From 3ddaba1d9ed133a69db3f826a176e588e7d0116f Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Mon, 31 Jan 2022 12:54:58 +0100
Subject: [PATCH] DISABLE_2FA parameter for disabling 2FA added

Gitea does not use 2FA when reverse proxy auth is enabled. 2FA is hardcoded and cannot be disabled (i.e. when stronger authentication scheme is implemented on reverse proxy). Leaving unused elements like 2FA in UI should be avoided to make UI clean and to avoid unnecessarry maintanance (questions/problems from users). This mod introduces new `DISABLE_2FA` parameter in app.ini section `[security]`. When disabled (default when parameter is not present) gitea behaves as without this mod (2FA is available). When enabled, 2FA feature and its UI elements are not avaiable. This mod also hides those areas on Settings/Security page that are disabled in config and hides menu link to Security page if all its areas are disabled in config.

Related: https://github.com/go-gitea/gitea/pull/13129
Author-Change-Id: IB#1115243
---
 custom/conf/app.example.ini | 3 +++
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 1 +
 modules/context/context.go | 1 +
 modules/setting/setting.go | 2 ++
 modules/templates/helper.go | 3 +++
 templates/admin/user/list.tmpl | 4 ++++
 templates/org/member/members.tmpl | 2 ++
 templates/user/settings/navbar.tmpl | 2 ++
 templates/user/settings/security/security.tmpl | 4 ++++
 9 files changed, 22 insertions(+)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 586c924c4ab8..67c0bf5a323f 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -372,6 +372,9 @@ INTERNAL_TOKEN=
 ;; Set to true to disable webhooks feature.
 ;DISABLE_WEBHOOKS = false
 ;;
+;; Set to false to disable 2FA feature.
+;DISABLE_2FA = false
+;;
 ;; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ;ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;;
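Review bot: The comment added for the new key, `;; Set to false to disable 2FA feature.`, is inverted: the key is read with `MustBool(false)` in setting.go and the cheat-sheet entry in this same patch says `true` disables, so the line should read `;; Set to true to disable 2FA feature.`. The wording also overstates what the flag does — the diffstat lists only settings, template-helper and template files, so as implemented here the flag changes what is rendered, not how 2FA is enforced; the commit message's claim that the "2FA feature" becomes unavailable is not supported by these nine files. A more honest comment would be `;; Set to true to hide the 2FA (TOTP/WebAuthn) UI elements.`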
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 6cbc9b91f985..bc6ac4001acf 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -498,6 +498,7 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
   Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
   This maybe harmful to you website or your operating system.
 - `DISABLE_WEBHOOKS`: **false**: Set to `true` to disable webhooks feature.
+- `DISABLE_2FA`: **false**: Set to `true` to disable 2FA feature.
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to Gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\**: Secret used to validate communication within Gitea binary.
diff --git a/modules/context/context.go b/modules/context/context.go
index 503885064992..c0587e654977 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -706,6 +706,7 @@ func Contexter() func(next http.Handler) http.Handler {
 	ctx.Data["EnableSwagger"] = setting.API.EnableSwagger
 	ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
+	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
 	ctx.Data["DisableMigrations"] = setting.Repository.DisableMigrations
 	ctx.Data["DisableStars"] = setting.Repository.DisableStars
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index abd6716c74e6..a12b4e933c6a 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -187,6 +187,7 @@ var (
 	ImportLocalPaths bool
 	DisableGitHooks bool
 	DisableWebhooks bool
+	Disable2FA bool
 	OnlyAllowPushIfGiteaEnvironmentSet bool
 	PasswordComplexity []string
 	PasswordHashAlgo string
@@ -868,6 +869,7 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
 	DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
+	Disable2FA = sec.Key("DISABLE_2FA").MustBool(false)
 	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index fc07b49c7192..ec963c0cd01d 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -236,6 +236,9 @@ func NewFuncMap() []template.FuncMap {
 		"DisableWebhooks": func() bool {
 			return setting.DisableWebhooks
 		},
+		"Disable2FA": func() bool {
+			return setting.Disable2FA
+		},
 		"DisableImportLocal": func() bool {
 			return !setting.ImportLocalPaths
 		},
diff --git a/templates/admin/user/list.tmpl b/templates/admin/user/list.tmpl
index 93e6f38c2701..08feed6b6a9f 100644
--- a/templates/admin/user/list.tmpl
+++ b/templates/admin/user/list.tmpl
@@ -73,7 +73,9 @@
 	{{.i18n.Tr "admin.users.activated"}}
 	{{.i18n.Tr "admin.users.admin"}}
 	{{.i18n.Tr "admin.users.restricted"}}
+	{{if not Disable2FA}}
 	{{.i18n.Tr "admin.users.2fa"}}
+	{{end}}
 	{{.i18n.Tr "admin.users.repos"}}
 	{{.i18n.Tr "admin.users.created"}}
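Review bot: `Disable2FA bool` is added without a doc comment, and its name promises more than the patch delivers: the diffstat touches no router, auth-service or API file, so the flag as implemented is only consulted by the templates via the new `Disable2FA` FuncMap entry. Document that limitation on the field so nobody later treats it as an authentication control, e.g. `// Disable2FA hides the 2FA/WebAuthn UI in templates; it is not consulted by the login flow.`. If the intent in the commit message (a reverse proxy provides the strong factor) is to be honoured, the 2FA route handlers would also need to check this flag, which is presumably follow-up work outside this patch. The `var (` block and `loadFromConf` both continue outside their hunks.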
@@ -92,7 +94,9 @@
 	{{if .IsActive}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}
 	{{if .IsAdmin}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}
 	{{if .IsRestricted}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}
+	{{if not Disable2FA}}
 	{{if index $.UsersTwoFaStatus .ID}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}
+	{{end}}
 	{{.NumRepos}}
 	{{.CreatedUnix.FormatShort}}
 	{{if .LastLoginUnix}}
diff --git a/templates/org/member/members.tmpl b/templates/org/member/members.tmpl
index 49d8f52f8722..c446e12f62e6 100644
--- a/templates/org/member/members.tmpl
+++ b/templates/org/member/members.tmpl
@@ -37,6 +37,7 @@
 	{{if index $.MembersIsUserOrgOwner .ID}}{{svg "octicon-shield-lock"}} {{$.i18n.Tr "org.members.owner"}}{{else}}{{$.i18n.Tr "org.members.member"}}{{end}}
+	{{if not Disable2FA}}
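Review bot: Wrapping the admin list's 2FA status cell in `{{if not Disable2FA}}` removes exactly the information an administrator needs after turning the flag on: which accounts still carry TOTP/WebAuthn enrolments, now that the settings section for managing them is hidden by the security.tmpl hunk in this same patch. Nothing in the diffstat changes the handler, so `$.UsersTwoFaStatus` is presumably still computed and passed; leaving this cell (and the matching header cell in the previous hunk of this file) unconditional costs nothing and keeps the admin view truthful. If the column must go, consider showing it whenever any user in the list has an enrolment rather than purely on the config flag.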
 	{{$.i18n.Tr "admin.users.2fa"}}
@@ -51,6 +52,7 @@
+ {{end}}
 	{{if eq $.SignedUser.ID .ID}}
diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl
index 3477a5949b84..2fb22210c469 100644
--- a/templates/user/settings/navbar.tmpl
+++ b/templates/user/settings/navbar.tmpl
@@ -9,9 +9,11 @@
 	{{.i18n.Tr "settings.appearance"}}
+	{{if or (not Disable2FA) .EnableOpenIDSignIn .EnableOpenIDSignUp}}
 	{{.i18n.Tr "settings.security"}}
+	{{end}}
 	{{.i18n.Tr "settings.applications"}}
diff --git a/templates/user/settings/security/security.tmpl b/templates/user/settings/security/security.tmpl
index d93be9f64016..a860ad8b729e 100644
--- a/templates/user/settings/security/security.tmpl
+++ b/templates/user/settings/security/security.tmpl
@@ -3,9 +3,13 @@
 	{{template "user/settings/navbar" .}}
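Review bot: The visibility condition `{{if or (not Disable2FA) .EnableOpenIDSignIn .EnableOpenIDSignUp}}` restates, as one boolean, the three section guards added to security.tmpl further down this patch; the two copies will drift the next time a section is added or its guard changes, leaving the link pointing at an empty page or hiding a page that has content. Compute the decision once — for example a `ShowSecuritySettings` value set next to the new `EnableOpenIDSignUp` entry in context.go — and test that single value in both templates. Hiding the link also does not remove the `/user/settings/security` route, which this patch leaves unchanged, so the page stays reachable by URL.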
 	{{template "base/alert" .}}
+	{{if not Disable2FA}}
 	{{template "user/settings/security/twofa" .}}
 	{{template "user/settings/security/webauthn" .}}
+	{{end}}
+	{{if .EnableOpenIDSignUp}}
 	{{template "user/settings/security/accountlinks" .}}
+	{{end}}
 	{{if .EnableOpenIDSignIn}}
 	{{template "user/settings/security/openid" .}}
 	{{end}}
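Review bot: Gating `user/settings/security/accountlinks` on `.EnableOpenIDSignUp` looks like the wrong switch: judging by its name, that section lists the user's linked external accounts, which depend on the configured login sources rather than on whether OpenID registration is enabled, so an instance with OAuth2 providers and OpenID sign-up off would lose the page where users inspect and unlink those accounts. If the goal is to suppress an empty section, gate it on whether any linked accounts or external login sources exist instead, and confirm against the accountlinks partial before merging. Separately, hiding the `twofa` and `webauthn` partials removes the only UI for removing an existing enrolment while, judging from the diffstat, the login path that challenges enrolled users is untouched — that lockout should be addressed in the auth flow or at least stated in the docs.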