Version 1.11.0

better custom app.ini
optional sso support
always create root user

CHANGELOG

@@ -264,3 +264,58 @@
 * Switch to more recent build of xgo (#6070) (#6072)
 * In basic auth check for tokens before call UserSignIn (#5725) (#6083)
 
+[1.9.3]
+* Update Gitea to 1.7.3
+* Fix server 500 when trying to migrate to an already existing repository (#6188) (#6197)
+* Load Issue attributes for API /repos/{owner}/{repo}/issues/{index} (#6122) (#6185)
+* Fix bug whereby user could change private repository to public when force private enabled. (#6156) (#6165)
+* Fix bug when update owner team then visit team's repo return 404 (#6119) (#6166)
+* Fix heatmap and repository menu display in Internet Explorer 9+ (#6117) (#6137)
+* Fix prohibit login check on authorization (#6106) (#6115)
+* Fix LDAP protocol error regression by moving to ldap.v3 (#6105) (#6107)
+* Fix deadlock in webhook PullRequest (#6102) (#6104)
+* Fix redirect loop when password change is required and Gitea is installed as a suburl (#5965) (#6101)
+* Fix compare button regression (#5929) (#6098)
+* Recover panic in orgmode.Render if bad orgfile (#4982) (#5903) (#6097)
+
+[1.9.4]
+* Update Gitea to 1.7.4
+* Fix potential XSS vulnerability in repository description. (#6306) (#6308)
+* Fix wrong release commit id (#6224) (#6300)
+* Fix panic on empty signed commits (#6292) (#6300)
+* Fix organization dropdown not being scrollable when using mouse wheel (#5988) (#6246)
+* Fix displaying dashboard even if required to change password (#6214) (#6215)
+
+[1.9.5]
+* Update Gitea to 1.7.5
+* unitTypeCode not being used in accessLevelUnit (#6419) (#6423)
+* ParsePatch function to work with quoted diff --git strings (#6323) (#6332)
+
+[1.9.6]
+* Update Gitea to 1.7.6
+* Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6595)
+* Allow resend of confirmation email when logged in (#6482) (#6487)
+
+[1.10.0]
+* Update Gitea to 1.8.0
+* [Full changelog](https://github.com/go-gitea/gitea/releases/tag/v1.8.0)
+* Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6594)
+* Resolve 2FA bypass on API (#6676) (#6674)
+* Prevent the creation of empty sessions for non-logged in users (#6690) (#6677)
+* Expose issue stopwatch toggling via API (#5970)
+* Pull request conflict files detection (#5951)
+* Implement "conversation lock" for issue comments (#5073)
+* Feature: Archive repos (#5009)
+* Allow to set organization visibility (public, internal, private) (#1763)
+* Added URL mapping for Release attachments like on github.com (#1707)
+
+[1.10.1]
+* Update Gitea to 1.8.1
+
+[1.10.2]
+* Update Gitea to 1.8.2
+
+[1.11.0]
+* better custom app.ini integration
+* optional sso support
+

CloudronManifest.json

@@ -4,7 +4,7 @@
   "author": "Gitea developers",
   "description": "file://DESCRIPTION.md",
   "tagline": "A painless self-hosted Git Service",
-  "version": "1.9.2",
+  "version": "1.11.0",
   "healthCheckPath": "/healthcheck",
   "httpPort": 3000,
   "addons": {
@@ -24,6 +24,7 @@
   "website": "https://gitea.io",
   "contactEmail": "apps@cloudron.io",
   "icon": "file://logo.png",
+  "optionalSso": true,
   "mediaLinks": [
     "https://s3.amazonaws.com/cloudron-app-screenshots/io.gitea.cloudronapp/f89a2ab8d49094c80589f69a2d60bef63b2dbb62/1.png",
     "https://s3.amazonaws.com/cloudron-app-screenshots/io.gitea.cloudronapp/f89a2ab8d49094c80589f69a2d60bef63b2dbb62/2.png",

DESCRIPTION.md

@@ -1,4 +1,4 @@
-This app packages Gitea <upstream>1.7.2</upstream>
+This app packages Gitea <upstream>1.8.2</upstream>
 
 Gitea is a painless self-hosted Git service. It is similar to GitHub, Bitbucket or Gitlab.
 

Dockerfile

@@ -13,7 +13,8 @@ RUN adduser --disabled-login --gecos 'Gitea' git
 RUN passwd -d git
 
 RUN mkdir -p /home/git/gitea
-RUN curl -L https://dl.gitea.io/gitea/1.7.2/gitea-1.7.2-linux-amd64 -o /home/git/gitea/gitea \
+WORKDIR /home/git
+RUN curl -L https://dl.gitea.io/gitea/1.8.2/gitea-1.8.2-linux-amd64 -o /home/git/gitea/gitea \
     && chmod +x /home/git/gitea/gitea
 
 # setup config paths

POSTINSTALL.md

@@ -1,12 +1,14 @@
-This app integrates with the Cloudron SSO. Admins on Cloudron automatically
-become admins on Gitea.
+A default admin user has been setup with the following credentials (use the `Local` authentication source when logging in):
 
-If you want to disable Cloudron SSO, do the following:
+```
+username: root
+password: changeme
+```
 
-* Admin Panel -> Authentication -> 'cloudron' -> Uncheck 'This authentication is activated'
-* Admin Panel -> Users -> Change Authentication Source to 'Local' and also give a password
+**Note:** Please change the password and email immediately after installation.
 
-You can edit `/app/data/app.ini` and add any custom configuration. See the 
-[configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet)
-for more information.
+<sso>
+This app integrates with the Cloudron SSO. Cloudron users can login and use Gitea
+using the `Cloudron` authentication source.
+</sso>
 

start.sh

@@ -7,27 +7,56 @@ mkdir -p /run/gitea/tmp/uploads /run/sshd
 setup_ldap_source() {
     set -eu
 
-    # Wait for gitea to finish db setup, before we insert ldap source in db
-    while ! curl --fail http://localhost:3000/healthcheck; do
-        echo "Waiting for gitea to come up"
-        sleep 1
-    done
-
-    now=$(date +%s)
-
     # Get the existing LDAP source status. This allows the user to disable LDAP
+    # Note that this method is deprecated since this app now supports optionalSso
     ldap_status=$(mysql -u"${MYSQL_USERNAME}" -p"${MYSQL_PASSWORD}" -h mysql --database="${MYSQL_DATABASE}" -N -B -e "select is_actived from login_source WHERE name='cloudron';")
     [[ -z "${ldap_status}" ]] && ldap_status="1"
 
+    now=$(date +%s)
+
     if mysql -u"${MYSQL_USERNAME}" -p"${MYSQL_PASSWORD}" -h mysql --database="${MYSQL_DATABASE}" \
-        -e "REPLACE INTO login_source (id, type, name, is_actived, cfg, created_unix, updated_unix) VALUES (1,2,'cloudron',${ldap_status},'{\"Name\":\"cloudron\",\"Host\":\"${LDAP_SERVER}\",\"Port\":${LDAP_PORT},\"UseSSL\":false,\"SkipVerify\":true,\"BindDN\":\"${LDAP_BIND_DN}\",\"BindPassword\":\"${LDAP_BIND_PASSWORD}\",\"UserBase\":\"${LDAP_USERS_BASE_DN}\",\"AttributeUsername\":\"username\",\"AttributeName\":\"displayname\",\"AttributeSurname\":\"\",\"AttributeMail\":\"mail\",\"Filter\":\"(\\\\u007C(mail=%[1]s)(username=%[1]s))\",\"AdminFilter\":\"(memberof=cn=admins,${LDAP_GROUPS_BASE_DN})\"}','${now}','${now}');"; then
-        echo "LDAP Authentication was setup with status ${ldap_status}"
+        -e "REPLACE INTO login_source (id, type, name, is_actived, cfg, created_unix, updated_unix) VALUES (1,2,'cloudron',${ldap_status},'{\"Name\":\"cloudron\",\"Host\":\"${LDAP_SERVER}\",\"Port\":${LDAP_PORT},\"UseSSL\":false,\"SkipVerify\":true,\"BindDN\":\"${LDAP_BIND_DN}\",\"BindPassword\":\"${LDAP_BIND_PASSWORD}\",\"UserBase\":\"${LDAP_USERS_BASE_DN}\",\"AttributeUsername\":\"username\",\"AttributeName\":\"displayname\",\"AttributeSurname\":\"\",\"AttributeMail\":\"mail\",\"Filter\":\"(\\\\u007C(mail=%[1]s)(username=%[1]s))\"}','${now}','${now}');"; then
+        echo "==> LDAP Authentication was setup with activation status ${ldap_status}"
     else
-        echo "Failed to setup LDAP authentication"
+        echo "==> Failed to setup LDAP authentication"
         exit 1
     fi
 }
 
+setup_root_user() {
+    set -eu
+
+    if sudo -H -u git /home/git/gitea/gitea admin create-user --name root --password changeme --email test@cloudron.io --admin -c /run/gitea/app.ini; then
+        echo "==> root user added"
+    else
+        echo "==> Failed to add root user"
+        exit 1
+    fi
+}
+
+setup_auth() {
+    set -eu
+
+    # Wait for gitea to finish db setup, before we do any db operations
+    while ! curl --fail http://localhost:3000/healthcheck; do
+        echo "==> Waiting for gitea to come up"
+        sleep 1
+    done
+
+    echo "==> Gitea is up, setting up auth"
+
+    if [[ -n "${LDAP_SERVER:-}" ]]; then
+        setup_ldap_source
+    fi
+
+    user_count=$(mysql -u"${MYSQL_USERNAME}" -p"${MYSQL_PASSWORD}" -h mysql --database="${MYSQL_DATABASE}" -N -B -e "SELECT count(*) FROM user;")
+    # be careful, not to create root user for existing LDAP based installs
+    if [[ "${user_count}" == "0" ]]; then
+        echo "==> Setting up root user for first run"
+        setup_root_user
+    fi
+}
+
 # SSH_PORT can be unset to disable SSH
 disable_ssh="false"
 if [[ -z "${SSH_PORT:-}" ]]; then
@@ -52,19 +81,15 @@ chmod 0644 /app/data/sshd/*.pub
 
 sed -e "s/^Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config > /run/gitea/sshd_config
 
-cp /home/git/app.ini.template "/run/gitea/app.ini"
+if [[ ! -f /app/data/app.ini ]]; then
+    echo -e "; Add customizations here - https://docs.gitea.io/en-us/config-cheat-sheet/" > /app/data/app.ini
 
-# create default user config file
-if ! [ -f /app/data/app.ini ]; then
-    cp /home/git/app.ini.template /app/data/app.ini
-fi
-
-if [ "$(crudini --get /app/data/app.ini security SECRET_KEY)" == "##SECRET_KEY" ]; then
-    echo "Generating new SECRET_KEY"
+    echo "==> Generating new SECRET_KEY"
     crudini --set "/app/data/app.ini" security SECRET_KEY $(pwgen -1 -s)
 fi
 
 # merge user config file
+cp /home/git/app.ini.template "/run/gitea/app.ini"
 crudini --merge "/run/gitea/app.ini" < "/app/data/app.ini"
 
 # override important values
@@ -94,11 +119,12 @@ crudini --set "/run/gitea/app.ini" log MODE "console"
 crudini --set "/run/gitea/app.ini" log ROOT_PATH "/run/gitea"
 crudini --set "/run/gitea/app.ini" indexer ISSUE_INDEXER_PATH "/app/data/appdata/indexers/issues.bleve"
 
+echo "==> Creating dirs and changing permissions"
 mkdir -p /app/data/repository /app/data/ssh /app/data/custom
-
 chown -R git:git /app/data /run/gitea
 
-( setup_ldap_source ) &
+# this expects app.ini to be available
+( setup_auth ) &
 
 exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Gitea
 

test/package.json

@@ -9,17 +9,17 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "ejs": "^2.3.4",
+    "ejs": "^2.6.1",
     "expect.js": "^0.3.1",
     "mkdirp": "^0.5.1",
-    "mocha": "^2.3.4",
-    "rimraf": "^2.4.4",
-    "superagent": "^1.4.0"
+    "mocha": "^6.1.4",
+    "rimraf": "^2.6.3",
+    "superagent": "^5.0.5"
   },
   "dependencies": {
-    "chromedriver": "^2.38.2",
-    "selenium-server-standalone-jar": "^3.3.1",
-    "selenium-webdriver": "^3.3.0",
+    "chromedriver": "^74.0.0",
+    "selenium-server-standalone-jar": "^3.141.5",
+    "selenium-webdriver": "^3.6.0",
     "superagent": "^1.8.5"
   }
 }

test/test.js

@@ -37,11 +37,12 @@ describe('Application life cycle test', function () {
     var username = process.env.USERNAME;
     var password = process.env.PASSWORD;
     var TIMEOUT = parseInt(process.env.TIMEOUT, 10) || 5000;
-    var email, token;
+    var email = process.env.EMAIL, token;
 
     before(function (done) {
         if (!process.env.USERNAME) return done(new Error('USERNAME env var not set'));
         if (!process.env.PASSWORD) return done(new Error('PASSWORD env var not set'));
+        if (!process.env.EMAIL) return done(new Error('EMAIL env var not set'));
 
         var seleniumJar= require('selenium-server-standalone-jar');
         var SeleniumServer = require('selenium-webdriver/remote').SeleniumServer;
@@ -58,12 +59,12 @@ describe('Application life cycle test', function () {
         done();
     });
 
-    function waitForUrl(url, done) {
-        browser.wait(function () {
+    function waitForUrl(url) {
+        return browser.wait(function () {
             return browser.getCurrentUrl().then(function (currentUrl) {
                 return currentUrl === url;
             });
-        }, TIMEOUT).then(function () { done(); });
+        }, TIMEOUT);
     }
 
     function getAppInfo() {
@@ -128,11 +129,13 @@ return done();
         }).then(function () {
             return browser.findElement(by.xpath('//button[contains(text(), "Commit Changes")]')).click();
         }).then(function () {
-            waitForUrl('https://' + app.fqdn + '/' + username + '/' + reponame + '/src/branch/master/newfile', done);
+            return waitForUrl('https://' + app.fqdn + '/' + username + '/' + reponame + '/src/branch/master/newfile');
+        }).then(function () {
+            done();
         });
     }
 
-    function login(done) {
+    function login(username, password, done) {
         browser.get('https://' + app.fqdn + '/user/login').then(function () {
             return browser.findElement(by.id('user_name')).sendKeys(username);
         }).then(function () {
@@ -146,6 +149,18 @@ return done();
         });
     }
 
+    function adminLogin(done) {
+        login('root', 'changeme', done);
+    }
+
+    function logout(done) {
+        browser.get('https://' + app.fqdn + '/user/logout').then(function () {
+            return waitForUrl('https://' + app.fqdn + '/explore/repos');
+        }).then(function () {
+            done();
+        });
+    }
+
     function addPublicKey(done) {
         var publicKey = fs.readFileSync(__dirname + '/id_rsa.pub', 'utf8');
 
@@ -310,8 +325,11 @@ return done();
         });
     });
 
-    it('can login', login);
+    it('can admin login', adminLogin);
     it('can send mail', sendMail);
+    it('can logout', logout);
+
+    it('can login', login.bind(null, username, password));
     it('can set avatar', setAvatar);
     it('can get avatar', checkAvatar);
 
@@ -334,7 +352,7 @@ return done();
         done();
     });
 
-    it('can login', login);
+    it('can login', login.bind(null, username, password));
     it('displays correct clone url', checkCloneUrl);
     it('can clone the url', cloneRepo);
     it('file exists in repo', fileExists);
@@ -347,7 +365,7 @@ return done();
         execSync('cloudron restore --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
 
-    it('can login', login);
+    it('can login', login.bind(null, username, password));
     it('can get avatar', checkAvatar);
     it('can clone the url', cloneRepo);
     it('file exists in repo', function () { expect(fs.existsSync(repodir + '/newfile')).to.be(true); });
@@ -365,7 +383,7 @@ return done();
         });
     });
 
-    it('can login', login);
+    it('can login', login.bind(null, username, password));
     it('can get avatar', checkAvatar);
     it('displays correct clone url', checkCloneUrl);
     it('can clone the url', cloneRepo);
@@ -387,7 +405,7 @@ return done();
         app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
         expect(app).to.be.an('object');
 
-        login(function (error) {
+        login(email, password, function (error) {
             if (error) return done(error);
 
             // ensure we don't hit NXDOMAIN in the mean time
@@ -398,13 +416,33 @@ return done();
         });
     });
 
+    // No SSO
+    it('install app (no sso)', function () {
+        execSync('cloudron install --new --wait --no-sso --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    });
+
+    it('can get app information', function () {
+        var inspect = JSON.parse(execSync('cloudron inspect'));
+
+        app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
+
+        expect(app).to.be.an('object');
+    });
+
+    it('can admin login (no sso)', adminLogin);
+    it('can logout', logout);
+
+    it('uninstall app (no sso)', function () {
+        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    });
+
     // test update
     it('can install app', function () {
         execSync(`cloudron install --new --wait --appstore-id ${app.manifest.id} --location ${LOCATION} -p SSH_PORT=${SSH_PORT}`, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
 
     it('can get app information', getAppInfo);
-    it('can login', login);
+    it('can login', login.bind(null, username, password));
     it('can set avatar', setAvatar);
     it('can get avatar', checkAvatar);
     it('can add public key', addPublicKey);
@@ -416,8 +454,11 @@ return done();
         execSync('cloudron install --wait --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
 
-    it('can login', login);
-    it('can send mail', sendMail);
+    xit('can admin login', adminLogin);
+    xit('can send mail', sendMail);
+    xit('can logout', logout);
+
+    it('can login', login.bind(null, username, password));
     it('can get avatar', checkAvatar);
     it('can clone the url', cloneRepo);
     it('file exists in cloned repo', fileExists);