin_set_git by_http wh_lambda http_keys \ | admin_set_web git_big_push admin_set_git by_http wh_lambda http_keys \ |
| 5 | 5 | http_forgot \ | http_forgot \ |
| 6 | 6 | api wh_cloud pr_anon wh_http ssh http_totp totp git_log1 \ | api wh_cloud pr_anon wh_http ssh http_totp totp git_log1 \ |
| ... | ... | if [ "${failed}${errs}" = "" ]; then | |
| 44 | 44 | fi | fi |
| 45 | 45 | ||
| 46 | 46 | if [ "${failed}" != "" ]; then | if [ "${failed}" != "" ]; then |
| 47 | echo "Some tests failed: ${failed}" | ||
| 47 | echo "One or more tests failed: ${failed}" | ||
| 48 | 48 | fi | fi |
| 49 | 49 | ||
| 50 | 50 | if [ "${errs}" != "" ]; then | if [ "${errs}" != "" ]; then |
| File tests/ask_pass changed (mode: 100755) (index c4c995f..7aa8b37) | |||
| 1 | 1 | #!/bin/bash | #!/bin/bash |
| 2 | 2 | ||
| 3 | 3 | if [ "${1:0:8}" = "Username" ]; then | if [ "${1:0:8}" = "Username" ]; then |
| 4 | #echo -n "'" | ||
| 5 | 4 | echo -n "${git_username}" | echo -n "${git_username}" |
| 6 | #echo "'" | ||
| 7 | 5 | fi | fi |
| 8 | 6 | ||
| 9 | 7 | if [ "${1:0:8}" = "Password" ]; then | if [ "${1:0:8}" = "Password" ]; then |
| 10 | #echo -n "'" | ||
| 11 | echo -n "${git_password}" | ||
| 12 | #echo "'" | ||
| 8 | echo -n "${git_password}${RG_LOGIN_TOKEN}" | ||
| 13 | 9 | fi | fi |
| File tests/ldap.php changed (mode: 100644) (index d784fad..1ef98fe) | |||
| ... | ... | rg_log_exit(); | |
| 281 | 281 | rg_log(''); | rg_log(''); |
| 282 | 282 | rg_log_enter('Deleting user user4...'); | rg_log_enter('Deleting user user4...'); |
| 283 | 283 | $r = rg_ldap_core_connect('ldap://' . $l1['rg_ldap_addr'] | $r = rg_ldap_core_connect('ldap://' . $l1['rg_ldap_addr'] |
| 284 | . ':' . $l1['rg_ldap_port'], 3 /*timeout*/); | ||
| 284 | . ':' . $l1['rg_ldap_port'], 3); | ||
| 285 | 285 | if ($r['ok'] !== 1) { | if ($r['ok'] !== 1) { |
| 286 | 286 | rg_log('Cannot connect to second server: ' . $r['errmsg'] . '!'); | rg_log('Cannot connect to second server: ' . $r['errmsg'] . '!'); |
| 287 | 287 | exit(1); | exit(1); |
| ... | ... | rg_log_exit(); | |
| 473 | 473 | ||
| 474 | 474 | rg_log(''); | rg_log(''); |
| 475 | 475 | rg_log_enter('Deleting a LDAP server...'); | rg_log_enter('Deleting a LDAP server...'); |
| 476 | $sql = 'SELECT id FROM ldap_servers WHERE name = @@name@@ AND who = @@who@@'; | ||
| 477 | $params = array('who' => $rg_ui['uid'], 'name' => $name); | ||
| 478 | $res = rg_sql_query_params($db, $sql, $params); | ||
| 479 | if ($res === FALSE) { | ||
| 480 | rg_log('Cannot do the select query: ' . rg_sql_error() . '!'); | ||
| 481 | exit(1); | ||
| 482 | } | ||
| 483 | $row = rg_sql_fetch_array($res); | ||
| 484 | rg_sql_free_result($res); | ||
| 485 | $_id = $row['id']; | ||
| 486 | 476 | $data = array( | $data = array( |
| 487 | 477 | 'delete' => 1, | 'delete' => 1, |
| 488 | 478 | 'token' => $token, | 'token' => $token, |
| 489 | 'delete_list[' . $_id . ']' => 'on' | ||
| 479 | 'delete_list[' . $id . ']' => 'on' | ||
| 490 | 480 | ); | ); |
| 491 | 481 | $headers = array(); | $headers = array(); |
| 492 | 482 | $r = do_req($test_url . '/op/admin/ldap/list', $data, $headers); | $r = do_req($test_url . '/op/admin/ldap/list', $data, $headers); |
| ... | ... | if ($r === FALSE) { | |
| 496 | 486 | } | } |
| 497 | 487 | if (!strstr($r['body'], 'The selected LDAP servers have been successfully deleted.')) { | if (!strstr($r['body'], 'The selected LDAP servers have been successfully deleted.')) { |
| 498 | 488 | rg_log_ml('r: ' . print_r($r, TRUE)); | rg_log_ml('r: ' . print_r($r, TRUE)); |
| 499 | rg_log('Cannot delete LDAP server!'); | ||
| 489 | rg_log('Cannot delete LDAP server(s)!'); | ||
| 500 | 490 | exit(1); | exit(1); |
| 501 | 491 | } | } |
| 502 | 492 | rg_log_exit(); | rg_log_exit(); |
| File tests/ldap/prepare.sh changed (mode: 100755) (index 7069302..a6b48e8) | |||
| 1 | 1 | #!/bin/bash | #!/bin/bash |
| 2 | 2 | ||
| 3 | 3 | # Wait till the server answers | # Wait till the server answers |
| 4 | while [ 1 ]; do | ||
| 4 | tries=0 | ||
| 5 | while [ "${tries}" -lt "40" ]; do | ||
| 5 | 6 | ldapsearch -x -P3 -s base -H ldap://${rg_ldap_addr}:${rg_ldap_port} &>/dev/null | ldapsearch -x -P3 -s base -H ldap://${rg_ldap_addr}:${rg_ldap_port} &>/dev/null |
| 6 | 7 | if [ "${?}" != "0" ]; then | if [ "${?}" != "0" ]; then |
| 7 | sleep .1 | ||
| 8 | sleep .5 | ||
| 9 | tries=$((${tries} + 1)) | ||
| 8 | 10 | continue | continue |
| 9 | 11 | fi | fi |
| 10 | 12 | break | break |
| File tests/ldap/start.sh changed (mode: 100644) (index b70e62c..a070391) | |||
| ... | ... | mkdir -p chroot/var/lib/ldap | |
| 5 | 5 | ||
| 6 | 6 | rm -rf chroot-${rg_ldap_ns} | rm -rf chroot-${rg_ldap_ns} |
| 7 | 7 | mkdir -p chroot-${rg_ldap_ns}/etc/openldap | mkdir -p chroot-${rg_ldap_ns}/etc/openldap |
| 8 | mkdir -p chroot-${rg_ldap_ns}/var/lib/ldap | ||
| 8 | 9 | ||
| 9 | 10 | cp -a conf.tmpl chroot-${rg_ldap_ns}/etc/openldap/slapd.d | cp -a conf.tmpl chroot-${rg_ldap_ns}/etc/openldap/slapd.d |
| 10 | 11 | ||
| 11 | mkdir -p chroot-${rg_ldap_ns}/var/lib/ldap | ||
| 12 | |||
| 13 | 12 | #strace -f -s200 -o slapd.strace \ | #strace -f -s200 -o slapd.strace \ |
| 14 | 13 | /usr/sbin/slapd \ | /usr/sbin/slapd \ |
| 15 | 14 | -h "ldap://${rg_ldap_addr}:${rg_ldap_port} ldaps://${rg_ldap_addr}:${rg_ldap_ports} ldapi://ldapi-${rg_ldap_ns}.sock" \ | -h "ldap://${rg_ldap_addr}:${rg_ldap_port} ldaps://${rg_ldap_addr}:${rg_ldap_ports} ldapi://ldapi-${rg_ldap_ns}.sock" \ |
| File tests/log.php changed (mode: 100644) (index 99843b7..9c0d3f8) | |||
| ... | ... | rg_log($n); | |
| 18 | 18 | ||
| 19 | 19 | rg_log_ml("Multiline test\nline2\nline3"); | rg_log_ml("Multiline test\nline2\nline3"); |
| 20 | 20 | ||
| 21 | $c = @file_get_contents('log-' . date('Ymd') . '.log'); | ||
| 21 | $f = 'log-' . gmdate('Ymd') . '.log'; | ||
| 22 | $c = @file_get_contents($f); | ||
| 22 | 23 | if ($c === FALSE) { | if ($c === FALSE) { |
| 23 | rg_log('Cannot read log content!'); | ||
| 24 | rg_log('Cannot read log content from ' . $f . '!'); | ||
| 24 | 25 | exit(1); | exit(1); |
| 25 | 26 | } | } |
| 26 | 27 | $x = explode("\n", $c); | $x = explode("\n", $c); |
Hints:
Before first commit, do not forget to setup your git environment:
Clone this repository using HTTP(S):
Clone this repository using ssh (do not forget to upload a key first):
Clone this repository using git:
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/catalinux/rocketgit
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/catalinux/rocketgit
Clone this repository using git:
git clone git://git.rocketgit.com/user/catalinux/rocketgit
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main
... make some changes and some commits ...
git push origin main
RocketGit
Rocket your launch!
Rocket your launch!