Merge branch 'main' into wip-dumprestore-test

Author: lunny

cmd/web.go

@@ -222,18 +222,19 @@ func listen(m http.Handler, handleRedirector bool) error {
 		}
 		err = runHTTP("tcp", listenAddr, "Web", m)
 	case setting.HTTPS:
-		if setting.EnableLetsEncrypt {
-			err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, m)
+		if setting.EnableAcme {
+			err = runACME(listenAddr, m)
 			break
-		}
-		if handleRedirector {
-			if setting.RedirectOtherPort {
-				go runHTTPRedirector()
-			} else {
-				NoHTTPRedirector()
+		} else {
+			if handleRedirector {
+				if setting.RedirectOtherPort {
+					go runHTTPRedirector()
+				} else {
+					NoHTTPRedirector()
+				}
 			}
+			err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m)
 		}
-		err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m)
 	case setting.FCGI:
 		if handleRedirector {
 			NoHTTPRedirector()

cmd/web_letsencrypt.go renamed to cmd/web_acme.go

@@ -5,7 +5,11 @@
 package cmd
 
 import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 
@@ -16,7 +20,25 @@ import (
 	"github.com/caddyserver/certmagic"
 )
 
-func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
+func getCARoot(path string) (*x509.CertPool, error) {
+	r, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	block, _ := pem.Decode(r)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM found in the file %s", path)
+	}
+	caRoot, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	certPool := x509.NewCertPool()
+	certPool.AddCert(caRoot)
+	return certPool, nil
+}
+
+func runACME(listenAddr string, m http.Handler) error {
 	// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
 	// Due to docker port mapping this can't be checked programmatically
 	// TODO: these are placeholders until we add options for each in settings with appropriate warning
@@ -33,10 +55,21 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 	}
 
 	magic := certmagic.NewDefault()
-	magic.Storage = &certmagic.FileStorage{Path: directory}
+	magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
+	// Try to use private CA root if provided, otherwise defaults to system's trust
+	var certPool *x509.CertPool
+	if setting.AcmeCARoot != "" {
+		var err error
+		certPool, err = getCARoot(setting.AcmeCARoot)
+		if err != nil {
+			log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
+		}
+	}
 	myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
-		Email:                   email,
-		Agreed:                  setting.LetsEncryptTOS,
+		CA:                      setting.AcmeURL,
+		TrustedRoots:            certPool,
+		Email:                   setting.AcmeEmail,
+		Agreed:                  setting.AcmeTOS,
 		DisableHTTPChallenge:    !enableHTTPChallenge,
 		DisableTLSALPNChallenge: !enableTLSALPNChallenge,
 		ListenHost:              setting.HTTPAddr,
@@ -47,7 +80,7 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 	magic.Issuers = []certmagic.Issuer{myACME}
 
 	// this obtains certificates or renews them if necessary
-	err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{domain})
+	err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{setting.Domain})
 	if err != nil {
 		return err
 	}

custom/conf/app.example.ini

@@ -82,12 +82,15 @@ RUN_MODE = ; prod
 ;; Whether to use the builtin SSH server or not.
 ;START_SSH_SERVER = false
 ;;
-;; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
-;BUILTIN_SSH_SERVER_USER =
+;; Username to use for the builtin SSH server.
+;BUILTIN_SSH_SERVER_USER = %(RUN_USER)s
 ;;
 ;; Domain name to be exposed in clone URL
 ;SSH_DOMAIN = %(DOMAIN)s
 ;;
+;; SSH username displayed in clone URLs.
+;SSH_USER = %(BUILTIN_SSH_SERVER_USER)s
+;;
 ;; The network interface the builtin SSH server should listen on
 ;SSH_LISTEN_HOST =
 ;;
@@ -175,6 +178,36 @@ RUN_MODE = ; prod
 ;OFFLINE_MODE = false
 ;DISABLE_ROUTER_LOG = false
 ;;
+;; TLS Settings: Either ACME or manual
+;; (Other common TLS configuration are found before)
+;ENABLE_ACME = false
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; ACME automatic TLS settings
+;;
+;; ACME directory URL (e.g. LetsEncrypt's staging/testing URL: https://acme-staging-v02.api.letsencrypt.org/directory)
+;; Leave empty to default to LetsEncrypt's (production) URL
+;ACME_URL =
+;;
+;; Explicitly accept the ACME's TOS. The specific TOS cannot be retrieved at the moment.
+;ACME_ACCEPTTOS = false
+;;
+;; If the ACME CA is not in your system's CA trust chain, it can be manually added here
+;ACME_CA_ROOT =
+;;
+;; Email used for the ACME registration service
+;; Can be left blank to initialize at first run and use the cached value
+;ACME_EMAIL =
+;;
+;; ACME live directory (not to be confused with ACME directory URL: ACME_URL)
+;; (Refer to caddy's ACME manager https://github.com/caddyserver/certmagic)
+;ACME_DIRECTORY = https
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;;  Manual TLS settings: (Only applicable if ENABLE_ACME=false)
+;;
 ;; Generate steps:
 ;; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
 ;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -265,6 +265,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `DISABLE_SSH`: **false**: Disable SSH feature when it's not available.
 - `START_SSH_SERVER`: **false**: When enabled, use the built-in SSH server.
 - `BUILTIN_SSH_SERVER_USER`: **%(RUN_USER)s**: Username to use for the built-in SSH Server.
+- `SSH_USER`: **%(BUILTIN_SSH_SERVER_USER)**: SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify the `BUILTIN_SSH_SERVER_USER`.
 - `SSH_DOMAIN`: **%(DOMAIN)s**: Domain name of this server, used for displayed clone URL.
 - `SSH_PORT`: **22**: SSH port displayed in clone URL.
 - `SSH_LISTEN_HOST`: **0.0.0.0**: Listen address for the built-in SSH server.
@@ -291,8 +292,8 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `MINIMUM_KEY_SIZE_CHECK`: **true**: Indicate whether to check minimum key size with corresponding type.
 
 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
-- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). From 1.11 paths are relative to `CUSTOM_PATH`.
-- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if `ENABLE_ACME=true`. From 1.11 paths are relative to `CUSTOM_PATH`.
+- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. This is ignored if `ENABLE_ACME=true`. From 1.11 paths are relative to `CUSTOM_PATH`.
 - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
 - `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data.
 - `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. Note that this cache is disabled when `RUN_MODE` is "dev".
@@ -346,11 +347,12 @@ The following configuration set `Content-Type: application/vnd.android.package-a
     - Aliased names
       - "ecdhe_rsa_with_chacha20_poly1305" is an alias for "ecdhe_rsa_with_chacha20_poly1305_sha256"
       - "ecdhe_ecdsa_with_chacha20_poly1305" is alias for "ecdhe_ecdsa_with_chacha20_poly1305_sha256"
-- `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server).
-   By using Lets Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
-- `LETSENCRYPT_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service for Let's Encrypt.
-- `LETSENCRYPT_DIRECTORY`: **https**: Directory that Letsencrypt will use to cache information such as certs and private keys.
-- `LETSENCRYPT_EMAIL`: **[email protected]**: Email used by Letsencrypt to notify about problems with issued certificates. (No default)
+- `ENABLE_ACME`: **false**: Flag to enable automatic certificate management via an ACME capable Certificate Authority (CA) server (default: Lets Encrypt). If enabled, `CERT_FILE` and `KEY_FILE` are ignored, and the CA must resolve `DOMAIN` to this gitea server. Ensure that DNS records are set and either port `80` or port `443` are accessible by the CA server (the public internet by default), and redirected to the appropriate ports `PORT_TO_REDIRECT` or `HTTP_PORT` respectively.
+- `ACME_URL`: **\<empty\>**: The CA's ACME directory URL, e.g. for a self-hosted [smallstep CA server](https://github.com/smallstep/certificates), it can look like `https://ca.example.com/acme/acme/directory`. If left empty, it defaults to using Let's Encerypt's production CA (check `LETSENCRYPT_ACCEPTTOS` as well).
+- `ACME_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service of the ACME provider. The default is Lets Encrypt [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
+- `ACME_DIRECTORY`: **https**: Directory that the certificate manager will use to cache information such as certs and private keys.
+- `ACME_EMAIL`: **\<empty\>**: Email used for the ACME registration. Usually it is to notify about problems with issued certificates.
+- `ACME_CA_ROOT`: **\<empty\>**: The CA's root certificate. If left empty, it defaults to using the system's trust chain.
 - `ALLOW_GRACEFUL_RESTARTS`: **true**: Perform a graceful restart on SIGHUP
 - `GRACEFUL_HAMMER_TIME`: **60s**: After a restart the parent process will stop accepting new connections and will allow requests to finish before stopping. Shutdown will be forced if it takes longer than this time.
 - `STARTUP_TIMEOUT`: **0**: Shutsdown the server if startup takes longer than the provided time. On Windows setting this sends a waithint to the SVC host to tell the SVC host startup may take some time. Please note startup is determined by the opening of the listeners - HTTP/HTTPS/SSH. Indexers may take longer to startup and can have their own timeouts.

docs/content/doc/features/comparison.en-us.md

@@ -50,7 +50,7 @@ _Symbols used in table:_
 | Repository Tokens with write rights | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓              | ✓            |
 | Built-in Container Registry         | [✘](https://github.com/go-gitea/gitea/issues/2316) | ✘    | ✘         | ✓         | ✓         | ✘              | ✘            |
 | External git mirroring              | ✓                                                  | ✓    | ✘         | ✘         | ✓         | ✓              | ✓            |
-| FIDO U2F (2FA)                      | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓              | ✘            |
+| WebAuthn (2FA)                      | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓              | ?            |
 | Built-in CI/CD                      | ✘                                                  | ✘    | ✓         | ✓         | ✓         | ✘              | ✘            |
 | Subgroups: groups within groups     | ✘                                                  | ✘    | ✘         | ✓         | ✓         | ✘              | ✓            |
 
@@ -66,6 +66,7 @@ _Symbols used in table:_
 | Granular user roles (Code, Issues, Wiki etc) | ✓                                                | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |
 | Verified Committer                           | ⁄                                                | ✘    | ?         | ✓         | ✓         | ✓         | ✘            |
 | GPG Signed Commits                           | ✓                                                | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
+| SSH Signed Commits                           | ✓                                                | ✘    | ✘         | ✘         | ✘         | ?         | ?            |
 | Reject unsigned commits                      | [✓](https://github.com/go-gitea/gitea/pull/9708) | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | Repository Activity page                     | ✓                                                | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | Branch manager                               | ✓                                                | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |

docs/content/doc/features/comparison.zh-cn.md

@@ -48,7 +48,7 @@ _表格中的符号含义:_
 | 仓库写权限令牌        | ✓     | ✘    | ✓         | ✓         | ✓         | ✘         | ✓            |
 | 内置容器 Registry     | ✘     | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |
 | 外部 Git 镜像         | ✓     | ✓    | ✘         | ✘         | ✓         | ✓         | ✓            |
-| FIDO U2F (2FA)        | ✓     | ✘    | ✓         | ✓         | ✓         | ✓         | ✘            |
+| WebAuthn (2FA)       | ✓       | ✘    | ✓         | ✓         | ✓         | ✓              | ?            |
 | 内置 CI/CD            | ✘     | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |
 | 子组织：组织内的组织  | ✘     | ✘    | ✘         | ✓         | ✓         | ✘         | ✓            |
 
@@ -64,6 +64,7 @@ _表格中的符号含义:_
 | 细粒度用户角色 (例如 Code, Issues, Wiki) | ✓     | ✘    | ✘         | ✓         | ✓         | ✘         | ✘            |
 | 提交人的身份验证                         | ✘     | ✘    | ?         | ✓         | ✓         | ✓         | ✘            |
 | GPG 签名的提交                           | ✓     | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
+| SSH 签名的提交                           | ✓      | ✘    | ✘         | ✘         | ✘         | ?         | ?            |
 | 拒绝未用通过验证的提交                   | ✓     | ✘    | ✓         | ✓         | ✓         | ✘         | ✓            |
 | 仓库活跃度页面                           | ✓     | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | 分支管理                                 | ✓     | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |

docs/content/doc/usage/https-support.md

@@ -55,20 +55,34 @@ PORT_TO_REDIRECT = 3080
 
 If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.
 
-## Using Let's Encrypt
+## Using ACME (Default: Let's Encrypt)
 
-[Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates, Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain.
+[ACME](https://tools.ietf.org/html/rfc8555) is a Certificate Authority standard protocol that allows you to automatically request and renew SSL/TLS certificates. [Let's Encrypt](https://letsencrypt.org/) is a free publicly trusted Certificate Authority server using this standard. Only `HTTP-01` and `TLS-ALPN-01` challenges are implemented. In order for ACME challenges to pass and verify your domain ownership, external traffic to the gitea domain on port `80` (`HTTP-01`) or port `443` (`TLS-ALPN-01`) has to be served by the gitea instance. Setting up [HTTP redirection](#setting-up-http-redirection) and port-forwards might be needed for external traffic to route correctly. Normal traffic to port `80` will otherwise be automatically redirected to HTTPS. **You must consent** to the ACME provider's terms of service (default Let's Encrypt's [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)).
 
-By using Let's Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
+Minimum setup using the default Let's Encrypt:
+```ini
+[server]
+PROTOCOL=https
+DOMAIN=git.example.com
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_DIRECTORY=https
+;; Email can be omitted here and provided manually at first run, after which it is cached
+ACME_EMAIL[email protected]
+```
 
+Minimumg setup using a [smallstep CA](https://github.com/smallstep/certificates), refer to [their tutorial](https://smallstep.com/docs/tutorials/acme-challenge) for more information.
 ```ini
 [server]
 PROTOCOL=https
 DOMAIN=git.example.com
-ENABLE_LETSENCRYPT=true
-LETSENCRYPT_ACCEPTTOS=true
-LETSENCRYPT_DIRECTORY=https
-LETSENCRYPT_EMAIL[email protected]
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_URL=https://ca.example.com/acme/acme/directory
+;; Can be omitted if using the system's trust is preferred
+;ACME_CA_ROOT=/path/to/root_ca.crt
+ACME_DIRECTORY=https
+ACME_EMAIL[email protected]
 ```
 
 To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).

integrations/repo_test.go

@@ -135,7 +135,7 @@ func TestViewRepo1CloneLinkAuthorized(t *testing.T) {
 	assert.Equal(t, setting.AppURL+"user2/repo1.git", link)
 	link, exists = htmlDoc.doc.Find("#repo-clone-ssh").Attr("data-link")
 	assert.True(t, exists, "The template has changed")
-	sshURL := fmt.Sprintf("ssh://%s@%s:%d/user2/repo1.git", setting.SSH.BuiltinServerUser, setting.SSH.Domain, setting.SSH.Port)
+	sshURL := fmt.Sprintf("ssh://%s@%s:%d/user2/repo1.git", setting.SSH.User, setting.SSH.Domain, setting.SSH.Port)
 	assert.Equal(t, sshURL, link)
 }
 

models/issue_label.go

@@ -22,7 +22,7 @@ import (
 )
 
 // LabelColorPattern is a regexp witch can validate LabelColor
-var LabelColorPattern = regexp.MustCompile("^#[0-9a-fA-F]{6}$")
+var LabelColorPattern = regexp.MustCompile("^#?(?:[0-9a-fA-F]{6}|[0-9a-fA-F]{3})$")
 
 // Label represents a label of repository for issues.
 type Label struct {
@@ -258,6 +258,23 @@ func NewLabel(label *Label) error {
 	if !LabelColorPattern.MatchString(label.Color) {
 		return fmt.Errorf("bad color code: %s", label.Color)
 	}
+
+	// normalize case
+	label.Color = strings.ToLower(label.Color)
+
+	// add leading hash
+	if label.Color[0] != '#' {
+		label.Color = "#" + label.Color
+	}
+
+	// convert 3-character shorthand into 6-character version
+	if len(label.Color) == 4 {
+		r := label.Color[1]
+		g := label.Color[2]
+		b := label.Color[3]
+		label.Color = fmt.Sprintf("#%c%c%c%c%c%c", r, r, g, g, b, b)
+	}
+
 	return newLabel(db.GetEngine(db.DefaultContext), label)
 }
 

models/issue_label_test.go

@@ -38,11 +38,15 @@ func TestNewLabels(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	labels := []*Label{
 		{RepoID: 2, Name: "labelName2", Color: "#123456"},
-		{RepoID: 3, Name: "labelName3", Color: "#23456F"},
+		{RepoID: 3, Name: "labelName3", Color: "#123"},
+		{RepoID: 4, Name: "labelName4", Color: "ABCDEF"},
+		{RepoID: 5, Name: "labelName5", Color: "DEF"},
 	}
 	assert.Error(t, NewLabel(&Label{RepoID: 3, Name: "invalid Color", Color: ""}))
-	assert.Error(t, NewLabel(&Label{RepoID: 3, Name: "invalid Color", Color: "123456"}))
+	assert.Error(t, NewLabel(&Label{RepoID: 3, Name: "invalid Color", Color: "#45G"}))
 	assert.Error(t, NewLabel(&Label{RepoID: 3, Name: "invalid Color", Color: "#12345G"}))
+	assert.Error(t, NewLabel(&Label{RepoID: 3, Name: "invalid Color", Color: "45G"}))
+	assert.Error(t, NewLabel(&Label{RepoID: 3, Name: "invalid Color", Color: "12345G"}))
 	for _, label := range labels {
 		unittest.AssertNotExistsBean(t, label)
 	}