From 2bde83b51de8739397dabdba97c68135e70d7faa Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Mon, 31 Jan 2022 17:49:06 +0100
Subject: [PATCH 1/3] DISABLE_ACCESS_TOKENS parameter for disabling access tokens added
Access tokens are hardcoded and cannot be disabled (i.e. when owner doesn't want this kind of authentication). This mod introduces new DISABLE_ACCESS_TOKENS parameter in app.ini section [security]. When disabled (default when parameter is not present) gitea behaves as without this mod (access tokens feature is available). When enabled, access tokens feature and its UI elements are not avaiable. This mod also hides those areas on Settings/Applications page that are disabled in config and hides menu link to Applications page if all its areas are disabled in config.
Related: https://github.com/go-gitea/gitea/pull/13129
Author-Change-Id: IB#1115254
---
custom/conf/app.example.ini | 3 +++
.../doc/advanced/config-cheat-sheet.en-us.md | 1 +
modules/setting/setting.go | 2 ++
modules/templates/helper.go | 6 +++++
routers/web/user/setting/applications.go | 23 +++++++++++++++----
templates/user/settings/applications.tmpl | 2 ++
templates/user/settings/navbar.tmpl | 2 ++
7 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 586c924c4ab83..95bd985f68861 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -372,6 +372,9 @@ INTERNAL_TOKEN=
 ;; Set to true to disable webhooks feature.
 ;DISABLE_WEBHOOKS = false
 ;;
+;; Set to false to disable access tokens feature.
+;DISABLE_ACCESS_TOKENS = false
+;;
 ;; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ;ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;;
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 6cbc9b91f985b..fb18c7ae60a2f 100644
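Review bot: The comment added above the new key reads `;; Set to false to disable access tokens feature.`, but the key's default is `false` and it is the value `true` that disables the feature, as both the DISABLE_WEBHOOKS comment directly above and the cheat-sheet entry in this same patch say. An operator who follows the example as written would leave token authentication enabled while believing it was switched off. Change the line to `;; Set to true to disable access tokens feature.`.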
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -498,6 +498,7 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
 This maybe harmful to you website or your operating system.
 - `DISABLE_WEBHOOKS`: **false**: Set to `true` to disable webhooks feature.
+- `DISABLE_ACCESS_TOKENS`: **false**: Set to `true` to disable access tokens feature.
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to Gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\**: Secret used to validate communication within Gitea binary.
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index abd6716c74e6e..c7b6fb8ccc3a7 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -187,6 +187,7 @@ var (
 ImportLocalPaths bool
 DisableGitHooks bool
 DisableWebhooks bool
+ DisableAccessTokens bool
 OnlyAllowPushIfGiteaEnvironmentSet bool
 PasswordComplexity []string
 PasswordHashAlgo string
@@ -868,6 +869,7 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
 DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
+ DisableAccessTokens = sec.Key("DISABLE_ACCESS_TOKENS").MustBool(false)
 OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
 CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index fc07b49c71925..6fdc510124e5f 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -236,6 +236,12 @@ func NewFuncMap() []template.FuncMap {
 "DisableWebhooks": func() bool {
 return setting.DisableWebhooks
 },
+ "DisableAccessTokens": func() bool {
+ return setting.DisableAccessTokens
+ },
+ "DisableOAuth2": func() bool {
+ return !setting.OAuth2.Enable
+ },
 "DisableImportLocal": func() bool {
 return !setting.ImportLocalPaths
 },
diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
index 20ffdfaf840e8..fbfe0bfaa4247 100644
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -6,6 +6,7 @@ package setting
 import (
+ "fmt"
 "net/http"
 "code.gitea.io/gitea/models"
@@ -44,6 +45,11 @@ func ApplicationsPost(ctx *context.Context) {
 return
 }
+ if setting.DisableAccessTokens {
+ ctx.ServerError("AccessToken", fmt.Errorf("cannot modify access token; access tokens disabled"))
+ return
+ }
+
 t := &models.AccessToken{
 UID: ctx.User.ID,
 Name: form.Name,
@@ -73,6 +79,10 @@ func ApplicationsPost(ctx *context.Context) {
 // DeleteApplication response for delete user access token
 func DeleteApplication(ctx *context.Context) {
+ if setting.DisableAccessTokens {
+ ctx.ServerError("DeleteAccessToken", fmt.Errorf("cannot delete access token; access tokens disabled"))
+ return
+ }
 if err := models.DeleteAccessTokenByID(ctx.FormInt64("id"), ctx.User.ID); err != nil {
 ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
 } else {
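Review bot: The guard added in ApplicationsPost answers a request for a deliberately disabled feature with `ctx.ServerError`, which yields a 500 and is recorded as an internal error even though nothing on the server failed; the guard added at the top of DeleteApplication in the following hunk has the same shape. A client-side status fits better, e.g. `ctx.Error(http.StatusForbidden)` (`net/http` is already imported in this file), and it keeps the server error log free of entries that any logged-in user can produce on demand. The ApplicationsPost guard also appears to sit after the form-validation block that precedes it, so placing it before that block would reject the request before any work is done on a disabled path. ApplicationsPost begins before this hunk and both handlers continue past their hunks.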
@@ -85,14 +95,17 @@ func DeleteApplication(ctx *context.Context) {
 }
 func loadApplicationsData(ctx *context.Context) {
- tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
- if err != nil {
- ctx.ServerError("ListAccessTokens", err)
- return
+ if setting.DisableAccessTokens {
+ tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
+ if err != nil {
+ ctx.ServerError("ListAccessTokens", err)
+ return
+ }
+ ctx.Data["Tokens"] = tokens
 }
- ctx.Data["Tokens"] = tokens
 ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
 if setting.OAuth2.Enable {
+ var err error
 ctx.Data["Applications"], err = auth.GetOAuth2ApplicationsByUserID(ctx.User.ID)
 if err != nil {
 ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
diff --git a/templates/user/settings/applications.tmpl b/templates/user/settings/applications.tmpl
index 811ce5d64397b..aa4c2fb38212c 100644
--- a/templates/user/settings/applications.tmpl
+++ b/templates/user/settings/applications.tmpl
@@ -3,6 +3,7 @@
 {{template "user/settings/navbar" .}}
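Review bot: The `var err error` added inside the OAuth2 branch exists only so that the existing `ctx.Data["Applications"], err = ...` assignment still compiles now that the earlier `err` lives inside the new token block. A short declaration keeps the error scoped to the call that produces it: `apps, err := auth.GetOAuth2ApplicationsByUserID(ctx.User.ID)`, then the existing `if err != nil` check, then `ctx.Data["Applications"] = apps`. loadApplicationsData continues past the end of this hunk.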
 {{template "base/alert" .}}
+ {{if not DisableAccessTokens}}

{{.i18n.Tr "settings.manage_access_token"}}

@@ -46,6 +47,7 @@
+ {{end}}
 {{if .EnableOAuth2}}
 {{template "user/settings/grants_oauth2" .}}
diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl
index 3477a5949b849..419cc9ba17c96 100644
--- a/templates/user/settings/navbar.tmpl
+++ b/templates/user/settings/navbar.tmpl
@@ -12,9 +12,11 @@
 {{.i18n.Tr "settings.security"}}
+ {{if or (not DisableAccessTokens) (not DisableOAuth2)}}
 {{.i18n.Tr "settings.applications"}}
+ {{end}}
 {{.i18n.Tr "settings.ssh_gpg_keys"}}
From 7a5e48377a143c8b5bf520f2786cf6bcb3c3f161 Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Mon, 31 Jan 2022 18:00:13 +0100
Subject: [PATCH 2/3] Missing negation added
Fixes: 2bde83b51de8739397dabdba97c68135e70d7faa
Author-Change-Id: IB#1115254
---
routers/web/user/setting/applications.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
index fbfe0bfaa4247..eea744512fb3b 100644
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -95,7 +95,7 @@ func DeleteApplication(ctx *context.Context) {
 }
 func loadApplicationsData(ctx *context.Context) {
- if setting.DisableAccessTokens {
+ if !setting.DisableAccessTokens {
 tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
 if err != nil {
 ctx.ServerError("ListAccessTokens", err)
From 3de67bf63a97a1fcf58e9aee1c51691fa3b4a04a Mon Sep 17 00:00:00 2001
From: Pawel Boguslawski
Date: Thu, 3 Feb 2022 18:06:50 +0100
Subject: [PATCH 3/3] Disabling existing access tokens added
When DISABLE_ACCESS_TOKENS=true, existing access tokens should be disabled.
Fixes: 2bde83b51de8739397dabdba97c68135e70d7faa
Related: https://github.com/go-gitea/gitea/pull/18488#pullrequestreview-871933144
Author-Change-Id: IB#1115254
---
models/token.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/models/token.go b/models/token.go
index 44428a0809273..9042f4a59e169 100644
--- a/models/token.go
+++ b/models/token.go
@@ -94,6 +94,12 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) {
 if token == "" {
 return nil, ErrAccessTokenEmpty{}
 }
+
+ // Existing tokens are invalid if access tokens feature is disabled.
+ if setting.DisableAccessTokens {
+ return nil, ErrAccessTokenNotExist{token}
+ }
+
 // A token is defined as being SHA1 sum these are 40 hexadecimal bytes long
 if len(token) != 40 {
 return nil, ErrAccessTokenNotExist{token}
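Review bot: The check added to GetAccessTokenBySHA reports a disabled feature as `ErrAccessTokenNotExist`, so an operator whose clients start failing after setting DISABLE_ACCESS_TOKENS sees only "token does not exist" errors with nothing pointing at the setting. Returning the not-exist error to the caller is a sound choice, since the response reveals nothing about whether the presented token is real, but the comment should say what actually happens and the setting is worth naming in a log line at the point of rejection; e.g. `// Tokens are rejected at lookup while DISABLE_ACCESS_TOKENS is set; they are not deleted and become valid again once the setting is cleared.`. It is also worth confirming that every authentication path that consults stored tokens goes through this lookup, since only GetAccessTokenBySHA is guarded here. GetAccessTokenBySHA continues past the end of this hunk.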