123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619 |
- # -*- coding: utf-8 -*-
- """
- (c) 2014-2015 - Copyright Red Hat Inc
- Authors:
- Pierre-Yves Chibon <pingou@pingoured.fr>
- """
- from __future__ import absolute_import, unicode_literals
- import os
- from datetime import timedelta
- from pagure.mail_logging import MSG_FORMAT, ContextInjector # noqa: I101
- # Set the time after which the admin session expires
- ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
- # secret key used to generate unique csrf token
- SECRET_KEY = str("<insert here your own key>")
- # url to the database server:
- DB_URL = "sqlite:////var/tmp/pagure_dev.sqlite"
- # Name the instance, used in the welcome screen upon first login (not
- # working with `local` auth)
- INSTANCE_NAME = "Pagure"
- # Provide an email to contact an instance Administrator
- ADMIN_EMAIL = "root@localhost.localdomain"
- # url to datagrepper (optional):
- # DATAGREPPER_URL = 'https://apps.fedoraproject.org/datagrepper'
- # DATAGREPPER_CATEGORY = 'pagure'
- # Send FedMsg notifications of events in pagure
- FEDMSG_NOTIFICATIONS = False
- # The FAS group in which the admin of pagure are
- ADMIN_GROUP = "sysadmin-main"
- # Hard-code a list of users that are global admins
- PAGURE_ADMIN_USERS = []
- # Whether or not to send emails
- EMAIL_SEND = False
- # The email address to which the flask.log will send the errors (tracebacks)
- EMAIL_ERROR = "root@localhost.localdomain"
- # The URL at which the project is available.
- APP_URL = "http://localhost.localdomain/"
- # Enables / Disables tickets for project for the entire pagure instance
- ENABLE_TICKETS = True
- # Enables / Disables docs for project for the entire pagure instance
- ENABLE_DOCS = True
- # Enables / Disables creating projects on this pagure instance
- ENABLE_NEW_PROJECTS = True
- # When using OIDC auth, users must be in this OIDC group to create new projects
- RESTRICT_CREATE_BY_OIDC_GROUP = None
- # When using OIDC auth, users must be a member of
- # RESTRICT_NEW_PROJECTS_BY_OIDC_GROUP and in total
- # this many groups to create new projects
- RESTRICT_CREATE_BY_OIDC_GROUP_COUNT = 0
- # Enables / Disables deleting projects on this pagure instance
- ENABLE_DEL_PROJECTS = True
- # Enables / Disables giving projects on this pagure instance
- ENABLE_GIVE_PROJECTS = True
- # Enables / Disables managing access to the repos
- ENABLE_USER_MNGT = True
- # Enables / Disables managing groups via the UI
- ENABLE_GROUP_MNGT = True
- # Enables / Disables private projects
- PRIVATE_PROJECTS = True
- # Enable / Disable user registration (local auth only)
- ALLOW_USER_REGISTRATION = True
- # Enable / Disable deleting branches in the UI
- ALLOW_DELETE_BRANCH = True
- # Allow admins to ignore existing repos when creating a new project
- ALLOW_ADMIN_IGNORE_EXISTING_REPOS = False
- # List of users that can ignore existing repos when creating a new project
- USERS_IGNORE_EXISTING_REPOS = []
- # Enable / Disable having pagure manage the user's ssh keys
- LOCAL_SSH_KEY = True
- # Enable / Disable deploy keys
- DEPLOY_KEY = True
- # Set to True if default target branch for all PRs in UI
- # should be the branch that is longest substring of the branch
- # that the PR is to be created from
- PR_TARGET_MATCHING_BRANCH = False
- # Enables / Disables showing all the projects by default on the front page
- SHOW_PROJECTS_INDEX = ["repos", "myrepos", "myforks"]
- # The URL to use to clone the git repositories.
- GIT_URL_SSH = "ssh://git@localhost.localdomain/"
- GIT_URL_GIT = "git://localhost.localdomain/"
- # Set to True if git ssh URLs should be displayed even if user
- # doesn't have SSH key uploaded
- ALWAYS_RENDER_SSH_CLONE_URL = False
- # Default queue names for the different services
- WEBHOOK_CELERY_QUEUE = "pagure_webhook"
- LOGCOM_CELERY_QUEUE = "pagure_logcom"
- LOADJSON_CELERY_QUEUE = "pagure_loadjson"
- CI_CELERY_QUEUE = "pagure_ci"
- MIRRORING_QUEUE = "pagure_mirror"
- # Number of items displayed per page
- ITEM_PER_PAGE = 48
- # Maximum size of the uploaded content
- MAX_CONTENT_LENGTH = 4 * 1024 * 1024 # 4 megabytes
- # IP addresses allowed to access the internal endpoints
- IP_ALLOWED_INTERNAL = ["127.0.0.1", "localhost", "::1"]
- # Worker configuration
- CELERY_CONFIG = {}
- # Redis configuration
- EVENTSOURCE_SOURCE = None
- WEBHOOK = False
- REDIS_HOST = "0.0.0.0"
- REDIS_PORT = 6379
- REDIS_DB = 0
- EVENTSOURCE_PORT = 8080
- # Disallow remote pull requests
- DISABLE_REMOTE_PR = False
- # Folder where to place the ssh keys for the mirroring feature
- MIRROR_SSHKEYS_FOLDER = "/var/lib/pagure/sshkeys/"
- # Folder containing the pagure user SSH authorized keys
- SSH_FOLDER = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), "..", "lcl", ".ssh"
- )
- # Folder containing to the git repos
- # Note that this must be exactly the same as GL_REPO_BASE in gitolite.rc
- GIT_FOLDER = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), "..", "lcl", "repos"
- )
- # Folder containing the clones for the remote pull-requests
- REMOTE_GIT_FOLDER = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), "..", "lcl", "remotes"
- )
- # Folder containing attachments
- ATTACHMENTS_FOLDER = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), "..", "lcl", "attachments"
- )
- # Whether to enable scanning for viruses in attachments
- VIRUS_SCAN_ATTACHMENTS = False
- # Configuration file for gitolite
- GITOLITE_CONFIG = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), "..", "lcl", "gitolite.conf"
- )
- # Configuration keys to specify where the upload folder is and what is its
- # name
- UPLOAD_FOLDER_PATH = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), "..", "lcl", "releases"
- )
- # Home folder of the gitolite user -- Folder where to run gl-compile-conf from
- GITOLITE_HOME = None
- # Version of gitolite used: 2 or 3?
- GITOLITE_VERSION = 3
- # Folder containing all the public ssh keys for gitolite
- GITOLITE_KEYDIR = None
- # Backend for git auth decisions
- # This may be either a static helper (like gitolite based) or dynamic.
- GIT_AUTH_BACKEND = "pagure_authorized_keys"
- # Legacy option name for GIT_AUTH_BACKEND, retained for backwards compatibility
- # This option overrides GIT_AUTH_BACKEND
- # GITOLITE_BACKEND = "gitolite3"
- # Whether or not this installation of Pagure should use `gitolite compile-1`
- # to improve speed of some gitolite operations. See documentation for more
- # info about how to set this up.
- GITOLITE_HAS_COMPILE_1 = False
- # Path to the gitolite.rc file
- GL_RC = None
- # Path to the /bin directory where the gitolite tools can be found
- GL_BINDIR = None
- # Whether or not to run "git gc --auto" after every change to a project
- # This will use default git config values
- # See https://git-scm.com/docs/git-gc#git-gc---auto for more details
- GIT_GARBAGE_COLLECT = False
- # SMTP settings
- SMTP_SERVER = "localhost"
- SMTP_PORT = 25
- SMTP_SSL = False
- # Specify both for enabling SMTP auth
- SMTP_USERNAME = None
- SMTP_PASSWORD = None
- # Email used to sent emails
- FROM_EMAIL = "pagure@localhost.localdomain"
- DOMAIN_EMAIL_NOTIFICATIONS = "localhost.localdomain"
- SALT_EMAIL = "<secret key to be changed>"
- # Specify which authentication method to use.
- # Refer to
- # https://docs.pagure.org/pagure/configuration.html?highlight=authentication#pagure-auth
- # for information regarding authentication providers.
- # Available options: `fas`, `openid`, `oidc`, `local`
- # Default: ``local``.
- PAGURE_AUTH = "local"
- # If PAGURE_AUTH is set to 'oidc', the following variables must be set:
- # The path to JSON file with client secrets (provided by your IdP)
- # OIDC_CLIENT_SECRETS = 'client_secrets.json'
- # When this is set to True, the cookie with OpenID Connect Token will only
- # be returned to the server via ssl (https). If you connect to the server
- # via plain http, the cookie will not be sent. This prevents sniffing
- # of the cookie contents. This may be set to False when testing your
- # application but should always be set to True in production.
- # OIDC_ID_TOKEN_COOKIE_SECURE = False
- # OIDC_SCOPES = ['openid', 'email', 'profile']
- # These specify names of expected keys provided as userinfo by IdP.
- # They may vary across different IdPs
- # OIDC_PAGURE_EMAIL = 'email'
- # OIDC_PAGURE_FULLNAME = 'name'
- # OIDC_PAGURE_USERNAME = 'preferred_username'
- # OIDC_PAGURE_SSH_KEY = 'ssh_key'
- # OIDC_PAGURE_GROUPS = 'groups'
- # This specifies fallback for getting username assuming OIDC_PAGURE_USERNAME
- # is empty - can be `email` (to use the part before `@`) or `sub`
- # (IdP-specific user id, can be a nickname, email or a numeric ID
- # depending on IdP).
- # OIDC_PAGURE_USERNAME_FALLBACK = 'email'
- #
- # More settings for OIDC are available from flask-oidc at:
- # http://flask-oidc.readthedocs.io/en/latest/#settings-reference
- # When this is set to True, the session cookie will only be returned to the
- # server via ssl (https). If you connect to the server via plain http, the
- # cookie will not be sent. This prevents sniffing of the cookie contents.
- # This may be set to False when testing your application but should always
- # be set to True in production.
- # Default: ``True``.
- SESSION_COOKIE_SECURE = False
- SESSION_COOKIE_NAME = "pagure"
- # Boolean specifying whether to check the user's IP address when retrieving
- # its session. This make things more secure (thus is on by default) but
- # under certain setup it might not work (for example is there are proxies
- # in front of the application).
- CHECK_SESSION_IP = True
- # Lenght for short commits ids or file hex
- SHORT_LENGTH = 7
- # Used by SESSION_COOKIE_PATH
- APPLICATION_ROOT = "/"
- # List of blacklisted project names
- BLACKLISTED_PROJECTS = [
- "static",
- "pv",
- "releases",
- "new",
- "api",
- "settings",
- "search",
- "fork",
- "logout",
- "login",
- "user",
- "users",
- "groups",
- "projects",
- "ssh_info",
- "issues",
- "pull-requests",
- "commits",
- "tree",
- "forks",
- "admin",
- "c",
- "wait",
- "dashboard",
- "docs/*",
- "tickets/*",
- "requests/*",
- ]
- # List of prefix allowed in project names
- ALLOWED_PREFIX = []
- # List of blacklisted group names
- BLACKLISTED_GROUPS = ["forks", "group"]
- ACLS = {
- "create_branch": "Create a git branch on a project",
- "create_project": "Create a new project",
- "commit_flag": "Flag a commit",
- "fork_project": "Fork a project",
- "generate_acls_project": "Generate the Gitolite ACLs on a project",
- "internal_access": "Access Pagure's internal APIs",
- "issue_assign": "Assign issue to someone",
- "issue_change_status": "Change the status of a ticket",
- "issue_comment": "Comment on a ticket",
- "issue_create": "Create a new ticket",
- "issue_subscribe": "Subscribe the user with this token to an issue",
- "issue_update": "Update an issue, status, comments, custom fields...",
- "issue_update_custom_fields": "Update the custom fields of an issue",
- "issue_update_milestone": "Update the milestone of an issue",
- "modify_project": "Modify an existing project",
- "pull_request_create": "Open a new pull-request",
- "pull_request_close": "Close a pull-request",
- "pull_request_comment": "Comment on a pull-request",
- "pull_request_flag": "Flag a pull-request",
- "pull_request_merge": "Merge a pull-request",
- "pull_request_subscribe": (
- "Subscribe the user with this token to a pull-request"
- ),
- "pull_request_assign": "Assign someone to a pull-request",
- "pull_request_update": (
- "Update a pull-request (title, description, assignee...)"
- ),
- "update_watch_status": "Update the watch status on a project",
- "pull_request_rebase": "Rebase a pull-request",
- "tag_project": "Allows adding git tags to a project",
- "commit": "Commit to a git repository via http(s)",
- "modify_git_alias": "Modify git aliases (create or delete)",
- "create_git_alias": "Create git aliases",
- "delete_git_alias": "Delete git aliases",
- "group_modify": "Add/Remove members from group",
- }
- # List of ACLs which a regular user is allowed to associate to an API token
- # from the ACLs above
- USER_ACLS = [
- key
- for key in ACLS.keys()
- if key not in ["generate_acls_project", "internal_access"]
- ]
- # From the ACLs above lists which ones are tolerated to be associated with
- # an API token that isn't linked to a particular project.
- CROSS_PROJECT_ACLS = [
- "create_project",
- "fork_project",
- "modify_project",
- "group_modify",
- "update_watch_status",
- "pull_request_create",
- "pull_request_update",
- "commit",
- ]
- # ACLs with which admins are allowed to create project-less API tokens
- ADMIN_API_ACLS = [
- "internal_access",
- "issue_comment",
- "issue_create",
- "issue_change_status",
- "pull_request_flag",
- "pull_request_comment",
- "pull_request_merge",
- "generate_acls_project",
- "group_modify",
- "commit_flag",
- "create_branch",
- "tag_project",
- ]
- # List of the type of CI service supported by this pagure instance
- PAGURE_CI_SERVICES = []
- # Boolean to turn on project being by default in the user's namespace
- USER_NAMESPACE = False
- # List of groups whose projects should not be shown on the user's info page
- # unless the user has direct access to it.
- EXCLUDE_GROUP_INDEX = []
- TRIGGER_CI = {
- "pretty please pagure-ci rebuild": {
- "name": "Default CI",
- "description": "Rerun default CI",
- "requires_project_hook_attr": ("ci_hook", "active_pr", True),
- }
- }
- FLAG_STATUSES_LABELS = {
- "success": "badge-success",
- "failure": "badge-danger",
- "error": "badge-danger",
- "pending": "badge-info",
- "canceled": "badge-warning",
- }
- FLAG_SUCCESS = "success"
- FLAG_FAILURE = "failure"
- FLAG_PENDING = "pending"
- # Never enable this option, this is intended for tests only, and can allow
- # easy denial of service to the system if enabled.
- ALLOW_PROJECT_DOWAIT = False
- # Settings for MQTT message sending
- MQTT_NOTIFICATIONS = False
- MQTT_HOST = None
- MQTT_PORT = None
- MQTT_USERNAME = None
- MQTT_PASSWORD = None
- MQTT_CA_CERTS = None
- MQTT_CERTFILE = None
- MQTT_KEYFILE = None
- MQTT_CIPHERS = None
- # Settings for Stomp message sending
- STOMP_NOTIFICATIONS = False
- STOMP_BROKERS = []
- STOMP_SSL = False
- STOMP_KEY_FILE = None
- STOMP_CERT_FILE = None
- STOMP_CREDS_PASSWORD = None
- STOMP_HIERARCHY = None
- LOGGING = {
- "version": 1,
- "disable_existing_loggers": False,
- "formatters": {
- "standard": {
- "format": "%(asctime)s [%(levelname)s] %(name)s: %(message)s"
- },
- "email_format": {"format": MSG_FORMAT},
- },
- "filters": {"myfilter": {"()": ContextInjector}},
- "handlers": {
- "console": {
- "formatter": "standard",
- "class": "logging.StreamHandler",
- "stream": "ext://sys.stdout",
- },
- "auth_handler": {
- "formatter": "standard",
- "class": "logging.StreamHandler",
- "stream": "ext://sys.stdout",
- },
- "email": {
- "level": "ERROR",
- "formatter": "email_format",
- "class": "logging.handlers.SMTPHandler",
- "mailhost": "localhost",
- "fromaddr": "pagure@localhost",
- "toaddrs": "root@localhost",
- "subject": "ERROR on pagure",
- "filters": ["myfilter"],
- },
- },
- # The root logger configuration; this is a catch-all configuration
- # that applies to all log messages not handled by a different logger
- "root": {"level": "INFO", "handlers": ["console"]},
- "loggers": {
- "pagure": {
- "handlers": ["console"],
- "level": "DEBUG",
- "propagate": True,
- },
- "pagure_auth": {
- "handlers": ["auth_handler"],
- "level": "DEBUG",
- "propagate": False,
- },
- "flask": {
- "handlers": ["console"],
- "level": "INFO",
- "propagate": False,
- },
- "sqlalchemy": {
- "handlers": ["console"],
- "level": "WARN",
- "propagate": False,
- },
- "binaryornot": {
- "handlers": ["console"],
- "level": "WARN",
- "propagate": True,
- },
- "MARKDOWN": {
- "handlers": ["console"],
- "level": "WARN",
- "propagate": True,
- },
- "PIL": {"handlers": ["console"], "level": "WARN", "propagate": True},
- "chardet": {
- "handlers": ["console"],
- "level": "WARN",
- "propagate": True,
- },
- "pagure.lib.encoding_utils": {
- "handlers": ["console"],
- "level": "WARN",
- "propagate": False,
- },
- },
- }
- # Gives commit access to all, all but some or just some project based on
- # groups provided by the auth system.
- EXTERNAL_COMMITTER = {}
- # Allows to require that the users are members of a certain group to be added
- # to a project (not a fork).
- REQUIRED_GROUPS = {}
- # Predefined reactions. Selecting others is possible by typing their name. The
- # order here will be preserved in the web UI picker for reactions.
- REACTIONS = [
- ("Thumbs up", "emojione-1F44D"), # Thumbs up
- ("Thumbs down", "emojione-1F44E"), # Thumbs down
- ("Confused", "emojione-1F615"), # Confused
- ("Heart", "emojione-2764"), # Heart
- ]
- # This is used for faster indexing. Do not change.
- _REACTIONS_DICT = dict(REACTIONS)
- # HTTP pull/push options
- # Whether to allow Git HTTP proxying
- ALLOW_HTTP_PULL_PUSH = True
- # Whether to allow pushing via HTTP
- ALLOW_HTTP_PUSH = False
- # Path to Gitolite-shell if using that, None to use Git directly
- HTTP_REPO_ACCESS_GITOLITE = None
- # Configuration for the key helper
- # Look a username up in the database, overrides SSH_KEYS_USERNAME_EXPECT
- SSH_KEYS_USERNAME_LOOKUP = False
- # Except certain usernames from being used via the keyhelper
- SSH_KEYS_USERNAME_FORBIDDEN = ["root"]
- # Username to expect for ssh. Set to None to disallow any access
- SSH_KEYS_USERNAME_EXPECT = None
- # Arguments to add to the SSH keys, possible replacements:
- # %(username)s: username owning this key
- SSH_KEYS_OPTIONS = (
- 'restrict,command="/usr/libexec/pagure/aclchecker.py %(username)s"'
- )
- # If not set to None, aclchecker and keyhelper will use this api admin
- # token to get authorized to internal endpoints that they use. The token
- # must have the internal_access ACL.
- SSH_ADMIN_TOKEN = None
- # ACL Checker options
- SSH_COMMAND = (
- [
- "/usr/bin/%(cmd)s",
- os.path.join(GIT_FOLDER, "%(reponame)s"),
- ],
- {"GL_USER": "%(username)s"},
- )
- CSP_HEADERS = (
- "default-src 'self';"
- "script-src 'self' '{nonce_script}'; "
- "style-src 'self' '{nonce_style}'; "
- "object-src 'none';"
- "base-uri 'self';"
- "img-src 'self' https:;"
- )
- PR_WARN_CHARACTERS = set(
- [
- chr(0x202A),
- chr(0x202B),
- chr(0x202C),
- chr(0x202D),
- chr(0x202E),
- chr(0x2066),
- chr(0x2067),
- chr(0x2068),
- chr(0x2069),
- ]
- )
|