Merge branch 'main' into sync-doc-to-zh-cn

Author: CaiCandong

custom/conf/app.example.ini

@@ -544,6 +544,11 @@ ENABLE = true
 ;;
 ;; Maximum length of oauth2 token/cookie stored on server
 ;MAX_TOKEN_LENGTH = 32767
+;;
+;; Pre-register OAuth2 applications for some universally useful services
+;; * https://github.com/hickford/git-credential-oauth
+;; * https://github.com/git-ecosystem/git-credential-manager
+;DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docs/content/administration/config-cheat-sheet.en-us.md

@@ -1100,6 +1100,7 @@ This section only does "set" config, a removed config key from this section won'
 - `JWT_SECRET_URI`: **_empty_**: Instead of defining JWT_SECRET in the configuration, this configuration option can be used to give Gitea a path to a file that contains the secret (example value: `file:/etc/gitea/oauth2_jwt_secret`)
 - `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
 - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider
+- `DEFAULT_APPLICATIONS`: **git-credential-oauth, git-credential-manager**: Pre-register OAuth applications for some services on startup. See the [OAuth2 documentation](/development/oauth2-provider.md) for the list of available options.
 
 ## i18n (`i18n`)
 

docs/content/development/oauth2-provider.en-us.md

@@ -78,6 +78,17 @@ Gitea token scopes are as follows:
 |     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings.                                                    |
 |     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings.                     |
 
+## Pre-configured Applications
+
+Gitea creates OAuth applications for the following services by default on startup, as we assume that these are universally useful.
+
+|Application|Description|Client ID|
+|-----------|-----------|---------|
+|[git-credential-oauth](https://github.com/hickford/git-credential-oauth)|Git credential helper|`a4792ccc-144e-407e-86c9-5e7d8d9c3269`|
+|[Git Credential Manager](https://github.com/git-ecosystem/git-credential-manager)|Git credential helper|`e90ee53c-94e2-48ac-9358-a874fb9e0662`|
+
+To prevent unexpected behavior, they are being displayed as locked in the UI and their creation can instead be controlled by the `DEFAULT_APPLICATIONS` parameter in `app.ini`.
+
 ## Client types
 
 Gitea supports both confidential and public client types, [as defined by RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).

models/auth/oauth2.go

@@ -13,6 +13,8 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
@@ -46,6 +48,83 @@ func init() {
 	db.RegisterModel(new(OAuth2Grant))
 }
 
+type BuiltinOAuth2Application struct {
+	ConfigName   string
+	DisplayName  string
+	RedirectURIs []string
+}
+
+func BuiltinApplications() map[string]*BuiltinOAuth2Application {
+	m := make(map[string]*BuiltinOAuth2Application)
+	m["a4792ccc-144e-407e-86c9-5e7d8d9c3269"] = &BuiltinOAuth2Application{
+		ConfigName:   "git-credential-oauth",
+		DisplayName:  "git-credential-oauth",
+		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
+	}
+	m["e90ee53c-94e2-48ac-9358-a874fb9e0662"] = &BuiltinOAuth2Application{
+		ConfigName:   "git-credential-manager",
+		DisplayName:  "Git Credential Manager",
+		RedirectURIs: []string{"http://127.0.0.1", "https://127.0.0.1"},
+	}
+	return m
+}
+
+func Init(ctx context.Context) error {
+	builtinApps := BuiltinApplications()
+	var builtinAllClientIDs []string
+	for clientID := range builtinApps {
+		builtinAllClientIDs = append(builtinAllClientIDs, clientID)
+	}
+
+	var registeredApps []*OAuth2Application
+	if err := db.GetEngine(ctx).In("client_id", builtinAllClientIDs).Find(&registeredApps); err != nil {
+		return err
+	}
+
+	clientIDsToAdd := container.Set[string]{}
+	for _, configName := range setting.OAuth2.DefaultApplications {
+		found := false
+		for clientID, builtinApp := range builtinApps {
+			if builtinApp.ConfigName == configName {
+				clientIDsToAdd.Add(clientID) // add all user-configured apps to the "add" list
+				found = true
+			}
+		}
+		if !found {
+			return fmt.Errorf("unknown oauth2 application: %q", configName)
+		}
+	}
+	clientIDsToDelete := container.Set[string]{}
+	for _, app := range registeredApps {
+		if !clientIDsToAdd.Contains(app.ClientID) {
+			clientIDsToDelete.Add(app.ClientID) // if a registered app is not in the "add" list, it should be deleted
+		}
+	}
+	for _, app := range registeredApps {
+		clientIDsToAdd.Remove(app.ClientID) // no need to re-add existing (registered) apps, so remove them from the set
+	}
+
+	for _, app := range registeredApps {
+		if clientIDsToDelete.Contains(app.ClientID) {
+			if err := deleteOAuth2Application(ctx, app.ID, 0); err != nil {
+				return err
+			}
+		}
+	}
+	for clientID := range clientIDsToAdd {
+		builtinApp := builtinApps[clientID]
+		if err := db.Insert(ctx, &OAuth2Application{
+			Name:         builtinApp.DisplayName,
+			ClientID:     clientID,
+			RedirectURIs: builtinApp.RedirectURIs,
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // TableName sets the table name to `oauth2_application`
 func (app *OAuth2Application) TableName() string {
 	return "oauth2_application"
@@ -205,6 +284,10 @@ func UpdateOAuth2Application(opts UpdateOAuth2ApplicationOptions) (*OAuth2Applic
 	if app.UID != opts.UserID {
 		return nil, fmt.Errorf("UID mismatch")
 	}
+	builtinApps := BuiltinApplications()
+	if _, builtin := builtinApps[app.ClientID]; builtin {
+		return nil, fmt.Errorf("failed to edit OAuth2 application: application is locked: %s", app.ClientID)
+	}
 
 	app.Name = opts.Name
 	app.RedirectURIs = opts.RedirectURIs
@@ -261,6 +344,14 @@ func DeleteOAuth2Application(id, userid int64) error {
 		return err
 	}
 	defer committer.Close()
+	app, err := GetOAuth2ApplicationByID(ctx, id)
+	if err != nil {
+		return err
+	}
+	builtinApps := BuiltinApplications()
+	if _, builtin := builtinApps[app.ClientID]; builtin {
+		return fmt.Errorf("failed to delete OAuth2 application: application is locked: %s", app.ClientID)
+	}
 	if err := deleteOAuth2Application(ctx, id, userid); err != nil {
 		return err
 	}

models/issues/pull.go

@@ -533,13 +533,12 @@ func (pr *PullRequest) SetMerged(ctx context.Context) (bool, error) {
 }
 
 // NewPullRequest creates new pull request with labels for repository.
-func NewPullRequest(outerCtx context.Context, repo *repo_model.Repository, issue *Issue, labelIDs []int64, uuids []string, pr *PullRequest) (err error) {
-	ctx, committer, err := db.TxContext(outerCtx)
+func NewPullRequest(ctx context.Context, repo *repo_model.Repository, issue *Issue, labelIDs []int64, uuids []string, pr *PullRequest) (err error) {
+	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return err
 	}
 	defer committer.Close()
-	ctx.WithContext(outerCtx)
 
 	idx, err := db.GetNextResourceIndex(ctx, "issue_index", repo.ID)
 	if err != nil {
@@ -948,14 +947,14 @@ func PullRequestCodeOwnersReview(ctx context.Context, pull *Issue, pr *PullReque
 
 	for _, u := range uniqUsers {
 		if u.ID != pull.Poster.ID {
-			if _, err := AddReviewRequest(pull, u, pull.Poster); err != nil {
+			if _, err := AddReviewRequest(ctx, pull, u, pull.Poster); err != nil {
 				log.Warn("Failed add assignee user: %s to PR review: %s#%d, error: %s", u.Name, pr.BaseRepo.Name, pr.ID, err)
 				return err
 			}
 		}
 	}
 	for _, t := range uniqTeams {
-		if _, err := AddTeamReviewRequest(pull, t, pull.Poster); err != nil {
+		if _, err := AddTeamReviewRequest(ctx, pull, t, pull.Poster); err != nil {
 			log.Warn("Failed add assignee team: %s to PR review: %s#%d, error: %s", t.Name, pr.BaseRepo.Name, pr.ID, err)
 			return err
 		}

models/issues/pull_test.go

@@ -88,14 +88,14 @@ func TestLoadRequestedReviewers(t *testing.T) {
 	user1, err := user_model.GetUserByID(db.DefaultContext, 1)
 	assert.NoError(t, err)
 
-	comment, err := issues_model.AddReviewRequest(issue, user1, &user_model.User{})
+	comment, err := issues_model.AddReviewRequest(db.DefaultContext, issue, user1, &user_model.User{})
 	assert.NoError(t, err)
 	assert.NotNil(t, comment)
 
 	assert.NoError(t, pull.LoadRequestedReviewers(db.DefaultContext))
 	assert.Len(t, pull.RequestedReviewers, 1)
 
-	comment, err = issues_model.RemoveReviewRequest(issue, user1, &user_model.User{})
+	comment, err = issues_model.RemoveReviewRequest(db.DefaultContext, issue, user1, &user_model.User{})
 	assert.NoError(t, err)
 	assert.NotNil(t, comment)
 

models/issues/review.go

@@ -560,8 +560,8 @@ func InsertReviews(reviews []*Review) error {
 }
 
 // AddReviewRequest add a review request from one reviewer
-func AddReviewRequest(issue *Issue, reviewer, doer *user_model.User) (*Comment, error) {
-	ctx, committer, err := db.TxContext(db.DefaultContext)
+func AddReviewRequest(ctx context.Context, issue *Issue, reviewer, doer *user_model.User) (*Comment, error) {
+	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -615,8 +615,8 @@ func AddReviewRequest(issue *Issue, reviewer, doer *user_model.User) (*Comment,
 }
 
 // RemoveReviewRequest remove a review request from one reviewer
-func RemoveReviewRequest(issue *Issue, reviewer, doer *user_model.User) (*Comment, error) {
-	ctx, committer, err := db.TxContext(db.DefaultContext)
+func RemoveReviewRequest(ctx context.Context, issue *Issue, reviewer, doer *user_model.User) (*Comment, error) {
+	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -676,8 +676,8 @@ func restoreLatestOfficialReview(ctx context.Context, issueID, reviewerID int64)
 }
 
 // AddTeamReviewRequest add a review request from one team
-func AddTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *user_model.User) (*Comment, error) {
-	ctx, committer, err := db.TxContext(db.DefaultContext)
+func AddTeamReviewRequest(ctx context.Context, issue *Issue, reviewer *organization.Team, doer *user_model.User) (*Comment, error) {
+	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -735,8 +735,8 @@ func AddTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *user_
 }
 
 // RemoveTeamReviewRequest remove a review request from one team
-func RemoveTeamReviewRequest(issue *Issue, reviewer *organization.Team, doer *user_model.User) (*Comment, error) {
-	ctx, committer, err := db.TxContext(db.DefaultContext)
+func RemoveTeamReviewRequest(ctx context.Context, issue *Issue, reviewer *organization.Team, doer *user_model.User) (*Comment, error) {
+	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return nil, err
 	}

modules/context/base.go

@@ -147,6 +147,10 @@ func (b *Base) Params(p string) string {
 	return s
 }
 
+func (b *Base) PathParamRaw(p string) string {
+	return chi.URLParam(b.Req, strings.TrimPrefix(p, ":"))
+}
+
 // ParamsInt64 returns the param on route as int64
 func (b *Base) ParamsInt64(p string) int64 {
 	v, _ := strconv.ParseInt(b.Params(p), 10, 64)

modules/context/context.go

@@ -141,6 +141,7 @@ func Contexter() func(next http.Handler) http.Handler {
 			// TODO: "install.go" also shares the same logic, which should be refactored to a general function
 			ctx.TemplateContext = NewTemplateContext(ctx)
 			ctx.TemplateContext["Locale"] = ctx.Locale
+			ctx.TemplateContext["AvatarUtils"] = templates.NewAvatarUtils(ctx)
 
 			ctx.Data.MergeFrom(middleware.CommonTemplateContextData())
 			ctx.Data["Context"] = ctx // TODO: use "ctx" in template and remove this

modules/markup/common/footnote.go

@@ -29,17 +29,12 @@ func CleanValue(value []byte) []byte {
 	value = bytes.TrimSpace(value)
 	rs := bytes.Runes(value)
 	result := make([]rune, 0, len(rs))
-	needsDash := false
 	for _, r := range rs {
-		switch {
-		case unicode.IsLetter(r) || unicode.IsNumber(r) || r == '_':
-			if needsDash && len(result) > 0 {
-				result = append(result, '-')
-			}
-			needsDash = false
+		if unicode.IsLetter(r) || unicode.IsNumber(r) || r == '_' || r == '-' {
 			result = append(result, unicode.ToLower(r))
-		default:
-			needsDash = true
+		}
+		if unicode.IsSpace(r) {
+			result = append(result, '-')
 		}
 	}
 	return []byte(string(result))

modules/markup/common/footnote_test.go

@@ -0,0 +1,60 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+package common
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCleanValue(t *testing.T) {
+	tests := []struct {
+		param  string
+		expect string
+	}{
+		// Github behavior test cases
+		{"", ""},
+		{"test(0)", "test0"},
+		{"test!1", "test1"},
+		{"test:2", "test2"},
+		{"test*3", "test3"},
+		{"test！4", "test4"},
+		{"test：5", "test5"},
+		{"test*6", "test6"},
+		{"test：6 a", "test6-a"},
+		{"test：6 !b", "test6-b"},
+		{"test：ad # df", "testad--df"},
+		{"test：ad #23 df 2*/*", "testad-23-df-2"},
+		{"test：ad 23 df 2*/*", "testad-23-df-2"},
+		{"test：ad # 23 df 2*/*", "testad--23-df-2"},
+		{"Anchors in Markdown", "anchors-in-markdown"},
+		{"a_b_c", "a_b_c"},
+		{"a-b-c", "a-b-c"},
+		{"a-b-c----", "a-b-c----"},
+		{"test：6a", "test6a"},
+		{"test：a6", "testa6"},
+		{"tes a a   a  a", "tes-a-a---a--a"},
+		{"  tes a a   a  a  ", "tes-a-a---a--a"},
+		{"Header with \"double quotes\"", "header-with-double-quotes"},
+		{"Placeholder to force scrolling on link's click", "placeholder-to-force-scrolling-on-links-click"},
+		{"tes（）", "tes"},
+		{"tes（0）", "tes0"},
+		{"tes{0}", "tes0"},
+		{"tes[0]", "tes0"},
+		{"test【0】", "test0"},
+		{"tes…@a", "tesa"},
+		{"tes￥& a", "tes-a"},
+		{"tes= a", "tes-a"},
+		{"tes|a", "tesa"},
+		{"tes\\a", "tesa"},
+		{"tes/a", "tesa"},
+		{"a啊啊b", "a啊啊b"},
+		{"c🤔️🤔️d", "cd"},
+		{"a⚡a", "aa"},
+		{"e.~f", "ef"},
+	}
+	for _, test := range tests {
+		assert.Equal(t, []byte(test.expect), CleanValue([]byte(test.param)), test.param)
+	}
+}

modules/setting/oauth2.go

@@ -100,6 +100,7 @@ var OAuth2 = struct {
 	JWTSecretBase64            string `ini:"JWT_SECRET"`
 	JWTSigningPrivateKeyFile   string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
 	MaxTokenLength             int
+	DefaultApplications        []string
 }{
 	Enable:                     true,
 	AccessTokenExpirationTime:  3600,
@@ -108,6 +109,7 @@ var OAuth2 = struct {
 	JWTSigningAlgorithm:        "RS256",
 	JWTSigningPrivateKeyFile:   "jwt/private.pem",
 	MaxTokenLength:             math.MaxInt16,
+	DefaultApplications:        []string{"git-credential-oauth", "git-credential-manager"},
 }
 
 func loadOAuth2From(rootCfg ConfigProvider) {