From 1da0da125183b8a5e0ffecbd210e148a2c79c9af Mon Sep 17 00:00:00 2001 From: Inon Sharony Date: Thu, 24 May 2018 14:14:28 +0300 Subject: [PATCH 1/5] LFS: make HTTP auth period configurable --- cmd/serv.go | 2 +- docs/content/doc/advanced/config-cheat-sheet.en-us.md | 1 + modules/setting/setting.go | 10 ++++++---- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/cmd/serv.go b/cmd/serv.go index 5d567e6d641e3..2d83c76cc1c7e 100644 --- a/cmd/serv.go +++ b/cmd/serv.go @@ -268,7 +268,7 @@ func runServ(c *cli.Context) error { claims := jwt.MapClaims{ "repo": repo.ID, "op": lfsVerb, - "exp": now.Add(5 * time.Minute).Unix(), + "exp": now.Add(time.Duration(setting.LFS.HTTPAuthExpiryMinutes) * time.Minute).Unix(), "nbf": now.Unix(), } if user != nil { diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 0d2af62373265..bd157af28b554 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -115,6 +115,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `LFS_START_SERVER`: **false**: Enables git-lfs support. - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files. - `LFS_JWT_SECRET`: **\**: LFS authentication secret, change this a unique string. +- `LFS_HTTP_AUTH_EXPIRY_MINUTES`: **5**: LFS authentication validity period in minutes, pushes taking longer than this may fail. - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests on another (https) port. - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true. diff --git a/modules/setting/setting.go b/modules/setting/setting.go index adf4bb74fd299..6811c30964690 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go 
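Review bot: In the cmd/serv.go hunk the `exp` claim is now derived from `setting.LFS.HTTPAuthExpiryMinutes` with no bound on the value. A configured `0` or negative number gives a token whose `exp` is not after its `nbf`, and a very large number gives a token that stays valid far longer than a push needs. The loader hunk in modules/setting/setting.go (`MustInt(5)`) accepts any integer, and the later `HTTPAuthExpiry` / `MustDuration` hunks in PATCH 4/5 have the same gap. I would reject non-positive values where the setting is read, for example `if LFS.HTTPAuthExpiryMinutes <= 0 { LFS.HTTPAuthExpiryMinutes = 5 }`, and consider logging or capping unusually long periods. The body of runServ continues outside the hunk.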
@@ -136,10 +136,11 @@ var ( } LFS struct { - StartServer bool `ini:"LFS_START_SERVER"` - ContentPath string `ini:"LFS_CONTENT_PATH"` - JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` - JWTSecretBytes []byte `ini:"-"` + StartServer bool `ini:"LFS_START_SERVER"` + ContentPath string `ini:"LFS_CONTENT_PATH"` + JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` + JWTSecretBytes []byte `ini:"-"` + HTTPAuthExpiryMinutes int `ini:"LFS_HTTP_AUTH_EXPIRY_MINUTES"` } // Security settings @@ -827,6 +828,7 @@ func NewContext() { if !filepath.IsAbs(LFS.ContentPath) { LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath) } + LFS.HTTPAuthExpiryMinutes = sec.Key("LFS_HTTP_AUTH_EXPIRY_MINUTES").MustInt(5); if LFS.StartServer { From 788423fc11e22ed7af94c2878f31db0929d1797d Mon Sep 17 00:00:00 2001 From: Inon S Date: Thu, 24 May 2018 14:58:29 +0300 Subject: [PATCH 2/5] Formatting: Removed semicolon Due to automated fmt-check failure (drone.gitea.io) --- modules/setting/setting.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 6811c30964690..73c755609216a 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -828,7 +828,7 @@ func NewContext() { if !filepath.IsAbs(LFS.ContentPath) { LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath) } - LFS.HTTPAuthExpiryMinutes = sec.Key("LFS_HTTP_AUTH_EXPIRY_MINUTES").MustInt(5); + LFS.HTTPAuthExpiryMinutes = sec.Key("LFS_HTTP_AUTH_EXPIRY_MINUTES").MustInt(5) if LFS.StartServer { From edc8b7eae9988909252b42f60a4bc128656a3bbb Mon Sep 17 00:00:00 2001 From: Inon Sharony Date: Sun, 27 May 2018 08:58:05 +0300 Subject: [PATCH 3/5] applying code reviews --- custom/conf/app.ini.sample | 2 ++ docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample index f9a188c3a1da6..85695ba991e0b 100644 --- a/custom/conf/app.ini.sample 
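Review bot: In the NewContext hunk, `sec.Key("LFS_HTTP_AUTH_EXPIRY_MINUTES").MustInt(5)` substitutes the default without any message when the value does not parse. An operator who writes something like `20m` would end up with five-minute tokens and no hint as to why. The `MustDuration(20 * time.Minute)` call in PATCH 4/5 behaves the same way for a bare `20` carried over from the minutes form. I would log a warning when the key is present but unparsable, and add a comment on the line such as `// falls back to the default when the key is missing or invalid`. NewContext starts and ends outside the hunk.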
+++ b/custom/conf/app.ini.sample @@ -189,6 +189,8 @@ LFS_START_SERVER = false LFS_CONTENT_PATH = data/lfs ; LFS authentication secret, change this yourself LFS_JWT_SECRET = +; LFS authentication validity period in minutes, pushes taking longer than this may fail. +LFS_HTTP_AUTH_EXPIRY_MINUTES = 20 ; Define allowed algorithms and their minimum key length (use -1 to disable a type) [ssh.minimum_key_sizes] diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index bd157af28b554..f67a53ff47f31 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -115,7 +115,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `LFS_START_SERVER`: **false**: Enables git-lfs support. - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files. - `LFS_JWT_SECRET`: **\**: LFS authentication secret, change this a unique string. -- `LFS_HTTP_AUTH_EXPIRY_MINUTES`: **5**: LFS authentication validity period in minutes, pushes taking longer than this may fail. +- `LFS_HTTP_AUTH_EXPIRY_MINUTES`: **20**: LFS authentication validity period in minutes, pushes taking longer than this may fail. - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests on another (https) port. - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true. From ebdab8976e22b9b5f751e034a2e209354558e047 Mon Sep 17 00:00:00 2001 From: Inon Sharony Date: Sun, 27 May 2018 09:16:51 +0300 Subject: [PATCH 4/5] Applied code review comment: Change HTTPAuthExpiry to time.Duration --- cmd/serv.go | 2 +- custom/conf/app.ini.sample | 4 ++-- modules/setting/setting.go | 14 ++++++++------ 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/cmd/serv.go b/cmd/serv.go index 2d83c76cc1c7e..990355be98cf6 100644 --- a/cmd/serv.go +++ b/cmd/serv.go 
@@ -268,7 +268,7 @@ func runServ(c *cli.Context) error { claims := jwt.MapClaims{ "repo": repo.ID, "op": lfsVerb, - "exp": now.Add(time.Duration(setting.LFS.HTTPAuthExpiryMinutes) * time.Minute).Unix(), + "exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(), "nbf": now.Unix(), } if user != nil { diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample index 85695ba991e0b..9cd7366ba51df 100644 --- a/custom/conf/app.ini.sample +++ b/custom/conf/app.ini.sample @@ -189,8 +189,8 @@ LFS_START_SERVER = false LFS_CONTENT_PATH = data/lfs ; LFS authentication secret, change this yourself LFS_JWT_SECRET = -; LFS authentication validity period in minutes, pushes taking longer than this may fail. -LFS_HTTP_AUTH_EXPIRY_MINUTES = 20 +; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. +LFS_HTTP_AUTH_EXPIRY = 20m ; Define allowed algorithms and their minimum key length (use -1 to disable a type) [ssh.minimum_key_sizes] diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 73c755609216a..03ab9bbf01386 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -136,11 +136,11 @@ var ( } LFS struct { - StartServer bool `ini:"LFS_START_SERVER"` - ContentPath string `ini:"LFS_CONTENT_PATH"` - JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` - JWTSecretBytes []byte `ini:"-"` - HTTPAuthExpiryMinutes int `ini:"LFS_HTTP_AUTH_EXPIRY_MINUTES"` + StartServer bool `ini:"LFS_START_SERVER"` + ContentPath string `ini:"LFS_CONTENT_PATH"` + JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` + JWTSecretBytes []byte `ini:"-"` + HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"` } // Security settings 
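Review bot: The new comment in the custom/conf/app.ini.sample hunk describes the value as "(in time.Duration)", which names a Go type rather than a syntax an operator can type. It also warns only about values that are too short. I would spell out the format and both sides of the trade-off, e.g. `; LFS authentication validity period as a duration such as 20m or 1h30m; pushes taking longer than this may fail, and a longer period keeps each issued token valid for longer`. The same wording would fit the config-cheat-sheet entry changed in PATCH 5/5.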
@@ -828,7 +828,9 @@ func NewContext() { if !filepath.IsAbs(LFS.ContentPath) { LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath) } - LFS.HTTPAuthExpiryMinutes = sec.Key("LFS_HTTP_AUTH_EXPIRY_MINUTES").MustInt(5) + + sec = Cfg.Section("LFS") + LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(20 * time.Minute) if LFS.StartServer { From ef7cff100eda3b12f29ed540687616db00b813f9 Mon Sep 17 00:00:00 2001 From: Inon S Date: Tue, 29 May 2018 08:26:21 +0300 Subject: [PATCH 5/5] Updated config cheat sheet --- docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 58a5f42b4a8dc..3f8ebea61f860 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -115,7 +115,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `LFS_START_SERVER`: **false**: Enables git-lfs support. - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files. - `LFS_JWT_SECRET`: **\**: LFS authentication secret, change this a unique string. -- `LFS_HTTP_AUTH_EXPIRY_MINUTES`: **20**: LFS authentication validity period in minutes, pushes taking longer than this may fail. +- `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail. - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests on another (https) port. - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
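Review bot: The added `sec = Cfg.Section("LFS")` makes the loader read `LFS_HTTP_AUTH_EXPIRY` from a section named `LFS`. The sample file in this same patch puts the key directly below `LFS_JWT_SECRET`, which appears to be a different section, though its header is outside the hunk. If so, a value set where the sample shows it is never read and the 20-minute default always applies, so an operator who shortens the token lifetime would see no effect. Any code after this point that still uses `sec` would also now see the new section. I would drop the reassignment and keep `LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(20 * time.Minute)` reading from the section the neighbouring LFS settings use. NewContext starts and ends outside the hunk.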