Commit graph

355 commits

Author SHA1 Message Date
Lunny Xiao 55a5717760
Remove unused zapx replace statement on go.mod (#24515)
Fix #23617

Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-04 12:37:39 +02:00
木木田 8be6da3e2f
Add ntlm authentication support for mail (#23811)
Add ntlm authentication support for mail
use "github.com/Azure/go-ntlmssp"

---------

Co-authored-by: yangtan_win <YangTan@Fitsco.com.cn>
Co-authored-by: silverwind <me@silverwind.io>
2023-05-02 17:40:46 -04:00
KN4CK3R bf999e4069
Add Debian package registry (#24426)
Co-authored-by: @awkwardbunny

This PR adds a Debian package registry.
You can follow [this
tutorial](https://www.baeldung.com/linux/create-debian-package) to build
a *.deb package for testing.
Source packages are not supported at the moment and I did not find
documentation of the architecture "all" and how these packages should be
treated.


![grafik](https://user-images.githubusercontent.com/1666336/218126879-eb80a866-775c-4c8e-8529-5797203a64e6.png)

Part of #20751.

Revised copy of #22854.

---------

Co-authored-by: Brian Hong <brian@hongs.me>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-02 12:31:35 -04:00
Yarden Shoham c0ddec8a2a
Revert "Add Debian package registry" (#24412)
Reverts go-gitea/gitea#22854
2023-04-28 18:06:41 -04:00
KN4CK3R bf77e2163b
Add Debian package registry (#22854)
Co-authored-by: @awkwardbunny

This PR adds a Debian package registry. You can follow [this
tutorial](https://www.baeldung.com/linux/create-debian-package) to build
a *.deb package for testing. Source packages are not supported at the
moment and I did not find documentation of the architecture "all" and
how these packages should be treated.

---------

Co-authored-by: Brian Hong <brian@hongs.me>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-04-28 17:51:36 -04:00
Zettat123 cc8874864c
Upgrade act (#24298) 2023-04-24 12:46:54 +08:00
Jason Song ac384c4e1d
Support upload outputs and use needs context on Actions (#24230)
See [Defining outputs for
jobs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs)
and [Example usage of the needs
context](https://docs.github.com/en/actions/learn-github-actions/contexts#example-usage-of-the-needs-context).

Related to:
- [actions-proto-def
#5](https://gitea.com/gitea/actions-proto-def/pulls/5)
- [act_runner #133](https://gitea.com/gitea/act_runner/pulls/133)

<details>
<summary>Tests & screenshots</summary>

Test workflow file:
```yaml
name: outputs
on: push

jobs:
  job1:
    runs-on: ubuntu-latest
    outputs:
      output1: ${{ steps.step1.outputs.output1 }}
      output2: ${{ steps.step2.outputs.output2 }}
    steps:
      - name: step1
        id: step1
        run: |
          date -Is > output1
          cat output1
          echo "output1=$(cat output1)" >> $GITHUB_OUTPUT
      - name: step2
        id: step2
        run: |
          cat /proc/sys/kernel/random/uuid > output2
          cat output2
          echo "output2=$(cat output2)" >> $GITHUB_OUTPUT
  job2:
    needs: job1
    runs-on: ubuntu-latest
    steps:
      - run: echo ${{ needs.job1.outputs.output1 }}
      - run: echo ${{ needs.job1.outputs.output2 }}
      - run: echo ${{ needs.job1.result }}
```

<img width="397" alt="image"
src="https://user-images.githubusercontent.com/9418365/233313322-903e7ebf-49a7-48e2-8c17-95a4581b3284.png">
<img width="385" alt="image"
src="https://user-images.githubusercontent.com/9418365/233313442-30909135-1711-4b78-a5c6-133fcc79f47c.png">



</details>

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-04-22 16:12:41 -04:00
JakobDev 65fe0fb22c
Allow webp images as avatars (#24248)
Users can now upload `webp` images.
Browsers supporting webp images then display this as the avatar of this
user (every major browser except IE).

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-04-21 13:15:49 -04:00
techknowlogick 985f76dc4b
Update redis library to support redis v7 (#24114) 2023-04-13 18:41:04 -04:00
harryzcy 1ee45305e0
Update github.com/google/go-github to v51 (#23946)
`github.com/google/go-github` has new major version releases frequently.
It is required to update all import path, in additional to `go.mod`
2023-04-08 19:27:30 +08:00
wxiaoguang 8f00979f73
Drop "unrolled/render" package (#23965)
None of the features of `unrolled/render` package is used. 

The Golang builtin "html/template" just works well. Then we can improve
our HTML render to resolve the "$.root.locale.Tr" problem as much as
possible.

Next step: we can have a template render pool (by Clone), then we can
inject global functions with dynamic context to every `Execute` calls.
Then we can use `{{Locale.Tr ....}}` directly in all templates , no need
to pass the `$.root.locale` again and again.
2023-04-08 14:21:50 +08:00
Jason Song ecf34fcd89
Do not crash when parsing an invalid workflow file (#23972)
Fix #23658.

Related to https://gitea.com/gitea/act/pulls/39
2023-04-07 20:12:10 +08:00
Jason Song 964a057a76
Fix checks for needs in Actions (#23789)
Fix:
- https://gitea.com/gitea/act_runner/issues/77
- https://gitea.com/gitea/act_runner/issues/81

Before:
<img width="1489" alt="image"
src="https://user-images.githubusercontent.com/9418365/228501567-f752cf87-a7ed-42c6-8f3d-ba741795c1fe.png">

Highlights:
- Upgrade act to make things doable, related to
  - https://gitea.com/gitea/act/pulls/32
  - https://gitea.com/gitea/act/pulls/33
  - https://gitea.com/gitea/act/pulls/35
- Make `needs` works
- Sort jobs in the original order in the workflow files
2023-03-30 22:33:17 +08:00
techknowlogick 92c160d8e7
Add meilisearch support (#23136)
Add meilisearch support

Fixes #20665
2023-03-28 22:23:23 -04:00
Jason Song 19bfea6d7d
Update act (#23512)
Update replace:
```diff
- replace github.com/nektos/act => gitea.com/gitea/act v0.234.2-0.20230131074955-e46ede1b1744
+ replace github.com/nektos/act => gitea.com/gitea/act v0.243.1
```

Update require:
```diff
-	github.com/nektos/act v0.0.0
+	github.com/nektos/act v0.2.43
```

Actually, `v0.2.43` doesn't work, it will be replaced by `gitea/act`, so
it's OK to put any version here. But `gitea/act` is based on
`nektos/act`, so keeping the right upstream version will make security
dependabot help.

BTW, the [security
report](https://github.com/go-gitea/gitea/security/dependabot/20) is
false positive, we don't use the artifact server in act, see #22738.
2023-03-16 18:09:11 +08:00
zeripath 740a5ecdd9
Update go.mod dependencies (#23126)
This PR does a bulk update of a lot of our go deps.

I have not included nektos/act and xorm for the following reasons:
* Xorm updates can sometimes be complex and I'd rather do that in a
separate PR
* I think people more update with the actions code should double check
that the latest nektos/act library works correctly.

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-02-24 20:18:49 +00:00
WÁNG Xuěruì e77528baed
Bump go.etcd.io/bbolt and blevesearch deps (#23062)
This notably brings support for GOARCH=loong64, among other fixes.

---------

Signed-off-by: WANG Xuerui <xen0n@gentoo.org>
Co-authored-by: zeripath <art27@cantab.net>
2023-02-24 15:45:28 +00:00
KN4CK3R 0ae1ed749d
Remove all package data after tests (#22984)
Fixes #21020

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
2023-02-23 22:11:56 +08:00
zeripath 1319ba6742
Use minio/sha256-simd for accelerated SHA256 (#23052)
minio/sha256-simd provides additional acceleration for SHA256 using
AVX512, SHA Extensions for x86 and ARM64 for ARM.

It provides a drop-in replacement for crypto/sha256 and if the
extensions are not available it falls back to standard crypto/sha256.

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2023-02-22 14:21:46 -05:00
dependabot[bot] 018815215f
Bump golang.org/x/net from 0.4.0 to 0.7.0 (#22980)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to
0.7.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8e2b117aee"><code>8e2b117</code></a>
http2/hpack: avoid quadratic complexity in hpack decoding</li>
<li><a
href="547e7edf38"><code>547e7ed</code></a>
http2: avoid referencing ResponseWrite.Write parameter after
returning</li>
<li><a
href="39940adcaa"><code>39940ad</code></a>
html: parse comments per HTML spec</li>
<li><a
href="87ce33ecb4"><code>87ce33e</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="415cb6d518"><code>415cb6d</code></a>
all: fix some comments</li>
<li><a
href="7e3c19ca52"><code>7e3c19c</code></a>
all: correct typos in comments</li>
<li><a
href="296f09aa38"><code>296f09a</code></a>
http2: case insensitive handling for 100-continue</li>
<li><a
href="f8411da775"><code>f8411da</code></a>
nettest: fix tests on dragonfly and js/wasm</li>
<li><a
href="8e0e7d8d38"><code>8e0e7d8</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="7805fdc37d"><code>7805fdc</code></a>
http2: rewrite inbound flow control tracking</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.4.0...v0.7.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.4.0&new-version=0.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: delvh <leon@kske.dev>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-20 23:52:21 +08:00
KN4CK3R f8c1e14a13
Use import of OCI structs (#22765)
Fixes #22758

Otherwise we would need to rewrite the structs in `oci.go`.
2023-02-06 10:07:09 +00:00
techknowlogick cfb1cb1168
update to build with go1.20 (#22732)
as title

---------

Co-authored-by: Lauris BH <lauris@nix.lv>
2023-02-03 11:23:52 -05:00
KN4CK3R 6ba9ff7b48
Add Conda package registry (#22262)
This PR adds a [Conda](https://conda.io/) package registry.
2023-02-01 12:30:39 -06:00
Lunny Xiao 2871ea0809
Add more events details supports for actions (#22680)
#21937 implemented only basic events based on name because of `act`'s
limitation. So I sent a PR to parse all possible events details in
https://gitea.com/gitea/act/pulls/11 and it merged. The ref
documentation is
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows

This PR depends on that and make more detail responses for `push` events
and `pull_request` events. And it lefts more events there for future
PRs.

---------

Co-authored-by: Jason Song <i@wolfogre.com>
2023-02-01 13:32:46 +08:00
Jason Song 4011821c94
Implement actions (#21937)
Close #13539.

Co-authored by: @lunny @appleboy @fuxiaohei and others.

Related projects:
- https://gitea.com/gitea/actions-proto-def
- https://gitea.com/gitea/actions-proto-go
- https://gitea.com/gitea/act
- https://gitea.com/gitea/act_runner

### Summary

The target of this PR is to bring a basic implementation of "Actions",
an internal CI/CD system of Gitea. That means even though it has been
merged, the state of the feature is **EXPERIMENTAL**, and please note
that:

- It is disabled by default;
- It shouldn't be used in a production environment currently;
- It shouldn't be used in a public Gitea instance currently;
- Breaking changes may be made before it's stable.

**Please comment on #13539 if you have any different product design
ideas**, all decisions reached there will be adopted here. But in this
PR, we don't talk about **naming, feature-creep or alternatives**.

### ⚠️ Breaking

`gitea-actions` will become a reserved user name. If a user with the
name already exists in the database, it is recommended to rename it.

### Some important reviews

- What is `DEFAULT_ACTIONS_URL` in `app.ini` for?
  - https://github.com/go-gitea/gitea/pull/21937#discussion_r1055954954
- Why the api for runners is not under the normal `/api/v1` prefix?
  - https://github.com/go-gitea/gitea/pull/21937#discussion_r1061173592
- Why DBFS?
  - https://github.com/go-gitea/gitea/pull/21937#discussion_r1061301178
- Why ignore events triggered by `gitea-actions` bot?
  - https://github.com/go-gitea/gitea/pull/21937#discussion_r1063254103
- Why there's no permission control for actions?
  - https://github.com/go-gitea/gitea/pull/21937#discussion_r1090229868

### What it looks like

<details>

#### Manage runners

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205870657-c72f590e-2e08-4cd4-be7f-2e0abb299bbf.png">

#### List runs

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205872794-50fde990-2b45-48c1-a178-908e4ec5b627.png">


#### View logs

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205872501-9b7b9000-9542-4991-8f55-18ccdada77c3.png">



</details>

### How to try it

<details>

#### 1. Start Gitea

Clone this branch and [install from
source](https://docs.gitea.io/en-us/install-from-source).

Add additional configurations in `app.ini` to enable Actions:

```ini
[actions]
ENABLED = true
```

Start it.

If all is well, you'll see the management page of runners:

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205877365-8e30a780-9b10-4154-b3e8-ee6c3cb35a59.png">


#### 2. Start runner

Clone the [act_runner](https://gitea.com/gitea/act_runner), and follow
the
[README](https://gitea.com/gitea/act_runner/src/branch/main/README.md)
to start it.

If all is well, you'll see a new runner has been added:

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205878000-216f5937-e696-470d-b66c-8473987d91c3.png">

#### 3. Enable actions for a repo

Create a new repo or open an existing one, check the `Actions` checkbox
in settings and submit.

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205879705-53e09208-73c0-4b3e-a123-2dcf9aba4b9c.png">
<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205879383-23f3d08f-1a85-41dd-a8b3-54e2ee6453e8.png">

If all is well, you'll see a new tab "Actions":

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205881648-a8072d8c-5803-4d76-b8a8-9b2fb49516c1.png">

#### 4. Upload workflow files

Upload some workflow files to `.gitea/workflows/xxx.yaml`, you can
follow the [quickstart](https://docs.github.com/en/actions/quickstart)
of GitHub Actions. Yes, Gitea Actions is compatible with GitHub Actions
in most cases, you can use the same demo:

```yaml
name: GitHub Actions Demo
run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
on: [push]
jobs:
  Explore-GitHub-Actions:
    runs-on: ubuntu-latest
    steps:
      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
      - name: Check out repository code
        uses: actions/checkout@v3
      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
      - name: List files in the repository
        run: |
          ls ${{ github.workspace }}
      - run: echo "🍏 This job's status is ${{ job.status }}."
```

If all is well, you'll see a new run in `Actions` tab:

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205884473-79a874bc-171b-4aaf-acd5-0241a45c3b53.png">

#### 5. Check the logs of jobs

Click a run and you'll see the logs:

<img width="1792" alt="image"
src="https://user-images.githubusercontent.com/9418365/205884800-994b0374-67f7-48ff-be9a-4c53f3141547.png">

#### 6. Go on

You can try more examples in [the
documents](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions)
of GitHub Actions, then you might find a lot of bugs.

Come on, PRs are welcome.

</details>

See also: [Feature Preview: Gitea
Actions](https://blog.gitea.io/2022/12/feature-preview-gitea-actions/)

---------

Co-authored-by: a1012112796 <1012112796@qq.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2023-01-31 09:45:19 +08:00
John Olheiser 2052a9e2b4
Consume hcaptcha and pwn deps (#22610)
This PR just consumes the
[hcaptcha](https://gitea.com/jolheiser/hcaptcha) and
[haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into
Gitea.

Also let this serve as a notice that I'm fine with transferring my
license (which was already MIT) from my own name to "The Gitea Authors".

Signed-off-by: jolheiser <john.olheiser@gmail.com>
2023-01-29 09:49:51 -06:00
KN4CK3R fc037b4b82
Add support for incoming emails (#22056)
closes #13585
fixes #9067
fixes #2386
ref #6226
ref #6219
fixes #745

This PR adds support to process incoming emails to perform actions.
Currently I added handling of replies and unsubscribing from
issues/pulls. In contrast to #13585 the IMAP IDLE command is used
instead of polling which results (in my opinion 😉) in cleaner code.

Procedure:
- When sending an issue/pull reply email, a token is generated which is
present in the Reply-To and References header.
- IMAP IDLE waits until a new email arrives
- The token tells which action should be performed

A possible signature and/or reply gets stripped from the content.

I added a new service to the drone pipeline to test the receiving of
incoming mails. If we keep this in, we may test our outgoing emails too
in future.

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-01-14 23:57:10 +08:00
techknowlogick b36854df37
Update golang deps (#22410)
Note, hashicorp's LRU has been updated to v2 which supports generics but
this was left out as it is a more involved upgrade.
2023-01-12 09:21:16 +01:00
techknowlogick 6f231a7980
Replace deprecated Webauthn library (#22400)
Fix #22052

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-01-11 21:51:00 -05:00
Jason Song 9e94346529
Remove satori/go.uuid (#22375)
`github.com/satori/go.uuid` is no longer used, so the `replace` is not
needed now
2023-01-09 01:00:10 -05:00
Lunny Xiao 2bbf9e7302
Upgrade go-chi to v5.0.8 (#22304) 2023-01-01 11:23:26 +01:00
zeripath 8e17fb5c06
Update bleve and zapx to fix unaligned atomic (#22031)
There is an unaligned atomic field in zapx 15.3.5 which should have been
fixed in a subsequent patch

This bug causes issues on 32bit builds.

Update bleve and zapx to account for this.

Fix #21957

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-12-21 19:08:26 -06:00
Meisam f3370eeaee
verify nodeinfo response by schema (#22137)
... using
[github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema)

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-12-17 01:22:34 -05:00
KN4CK3R 0e2d04601a
Update xorm (#22094) 2022-12-10 18:53:32 -05:00
Jason Song f59a74852b
Update gitea-vet to check FSFE REUSE (#22004)
Related to:
- #21840
- https://gitea.com/gitea/gitea-vet/pulls/21

What it looks like when it's working:
https://drone.gitea.io/go-gitea/gitea/64040/1/5

All available SPDX license identifiers: [SPDX License
List](https://spdx.org/licenses/).

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-12-02 22:14:57 +08:00
silverwind f0bd219a5e
Update chroma to v2.4.0 (#22000)
Did a few cursory tests, seems to work well.
2022-12-01 16:44:38 -05:00
Jason Song e4eaa68a2b
Replace yaml.v2 with yaml.v3 (#21832)
I don't see why we have to use two versions of yaml. The difference
between the two versions has nothing to do with our usage.
2022-11-21 16:36:59 +08:00
Gusted bea25d77ce
Upgrade golang.org/x/crypto (#21792)
- Update the crypto dependency to include
6fad3dfc18
- Resolves #17798

Executed: `go get
golang.org/x/crypto@6fad3dfc18918c2ac9c112e46b32473bd2e5e2f9 && rm
go.sum && go mod tidy`
2022-11-12 22:14:35 -06:00
Lunny Xiao 4eeea7b30e
Update binding to fix bugs (#21556)
Fix #19698
2022-10-23 13:50:48 +03:00
Gusted 5ba23066ff
Bump golang.org/x/text (#21412)
- Update the `golang.org/x/text` dependency, this fixes [a security
issue](https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ).
2022-10-11 20:01:07 +01:00
Clark Boylan f1f911df41
Update to go-enry v2.8.3 (#21360)
This fixes an issue with enry's isVendor() method being too greedy. This
lead to gitea classifying unvendored code as vendored. The impact of
this is fairly minimal, but our Gitea users did notice which led me to
fixing this in go-enry. Some files will be tagged with a vendored flag
in the UI. I think it also impacts the calculation of language
statistics in the repo as vendored files are not incorporated into the
stats.

For more information on the issue see the go-enry bug:
  https://github.com/go-enry/go-enry/issues/135
2022-10-06 21:51:38 +01:00
techknowlogick 726afe8a9e
Update Golang deps (#21304) 2022-10-01 08:49:30 -05:00
6543 5a3b9ac875
Update bluemonday (#21281)
https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.20

Co-authored-by: Lauris BH <lauris@nix.lv>
2022-09-27 22:02:41 -04:00
silverwind ec0a06e52c
Upgrade chroma to v2.3.0 (#21259)
The behaviour of `PreventSurroundingPre` has changed in
https://github.com/alecthomas/chroma/pull/618 so that apparently it now
causes line wrapper tags to be no longer emitted, but we need some form
of indication to split the HTML into lines, so I did what
https://github.com/yuin/goldmark-highlighting/pull/33 did and added the
`nopWrapper`.

Maybe there are more elegant solutions but for some reason, just
splitting the HTML string on `\n` did not work.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-26 13:50:03 +08:00
zeripath 88c2e24360
Add KaTeX rendering to Markdown. (#20571)
This PR adds mathematical rendering with KaTeX.

The first step is to add a Goldmark extension that detects the latex
(and tex) mathematics delimiters.

The second step to make this extension only run if math support is
enabled.

The second step is to then add KaTeX CSS and JS to the head which will
load after the dom is rendered.

Fix #3445

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-09-14 00:33:37 +08:00
zeripath 38a4961f9e
Update a few go dependencies (#21022)
There are a lot of go dependencies that appear old and we should update them.

The following packages have been updated:

* codeberg.org/gusted/mcaptcha
* github.com/markbates/goth
* github.com/buildkite/terminal-to-html
* github.com/caddyserver/certmagic
* github.com/denisenkom/go-mssqldb
* github.com/duo-labs/webauthn
* github.com/editorconfig/editorconfig-core-go/v2
* github.com/felixge/fgprof
* github.com/gliderlabs/ssh
* github.com/go-ap/activitypub
* github.com/go-git/go-git/v5
* github.com/go-ldap/ldap/v3
* github.com/go-swagger/go-swagger
* github.com/go-testfixtures/testfixtures/v3
* github.com/golang-jwt/jwt/v4
* github.com/klauspost/compress
* github.com/lib/pq
* gitea.com/lunny/dingtalk_webhook - instead of github.com
* github.com/mattn/go-sqlite3
* github/matn/go-isatty
* github.com/minio/minio-go/v7
* github.com/niklasfasching/go-org
* github.com/prometheus/client_golang
* github.com/stretchr/testify
* github.com/unrolled/render
* github.com/xanzy/go-gitlab
* gopkg.in/ini.v1

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-09-01 23:13:17 +02:00
zeripath bb0ff77e46
Share HTML template renderers and create a watcher framework (#20218)
The recovery, API, Web and package frameworks all create their own HTML
Renderers. This increases the memory requirements of Gitea
unnecessarily with duplicate templates being kept in memory.

Further the reloading framework in dev mode for these involves locking
and recompiling all of the templates on each load. This will potentially
hide concurrency issues and it is inefficient.

This PR stores the templates renderer in the context and stores this
context in the NormalRoutes, it then creates a fsnotify.Watcher
framework to watch files.

The watching framework is then extended to the mailer templates which
were previously not being reloaded in dev.

Then the locales are simplified to a similar structure.

Fix #20210 
Fix #20211
Fix #20217

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-08-28 10:43:25 +01:00
Gusted 58de07e5fd
Add support mCaptcha as captcha provider (#20458)
https://mcaptcha.org/

Co-authored-by: Felipe Leopoldo Sologuren Gutiérrez <fsologureng@users.noreply.github.com>
2022-08-10 15:20:10 +02:00
zeripath 7fe77f0167
Update lunny/levelqueue to prevent NPE when reads are performed after close (#20534) 2022-07-29 13:41:13 +02:00
6543 1818149527
update xorm.io/xorm v1.3.2-0.20220714055524-c3bce556200f (#20371)
Xorm 1.3.2-0.20220714055524 contains a fix for interpreting db column sizes. Prior to this fix xorm would assume that the size of a column was within the range of an `int`. This is correct on 64bit machines where `int` is typical equivalent to `int64` however, on 32bit machines `int` tends to be `int32`. 

Unfortunately the size of a LONGTEXT field is actually `max_uint32`, thus using `strconv.Atoi` on these fields will fail and thus #20161 occurs on 32 bit arm. Xorm 1.3.2-0.20220714055524 changes this field to use int64 instead.

Fix  #20161
2022-07-14 19:40:30 +01:00
Gusted 11c0748146
Update goldmark (#20300)
Update goldmark to v1.4.13 to fix a issue with quotes after a empty
list item(See https://github.com/yuin/goldmark/issues/313) and
downstream issue https://codeberg.org/Codeberg/Community/issues/645
2022-07-09 19:58:22 +01:00
zeripath 9d9bf66c3b
Update Bluemonday to v1.0.19 (#20199)
The current version of bluemonday is double escaping attributes.

This PR updates bluemonday to the version that fixes this.

(See: microcosm-cc/bluemonday#143 )

Fix #19860

Signed-off-by: Andrew Thornton art27@cantab.net
2022-07-01 20:50:06 +02:00
Anthony Wang e86f18a05a
User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133)
* go.mod: add go-fed/{httpsig,activity/pub,activity/streams} dependency

go get github.com/go-fed/activity/streams@master
go get github.com/go-fed/activity/pub@master
go get github.com/go-fed/httpsig@master

* activitypub: implement /api/v1/activitypub/user/{username} (#14186)

Return informations regarding a Person (as defined in ActivityStreams
https://www.w3.org/TR/activitystreams-vocabulary/#dfn-person).

Refs: https://github.com/go-gitea/gitea/issues/14186

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: add the public key to Person (#14186)

Refs: https://github.com/go-gitea/gitea/issues/14186

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: go-fed conformant Clock instance

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: signing http client

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: implement the ReqSignature middleware

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: hack_16834

Signed-off-by: Loïc Dachary <loic@dachary.org>

* Fix CI checks-backend errors with go mod tidy

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Change 2021 to 2022, properly format package imports

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Run make fmt and make generate-swagger

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Use Gitea JSON library, add assert for pkp

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Run make fmt again, fix err var redeclaration

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Remove LogSQL from ActivityPub person test

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Assert if json.Unmarshal succeeds

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Cleanup, handle invalid usernames for ActivityPub person GET request

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Rename hack_16834 to user_settings

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Use the httplib module instead of http for GET requests

* Clean up whitespace with make fmt

* Use time.RFC1123 and make the http.Client proxy-aware

* Check if digest algo is supported in setting module

* Clean up some variable declarations

* Remove unneeded copy

* Use system timezone instead of setting.DefaultUILocation

* Use named constant for httpsigExpirationTime

* Make pubKey IRI #main-key instead of /#main-key

* Move /#main-key to #main-key in tests

* Implemented Webfinger endpoint.

* Add visible check.

* Add user profile as alias.

* Add actor IRI and remote interaction URL to WebFinger response

* fmt

* Fix lint errors

* Use go-ap instead of go-fed

* Run go mod tidy to fix missing modules in go.mod and go.sum

* make fmt

* Convert remaining code to go-ap

* Clean up go.sum

* Fix JSON unmarshall error

* Fix CI errors by adding @context to Person() and making sure types match

* Correctly decode JSON in api_activitypub_person_test.go

* Force CI rerun

* Fix TestActivityPubPersonInbox segfault

* Fix lint error

* Use @mariusor's suggestions for idiomatic go-ap usage

* Correctly add inbox/outbox IRIs to person

* Code cleanup

* Remove another LogSQL from ActivityPub person test

* Move httpsig algos slice to an init() function

* Add actor IRI and remote interaction URL to WebFinger response

* Update TestWebFinger to check for ActivityPub IRI in aliases

* make fmt

* Force CI rerun

* WebFinger: Add CORS header and fix Href -> Template for remote interactions

The CORS header is needed due to https://datatracker.ietf.org/doc/html/rfc7033#section-5 and fixes some Peertube <-> Gitea federation issues

* make lint-backend

* Make sure Person endpoint has Content-Type application/activity+json and includes PreferredUsername, URL, and Icon

Setting the correct Content-Type is essential for federating with Mastodon

* Use UTC instead of GMT

* Rename pkey to pubKey

* Make sure HTTP request Date in GMT

* make fmt

* dont drop err

* Make sure API responses always refer to username in original case

Copied from what I wrote on #19133 discussion: Handling username case is a very tricky issue and I've already encountered a Mastodon <-> Gitea federation bug due to Gitea considering Ta180m and ta180m to be the same user while Mastodon thinks they are two different users. I think the best way forward is for Gitea to only use the original case version of the username for federation so other AP software don't get confused.

* Move httpsig algs constant slice to modules/setting/federation.go

* Add new federation settings to app.example.ini and config-cheat-sheet

* Return if marshalling error

* Make sure Person IRIs are generated correctly

This commit ensures that if the setting.AppURL is something like "http://127.0.0.1:42567" (like in the integration tests), a trailing slash will be added after that URL.

* If httpsig verification fails, fix Host header and try again

This fixes a very rare bug when Gitea and another AP server (confirmed to happen with Mastodon) are running on the same machine, Gitea fails to verify incoming HTTP signatures. This is because the other AP server creates the sig with the public Gitea domain as the Host. However, when Gitea receives the request, the Host header is instead localhost, so the signature verification fails. Manually changing the host header to the correct value and trying the veification again fixes the bug.


* Revert "If httpsig verification fails, fix Host header and try again"

This reverts commit f53e46c721a037c55facb9200106a6b491bf834c.

The bug was actually caused by nginx messing up the Host header when reverse-proxying since I didn't have the line `proxy_set_header Host $host;` in my nginx config for Gitea.

* Go back to using ap.IRI to generate inbox and outbox IRIs

* use const for key values

* Update routers/web/webfinger.go

* Use ctx.JSON in Person response to make code cleaner

* Revert "Use ctx.JSON in Person response to make code cleaner"

This doesn't work because the ctx.JSON() function already sends the response out and it's too late to edit the headers.

This reverts commit 95aad988975be3393c76094864ed6ba962157e0c.

* Use activitypub.ActivityStreamsContentType for Person response Content Type

* Limit maximum ActivityPub request and response sizes to a configurable setting

* Move setting key constants to models/user/setting_keys.go

* Fix failing ActivityPubPerson integration test by checking the correct field for username

* Add a warning about changing settings that can break federation

* Add better comments

* Don't multiply Federation.MaxSize by 1<<20 twice

* Add more better comments

* Fix failing ActivityPubMissingPerson test

We now use ctx.ContextUser so the message printed out when a user does not exist is slightly different

* make generate-swagger

For some reason I didn't realize that /templates/swagger/v1_json.tmpl was machine-generated by make generate-swagger... I've been editing it by hand for three months! 🤦

* Move getting the RFC 2616 time to a separate function

* More code cleanup

* Update go-ap to fix empty liked collection and removed unneeded HTTP headers

* go mod tidy

* Add ed25519 to httpsig algorithms

* Use go-ap/jsonld to add @context and marshal JSON

* Change Gitea user agent from the default to Gitea/Version

* Use ctx.ServerError and remove all remote interaction code from webfinger.go
2022-06-19 07:25:12 +02:00
zeripath 90f3365d93
Add fgprof pprof profiler (#20005)
fgprof is a sampling Go profiler that allows you to analyze On-CPU as
well as Off-CPU (e.g. I/O) time together.

Go's builtin sampling CPU profiler can only show On-CPU time, but it's
better than fgprof at that. Go also includes tracing profilers that can
analyze I/O, but they can't be combined with the CPU profiler.

fgprof is designed for analyzing applications with mixed I/O and CPU
workloads. This kind of profiling is also known as wall-clock profiling.

Whilst fgprof can cause significant STW latencies in applications with a
lot of goroutines (> 1-10k), these latencies only occur if the profile
is requested - it doesn't cause a delay by simply being available.

The fgprof profile is mounted on
`http://localhost:6060/debug/fgprof?seconds=3`

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-06-18 11:04:52 +01:00
wxiaoguang 5f618248a9
Use Golang 1.18 for Gitea 1.17 release (#19918)
Use Golang 1.18 (as minimal requirement) for Gitea 1.17 release, make sure the Golang version is still actively supported during Gitea 1.17 lifecycle.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
2022-06-10 05:34:41 +02:00
zeripath 7948cb3149
Prevent NPE whilst migrating if there is a team request review (#19855)
A pr.Reviewer may be nil when migrating from Gitea if this is a team
request review.

We do not migrate teams therefore we cannot map these requests, but we can
migrate user requests.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-06-09 10:50:05 +08:00
Lauris BH f92b7a6331
Add support for rendering terminal output with colors (#19497) 2022-06-09 00:46:39 +03:00
Wim e528e2b435
Implement http signatures support for the API (#17565)
Fixes #12338

This allows use to talk to the API with our ssh certificate (and/or ssh-agent) without needing to fetch an API key or tokens.
It will just automatically work when users have added their ssh principal in gitea.

This needs client code in tea
Update: also support normal pubkeys

ref: https://tools.ietf.org/html/draft-cavage-http-signatures

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-06-05 08:16:14 +01:00
Lunny Xiao 12c742f8dc
Fix order by parameter (#19849)
Upgrade builder to v0.3.11
Upgrade xorm to v1.3.1 and fixed some hidden bugs.

Replace #19821
Replace #19834
Included #19850

Co-authored-by: zeripath <art27@cantab.net>
2022-06-04 20:18:50 +01:00
6543 00a981d341
Update go-chi/cache to utilize Ping() (#19719)
* update gitea.com/go-chi/cache -> v0.2.0

* ajust to new interface

* refactor
2022-05-15 20:43:27 +02:00
6543 65ccff54ef
Update go deps (#19665)
* update gitea.com/go-chi/binding
* update github.com/42wim/sshsig
* update github.com/PuerkitoBio/goquery
* update github.com/blevesearch/bleve/v2
* update github.com/caddyserver/certmagic
* update github.com/duo-labs/webauthn
* update github.com/editorconfig/editorconfig-core-go/v2
* update github.com/emirpasic/gods
* update github.com/gliderlabs/ssh
* update github.com/go-chi/cors
* update github.com/go-enry/go-enry/v2
* update github.com/go-git/go-git/v5
* update github.com/go-ldap/ldap/v3
* update github.com/golang-jwt/jwt/v4
* update github.com/google/pprof
* update github.com/klauspost/compress
* update github.com/lib/pq
* update github.com/markbates/goth
* update github.com/minio/minio-go/v7
* update github.com/olivere/elastic/v7
* update github.com/unrolled/render
* update github.com/urfave/cli
* update github.com/xanzy/go-gitlab
* update github.com/yuin/goldmark
* adopt breaking changes of certmagic
2022-05-10 12:32:42 +02:00
wxiaoguang d242511e86
Remove legacy unmaintained packages, refactor to support change default locale (#19308)
Remove two unmaintained vendor packages `i18n` and `paginater`. Changes:
* Rewrite `i18n` package with a more clear fallback mechanism. Fix an unstable `Tr` behavior, add more tests.
* Refactor the legacy `Paginater` to `Paginator`, test cases are kept unchanged.

Trivial enhancement (no breaking for end users):
* Use the first locale in LANGS setting option as the default, add a log to prevent from surprising users.
2022-04-03 17:46:48 +08:00
Lunny Xiao cf5d4a7230
Upgrade xorm/builder from v0.3.9 to v0.3.10 (#19296)
xorm/builder v0.3.10 add support to EXISTS and NOT EXISTS.
2022-04-02 04:14:14 +08:00
wxiaoguang 4f27c28947
Remove legacy unknwon/com package (#19298)
Follows: #19284
* The `CopyDir` is only used inside test code
* Rewrite `ToSnakeCase` with more test cases
* The `RedisCacher` only put strings into cache, here we use internal `toStr` to replace the legacy `ToStr`
* The `UniqueQueue` can use string as ID directly, no need to call `ToStr`
2022-04-02 00:34:57 +08:00
Kevin Burke 242d71035a
go.mod: update kevinburke/ssh_config to v1.2.0 (#19286)
Previously if you tried to read a HostName in a config file that
looked like this:

```
Host github
    HostName github.com        # This is the host for code review
```

DefaultUserSettings.Get("HostName") would return "github.com        ",
which I think is unintuitive and unexpected.

This behavior is fixed in v1.2 which would return "github.com" in the
above example.
2022-04-01 00:05:57 +02:00
zeripath c88547ce71
Add Goroutine stack inspector to admin/monitor (#19207)
Continues on from #19202.

Following the addition of pprof labels we can now more easily understand the relationship between a goroutine and the requests that spawn them. 

This PR takes advantage of the labels and adds a few others, then provides a mechanism for the monitoring page to query the pprof goroutine profile.

The binary profile that results from this profile is immediately piped in to the google library for parsing this and then stack traces are formed for the goroutines.

If the goroutine is within a context or has been created from a goroutine within a process context it will acquire the process description labels for that process. 

The goroutines are mapped with there associate pids and any that do not have an associated pid are placed in a group at the bottom as unbound.

In this way we should be able to more easily examine goroutines that have been stuck.

A manager command `gitea manager processes` is also provided that can export the processes (with or without stacktraces) to the command line.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-31 19:01:43 +02:00
Justin Sievenpiper a2c20a6cab
Add Redis Sentinel Authentication Support (#19213)
Gitea was not able to supply any authentication parameters to it. So this brings support to do that, along with some light extraction of a couple of bits into some separate functions for easier testing.

I looked at other libraries supporting similar RedisUri-style connection strings (e.g. Lettuce), but it looks like this type of configuration is beyond what would typically be done in a connection string. Since gitea doesn't have configuration options for manually specifying all this redis connection detail, I went ahead and just chose straightforward names for these new parameters.
2022-03-30 21:12:02 +02:00
Robert Kaussow 909804b717
Bump goldmark to v1.4.11 (#19201)
* Bump goldmark to v1.4.11

* add testcase

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Andrew Thornton <art27@cantab.net>
2022-03-24 11:47:37 -04:00
techknowlogick ed1d95c55d
use go1.18 to build gitea (#19099)
* use go1.18 to build gitea& update min go version to 1.17

* bump in a few more places

* add a few simple tests for isipprivate

* update go.mod

* update URL to https://go.dev/dl/

* golangci-lint

* attempt golangci-lint workaround

* change version

* bump fumpt version

* skip strings.title test

* go mod tidy

* update tests as some aren't private??

* update tests
2022-03-16 00:08:31 -04:00
silverwind fe9626af29
Use go run for tool dependencies, require go 1.17 (#18874)
This ensures the tools only run in the versions we've tested and it also
does not polute PATH with those tools so they are truly isolated. This
syntax of `go run` requires go 1.17, so the minimum version is set
accordingly.

Fixes: https://github.com/go-gitea/gitea/issues/18867

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-03-15 22:50:26 -04:00
Gusted 6ab4a96855
Update golang.org/x/crypto (#19097)
* Update golang.org/x/crypto

- Update dependency to include fix for CVE.
- See https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ?utm_medium=email&utm_source=footer

* Fix deprecation notice

* Remove workaround

- Introduced in https://github.com/go-gitea/gitea/pull/17281
- Fixed in x/crypto:
- 5d542ad81a
- & 3147a52a75

* Update Kex Algorithms

- Use standardized name for curve22519-sha256. 9b076918e3
- Prefer SHA256 version over SHA1 version. e4b3678e5f
2022-03-16 02:59:53 +01:00
Lunny Xiao 2448c5ad8b
Upgrading binding package (#19034)
Fix #18855
2022-03-09 18:06:58 +00:00
techknowlogick 1546580f9e
bump go deps (#19021)
* update gitea.com/go-chi/binding

* update gitea.com/go-chi/cache

* update github.com/42wim/sshsig

* update github.com/PuerkitoBio/goquery

* update github.com/blevesearch/bleve/v2

* update github.com/caddyserver/certmagic

* update github.com/denisenkom/go-mssqldb

* update github.com/duo-labs/webauthn

* update github.com/dustin/go-humanize

* update github.com/editorconfig/editorconfig-core-go/v2

* update github.com/ethantkoenig/rupture

* update github.com/go-chi/chi/v5

* update github.com/go-git/go-git/v5

* update github.com/go-ldap/ldap/v3

* update github.com/go-redis/redis/v8

* update github.com/go-swagger/go-swagger

* update github.com/gogs/chardet

* update github.com/golang-jwt/jwt/v4

* update github.com/hashicorp/go-version

* update github.com/jaytaylor/html2text

* update github.com/klauspost/compress

* update github.com/lib/pq

* update github.com/markbates/goth

* update github.com/mattn/go-sqlite3

* update github.com/mholt/archiver/v3

* update github.com/microcosm-cc/bluemonday

* update github.com/minio/minio-go/v7

* update github.com/msteinert/pam

* update github.com/niklasfasching/go-org

* update github.com/olivere/elastic/v7

* update github.com/prometheus/client_golang

* update github.com/quasoft/websspi

* update github.com/stretchr/testify

* update github.com/unknwon/i18n

* update github.com/unrolled/render

* update github.com/xanzy/go-gitlab

* update github.com/yuin/goldmark

* update github.com/yuin/goldmark-highlighting

* update github.com/yuin/goldmark-meta

* post make vendor

Signed-off-by: Andrew Thornton <art27@cantab.net>

* add make vendor back into update_dependencies.sh

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update update_dependencies.sh

* Update contrib/update_dependencies.sh

Co-authored-by: zeripath <art27@cantab.net>

* update mvdan.cc/xurls/v2

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-03-08 19:15:30 +08:00
Gusted 3c7201682c
Update go-enry to v2.8.0 (#18993)
- It was reported in the Matrix channel that Chroma [has support](d402102976)
for the Fennel language, go-enry only added detection support for this
[in v2.7.2](0affa3ccca).

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-03-04 01:56:31 +01:00
Gusted 79c7219be8
Update go-org to v1.6.1 (#18932)
- v1.6.0 has a inconsistency with the proxy and github's tagged version,
updating to v1.6.1 should fix this issue.
- Resolves #18864
2022-02-27 16:56:44 +00:00
zeripath e039b76a6f
Update go-org to 1.6.0 (#18824)
Fix #14074

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-20 13:01:35 +00:00
Gusted f393bc82cb
Update gitea-vet (#18640)
* Update gitea-vet

- Update gitea-vet to include latest 2 changes
7c98703580...master

* Tidy up go.sum

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
2022-02-06 21:45:00 +00:00
Gusted 9712f7d622
Future proof for 1.18 (#18644)
- Update json-iterator/go to handle 1.18's new memory model with slices.
- Don't panic while running gitea with go 1.18
2022-02-06 20:38:14 +00:00
zeripath b34923d919
Update Goldmark to Goldmark 1.4.4 (#18420)
* Update Goldmark to Goldmark 1.4.4
* nolint the deprecation

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-29 21:17:21 +08:00
zeripath 9a75c2741d
Only view milestones from current repo (#18414)
The endpoint /{username}/{reponame}/milestone/{id} is not currently restricted to
the repo. This PR restricts the milestones to those within the repo.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-26 20:01:35 +00:00
Aravinth Manivannan 3bb028cc46
Validate migration files (#18203)
JSON Schema validation for data used by Gitea during migrations

Discussion at https://forum.forgefriends.org/t/common-json-schema-for-repository-information/563

Co-authored-by: Loïc Dachary <loic@dachary.org>
2022-01-26 10:45:51 +01:00
6543 6ad7a5376a
Update github.com/duo-labs/webauthn (#18357) 2022-01-22 18:01:40 +01:00
Jelle Hulter bbd30787d3
Updated Chroma to v0.10.0 (#18270) 2022-01-20 17:59:15 +08:00
zeripath 68b59d8966
replace satori/go.uuid with gofrs/uuid (#18311)
Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-18 11:04:24 +00:00
Lunny Xiao 35c3553870
Support webauthn (#17957)
Migrate from U2F to Webauthn

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-14 16:03:31 +01:00
Lunny Xiao a1c12fb0b3
Don't store assets modified time into generated files (#18193) 2022-01-06 21:33:17 -05:00
6543 ec6cc38c6c
code.gitea.io/sdk/gitea v0.14.0 -> v0.15.1 (#18186) 2022-01-05 05:51:12 +01:00
Lunny Xiao e9c9a35a61
Upgrade certmagic from v0.14.1 to v0.15.2 (#18138) 2022-01-01 17:43:28 +08:00
Lunny Xiao 25a290e320
Upgrade bleve from v2.0.6 to v2.3.0 (#18132) 2022-01-01 16:26:27 +08:00
zeripath bcc13f3889
Reset Session ID on login (#18018)
* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-20 22:12:26 +08:00
zeripath 25677cdc5b
Update chroma (#18033)
Update chroma to 0.9.4

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-20 02:49:38 +00:00
Wim 6fe756dc93
Add support for ssh commit signing (#17743)
* Add support for ssh commit signing

* Split out ssh verification to separate file

* Show ssh key fingerprint on commit page

* Update sshsig lib

* Make sure we verify against correct namespace

* Add ssh public key verification via ssh signatures

When adding a public ssh key also validate that this user actually
owns the key by signing a token with the private key.

* Remove some gpg references and make verify key optional

* Fix spaces indentation

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update templates/user/settings/keys_ssh.tmpl

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update models/ssh_key_commit_verification.go

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Reword ssh/gpg_key_success message

* Change Badsignature to NoKeyFound

* Add sign/verify tests

* Fix upstream api changes to user_model User

* Match exact on SSH signature

* Fix code review remarks

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-12-19 00:37:18 -05:00
zeripath 957c3fcb59
Update chi/middleware to chi/v5/middleware (#17888)
Fix #17880


Co-authored-by: Lauris BH <lauris@nix.lv>
2021-12-02 21:58:08 +01:00
zeripath c96be0cd98
Make SSL cipher suite configurable (#17440) 2021-11-20 01:12:43 -05:00
wxiaoguang a8fd76557b
Better builtin avatar generator (#17707)
This PR fixes the builtin avatar generator.

1. The random background color makes some images very dirty. So now we only use white background for avatars.
2. We use left-right mirror avatars to satisfy #14799
3. Fix a small padding error in the algorithm
2021-11-20 01:10:41 +08:00
zeripath 9d855bd6a1
Simplify Gothic to use our session store instead of creating a different store (#17507)
* Simplify Gothic to use our session store instead of creating a different store

We have been using xormstore to provide a separate session store for our OAuth2 logins
however, this relies on using gorilla context and some doubling of our session storing.
We can however, simplify and simply use our own chi-based session store. Thus removing
a cookie and some of the weirdness with missing contexts.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Handle MaxTokenLength

Signed-off-by: Andrew Thornton <art27@cantab.net>

* oops

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-11-03 08:33:54 +08:00
Lunny Xiao 812a9daab9
Upgrade go-github to v39 (#17437) 2021-10-26 08:19:21 +01:00
zeripath c5a408df05
Upgrade Bluemonday to v1.0.16 (#17372)
Upgrade Bluemonday to latest version

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-10-20 16:58:39 -04:00
6543 3728f1daa0
Add RSS/Atom feed support for user actions (#16002)
Return rss/atom feed for user based on rss url suffix or Content-Type header.
2021-10-16 16:21:16 +02:00
Lunny Xiao d47798ccc7
Upgrade chi to v5 (#17298) 2021-10-13 22:50:23 -04:00