The keying modules tries to solve two problems, the lack of key
separation and the lack of AEAD being used for encryption. The currently
used `secrets` doesn't provide this and is hard to adjust to provide
this functionality.
For encryption, the additional data is now a parameter that can be used,
as the underlying primitive is an AEAD constructions. This allows for
context binding to happen and can be seen as defense-in-depth; it
ensures that if a value X is encrypted for context Y (e.g. ID=3,
Column="private_key") it will only decrypt if that context Y is also
given in the Decrypt function. This makes confused deputy attack harder
to exploit.[^1]
For key separation, HKDF is used to derives subkeys from some IKM, which
is the value of the `[service].SECRET_KEY` config setting. The context
for subkeys are hardcoded, any variable should be shuffled into the the
additional data parameter when encrypting.
[^1]: This is still possible, because the used AEAD construction is not
key-comitting. For Forgejo's current use-case this risk is negligible,
because the subkeys aren't known to a malicious user (which is required
for such attack), unless they also have access to the IKM (at which
point you can assume the whole system is compromised). See
https://scottarc.blog/2022/10/17/lucid-multi-key-deputies-require-commitment/
Remove the snapping of the images on the projects cards, the images are
way too small to notice that when scrolling you're being snapped to
these images and when you do notice it, it doesn't make sense as you
wouldn't expect it to be snapped.
This is a step towards making Forgejo's binaries (the one listed in the
release tab) reproducible.
In order to make the actual binary reproducible, we have to ensure that
the release workflow has the correct configuration to produce such
reproducible binaries. The release workflow currently uses the
Dockerfile to produce binaries, as this is one of the easiest ways to do
cross-compiling for Go binaries with CGO enabled (due to SQLite). In the
Dockerfile, two new arguments are being given to the build command.
`-trimpath` ensures that the workpath directory doesn't get included in
the binary; this means that file names (such as for panics) are
relative (to the workpath) and not absolute, which shouldn't impact
debugging. `-buildid=` is added to the linker flag; it sets the BuildID
of the Go linker to be empty; the `-buildid` hashes the input actions
and output content; these vary from build to build for unknown reasons,
but likely because of the involvement of temporary file names, this
doesn't have any effect on the behavior of the resulting binary.
The Makefile receives a new command, `reproduce-build#$VERSION` which
can be used by people to produce a reproducible Forgejo binary of a
particular release; it roughly does what the release workflow also does.
Build the Dockerfile and extract the Forgejo binary from it. This
doesn't allow to produce a reproducible version for every release, only
for those that include this patch, as it needs to call the makefile of
that version in order to make a reproducible binary.
There's one thing left to do: the Dockerfile pins the Go version to a
minor level and not to a patch level. This means that if a new Go patch
version is released, that will be used instead and will result in a
different binary that isn't bit to bit the same as the one that Forgejo
has released.
One method to set them all... or something like that.
The defaults for git-grep options were scattered over the run
function body. This change refactors them into a separate method.
The application of defaults is checked implicitly by existing
tests and linters, and the new approach makes it very easy
to inspect the desired defaults are set.
When the Forgejo CLI binary is `forgejo-cli`, the `--verbose` or `--quiet`
arguments are available globally for all sub-commands. The same
sub-commands can be used with `forgejo forgejo-cli`, those flags are
not available.
Fix#31807
ps: the newly added params's value will be changed.
When the first time you selected the filter, the values of params will
be `0` or `1`
But in pager it will be `true` or `false`.
So do we have `boolToInt` function?
(cherry picked from commit 7092402a2db255ecde2c20574b973fb632c16d2e)
Conflicts:
routers/web/org/home.go
trivial conflict s/pager.AddParam/pager.AddParamString/
Modifies forms:
- (new) org team
- (new) repo webhook
- (new) repo protected branch
The forms are not completely rewritten to semantic HTML yet. The focus
of this change was on standard elements, some custom solutions were left
untouched for now.
- swaps the order fo permission radio buttons as per https://codeberg.org/forgejo/forgejo/issues/4983
- uses fieldsets to group related inputs
- ensures consistent styling across forms
- can be improved later, e.g. using horizontal lines between sections
- fixes: previous font size of labels was smaller than the font size of the help text
- help text are now part of the label, clicking them now also activates the input
- drop unused CSS (no required checkboxes in grouped class remain)
- playwright testing:
- move login boilerplate to utils
- automated form accessibility checking
- allow defining the scope, because legacy parts of the forms are not yet accessible
- assert some CSS properties that should not be overriden
- the Makefile adjustment was necessary, because eslint scanned some internal files in the tests/e2e/reports directory
- Regression of #4571
- We aren't showing the ticks generated by chartjs, because we want to
show the avatar of the person instead. You can't *realy* disable that
tick, so instead I opted to make them transparent in #4571, however they
still affected the generation of ticks so if enough authors were being
shown, for some the ticks were being skipped. Adjust the settings to
make sure they are always being shown.
- Resolves https://codeberg.org/forgejo/forgejo/issues/4982
* support changing label colors
* support changing issue state
* use helpers to keep type conversions DRY
* drop the x/exp license because it is no longer used
The tests are performed by the gof3 compliance suite
- When a comment was updated or deleted and was part of an
pending/ongoing review, it would have triggered a notification, such as
a webhook.
- This patch checks if the comment is part of a pending review and then
does not fire a notification and, in the case of updating a comment,
does not save the content history because this is not necessary if it is
still a "draft" comment given it is a pending comment (there is no need
to see my embarrassing typos).
- Adds integration tests.
- Resolves https://codeberg.org/forgejo/forgejo/issues/4368