From b79ade104858ce6714a7329b7629b331564a2ea5 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 26 Mar 2013 17:00:50 -0400
Subject: [PATCH] Integrate pull-request #76: enforce HTTP Basic authentication

---
 distrib/gitblit.properties | 360 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 350 insertions(+), 10 deletions(-)

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index f3e2ac1..ba4fa2c 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -1,4 +1,19 @@
 #
+# Gitblit Settings
+#
+
+# This settings file supports parameterization from the command-line for the
+# following command-line parameters:
+#
+# --baseFolder ${baseFolder} SINCE 1.2.1
+#
+# Settings that support ${baseFolder} parameter substitution are indicated with the
+# BASEFOLDER attribute. If the --baseFolder argument is unspecified, ${baseFolder}
+# and it's trailing / will be discarded from the setting value leaving a relative
+# path that is equivalent to pre-1.2.1 releases.
+#
+# e.g. "${baseFolder}/git" becomes "git", if --baseFolder is unspecified
+#
 # Git Servlet Settings
 #
 
@@ -10,7 +25,19 @@
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-git.repositoriesFolder = git
+# BASEFOLDER
+git.repositoriesFolder = ${baseFolder}/git
+
+# Build the available repository list at startup and cache this list for reuse.
+# This reduces disk io when presenting the repositories page, responding to rpcs,
+# etc, but it means that Gitblit will not automatically identify repositories
+# added or deleted by external tools.
+#
+# For this case you can use curl, wget, etc to issue an rpc request to clear the
+# cache (e.g. https://localhost/rpc?req=CLEAR_REPOSITORY_CACHE)
+#
+# SINCE 1.1.0
+git.cacheRepositoryList = true
 
 # Search the repositories folder subfolders for other repositories.
 # Repositories MAY NOT be nested (i.e. one repository within another)
@@ -21,6 +48,34 @@
 # SINCE 0.5.0
 git.searchRepositoriesSubfolders = true
 
+# Maximum number of folders to recurse into when searching for repositories.
+# The default value, -1, disables depth limits.
+#
+# SINCE 1.1.0
+git.searchRecursionDepth = -1
+
+# List of regex exclusion patterns to match against folders found in
+# *git.repositoriesFolder*.
+# Use forward slashes even on Windows!!
+# e.g. test/jgit\.git
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 1.1.0
+git.searchExclusions =
+
+# List of regex url patterns for extracting a repository name when locating
+# submodules.
+# e.g. git.submoduleUrlPatterns = .*?://github.com/(.*) will extract
+# *gitblit/gitblit.git* from *git://github.com/gitblit/gitblit.git*
+# If no matches are found then the submodule repository name is assumed to be
+# whatever trails the last / character. (e.g. gitblit.git).
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 1.1.0
+git.submoduleUrlPatterns = .*?://github.com/(.*)
+
 # Allow push/pull over http/https with JGit servlet.
 # If you do NOT want to allow Git clients to clone/push to Gitblit set this
 # to false. You might want to do this if you are only using ssh:// or git://.
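Review bot: The default `git.submoduleUrlPatterns = .*?://github.com/(.*)` is documented as a regex, but its dots are unescaped, so each `.` matches any character and the pattern also accepts hosts such as `github-com` or `githubXcom`; the neighbouring `git.searchExclusions` example escapes its dot (`test/jgit\.git`) and this default should do the same. Change it to `git.submoduleUrlPatterns = .*?://github\.com/(.*)` and use the escaped form in the `e.g.` line above it as well. Whether the pattern is applied with find or whole-match semantics is not visible here, so the comment could also state whether the expression must cover the entire URL.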
@@ -30,12 +85,48 @@
 # SINCE 0.5.0
 git.enableGitServlet = true
 
+# If you want to restrict all git servlet access to those with valid X509 client
+# certificates then set this value to true.
+#
+# SINCE 1.2.0
+git.requiresClientCertificate = false
+
+# Enforce date checks on client certificates to ensure that they are not being
+# used prematurely and that they have not expired.
+#
+# SINCE 1.2.0
+git.enforceCertificateValidity = true
+
+# List of OIDs to extract from a client certificate DN to map a certificate to
+# an account username.
+#
+# e.g. git.certificateUsernameOIDs = CN
+# e.g. git.certificateUsernameOIDs = FirstName LastName
+#
+# SPACE-DELIMITED
+# SINCE 1.2.0
+git.certificateUsernameOIDs = CN
+
 # Only serve/display bare repositories.
 # If there are non-bare repositories in git.repositoriesFolder and this setting
 # is true, they will be excluded from the ui.
 #
 # SINCE 0.9.0
 git.onlyAccessBareRepositories = false
+
+# Allow an authenticated user to create a destination repository on a push if
+# the repository does not already exist.
+#
+# Administrator accounts can create a repository in any project.
+# These repositories are created with the default access restriction and authorization
+# control values. The pushing account is set as the owner.
+#
+# Non-administrator accounts with the CREATE role may create personal repositories.
+# These repositories are created as VIEW restricted for NAMED users.
+# The pushing account is set as the owner.
+#
+# SINCE 1.2.0
+git.allowCreateOnPush = true
 
 # The default access restriction for new repositories.
 # Valid values are NONE, PUSH, CLONE, VIEW
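Review bot: The comment for `git.certificateUsernameOIDs` explains how a DN is turned into a username but not where trust comes from, which is the security-relevant half: the OIDs only select which account a presented certificate logs into, while acceptance of the certificate itself presumably rests on the server truststore, so any CA that store trusts can issue a certificate naming any user. Add `# The extracted fields only select the account; the certificate must still chain to a CA in the server truststore, and every CA there can issue a certificate for any username.` above `git.certificateUsernameOIDs = CN`. Likewise `git.enforceCertificateValidity` is documented as date checks only; if revoked certificates are or are not rejected, say so, because a reader will otherwise assume "validity" covers revocation.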
@@ -47,6 +138,75 @@
 # SINCE 1.0.0
 git.defaultAccessRestriction = NONE
 
+# The default authorization control for new repositories.
+# Valid values are AUTHENTICATED and NAMED
+# AUTHENTICATED = any authenticated user is granted restricted access
+# NAMED = only named users/teams are granted restricted access
+#
+# SINCE 1.1.0
+git.defaultAuthorizationControl = NAMED
+
+# Enable JGit-based garbage collection. (!!EXPERIMENTAL!!)
+#
+# USE AT YOUR OWN RISK!
+#
+# If enabled, the garbage collection executor scans all repositories once a day
+# at the hour of your choosing. The GC executor will take each repository "offline",
+# one-at-a-time, to check if the repository satisfies it's GC trigger requirements.
+#
+# While the repository is offline it will be inaccessible from the web UI or from
+# any of the other services (git, rpc, rss, etc).
+#
+# Gitblit's GC Executor MAY NOT PLAY NICE with the other Git kids on the block,
+# especially on Windows systems, so if you are using other tools please coordinate
+# their usage with your GC Executor schedule or do not use this feature.
+#
+# The GC algorithm complex and the JGit team advises caution when using their
+# young implementation of GC.
+#
+# http://wiki.eclipse.org/EGit/New_and_Noteworthy/2.1#Garbage_Collector_and_Repository_Storage_Statistics
+#
+# EXPERIMENTAL
+# SINCE 1.2.0
+# RESTART REQUIRED
+git.enableGarbageCollection = false
+
+# Hour of the day for the GC Executor to scan repositories.
+# This value is in 24-hour time.
+#
+# SINCE 1.2.0
+git.garbageCollectionHour = 0
+
+# The default minimum total filesize of loose objects to trigger early garbage
+# collection.
+#
+# You may specify a custom threshold for a repository in the repository's settings.
+# Common unit suffixes of k, m, or g are supported.
+#
+# SINCE 1.2.0
+git.defaultGarbageCollectionThreshold = 500k
+
+# The default period, in days, between GCs for a repository. If the total filesize
+# of the loose object exceeds *git.garbageCollectionThreshold* or the repository's
+# custom threshold, this period will be short-circuited.
+#
+# e.g. if a repository collects 100KB of loose objects every day with a 500KB
+# threshold and a period of 7 days, it will take 5 days for the loose objects to
+# be collected, packed, and pruned.
+#
+# OR
+#
+# if a repository collects 10KB of loose objects every day with a 500KB threshold
+# and a period of 7 days, it will take the full 7 days for the loose objects to be
+# collected, packed, and pruned.
+#
+# You may specify a custom period for a repository in the repository's settings.
+#
+# The minimum value is 1 day since the GC Executor only runs once a day.
+#
+# SINCE 1.2.0
+git.defaultGarbageCollectionPeriod = 7
+
 # Number of bytes of a pack file to load into memory in a single read operation.
 # This is the "page size" of the JGit buffer cache, used for all pack access
 # operations. All disk IO occurs as single window reads. Setting this too large
@@ -56,6 +216,7 @@
 # Default on JGit is 8 KiB on all platforms.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -72,6 +233,7 @@
 # Default on JGit is 10 MiB on all platforms.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -85,6 +247,7 @@
 # this value.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -98,6 +261,7 @@
 # available for network sockets and other repository data manipulation.
 #
 # Default on JGit is 128 file descriptors on all platforms.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
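Review bot: The `git.defaultGarbageCollectionPeriod` comment refers to `*git.garbageCollectionThreshold*`, but the key defined just above it is `git.defaultGarbageCollectionThreshold`; a reader following the comment will set a key that does not exist. Replace the line with `# of the loose object exceeds *git.defaultGarbageCollectionThreshold* or the repository's`. Two wording slips in the same hunk: `# The GC algorithm complex and the JGit team advises caution` is missing "is", and `it's GC trigger requirements` should be `its`. This hunk begins on the previous line.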
@@ -118,6 +282,7 @@
 # Default is 50 MiB on all platforms.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -134,6 +299,7 @@
 #
 # Default on JGit is false. Although potentially slower, it yields much more
 # predictable behavior.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -149,14 +315,16 @@
 #
 # RESTART REQUIRED
 # SINCE 0.8.0
-groovy.scriptsFolder = groovy
+# BASEFOLDER
+groovy.scriptsFolder = ${baseFolder}/groovy
 
 # Specify the directory Grape uses for downloading libraries.
 # http://groovy.codehaus.org/Grape
 #
 # RESTART REQUIRED
 # SINCE 1.0.0
-groovy.grapeFolder = groovy/grape
+# BASEFOLDER
+groovy.grapeFolder = ${baseFolder}/groovy/grape
 
 # Scripts to execute on Pre-Receive.
 #
@@ -216,6 +384,53 @@
 groovy.customFields =
 
 #
+# Fanout Settings
+#
+
+# Fanout is a PubSub notification service that can be used by Sparkleshare
+# to eliminate repository change polling. The fanout service runs in a separate
+# thread on a separate port from the Gitblit http/https application.
+# This service is provided so that Sparkleshare may be used with Gitblit in
+# firewalled environments or where reliance on Sparkleshare's default notifications
+# server (notifications.sparkleshare.org) is unwanted.
+#
+# This service maintains an open socket connection from the client to the
+# Fanout PubSub service. This service may not work properly behind a proxy server.
+
+# Specify the interface for Fanout to bind it's service.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 1.2.1
+# RESTART REQUIRED
+fanout.bindInterface = localhost
+
+# port for serving the Fanout PubSub service. <= 0 disables this service.
+# On Unix/Linux systems, ports < 1024 require root permissions.
+# Recommended value: 17000
+#
+# SINCE 1.2.1
+# RESTART REQUIRED
+fanout.port = 0
+
+# Use Fanout NIO service. If false, a multi-threaded socket service will be used.
+# Be advised, the socket implementation spawns a thread per connection plus the
+# connection acceptor thread. The NIO implementation is completely single-threaded.
+#
+# SINCE 1.2.1
+# RESTART REQUIRED
+fanout.useNio = true
+
+# Concurrent connection limit. <= 0 disables concurrent connection throttling.
+# If > 0, only the specified number of concurrent connections will be allowed
+# and all other connections will be rejected.
+#
+# SINCE 1.2.1
+# RESTART REQUIRED
+fanout.connectionLimit = 0
+
+#
 # Authentication Settings
 #
 
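Review bot: The Fanout section documents the bind interface, port, NIO mode and a connection limit, but says nothing about who may connect or what a subscriber learns, which is exactly what an operator needs before moving `fanout.bindInterface` off `localhost`. Nothing in this hunk indicates that subscribers are authenticated, and the service code is not part of the patch, so add a hedged line above `fanout.bindInterface = localhost` such as `# NOTE: confirm whether Fanout authenticates subscribers before binding to anything other than localhost.`. Because the default `fanout.connectionLimit = 0` disables throttling, the same comment could recommend setting a limit whenever the service is reachable from other hosts. Also `bind it's service` should read `its`.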
@@ -224,6 +439,12 @@
 # SINCE 0.5.0
 # RESTART REQUIRED
 web.authenticateViewPages = false
+
+# if web.authenticateViewPages=true you may optionally require a client-side
+# basic authentication prompt instead of the standard form-based login.
+#
+# SINCE 1.3.0
+web.enforceHttpBasicAuthentication = false
 
 # Require admin authentication for the admin functions and pages
 #
@@ -237,18 +458,26 @@
 # SINCE 0.5.0
 web.allowCookieAuthentication = true
 
+# Config file for storing project metadata
+#
+# SINCE 1.2.0
+# BASEFOLDER
+web.projectsFile = ${baseFolder}/projects.conf
+
 # Either the full path to a user config file (users.conf)
 # OR the full path to a simple user properties file (users.properties)
 # OR a fully qualified class name that implements the IUserService interface.
 #
 # Alternative user services:
 # com.gitblit.LdapUserService
+# com.gitblit.RedmineUserService
 #
 # Any custom user service implementation must have a public default constructor.
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-realm.userService = users.conf
+# BASEFOLDER
+realm.userService = ${baseFolder}/users.conf
 
 # How to store passwords.
 # Valid values are plain, md5, or combined-md5. md5 is the hash of password.
@@ -307,7 +536,8 @@
 # http://googlewebmastercentral.blogspot.com/2008/06/improving-on-robots-exclusion-protocol.html
 #
 # SINCE 1.0.0
-web.robots.txt =
+# BASEFOLDER
+web.robots.txt = ${baseFolder}/robots.txt
 
 # If true, the web ui layout will respond and adapt to the browser's dimensions.
 # if false, the web ui will use a 940px fixed-width layout.
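Review bot: The comment on `web.enforceHttpBasicAuthentication` presents Basic auth as merely a different prompt, but Basic authentication sends the username and password (base64-encoded, not encrypted) with every request, so enabling it on a plain http listener exposes credentials to anyone on the path. Add `# Basic authentication transmits the username and password with every request; only enable this when Gitblit is served over https.` below the two existing comment lines. The `if web.authenticateViewPages=true` wording implies the setting is ignored when that flag is false but does not say so; state it explicitly so operators do not expect a prompt that never appears.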
@@ -326,6 +556,19 @@
 # SINCE 0.5.0
 web.allowZipDownloads = true
 
+# If *web.allowZipDownloads=true* the following formats will be displayed for
+# download compressed archive links:
+#
+# zip = standard .zip
+# tar = standard tar format (preserves *nix permissions and symlinks)
+# gz = gz-compressed tar
+# xz = xz-compressed tar
+# bzip2 = bzip2-compressed tar
+#
+# SPACE-DELIMITED
+# SINCE 1.2.0
+web.compressedDownloads = zip gz
+
 # Allow optional Lucene integration. Lucene indexing is an opt-in feature.
 # A repository may specify branches to index with Lucene instead of using Git
 # commit traversal. There are scenarios where you may want to completely disable
@@ -335,12 +578,31 @@
 # SINCE 0.9.0
 web.allowLuceneIndexing = true
 
+# Allows an authenticated user to create forks of a repository
+#
+# set this to false if you want to disable all fork controls on the web site
+#
+web.allowForking = true
+
+# Controls the length of shortened commit hash ids
+#
+# SINCE 1.2.0
+web.shortCommitIdLength = 6
+
 # Use Clippy (Flash solution) to provide a copy-to-clipboard button.
 # If false, a button with a more primitive JavaScript-based prompt box will
 # offer a 3-step (click, ctrl+c, enter) copy-to-clipboard alternative.
 #
 # SINCE 0.8.0
 web.allowFlashCopyToClipboard = true
+
+# Default maximum number of commits that a repository may contribute to the
+# activity page, regardless of the selected duration. This setting may be valuable
+# for an extremely busy server. This value may also be configed per-repository
+# in Edit Repository. 0 disables this throttle.
+#
+# SINCE 1.2.0
+web.maxActivityCommits = 0
 
 # Default number of entries to include in RSS Syndication links
 #
@@ -374,6 +636,7 @@
 # Specifying "gitblit" uses the internal login message.
 #
 # SINCE 0.7.0
+# BASEFOLDER
 web.loginMessage = gitblit
 
 # This is the message displayed above the repositories table.
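Review bot: `web.allowForking` is the only new key in this hunk without a `# SINCE` line, while its neighbours `web.compressedDownloads`, `web.shortCommitIdLength` and `web.maxActivityCommits` all carry `# SINCE 1.2.0`; add the version in which fork controls appeared so the file's convention holds. The comment's trailing bare `#` before `web.allowForking = true` reads as the placeholder where that line was meant to go. In the `web.maxActivityCommits` comment, `configed` should read `configured`.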
@@ -381,6 +644,7 @@
 # Specifying "gitblit" uses the internal welcome message.
 #
 # SINCE 0.5.0
+# BASEFOLDER
 web.repositoriesMessage = gitblit
 
 # Ordered list of charsets/encodings to use when trying to display a blob.
@@ -545,7 +809,7 @@
 #
 # SPACE-DELIMITED
 # SINCE 0.5.0
-web.prettyPrintExtensions = c cpp cs css htm html java js php pl prefs properties py rb sh sql xml vb
+web.prettyPrintExtensions = c cpp cs css frm groovy htm html java js php pl prefs properties py rb scala sh sql xml vb
 
 # Registered extensions for markdown transformation
 #
@@ -690,7 +954,8 @@
 # Use forward slashes even on Windows!!
 #
 # SINCE 0.6.0
-federation.proposalsFolder = proposals
+# BASEFOLDER
+federation.proposalsFolder = ${baseFolder}/proposals
 
 # The default pull frequency if frequency is unspecified on a registration
 #
@@ -767,6 +1032,8 @@
 
 #
 # URL of the LDAP server.
+# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
+# send StartTLS command.
 #
 # SINCE 1.0.0
 realm.ldap.server = ldap://localhost
@@ -790,7 +1057,8 @@
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
-realm.ldap.backingUserService = users.conf
+# BASEFOLDER
+realm.ldap.backingUserService = ${baseFolder}/users.conf
 
 # Delegate team membership control to LDAP.
 #
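Review bot: The new `realm.ldap.server` comment names the encrypted schemes but never says that the default `ldap://` form is cleartext: with it, the bind credentials and every user password Gitblit checks against the directory cross the network unencrypted. Add `# Plain ldap:// sends the bind credentials and user passwords in cleartext; use it only for a loopback or same-host server.` after the StartTLS sentence. Whether the ldaps:// and StartTLS paths validate the server certificate is not visible in this patch; if a truststore or validation setting exists for it, reference it here so an operator does not assume encryption implies authentication of the directory.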
@@ -881,6 +1149,45 @@
 # SINCE 1.0.0
 realm.ldap.email = email
 
+# Defines the cache period to be used when caching LDAP queries. This is currently
+# only used for LDAP user synchronization.
+#
+# Must be of the form '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'
+# default: 2 MINUTES
+#
+# RESTART REQUIRED
+realm.ldap.ldapCachePeriod = 2 MINUTES
+
+# Defines whether to synchronize all LDAP users into the backing user service
+#
+# Valid values: true, false
+# If left blank, false is assumed
+realm.ldap.synchronizeUsers.enable = false
+
+# Defines whether to delete non-existent LDAP users from the backing user service
+# during synchronization. depends on realm.ldap.synchronizeUsers.enable = true
+#
+# Valid values: true, false
+# If left blank, true is assumed
+realm.ldap.synchronizeUsers.removeDeleted = true
+
+# Attribute on the USER record that indicate their username to be used in gitblit
+# when synchronizing users from LDAP
+# if blank, Gitblit will use uid
+# For MS Active Directory this may be sAMAccountName
+realm.ldap.uid = uid
+
+# The RedmineUserService must be backed by another user service for standard user
+# and team management.
+# default: users.conf
+#
+# RESTART REQUIRED
+# BASEFOLDER
+realm.redmine.backingUserService = ${baseFolder}/users.conf
+
+# URL of the Redmine.
+realm.redmine.url = http://example.com/redmine
+
 #
 # Server Settings
 #
@@ -889,7 +1196,8 @@
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-server.tempFolder = temp
+# BASEFOLDER
+server.tempFolder = ${baseFolder}/temp
 
 # Use Jetty NIO connectors. If false, Jetty Socket connectors will be used.
 #
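Review bot: The Redmine example `realm.redmine.url = http://example.com/redmine` shows a plain-http URL for what this patch lists as a user service (`com.gitblit.RedmineUserService`), so whatever Gitblit sends there to authenticate a user presumably crosses the network in cleartext; make the example `https://example.com/redmine` and add `# Use https; user credentials or API keys are sent to this URL.` above it. None of the six new `realm.ldap.*` / `realm.redmine.*` keys carries a `# SINCE` line, unlike every other key this patch adds. `realm.ldap.synchronizeUsers.removeDeleted = true` deletes accounts from the backing user service by default; the comment should say whether locally created, non-LDAP accounts in that service are spared, because as written an operator enabling synchronization cannot tell.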
@@ -955,17 +1263,49 @@
 # RESTART REQUIRED
 server.ajpBindInterface = localhost
 
+# Alias of certificate to use for https/SSL serving. If blank the first
+# certificate found in the keystore will be used.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.certificateAlias = localhost
+
 # Password for SSL keystore.
 # Keystore password and certificate password must match.
 # This is provided for convenience, its probably more secure to set this value
 # using the --storePassword command line parameter.
 #
+# If you are using the official JRE or JDK from Oracle you may not have the
+# JCE Unlimited Strength Jurisdiction Policy files bundled with your JVM. Because
+# of this, your store/key password can not exceed 7 characters. If you require
+# longer passwords you may need to install the JCE Unlimited Strength Jurisdiction
+# Policy files from Oracle.
+#
+# http://www.oracle.com/technetwork/java/javase/downloads/index.html
+#
+# Gitblit and the Gitblit Certificate Authority will both indicate if Unlimited
+# Strength encryption is available.
+#
 # SINCE 0.5.0
 # RESTART REQUIRED
 server.storePassword = gitblit
+
+# If serving over https (recommended) you might consider requiring clients to
+# authenticate with ssl certificates. If enabled, only https clients with the
+# a valid client certificate will be able to access Gitblit.
+#
+# If disabled, client certificate authentication is optional and will be tried
+# first before falling-back to form authentication or basic authentication.
+#
+# Requiring client certificates to access any of Gitblit may be too extreme,
+# consider this carefully.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.requireClientCertificates = false
 
 # Port for shutdown monitor to listen on.
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-server.shutdownPort = 8081
\ No newline at end of file
+server.shutdownPort = 8081
-- 
Gitblit v1.9.1
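Review bot: `server.requireClientCertificates` is documented without any reference to `git.requiresClientCertificate`, which this same patch adds earlier with overlapping wording, so an operator cannot tell from either comment which setting governs git clients, which governs the web UI, or what happens when they disagree. Add a cross-reference such as `# See also git.requiresClientCertificate, which applies only to the git servlet.` (confirm the scope against the code) here and a matching line on the other key. Fix `only https clients with the a valid client certificate` while editing the block. The keystore keeps the well-known default `server.storePassword = gitblit`; the comment already recommends `--storePassword`, but since the patch enlarges it, say plainly that the default must be changed on any non-test installation.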