Only show SSH clone URL if signed in (#2169) (#2170)

* Add configuration flag SSH_EXPOSE_ANONYMOUS

If this flag (default True) is set to false, the SSH clone URL will only be exposed if the current user is signed in.

* Default SSH exposure set to false

To match GitHub and for security reasons, SSH URL exposure is disabled by default.
In addition to that. minor code changes have been applied.

Signed-off-by: Stefan Kalscheuer <[email protected]>

* Add integration tests

* Hide clone button neither HTTP and SSH is enabled

Signed-off-by: Stefan Kalscheuer <[email protected]>

Author: stklcode

conf/app.ini

@@ -126,6 +126,8 @@ SSH_KEY_TEST_PATH =
 SSH_KEYGEN_PATH = ssh-keygen
 ; Enable SSH Authorized Key Backup when rewriting all keys, default is true
 SSH_BACKUP_AUTHORIZED_KEYS = true
+; Enable exposure of SSH clone URL to anonymous visitors, default is false
+SSH_EXPOSE_ANONYMOUS = false
 ; Indicate whether to check minimum key size with corresponding type
 MINIMUM_KEY_SIZE_CHECK = false
 ; Disable CDN even in "prod" mode

integrations/repo_test.go

@@ -5,8 +5,13 @@
 package integrations
 
 import (
+	"fmt"
 	"net/http"
 	"testing"
+
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestViewRepo(t *testing.T) {
@@ -37,3 +42,35 @@ func TestViewRepo3(t *testing.T) {
 	session := loginUser(t, "user3")
 	session.MakeRequest(t, req, http.StatusOK)
 }
+
+func TestViewRepo1CloneLinkAnonymous(t *testing.T) {
+	prepareTestEnv(t)
+
+	req := NewRequest(t, "GET", "/user2/repo1")
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	link, exists := htmlDoc.doc.Find("#repo-clone-https").Attr("data-link")
+	assert.True(t, exists, "The template has changed")
+	assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
+	_, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
+	assert.False(t, exists)
+}
+
+func TestViewRepo1CloneLinkAuthorized(t *testing.T) {
+	prepareTestEnv(t)
+
+	session := loginUser(t, "user2")
+
+	req := NewRequest(t, "GET", "/user2/repo1")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	link, exists := htmlDoc.doc.Find("#repo-clone-https").Attr("data-link")
+	assert.True(t, exists, "The template has changed")
+	assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
+	link, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
+	assert.True(t, exists, "The template has changed")
+	sshURL := fmt.Sprintf("%s@%s:user2/repo1.git", setting.RunUser, setting.SSH.Domain)
+	assert.Equal(t, sshURL, link)
+}

modules/context/repo.go

@@ -285,6 +285,7 @@ func RepoAssignment() macaron.Handler {
 		ctx.Data["IsRepositoryWriter"] = ctx.Repo.IsWriter()
 
 		ctx.Data["DisableSSH"] = setting.SSH.Disabled
+		ctx.Data["ExposeAnonSSH"] = setting.SSH.ExposeAnonymous
 		ctx.Data["DisableHTTP"] = setting.Repository.DisableHTTPGit
 		ctx.Data["CloneLink"] = repo.CloneLink()
 		ctx.Data["WikiCloneLink"] = repo.WikiCloneLink()

modules/setting/setting.go

@@ -99,6 +99,7 @@ var (
 		AuthorizedKeysBackup bool           `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
 		MinimumKeySizeCheck  bool           `ini:"-"`
 		MinimumKeySizes      map[string]int `ini:"-"`
+		ExposeAnonymous      bool           `ini:"SSH_EXPOSE_ANONYMOUS"`
 	}{
 		Disabled:           false,
 		StartBuiltinServer: false,
@@ -707,6 +708,7 @@ func NewContext() {
 		}
 	}
 	SSH.AuthorizedKeysBackup = sec.Key("SSH_AUTHORIZED_KEYS_BACKUP").MustBool(true)
+	SSH.ExposeAnonymous = sec.Key("SSH_EXPOSE_ANONYMOUS").MustBool(false)
 
 	if err = Cfg.Section("server").MapTo(&LFS); err != nil {
 		log.Fatal(4, "Failed to map LFS settings: %v", err)

templates/repo/bare.tmpl

@@ -28,9 +28,11 @@
 								{{else}}
 									<input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly>
 								{{end}}
-								<button class="ui basic button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
-									<i class="octicon octicon-clippy"></i>
-								</button>
+								{{if not (and $.DisableHTTP $.DisableSSH)}}
+									<button class="ui basic button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
+										<i class="octicon octicon-clippy"></i>
+									</button>
+								{{end}}
 							</div>
 						</div>
 						<div class="ui divider"></div>

templates/repo/home.tmpl

@@ -56,19 +56,21 @@
 								{{if UseHTTPS}}HTTPS{{else}}HTTP{{end}}
 							</button>
 						{{end}}
-						{{if not $.DisableSSH}}
+						{{if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
 							<button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.CloneLink.SSH}}">
 								SSH
 							</button>
 						{{end}}
 						{{if not $.DisableHTTP}}
 							<input id="repo-clone-url" value="{{$.CloneLink.HTTPS}}" readonly>
-						{{else}}
+						{{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
 							<input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly>
 						{{end}}
-						<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
-							<i class="octicon octicon-clippy"></i>
-						</button>
+						{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}
+							<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
+								<i class="octicon octicon-clippy"></i>
+							</button>
+						{{end}}
 						<div class="ui basic jump dropdown icon button poping up" data-content="{{.i18n.Tr "repo.download_archive"}}" data-variation="tiny inverted" data-position="top right">
 							<i class="download icon"></i>
 							<div class="menu">

templates/repo/wiki/view.tmpl

@@ -35,19 +35,21 @@
 							{{if UseHTTPS}}HTTPS{{else}}HTTP{{end}}
 						</button>
 					{{end}}
-					{{if not $.DisableSSH}}
+					{{if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
 						<button class="ui basic clone button" id="repo-clone-ssh" data-link="{{.WikiCloneLink.SSH}}">
 							SSH
 						</button>
 					{{end}}
 					{{if not $.DisableHTTP}}
 						<input id="repo-clone-url" value="{{$.WikiCloneLink.HTTPS}}" readonly>
-					{{else}}
+					{{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
 						<input id="repo-clone-url" value="{{$.WikiCloneLink.SSH}}" readonly>
 					{{end}}
-					<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
-						<i class="octicon octicon-clippy"></i>
-					</button>
+					{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}
+						<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
+							<i class="octicon octicon-clippy"></i>
+						</button>
+					{{end}}
 				</div>
 			</div>
 		</div>