Commit Graph

517 Commits

Author SHA1 Message Date
Catherine 6f84e0f0d4 Allow limiting maximum lifetime of preview sites. 2026-05-28 22:20:49 +00:00
Catherine a7063e00ef Implement site expiration.
Requires `feature = ["expiration"]`.
2026-05-29 00:13:44 +02:00
Catherine 9113025646 Fix typo in package name. NFC 2026-05-28 21:49:23 +00:00
Catherine af333e3d15 Stabilize existence-cache feature.
Also, make the logging a bit quieter.
2026-05-28 23:45:50 +02:00
Catherine f2811a4947 log.Printlog.Println. NFC 2026-05-28 23:45:50 +02:00
Catherine 4d9872067d Expose the binary serialization of the manifest.
This action implies a commitment to maintain the binary serialization
in a forward-compatible way (which is really the status quo).
2026-05-28 23:44:01 +02:00
Catherine de3162bba2 Move OS-related modules into a sub-package. NFC
Historically git-pages did not use those, but the codebase is growing
a bit out of hand and it seems like a good place to start.
2026-05-28 15:37:51 +02:00
Catherine 6e232b5229 Add an index of all known features.
This helps avoid incorrect behavior on typos and notifies end users
that a feature has been stabilized and removed. It also helps us avoid
reusing feature names by accident.
2026-05-28 12:01:47 +00:00
Catherine 3efb332351 Implement pull request preview authorization.
Requires `feature = ["preview"]`.
2026-05-25 23:59:39 +00:00
Catherine 24a54f6fce Factor out forge API integration code. NFC 2026-05-25 21:27:59 +00:00
miyuko ddfa41dadc Allow forge auth for any repo in the forge user's namespace. 2026-05-23 02:37:10 +01:00
Catherine 19332e750f Actually skip creating existence cache for FS backend.
Otherwise, if the feature is enabled, the cache would be refreshed
on every query.
2026-05-19 12:22:42 +00:00
Catherine 9af5565659 Make the existence cache more type-safe.
This makes the uncertain nature of a Bloom filter hit explicit at every
call site.
2026-05-19 12:22:39 +00:00
Catherine 0d24e1aa70 Rename "site existence cache" to "existence cache", tidy it up.
This commit includes no behavioral changes, only cosmetic ones:
 * Renames the concept to "existence cache".
 * Makes log messages more concise.
 * Adds written rationale for the module.
 * Renames feature to `existence-cache`.
2026-05-19 12:22:22 +00:00
miyuko c1400d5934 Add site-level granularity to the domain existence cache. 2026-05-19 05:07:06 +01:00
miyuko f096666829 Remove useless check. 2026-05-19 04:28:38 +01:00
Catherine e40456b51c Correctly handle PATCH requests that overwrite the root node. 2026-05-17 06:46:23 +00:00
Catherine b9165ba288 [breaking-change] Reorder -audit-log columns for readability. 2026-05-14 15:47:44 +02:00
Catherine f1e773b749 Make PAGES_INSECURE bypass [limit].allowed-repository-url-prefixes.
This is the intended behavior but it was accidentally broken
in commit 2c109a5e1e.
2026-05-14 13:16:25 +00:00
Catherine 55f87083e5 [security] Fix false positives on Caddy endpoint due to domain cache.
In commit bbdaae7280, a domain cache was
introduced to deal with misbehaving crawlers that forge `Host:` header
and may cause thousands of expensive S3 requests to be submitted.
This domain cache is implemented using a Bloom filter (which can
produce false positives but not false negatives) for S3 backend, and
using a function always returning true (which will be a false positive
in most cases) for the FS backend.

Both of these behaviors are unacceptable for the Caddy endpoint, but
the FS backend case much more so. If you use git-pages with Caddy you
should upgrade to a build that includes this commit as soon as possible
or Let's Encrypt may rate-limit or restrict your account when you get
unlucky with a crawler.
v0.9.0
2026-05-11 10:26:53 +00:00
miyuko a9fc5780b1 Record git repo URL in the principal when forge auth is used.
Resolves: https://codeberg.org/git-pages/git-pages/issues/167
2026-05-11 03:40:46 +01:00
miyuko ad92847fa0 Record git repo URL in manifest for archive uploads with forge auth.
Resolves: https://codeberg.org/git-pages/git-pages/issues/165
2026-05-11 03:38:54 +01:00
Catherine 3311fb639d Fix incorrect example use case of _headers.
git-pages enables CORS automatically and unconditionally, but COOP/COEP
have to be configured manually.
2026-05-05 03:12:51 +00:00
Catherine 93ce4f9671 Bring authorization flow documentation up to date. 2026-05-05 02:56:08 +00:00
Catherine 73e47cd8d5 Significantly improve efficiency of tracing.
I thought I was being smart by using a trie to record blob existence
and sizes. I was not. The trie approach had at least ~5 times less
throughput and consumed entirely unreasonable amounts of RAM.

A hashmap works just fine here.
2026-05-05 01:57:41 +00:00
Catherine dd7268a657 Fix typo. 2026-05-03 12:30:17 +00:00
Catherine edae862551 Surface detached status of audit records in diagnostic output. 2026-05-03 12:01:33 +00:00
miyuko 5808e90e5a Allow detaching all audit records related to a site. 2026-05-03 11:53:01 +00:00
miyuko 684553ba72 Replace pelletier/go-toml with BurntSushi/toml.
Most of the code was borrowed from
https://codeberg.org/whitequark/ircv3-filehost-server.
2026-04-27 18:26:33 +01:00
miyuko 89f672beda Allow detaching audit records from their blobs for garbage collection.
Resolves: https://codeberg.org/git-pages/git-pages/issues/148
2026-04-27 17:29:16 +01:00
miyuko a233cdfbb8 Fix S3Backend.SearchAuditLog ignoring search options. 2026-04-27 16:48:36 +01:00
Catherine 4d8e620846 Account for manifest's own size for -size-histogram. 2026-04-27 01:16:16 +02:00
Catherine e8112c1abe Add a CLI command -audit-expire to purge old audit records.
This is particularly important with the FS backend, where there isn't
necessarily native tooling capable of handling this task correctly
(since not every filesystem supports file "birth times", and since
restoring data from a backup will reset the "birth time" of audit
records to the moment of restoration).
2026-04-26 23:10:22 +00:00
Catherine b0a674abf4 Fix incorrect start time in AuditID.CompareTime. 2026-04-26 22:59:36 +00:00
Catherine f001107056 Create audit records as read-only when using FS backend.
There is no reason to ever modify the records.
2026-04-26 22:55:30 +00:00
Catherine b7170e3077 Create a domain cache for CLI operations.
Fixes a regression (crash) in `-update-site` introduced in commit
bbdaae7280.
v0.8.1
2026-04-26 21:05:55 +00:00
whitequark 7f5e02081d Add links to support channels. 2026-04-25 22:52:06 +02:00
Catherine 59cf185143 Only log media type for PUT, PATCH, and POST requests.
There isn't much point in logging `Accept:` for GET requests and it
is very noisy.
2026-04-23 16:42:46 +00:00
Catherine c5c5306688 [breaking-change] Use a distinct scope for forge DNS allowlist authz.
Before this commit, a `_git-pages-repository.<host>` TXT record would
allow both forge DNS allowlist authorization, as well as normal DNS
allowlist authorization. This means that a site set up to have its
contents updated by a Forgejo Action could have its contents replaced
by the contents of the repository which contains the Forgejo Action,
which will effectively erase the site in most cases. This is a classic
confused deputy scenario.

To fix this, forge DNS allowlist authorization now uses a distinct
`_git-pages-forge-allowlist.<host>` TXT record, removing ambiguity
that allows this scenario to happen.

The issue was introduced in 27a6de792c
and existed in `main` for about an hour, so it is unlikely anybody
has been impacted by this.
v0.8.0
2026-04-23 15:20:32 +00:00
Catherine 27a6de792c Allow using forge authorization with non-wildcard domains.
The new authorization method combines DNS allowlist and existing forge
authorization methods: DNS records are used to determine the allowed
repository URL, and forge authorization is used to check for push
permissions to that URL.
2026-04-22 01:59:37 +00:00
Catherine 2c109a5e1e Factor out common authorization code. NFC
This commit unifies most of the implementation of `AuthorizeDeletion`
and `AuthorizeUpdateFromArchive`, with the latter additionally checking
that the repository URL in the authorization grant follows the limits.

This is done in preparation of adding a second forge authorization
sub-mechanism that can handle non-wildcard domains.
2026-04-22 01:59:37 +00:00
Catherine d17c645927 Improve forge authorization error message for invalid tokens.
Before:

    - not authorized by forge (wildcard)
      - cannot check repository permissions: GET https://codeberg.org/api/v1/repos/whitequark/whitequark.codeberg.page returned 401 Unauthorized

After:

    - not authorized by forge (wildcard)
      - no access to whitequark/whitequark.codeberg.page or invalid token
2026-04-22 01:59:37 +00:00
Catherine 57e9d05c7f Update default index branch name for codeberg-pages-compat quirk.
The actual Codeberg Pages v2 server uses the Forgejo default branch
for the index repository. The quirk previously used the `main` branch
unconditionally.

This is complex to implement, so per discussion with gusted we have
decided to change the default branch to `pages` so that it has parity
with non-Codeberg-specific behavior.
2026-04-22 00:47:49 +00:00
woodpecker-bot 1e6afe6570 [Renovate] Update docker.io/library/caddy:2.11.2-builder Docker digest to 10ed025 2026-04-20 02:41:04 +02:00
Andrew Cassidy b3692362d8 Allow loading secrets from an additional configuration file.
Adds the `-secrets` command line flag, which defaults to `$CREDENTIALS_DIRECTORY/secrets.toml` if it exists. The secrets.toml file will be loaded the same way as the main config.toml.

Reviewed-on: https://codeberg.org/git-pages/git-pages/pulls/137
Reviewed-by: Catherine <whitequark@whitequark.org>
Co-authored-by: Andrew Cassidy <drewcassidy@me.com>
Co-committed-by: Andrew Cassidy <drewcassidy@me.com>
2026-04-20 02:40:34 +02:00
David Leadbeater 021c493daa Revert "Revert "[Renovate] Update all dependencies""
This reverts commit 57dc8f8520.
2026-04-18 23:12:49 +10:00
David Leadbeater b54664258b Update go-git API to v6.0.0-alpha.2 2026-04-18 23:12:18 +10:00
Catherine 57dc8f8520 Revert "[Renovate] Update all dependencies"
This reverts commit 2b35996f62.
2026-04-18 12:08:07 +00:00
woodpecker-bot 2b35996f62 [Renovate] Update all dependencies 2026-04-18 11:59:05 +00:00
Catherine cf050f505b Improve performance of -trace-garbage. 2026-04-14 05:01:37 +00:00