0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 23:33:15 -05:00
Commit graph

1679 commits

Author SHA1 Message Date
Gusted
e6bbecb02d
fix: disallow basic authorization when security keys are enrolled
- This unifies the security behavior of enrolling security keys with
enrolling TOTP as a 2FA method. When TOTP is enrolled, you cannot use
basic authorization (user:password) to make API request on behalf of the
user, this is now also the case when you enroll security keys.
- The usage of access tokens are the only method to make API requests on
behalf of the user when a 2FA method is enrolled for the user.
- Integration test added.
2024-11-15 10:59:36 +01:00
Gusted
9508aa7713
Improve usage of HMAC output for mailer tokens
- If the incoming mail feature is enabled, tokens are being sent with
outgoing mails. These tokens contains information about what type of
action is allow with such token (such as replying to a certain issue
ID), to verify these tokens the code uses the HMAC-SHA256 construction.
- The output of the HMAC is truncated to 80 bits, because this is
recommended by RFC2104, but RFC2104 actually doesn't recommend this. It
recommends, if truncation should need to take place, it should use
max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out
to 128 bits instead of the currently used 80 bits.
- Update to token version 2 and disallow any usage of token version 1,
token version 2 are generated with 128 bits of HMAC output.
- Add test to verify the deprecation of token version 1 and a general
MAC check test.
2024-11-15 10:59:36 +01:00
Gusted
1ce33aa38d
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.
2024-11-15 10:59:36 +01:00
Otto
3531710dc6 Merge pull request 'fix: Proper parsing of date for git commits' (#5892) from gusted/forgejo-port-32409 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5892
Reviewed-by: Otto <otto@codeberg.org>
2024-11-11 14:22:32 +00:00
Michael Kriese
c33cbae7cc
test: fix test linting
See forgejo/forgejo#5911
2024-11-11 12:44:36 +01:00
wxiaoguang
7e1aa8a5cd
[PORT] Refactor DateUtils and merge TimeSince (gitea#32409)
Follow #32383 and #32402

---
Conflict resolution: Magic, painful.

(cherry picked from commit b068dbd40ee3b4dc7d18cdcf168f0c24cea234c0)
2024-11-10 22:23:27 +01:00
Lunny Xiao
2efc1f5686
[PORT] Fix code owners will not be mentioned when a pull request comes from a forked repository (gitea#30476)
Fix #30277
Caused by #29783

---

- Resolves #5842
- Regression from #2855

(cherry picked from commit c63060b130d34e3f03f28f4dccbf04d381a95c17)
2024-11-09 00:46:48 +01:00
Otto
0fb48872ac Merge pull request '[FEAT] Trim spaces from repo names on form submission' (#5822) from gusted/forgejo-trim-spaces-form into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5822
Reviewed-by: Otto <otto@codeberg.org>
2024-11-06 09:16:17 +00:00
Earl Warren
36b18fb6cc Merge pull request '[gitea] week 2024-45 cherry pick (gitea/main -> forgejo)' (#5789) from algernon/wcp/2024-45 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5789
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-06 08:57:43 +00:00
Gusted
4952747699
[FEAT] Trim spaces from repository name
- This uses the `TrimSpace` preprocessing of the binding library to
remove any accidental spaces from the input.
- Integration test added.
- Resolves #4309
2024-11-05 23:13:17 +01:00
Gusted
310376525b
[CHORE] Use forked binding library
- Use the forked [binding](https://code.forgejo.org/go-chi/binding)
library. This library has two benefits, it removes the usage of
`github.com/goccy/go-json` (has no benefit as the minimo library is also
using it). It adds the `TrimSpace` feature, which will during the
binding part trim the spaces around the value it got from the form, this
is done before validation.
2024-11-05 22:47:34 +01:00
Otto
f28e728317 Merge pull request '[PORT] Replace DateTime with proper functions (gitea#32402)' (#5796) from gusted/forgejo-port-dateutils into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5796
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-05 21:46:29 +00:00
Gusted
25c7c531f5 Merge pull request '[PORT] Refactor the DB migration system slightly (gitea#32344)' (#5793) from gusted/forgejo-port-32344 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5793
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-05 20:15:11 +00:00
Michael Kriese
c8ba330833 Merge pull request 'test: enable gitea migration tests' (#5817) from viceice/test/migrations/gitea into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5817
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-05 10:55:30 +00:00
Michael Kriese
64bf7f3696
test: enable gitea migration tests 2024-11-05 11:16:19 +01:00
Michael Kriese
c68fcaf53d
test: enable github migration tests 2024-11-05 10:37:28 +01:00
Rowan Bohde
befafe9a05
improve performance of diffs (#32393)
This has two major changes that significantly reduce the amount of work
done for large diffs:

* Kill a running git process when reaching the maximum number of files
in a diff, preventing it from processing the entire diff.
* When loading a diff with the URL param `file-only=true`, skip loading
stats. This speeds up loading both hidden files of a diff and sections
of a diff when clicking the "Show More" button.

A couple of minor things from profiling are also included:

* Reuse existing repo in `PrepareViewPullInfo` if head and base are the
same.

The performance impact is going to depend heavily on the individual diff
and the hardware it runs on, but when testing locally on a diff changing
100k+ lines over hundreds of files, I'm seeing a roughly 75% reduction
in time to load the result of "Show More"

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 7dcccc3bb19655a6f83dd495ffc332708d0c8678)
2024-11-05 09:39:21 +01:00
Zettat123
6b74043b85
Fix missing signature key error when pulling Docker images with SERVE_DIRECT enabled (#32365)
Fix #28121

I did some tests and found that the `missing signature key` error is
caused by an incorrect `Content-Type` header. Gitea correctly sets the
`Content-Type` header when serving files.

348d1d0f32/routers/api/packages/container/container.go (L712-L717)
However, when `SERVE_DIRECT` is enabled, the `Content-Type` header may
be set to an incorrect value by the storage service. To fix this issue,
we can use query parameters to override response header values.

https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
<img width="600px"
src="https://github.com/user-attachments/assets/f2ff90f0-f1df-46f9-9680-b8120222c555"
/>

In this PR, I introduced a new parameter to the `URL` method to support
additional parameters.

```
URL(path, name string, reqParams url.Values) (*url.URL, error)
```

---

Most S3-like services support specifying the content type when storing
objects. However, Gitea always use `application/octet-stream`.
Therefore, I believe we also need to improve the `Save` method to
support storing objects with the correct content type.

b7fb20e73e/modules/storage/minio.go (L214-L221)
(cherry picked from commit 0690cb076bf63f71988a709f62a9c04660b51a4f)

Conflicts:
	- modules/storage/azureblob.go
	  Dropped the change, as we do not support Azure blob storage.
	- modules/storage/helper.go
	  Resolved by adjusting their `discardStorage` to our
	  `DiscardStorage`
	- routers/api/actions/artifacts.go
	  routers/api/actions/artifactsv4.go
	  routers/web/repo/actions/view.go
	  routers/web/repo/download.go
	  Resolved the conflicts by manually adding the new `nil`
	  parameter to the `storage.Attachments.URL()` calls.

	  Originally conflicted due to differences in the if expression
	  above these calls.
2024-11-05 09:33:15 +01:00
Oleksandr Redko
4aa61601c3
refactor: remove redundant err declarations (#32381)
(cherry picked from commit f4d3aaeeb9e1b11c5495e4608a3f52f316c35758)

Conflicts:
	- modules/charset/charset_test.go
	  Resolved by manually changing a `=` to `:=`, as per the
	  original patch. Conflict was due to `require.NoError`.
2024-11-05 09:33:15 +01:00
Royce Remer
fe5adbbbdc
Add new [lfs_client].BATCH_SIZE and [server].LFS_MAX_BATCH_SIZE config settings. (#32307)
This contains two backwards-compatible changes:
* in the lfs http_client, the number of lfs oids requested per batch is
loaded from lfs_client#BATCH_SIZE and defaulted to the previous value of
20
* in the lfs server/service, the max number of lfs oids allowed in a
batch api request is loaded from server#LFS_MAX_BATCH_SIZE and defaults
to 'nil' which equates to the previous behavior of 'infinite'

This fixes #32306

---------

Signed-off-by: Royce Remer <royceremer@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit c60e4dc1095ef90a790582cacfad27c972637bb2)

Conflicts:
	- services/lfs/server.go
	  Conflict due to our Quota implementation. Resolved by manually
	  adding the change after the quota check.
2024-11-05 09:33:15 +01:00
Earl Warren
407396cde0 Merge pull request 'Add label to Forgejo Actions PR labeled/unlabeled events and update the commit status' (#5778) from earl-warren/forgejo:wip-label-status into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5778
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-04 14:09:23 +00:00
Otto
1418ac176d Merge pull request '[PORT] Fix git error handling (gitea#32401)' (#5794) from gusted/forgejo-port-32401 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5794
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-04 10:40:07 +00:00
Earl Warren
66c85b7d8b
fix: Actions PR workflows must update the commit status
When a workflow has

on:
  pull_request:
    types:
      - labeled
      - unlabeled

The outcome of the workflow (success or failure) must be associated
with the head sha commit status. Otherwise it cannot be used as a
requirement for merging the pull request (branch protections).
2024-11-04 11:27:14 +01:00
Earl Warren
58e3c1fbdb
fix: add label to issues and PR labeled/unlabeled events
When a workflow has

on:
  pull_request:
    types:
      - labeled
      - unlabeled

The payload misses the label field describing the added or removed
label.

The unlabeled event type was also incorrectly mapped to the labeled
event type.
2024-11-04 10:41:11 +01:00
wxiaoguang
498b5f9867
[PORT] Refactor the DB migration system slightly (gitea#32344)
Introduce "idNumber" for each migration, and clarify the difference
between the migration ID number and database version.

---
Conflict resolution: trivial

(cherry picked from commit d70af38447a759d4a935e315e18efa4dd625f655)
2024-11-03 17:00:48 +01:00
wxiaoguang
171de4d107
[PORT] Fix git error handling (gitea#32401)
---
Conflict resolution: Trivial, for `repo_attributes.go` move where the
`IsErrCanceledOrKilled` needs to happen because of other changes that
happened in this file.

To add some words to this change: It seems to be mostly simplifying the
error handling of git operations.

(cherry picked from commit e524f63d58900557d7d57fc3bcd19d9facc8b8ee)
2024-11-03 16:47:44 +01:00
wxiaoguang
f2eabf6308
[PORT] Replace DateTime with DateUtils (gitea#32383)
(cherry picked from commit fec6b3d50072e48bb51c18c5c4ea682dc6319573)
2024-11-03 16:37:01 +01:00
Michael Kriese
284ffe4e00
fix: support www.github.com for migrations 2024-11-03 16:08:58 +01:00
Gusted
4c67023c7e
tests: improve actvititypub integration test code
- Make use of `test.MockVariableValue` to override variables for the
duration of the test.
- Don't needlessly call `onGiteaRun`, its only needed when a HTTP server
needs to be called by the code.
- When `onGiteaRun` is used, make use of the passed parameters, such as
the passed `*testing.T` variable and `*url.URL` (this also avoids
needing to serve the routers in the test code again).
- Use `(*url.URL).JoinPath` to craft new URLs.
- Don't override `setting.AppURL` & `setting.Database.LogSQL` when its
does not affect the test.
- Add empty fixture files for `FederatedUser` & `FederationHost` so they
are truncated and do not persist between tests.
2024-11-01 22:39:49 +01:00
Tom Neuber
68d5cf0e92
Add branch auto deletion for scheduled PRs 2024-10-31 03:49:15 +01:00
Tom Neuber
3f01fb31d9
create "shared" package to workaround import loop issues 2024-10-31 03:49:14 +01:00
Earl Warren
485db0a3ba Merge pull request '[gitea] week 2024-44 cherry pick (gitea/main -> forgejo)' (#5714) from algernon/wcp/2024-44 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5714
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-29 09:05:27 +00:00
Gusted
266e0b2ce9
security: add permission check to 'delete branch after merge'
- Add a permission check that the doer has write permissions to the head
repository if the the 'delete branch after merge' is enabled when
merging a pull request.
- Unify the checks in the web and API router to `DeleteBranchAfterMerge`.
- Added integration tests.
2024-10-28 05:48:10 +01:00
Lunny Xiao
261c0a95b4
Add warn log when deleting inactive users (#32318)
Add log for the problem #31480

(cherry picked from commit a264c46fb04112c5ec2c1b2acd523a2e4450da40)

Conflicts:
	- services/user/user.go
	  Resolved by manually adding the log line.
2024-10-27 11:27:40 +01:00
Renovate Bot
b597725fa0 Update module github.com/jhillyerd/enmime to v2 2024-10-23 06:04:11 +00:00
Earl Warren
c1a08156f8 Merge pull request '[gitea] week 2024-43 cherry pick (gitea/main -> forgejo)' (#5621) from algernon/wcp/2024-43 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5621
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-22 17:37:03 +00:00
Gusted
f298bf125a Merge pull request 'fix: use ValidateEmail as binding across web forms' (#5158) from solomonv/consolidate-email-validation into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5158
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-21 14:31:32 +00:00
dragon
95c7599db5 fix arch pkg 2024-10-21 10:08:57 +08:00
谈笑风生间
c3741d7fb0
Support requested_reviewers data in comment webhook events (#26178)
close #25833

Currently, the information for "requested_reviewers" is only included in
the webhook event for reviews. I would like to suggest adding this
information to the webhook event for "PullRequest comment" as well, as
they both pertain to the "PullRequest" event.

Also, The reviewer information for the Pull Request is not displayed
when it is approved or rejected.

(cherry picked from commit d50ed0abf731a10741831d4b6dd54791e3e567ec)
2024-10-20 09:34:46 +02:00
Zettat123
e8700cee61
Update scheduled tasks even if changes are pushed by "ActionsUser" (#32246)
Fix #32219

---------

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 81aec6d621a3ea0dfb02d3b4d20b9be77c30c6ab)
2024-10-20 09:24:58 +02:00
Zettat123
89446e60a6
Support migrating GitHub/GitLab PR draft status (#32242)
Resolve #32196

(cherry picked from commit 74664b08a004393ce013e872e47901f52645b65a)
2024-10-20 09:24:25 +02:00
Gusted
cd7c015dd3 Merge pull request 'mail issue: Display issue type in email header' (#5389) from xenrox/forgejo:mail-issue into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5389
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-19 21:54:56 +00:00
Thorben Günther
74403d1f0f
mail issue: Display issue type in email header
Currently notification emails for Pull Requests or Issues are
indistinguishable at first glance. This adds the type ("PR" or "Issue")
before the index number.
2024-10-19 21:25:54 +02:00
Earl Warren
e2354703ed Merge pull request '[gitea] week 2024-42 cherry pick (gitea/main -> forgejo)' (#5543) from earl-warren/wcp/2024-42 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5543
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-19 13:54:24 +00:00
Earl Warren
69bedb8933 Merge pull request 'fix: correct documentation for non 200 responses in swagger' (#5491) from JakobDev/forgejo:fixswagger into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5491
Reviewed-by: Otto <otto@codeberg.org>
2024-10-15 11:34:35 +00:00
Otto
1d13249e17 Merge pull request '[BUG] Don't allow owner team with incorrect unit access' (#5529) from gusted/forgejo-owners-team-description into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5529
Reviewed-by: Otto <otto@codeberg.org>
2024-10-14 19:56:58 +00:00
Earl Warren
e299a7f4cd Merge pull request 'fix: don't cancel schedule workflows on push to main branch' (#5470) from Kwonunn/forgejo:dont-cancel-schedule-workflow into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5470
2024-10-13 12:06:02 +00:00
Lunny Xiao
8f61fce938
Only rename a user when they should receive a different name (#32247)
Fix #31996

(cherry picked from commit 9df5ddaf44aa5a3f319acba7b18645b7b1d4d8a2)
2024-10-13 14:17:08 +03:00
Earl Warren
7855e4bb56
Improve the maintainblity of the reserved username list (#32229)
(cherry picked from commit 6029d78ab5006e8fb4f42adb5a8c491f19fa7b0a)

Conflicts:
  models/user/user.go
	services/user/user_test.go
    trivial context conflict
	tests/integration/user_test.go
    discarded entirely because dot may be allowed in Forgejo under
    some conditions
2024-10-13 14:17:08 +03:00
Gusted
9de9034400
[BUG] Don't allow owner team with incorrect unit access
- On editting a team, only update the units if the team isn't the
'Owners' team. Otherwise the 'Owners' team end up having all of their
unit access modes set to 'None'; because the request form doesn't send
over any units, as it's simply not shown in the UI.
- Adds a database inconstency check and fix for the case where the
'Owners' team is affected by this bug.
- Adds unit test.
- Adds integration test.
- Resolves #5528
- Regression of https://github.com/go-gitea/gitea/pull/24012
2024-10-11 14:48:47 +02:00