Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main: (28 commits)
  Added auto-save whitespace behavior if it changed manually (go-gitea#15566)
  Support custom ACME provider (go-gitea#18340)
  Refactor i18n, use Locale to provide i18n/translation related functions (go-gitea#18648)
  Only request write when necessary (go-gitea#18657)
  [skip ci] Updated translations via Crowdin
  Add separate SSH_USER config option (go-gitea#17584)
  Be more lenient with label colors (go-gitea#17752)
  remove redundant call to UpdateRepoStats during migration (go-gitea#18591)
  more repo dump/restore tests, including pull requests (go-gitea#18621)
  No longer show the db-downgrade SQL in production (go-gitea#18653)
  Fix the missing i18n key for update checker (go-gitea#18646)
  Update gitea-vet (go-gitea#18640)
  Future proof for 1.18 (go-gitea#18644)
  Add `contrib/upgrade.sh` (go-gitea#18286)
  If rendering has failed due to a net.OpError stop rendering (go-gitea#18642)
  Delete old git.NewCommand() and use it as git.NewCommandContext() (go-gitea#18552)
  Update JS dependencies (go-gitea#18636)
  fix commits_list_small.tmpl (go-gitea#18641)
  Fix `make fmt` and `make fmt-check` (go-gitea#18633)
  Frontport of changelog for v1.16.1 (go-gitea#18615)
  ...

CHANGELOG.md

@@ -4,6 +4,35 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
+## [1.16.1](https://github.com/go-gitea/gitea/releases/tag/v1.16.1) - 2022-02-06
+
+* SECURITY
+  * Update JS dependencies, fix lint (#18389) (#18540)
+* ENHANCEMENTS
+  * Add dropdown icon to label set template dropdown (#18564) (#18571)
+* BUGFIXES
+  * comments on migrated issues/prs must link to the comment ID (#18630) (#18637)
+  * Stop logging an error when notes are not found (#18626) (#18635)
+  * Ensure that blob-excerpt links work for wiki (#18587) (#18624)
+  * Only attempt to flush queue if the underlying worker pool is not finished (#18593) (#18620)
+  * Ensure commit-statuses box is sized correctly in headers (#18538) (#18606)
+  * Prevent merge messages from being sorted to the top of email chains (#18566) (#18588)
+  * Prevent panic on prohibited user login with oauth2 (#18562) (#18563)
+  * Collaborator trust model should trust collaborators (#18539) (#18557)
+  * Detect conflicts with 3way merge (#18536) (#18537)
+  * In docker rootless use $GITEA_APP_INI if provided (#18524) (#18535)
+  * Add `GetUserTeams` (#18499) (#18531)
+  * Fix review excerpt (#18502) (#18530)
+  * Fix for AvatarURL database type (#18487) (#18529)
+  * Use `ImagedProvider` for gplus oauth2 provider (#18504) (#18505)
+  * Fix OAuth Source Edit Page (#18495) (#18503)
+  * Use "read" value for General Access (#18496) (#18500)
+  * Prevent NPE on partial match of compare URL and allow short SHA1 compare URLs (#18472) (#18473)
+* BUILD
+  * Make docker gitea/gitea:v1.16-dev etc refer to the latest build on that branch (#18551) (#18569)
+* DOCS
+  * Update 1.16.0 changelog to set #17846 as breaking (#18533) (#18534)
+
 ## [1.16.0](https://github.com/go-gitea/gitea/releases/tag/v1.16.0) - 2022-01-30
 
 * BREAKING

Makefile

@@ -60,7 +60,7 @@ endif
 
 EXTRA_GOFLAGS ?=
 
-MAKE_VERSION := $(shell $(MAKE) -v | head -n 1)
+MAKE_VERSION := $(shell "$(MAKE)" -v | head -n 1)
 MAKE_EVIDENCE_DIR := .make_evidence
 
 ifeq ($(RACE_ENABLED),true)
@@ -231,13 +231,11 @@ clean:
 
 .PHONY: fmt
 fmt:
-	@echo "Running gitea-fmt(with gofmt)..."
-	@$(GO) run build/code-batch-process.go gitea-fmt -s -w '{file-list}'
-	@echo "Running gofumpt"
 	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		$(GO) install mvdan.cc/gofumpt@latest; \
 	fi
-	@gofumpt -w -l -extra -lang 1.16 .
+	@echo "Running gitea-fmt (with gofumpt)..."
+	@$(GO) run build/code-batch-process.go gitea-fmt -w '{file-list}'
 
 .PHONY: vet
 vet:
@@ -285,8 +283,11 @@ errcheck:
 
 .PHONY: fmt-check
 fmt-check:
+	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GO) install mvdan.cc/gofumpt@latest; \
+	fi
 	# get all go files and run gitea-fmt (with gofmt) on them
-	@diff=$$($(GO) run build/code-batch-process.go gitea-fmt -s -d '{file-list}'); \
+	@diff=$$($(GO) run build/code-batch-process.go gitea-fmt -l '{file-list}'); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make fmt' and commit the result:"; \
 		echo "$${diff}"; \

build/code-batch-process.go

@@ -229,9 +229,9 @@ func containsString(a []string, s string) bool {
 	return false
 }
 
-func giteaFormatGoImports(files []string) error {
+func giteaFormatGoImports(files []string, hasChangedFiles, doWriteFile bool) error {
 	for _, file := range files {
-		if err := codeformat.FormatGoImports(file); err != nil {
+		if err := codeformat.FormatGoImports(file, hasChangedFiles, doWriteFile); err != nil {
 			log.Printf("failed to format go imports: %s, err=%v", file, err)
 			return err
 		}
@@ -267,10 +267,11 @@ func main() {
 		logVerbose("batch cmd: %s %v", subCmd, substArgs)
 		switch subCmd {
 		case "gitea-fmt":
-			if containsString(subArgs, "-w") {
-				cmdErrors = append(cmdErrors, giteaFormatGoImports(files))
+			if containsString(subArgs, "-d") {
+				log.Print("the -d option is not supported by gitea-fmt")
 			}
-			cmdErrors = append(cmdErrors, passThroughCmd("gofmt", substArgs))
+			cmdErrors = append(cmdErrors, giteaFormatGoImports(files, containsString(subArgs, "-l"), containsString(subArgs, "-w")))
+			cmdErrors = append(cmdErrors, passThroughCmd("gofumpt", append([]string{"-extra", "-lang", "1.16"}, substArgs...)))
 		case "misspell":
 			cmdErrors = append(cmdErrors, passThroughCmd("misspell", substArgs))
 		default:

build/codeformat/formatimports.go

@@ -7,6 +7,7 @@ package codeformat
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"os"
 	"sort"
@@ -158,7 +159,7 @@ func formatGoImports(contentBytes []byte) ([]byte, error) {
 }
 
 // FormatGoImports format the imports by our rules (see unit tests)
-func FormatGoImports(file string) error {
+func FormatGoImports(file string, doChangedFiles, doWriteFile bool) error {
 	f, err := os.Open(file)
 	if err != nil {
 		return err
@@ -181,11 +182,20 @@ func FormatGoImports(file string) error {
 	if bytes.Equal(contentBytes, formattedBytes) {
 		return nil
 	}
-	f, err = os.OpenFile(file, os.O_TRUNC|os.O_WRONLY, 0o644)
-	if err != nil {
+
+	if doChangedFiles {
+		fmt.Println(file)
+	}
+
+	if doWriteFile {
+		f, err = os.OpenFile(file, os.O_TRUNC|os.O_WRONLY, 0o644)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		_, err = f.Write(formattedBytes)
 		return err
 	}
-	defer f.Close()
-	_, err = f.Write(formattedBytes)
+
 	return err
 }

cmd/hook.go

@@ -309,7 +309,7 @@ func runHookPostReceive(c *cli.Context) error {
 	defer cancel()
 
 	// First of all run update-server-info no matter what
-	if _, err := git.NewCommandContext(ctx, "update-server-info").Run(); err != nil {
+	if _, err := git.NewCommand(ctx, "update-server-info").Run(); err != nil {
 		return fmt.Errorf("Failed to call 'git update-server-info': %v", err)
 	}
 

cmd/web.go

@@ -222,18 +222,19 @@ func listen(m http.Handler, handleRedirector bool) error {
 		}
 		err = runHTTP("tcp", listenAddr, "Web", m)
 	case setting.HTTPS:
-		if setting.EnableLetsEncrypt {
-			err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, m)
+		if setting.EnableAcme {
+			err = runACME(listenAddr, m)
 			break
-		}
-		if handleRedirector {
-			if setting.RedirectOtherPort {
-				go runHTTPRedirector()
-			} else {
-				NoHTTPRedirector()
+		} else {
+			if handleRedirector {
+				if setting.RedirectOtherPort {
+					go runHTTPRedirector()
+				} else {
+					NoHTTPRedirector()
+				}
 			}
+			err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m)
 		}
-		err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m)
 	case setting.FCGI:
 		if handleRedirector {
 			NoHTTPRedirector()

cmd/web_letsencrypt.go → cmd/web_acme.go

@@ -5,7 +5,11 @@
 package cmd
 
 import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 
@@ -16,7 +20,25 @@ import (
 	"github.com/caddyserver/certmagic"
 )
 
-func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
+func getCARoot(path string) (*x509.CertPool, error) {
+	r, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	block, _ := pem.Decode(r)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM found in the file %s", path)
+	}
+	caRoot, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	certPool := x509.NewCertPool()
+	certPool.AddCert(caRoot)
+	return certPool, nil
+}
+
+func runACME(listenAddr string, m http.Handler) error {
 	// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
 	// Due to docker port mapping this can't be checked programmatically
 	// TODO: these are placeholders until we add options for each in settings with appropriate warning
@@ -33,10 +55,21 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 	}
 
 	magic := certmagic.NewDefault()
-	magic.Storage = &certmagic.FileStorage{Path: directory}
+	magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
+	// Try to use private CA root if provided, otherwise defaults to system's trust
+	var certPool *x509.CertPool
+	if setting.AcmeCARoot != "" {
+		var err error
+		certPool, err = getCARoot(setting.AcmeCARoot)
+		if err != nil {
+			log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
+		}
+	}
 	myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
-		Email:                   email,
-		Agreed:                  setting.LetsEncryptTOS,
+		CA:                      setting.AcmeURL,
+		TrustedRoots:            certPool,
+		Email:                   setting.AcmeEmail,
+		Agreed:                  setting.AcmeTOS,
 		DisableHTTPChallenge:    !enableHTTPChallenge,
 		DisableTLSALPNChallenge: !enableTLSALPNChallenge,
 		ListenHost:              setting.HTTPAddr,
@@ -47,7 +80,7 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 	magic.Issuers = []certmagic.Issuer{myACME}
 
 	// this obtains certificates or renews them if necessary
-	err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{domain})
+	err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{setting.Domain})
 	if err != nil {
 		return err
 	}

contrib/upgrade.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This is an update script for gitea installed via the binary distribution
+# from dl.gitea.io on linux as systemd service. It performs a backup and updates
+# Gitea in place.
+# NOTE: This adds the GPG Signing Key of the Gitea maintainers to the keyring.
+# Depends on: bash, curl, xz, sha256sum, gpg. optionally jq.
+# Usage:      [environment vars] upgrade.sh [version]
+#   See section below for available environment vars.
+#   When no version is specified, updates to the latest release.
+# Examples:
+#   upgrade.sh 1.15.10
+#   giteahome=/opt/gitea giteaconf=$giteahome/app.ini upgrade.sh
+
+# apply variables from environment
+: "${giteabin:="/usr/local/bin/gitea"}"
+: "${giteahome:="/var/lib/gitea"}"
+: "${giteaconf:="/etc/gitea/app.ini"}"
+: "${giteauser:="git"}"
+: "${sudocmd:="sudo"}"
+: "${arch:="linux-amd64"}"
+: "${backupopts:=""}" # see `gitea dump --help` for available options
+
+function giteacmd {
+  "$sudocmd" --user "$giteauser" "$giteabin" --config "$giteaconf" --work-path "$giteahome" "$@"
+}
+
+function require {
+  for exe in "$@"; do
+    command -v "$exe" &>/dev/null || (echo "missing dependency '$exe'"; exit 1)
+  done
+}
+require systemctl curl xz sha256sum gpg "$sudocmd"
+
+# select version to install
+if [[ -z "${1:-}" ]]; then
+  require jq
+  giteaversion=$(curl --connect-timeout 10 -sL https://dl.gitea.io/gitea/version.json | jq -r .latest.version)
+else
+  giteaversion="$1"
+fi
+
+# confirm update
+current=$(giteacmd --version | cut --delimiter=' ' --fields=3)
+[[ "$current" == "$giteaversion" ]] && echo "$current is already installed, stopping." && exit 1
+echo "Make sure to read the changelog first: https://github.com/go-gitea/gitea/blob/main/CHANGELOG.md"
+echo "Are you ready to update Gitea from ${current} to ${giteaversion}? (y/N)"
+read -r confirm
+[[ "$confirm" == "y" ]] || [[ "$confirm" == "Y" ]] || exit 1
+
+pushd "$(pwd)" &>/dev/null
+cd "$giteahome" # needed for gitea dump later
+
+# download new binary
+binname="gitea-${giteaversion}-${arch}"
+binurl="https://dl.gitea.io/gitea/${giteaversion}/${binname}.xz"
+echo "Downloading $binurl..."
+curl --connect-timeout 10 --silent --show-error --fail --location -O "$binurl{,.sha256,.asc}"
+
+# validate checksum & gpg signature (exit script if error)
+sha256sum --check "${binname}.xz.sha256"
+gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+gpg --verify "${binname}.xz.asc" "${binname}.xz" || { echo 'Signature does not match'; exit 1; }
+rm "${binname}".xz.{sha256,asc}
+
+# unpack binary + make executable
+xz --decompress "${binname}.xz"
+chown "$giteauser" "$binname"
+chmod +x "$binname"
+
+# stop gitea, create backup, replace binary, restart gitea
+echo "Stopping gitea at $(date)"
+giteacmd manager flush-queues
+$sudocmd systemctl stop gitea
+echo "Creating backup in $giteahome"
+giteacmd dump $backupopts
+echo "Updating binary at $giteabin"
+mv --force --backup "$binname" "$giteabin"
+$sudocmd systemctl start gitea
+$sudocmd systemctl status gitea
+
+popd

custom/conf/app.example.ini

@@ -82,12 +82,15 @@ RUN_MODE = ; prod
 ;; Whether to use the builtin SSH server or not.
 ;START_SSH_SERVER = false
 ;;
-;; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
-;BUILTIN_SSH_SERVER_USER =
+;; Username to use for the builtin SSH server.
+;BUILTIN_SSH_SERVER_USER = %(RUN_USER)s
 ;;
 ;; Domain name to be exposed in clone URL
 ;SSH_DOMAIN = %(DOMAIN)s
 ;;
+;; SSH username displayed in clone URLs.
+;SSH_USER = %(BUILTIN_SSH_SERVER_USER)s
+;;
 ;; The network interface the builtin SSH server should listen on
 ;SSH_LISTEN_HOST =
 ;;
@@ -175,6 +178,36 @@ RUN_MODE = ; prod
 ;OFFLINE_MODE = false
 ;DISABLE_ROUTER_LOG = false
 ;;
+;; TLS Settings: Either ACME or manual
+;; (Other common TLS configuration are found before)
+;ENABLE_ACME = false
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; ACME automatic TLS settings
+;;
+;; ACME directory URL (e.g. LetsEncrypt's staging/testing URL: https://acme-staging-v02.api.letsencrypt.org/directory)
+;; Leave empty to default to LetsEncrypt's (production) URL
+;ACME_URL =
+;;
+;; Explicitly accept the ACME's TOS. The specific TOS cannot be retrieved at the moment.
+;ACME_ACCEPTTOS = false
+;;
+;; If the ACME CA is not in your system's CA trust chain, it can be manually added here
+;ACME_CA_ROOT =
+;;
+;; Email used for the ACME registration service
+;; Can be left blank to initialize at first run and use the cached value
+;ACME_EMAIL =
+;;
+;; ACME live directory (not to be confused with ACME directory URL: ACME_URL)
+;; (Refer to caddy's ACME manager https://github.com/caddyserver/certmagic)
+;ACME_DIRECTORY = https
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;;  Manual TLS settings: (Only applicable if ENABLE_ACME=false)
+;;
 ;; Generate steps:
 ;; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
 ;;