changeset 6127:a89be5fb75d2

hg: drop pointless push_ssl configuration setting - if there is a risk push can be compromised, credentials can also easily be stolen for pull. Everybody should have an ssl-only setup now. Alternatively, there is a use case for 'only anonymous traffic on ssl - all authentication and authenticated traffic must be on ssl'. That can be done with proper web server configuration.
author Mads Kiilerich <madski@unity3d.com>
date Fri, 12 Aug 2016 03:04:48 +0200
parents a1b3f392032b
children b4db7ff78343
files kallithea/controllers/admin/settings.py kallithea/lib/base.py kallithea/lib/db_manage.py kallithea/lib/middleware/simplegit.py kallithea/lib/middleware/simplehg.py kallithea/lib/utils.py kallithea/model/forms.py kallithea/templates/admin/settings/settings_vcs.html
diffstat 8 files changed, 3 insertions(+), 45 deletions(-) [+]
--- a/kallithea/controllers/admin/settings.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/controllers/admin/settings.py	Fri Aug 12 03:04:48 2016 +0200
@@ -71,9 +71,6 @@
             if k == 'paths_/':
                 k = 'paths_root_path'
 
-            if k == 'web_push_ssl':
-                v = str2bool(v)
-
             k = k.replace('.', '_')
 
             if each.ui_section in ['hooks', 'extensions']:
@@ -99,9 +96,6 @@
                      force_defaults=False)
 
             try:
-                sett = Ui.get_by_key('web', 'push_ssl')
-                sett.ui_value = form_result['web_push_ssl']
-
                 if c.visual.allow_repo_location_change:
                     sett = Ui.get_by_key('paths', '/')
                     sett.ui_value = form_result['paths_root_path']
--- a/kallithea/lib/base.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/lib/base.py	Fri Aug 12 03:04:48 2016 +0200
@@ -249,20 +249,6 @@
     def _get_ip_addr(self, environ):
         return _get_ip_addr(environ)
 
-    def _check_ssl(self, environ):
-        """
-        Checks the SSL check flag and returns False if SSL is not present
-        and required True otherwise
-        """
-        #check if we have SSL required  ! if not it's a bad request !
-        if str2bool(Ui.get_by_key('web', 'push_ssl').ui_value):
-            org_proto = environ.get('wsgi._org_proto', environ['wsgi.url_scheme'])
-            if org_proto != 'https':
-                log.debug('proto is %s and SSL is required BAD REQUEST !',
-                          org_proto)
-                return False
-        return True
-
     def _check_locking_state(self, environ, action, repo, user_id):
         """
         Checks locking on this repository, if locking is enabled and lock is
--- a/kallithea/lib/db_manage.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/lib/db_manage.py	Fri Aug 12 03:04:48 2016 +0200
@@ -424,9 +424,7 @@
         self.create_ui_settings(path)
 
         ui_config = [
-            ('web', 'push_ssl', 'false'),
             ('web', 'allow_archive', 'gz zip bz2'),
-            ('web', 'allow_push', '*'),
             ('web', 'baseurl', '/'),
             ('paths', '/', path),
             #('phases', 'publish', 'false')
--- a/kallithea/lib/middleware/simplegit.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/lib/middleware/simplegit.py	Fri Aug 12 03:04:48 2016 +0200
@@ -66,8 +66,6 @@
     def _handle_request(self, environ, start_response):
         if not is_git(environ):
             return self.application(environ, start_response)
-        if not self._check_ssl(environ):
-            return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
 
         ip_addr = self._get_ip_addr(environ)
         username = None
--- a/kallithea/lib/middleware/simplehg.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/lib/middleware/simplehg.py	Fri Aug 12 03:04:48 2016 +0200
@@ -71,8 +71,6 @@
     def _handle_request(self, environ, start_response):
         if not is_mercurial(environ):
             return self.application(environ, start_response)
-        if not self._check_ssl(environ):
-            return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
 
         ip_addr = self._get_ip_addr(environ)
         username = None
--- a/kallithea/lib/utils.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/lib/utils.py	Fri Aug 12 03:04:48 2016 +0200
@@ -365,14 +365,12 @@
                           ui_.ui_key, ui_val)
                 baseui.setconfig(safe_str(ui_.ui_section), safe_str(ui_.ui_key),
                                  ui_val)
-            if ui_.ui_key == 'push_ssl':
-                # force set push_ssl requirement to False, kallithea
-                # handles that
-                baseui.setconfig(safe_str(ui_.ui_section), safe_str(ui_.ui_key),
-                                 False)
         if clear_session:
             meta.Session.remove()
 
+        # force set push_ssl requirement to False, Kallithea handles that
+        baseui.setconfig('web', 'push_ssl', False)
+        baseui.setconfig('web', 'allow_push', '*')
         # prevent interactive questions for ssh password / passphrase
         ssh = baseui.config('ui', 'ssh', default='ssh')
         baseui.setconfig('ui', 'ssh', '%s -oBatchMode=yes -oIdentitiesOnly=yes' % ssh)
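Review bot: The comment on the added `baseui.setconfig('web', 'push_ssl', False)` still says "Kallithea handles that", but this changeset also removes `_check_ssl` and its callers in simplegit.py and simplehg.py, so nothing in the application enforces HTTPS for VCS traffic any more. Together with `allow_push = '*'`, which now appears to be forced on every loaded config instead of being seeded once in db_manage.py, Mercurial's own transport and push checks are both disabled, and push authorization presumably rests entirely on Kallithea's permission checks outside this hunk. I would reword the comment to say that, for example `# disable Mercurial's own push_ssl / allow_push checks: HTTPS must be enforced by the web server, push permission by Kallithea`. Instances that had "Require SSL for vcs operations" enabled will accept plain-HTTP pull and push after upgrading unless the front-end web server refuses or redirects HTTP, which is worth an upgrade note. The enclosing function starts and ends outside the hunk.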
--- a/kallithea/model/forms.py	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/model/forms.py	Fri Aug 12 03:04:48 2016 +0200
@@ -373,7 +373,6 @@
     class _ApplicationUiSettingsForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = False
-        web_push_ssl = v.StringBoolean(if_missing=False)
         paths_root_path = All(
             v.ValidPath(),
             v.UnicodeString(strip=True, min=1, not_empty=True)
--- a/kallithea/templates/admin/settings/settings_vcs.html	Fri Aug 12 03:04:48 2016 +0200
+++ b/kallithea/templates/admin/settings/settings_vcs.html	Fri Aug 12 03:04:48 2016 +0200
@@ -1,19 +1,6 @@
 ${h.form(url('admin_settings'), method='post')}
     <div class="form">
         <div class="fields">
-            <div class="field">
-                <div class="label label-checkbox">
-                    <label>${_('Web')}:</label>
-                </div>
-                <div class="checkboxes">
-                    <div class="checkbox">
-                        ${h.checkbox('web_push_ssl', 'True')}
-                        <label for="web_push_ssl">${_('Require SSL for vcs operations')}</label>
-                    </div>
-                    <span class="help-block">${_('Activate to require SSL both pushing and pulling. If SSL certificate is missing, it will return an HTTP Error 406: Not Acceptable.')}</span>
-                </div>
-             </div>
-
              <div class="field">
                 <div class="label label-checkbox">
                     <label>${_('Hooks')}:</label>