Merge branch 'main' into develop

Author: zeripath

.drone.yml

@@ -717,7 +717,7 @@ steps:
 
   - name: publish
     pull: always
-    image: plugins/docker:linux-amd64
+    image: techknowlogick/drone-docker:latest
     settings:
       auto_tag: true
       auto_tag_suffix: linux-amd64
@@ -734,7 +734,7 @@ steps:
         - pull_request
 
   - name: publish-rootless
-    image: plugins/docker:linux-amd64
+    image: techknowlogick/drone-docker:latest
     settings:
       dockerfile: Dockerfile.rootless
       auto_tag: true
@@ -772,7 +772,7 @@ trigger:
 steps:
   - name: dryrun
     pull: always
-    image: plugins/docker:linux-arm64
+    image: techknowlogick/drone-docker:latest
     settings:
       dry_run: true
       repo: gitea/gitea
@@ -814,7 +814,7 @@ steps:
 
   - name: publish
     pull: always
-    image: plugins/docker:linux-arm64
+    image: techknowlogick/drone-docker:latest
     settings:
       auto_tag: true
       auto_tag_suffix: linux-arm64
@@ -834,7 +834,7 @@ steps:
         - pull_request
 
   - name: publish-rootless
-    image: plugins/docker:linux-arm64
+    image: techknowlogick/drone-docker:latest
     settings:
       dockerfile: Dockerfile.rootless
       auto_tag: true

cmd/web_letsencrypt.go

@@ -54,6 +54,7 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 	}
 
 	tlsConfig := magic.TLSConfig()
+	tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")
 
 	if enableHTTPChallenge {
 		go func() {

docs/content/doc/usage/email-setup.en-us.md

@@ -19,12 +19,15 @@ menu:
 
 {{< toc >}}
 
-To use Gitea's built-in Email support, update the `app.ini` config file [mailer] section:
+Gitea has mailer functionality for sending transactional emails (such as registration confirmation). It can be configured to either use Sendmail (or compatible MTAs like Postfix and msmtp) or directly use SMTP server.
 
-## Sendmail version
+## Using Sendmail
 
-Use the operating system’s sendmail command instead of SMTP. This is common on Linux servers.  
-Note: For use in the official Gitea Docker image, please configure with the SMTP version.
+Use `sendmail` command as mailer.
+
+Note: For use in the official Gitea Docker image, please configure with the SMTP version (see the following section).
+
+Note: For Internet-facing sites consult documentation of your MTA for instructions to send emails over TLS. Also set up SPF, DMARC, and DKIM DNS records to make emails sent be accepted as legitimate by various email providers.
 
 ```ini
 [mailer]
@@ -34,7 +37,9 @@ MAILER_TYPE   = sendmail
 SENDMAIL_PATH = /usr/sbin/sendmail
 ```
 
-## SMTP version
+## Using SMTP
+
+Directly use SMTP server as relay. This option is useful if you don't want to set up MTA on your instance but you have an account at email provider.
 
 ```ini
 [mailer]
@@ -47,17 +52,19 @@ USER           = [email protected]
 PASSWD         = `password`
 ```
 
-- Restart Gitea for the configuration changes to take effect.
+Restart Gitea for the configuration changes to take effect.
 
-- To send a test email to validate the settings, go to Gitea > Site Administration > Configuration > SMTP Mailer Configuration.
+To send a test email to validate the settings, go to Gitea > Site Administration > Configuration > SMTP Mailer Configuration.
 
 For the full list of options check the [Config Cheat Sheet]({{< relref "doc/advanced/config-cheat-sheet.en-us.md" >}})
 
-- Please note: authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. TLS encryption can be through:
-  - Via the server supporting TLS through STARTTLS - usually provided on port 587. (Also known as Opportunistic TLS.)
-  - SMTPS connection (SMTP over transport layer security) via the default port 465.
+Please note: authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. TLS encryption can be through:
+  - STARTTLS (also known as Opportunistic TLS) via port 587. Initial connection is done over cleartext, but then be upgraded over TLS if the server supports it.
+  - SMTPS connection (SMTP over TLS) via the default port 465. Connection to the server use TLS from the beginning.
   - Forced SMTPS connection with `IS_TLS_ENABLED=true`. (These are both known as Implicit TLS.)
-- This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
+This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
+
+Note that Implicit TLS is recommended by [RFC8314](https://tools.ietf.org/html/rfc8314#section-3) since 2018.
 
 ### Gmail
 
@@ -74,3 +81,4 @@ MAILER_TYPE    = smtp
 IS_TLS_ENABLED = true
 HELO_HOSTNAME  = example.com
 ```
+

integrations/api_gpg_keys_test.go

@@ -29,10 +29,10 @@ func TestGPGKeys(t *testing.T) {
 		results     []int
 	}{
 		{name: "NoLogin", makeRequest: MakeRequest, token: "",
-			results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
+			results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
 		},
 		{name: "LoggedAsUser2", makeRequest: session.MakeRequest, token: token,
-			results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusUnprocessableEntity, http.StatusNotFound, http.StatusCreated, http.StatusCreated}},
+			results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusUnprocessableEntity, http.StatusNotFound, http.StatusCreated, http.StatusNotFound, http.StatusCreated}},
 	}
 
 	for _, tc := range tt {
@@ -60,7 +60,7 @@ func TestGPGKeys(t *testing.T) {
 			t.Run("CreateValidGPGKey", func(t *testing.T) {
 				testCreateValidGPGKey(t, tc.makeRequest, tc.token, tc.results[6])
 			})
-			t.Run("CreateValidSecondaryEmailGPGKey", func(t *testing.T) {
+			t.Run("CreateValidSecondaryEmailGPGKeyNotActivated", func(t *testing.T) {
 				testCreateValidSecondaryEmailGPGKey(t, tc.makeRequest, tc.token, tc.results[7])
 			})
 		})
@@ -74,6 +74,7 @@ func TestGPGKeys(t *testing.T) {
 		req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+token) //GET all keys
 		resp := session.MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &keys)
+		assert.Len(t, keys, 1)
 
 		primaryKey1 := keys[0] //Primary key 1
 		assert.EqualValues(t, "38EA3BCED732982C", primaryKey1.KeyID)
@@ -85,12 +86,6 @@ func TestGPGKeys(t *testing.T) {
 		assert.EqualValues(t, "70D7C694D17D03AD", subKey.KeyID)
 		assert.Empty(t, subKey.Emails)
 
-		primaryKey2 := keys[1] //Primary key 2
-		assert.EqualValues(t, "3CEF46EF40BEFC3E", primaryKey2.KeyID)
-		assert.Len(t, primaryKey2.Emails, 1)
-		assert.EqualValues(t, "[email protected]", primaryKey2.Emails[0].Email)
-		assert.False(t, primaryKey2.Emails[0].Verified)
-
 		var key api.GPGKey
 		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)+"?token="+token) //Primary key 1
 		resp = session.MakeRequest(t, req, http.StatusOK)
@@ -105,15 +100,6 @@ func TestGPGKeys(t *testing.T) {
 		DecodeJSON(t, resp, &key)
 		assert.EqualValues(t, "70D7C694D17D03AD", key.KeyID)
 		assert.Empty(t, key.Emails)
-
-		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey2.ID, 10)+"?token="+token) //Primary key 2
-		resp = session.MakeRequest(t, req, http.StatusOK)
-		DecodeJSON(t, resp, &key)
-		assert.EqualValues(t, "3CEF46EF40BEFC3E", key.KeyID)
-		assert.Len(t, key.Emails, 1)
-		assert.EqualValues(t, "[email protected]", key.Emails[0].Email)
-		assert.False(t, key.Emails[0].Verified)
-
 	})
 
 	//Check state after basic add

integrations/repo_commits_test.go

@@ -73,26 +73,36 @@ func doTestRepoCommitWithStatus(t *testing.T, state string, classes ...string) {
 
 	//By SHA
 	req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1/commits/"+path.Base(commitURL)+"/statuses")
-	testRepoCommitsWithStatus(t, session.MakeRequest(t, req, http.StatusOK), state)
+	reqOne := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/commits/"+path.Base(commitURL)+"/status")
+	testRepoCommitsWithStatus(t, session.MakeRequest(t, req, http.StatusOK), session.MakeRequest(t, reqOne, http.StatusOK), state)
+
 	//By Ref
 	req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1/commits/master/statuses")
-	testRepoCommitsWithStatus(t, session.MakeRequest(t, req, http.StatusOK), state)
+	reqOne = NewRequest(t, "GET", "/api/v1/repos/user2/repo1/commits/master/status")
+	testRepoCommitsWithStatus(t, session.MakeRequest(t, req, http.StatusOK), session.MakeRequest(t, reqOne, http.StatusOK), state)
 	req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1/commits/v1.1/statuses")
-	testRepoCommitsWithStatus(t, session.MakeRequest(t, req, http.StatusOK), state)
+	reqOne = NewRequest(t, "GET", "/api/v1/repos/user2/repo1/commits/v1.1/status")
+	testRepoCommitsWithStatus(t, session.MakeRequest(t, req, http.StatusOK), session.MakeRequest(t, reqOne, http.StatusOK), state)
 }
 
-func testRepoCommitsWithStatus(t *testing.T, resp *httptest.ResponseRecorder, state string) {
+func testRepoCommitsWithStatus(t *testing.T, resp, respOne *httptest.ResponseRecorder, state string) {
 	json := jsoniter.ConfigCompatibleWithStandardLibrary
-	decoder := json.NewDecoder(resp.Body)
-	statuses := []*api.CommitStatus{}
-	assert.NoError(t, decoder.Decode(&statuses))
-	assert.Len(t, statuses, 1)
-	for _, s := range statuses {
-		assert.Equal(t, api.CommitStatusState(state), s.State)
-		assert.Equal(t, setting.AppURL+"api/v1/repos/user2/repo1/statuses/65f1bf27bc3bf70f64657658635e66094edbcb4d", s.URL)
-		assert.Equal(t, "http://test.ci/", s.TargetURL)
-		assert.Equal(t, "", s.Description)
-		assert.Equal(t, "testci", s.Context)
+	var statuses []*api.CommitStatus
+	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), &statuses))
+	var status api.CombinedStatus
+	assert.NoError(t, json.Unmarshal(respOne.Body.Bytes(), &status))
+	assert.NotNil(t, status)
+
+	if assert.Len(t, statuses, 1) {
+		assert.Equal(t, api.CommitStatusState(state), statuses[0].State)
+		assert.Equal(t, setting.AppURL+"api/v1/repos/user2/repo1/statuses/65f1bf27bc3bf70f64657658635e66094edbcb4d", statuses[0].URL)
+		assert.Equal(t, "http://test.ci/", statuses[0].TargetURL)
+		assert.Equal(t, "", statuses[0].Description)
+		assert.Equal(t, "testci", statuses[0].Context)
+
+		assert.Len(t, status.Statuses, 1)
+		assert.Equal(t, statuses[0], status.Statuses[0])
+		assert.Equal(t, "65f1bf27bc3bf70f64657658635e66094edbcb4d", status.SHA)
 	}
 }
 

models/error.go

@@ -451,6 +451,7 @@ func (err ErrKeyNameAlreadyUsed) Error() string {
 // ErrGPGNoEmailFound represents a "ErrGPGNoEmailFound" kind of error.
 type ErrGPGNoEmailFound struct {
 	FailedEmails []string
+	ID           string
 }
 
 // IsErrGPGNoEmailFound checks if an error is a ErrGPGNoEmailFound.
@@ -463,6 +464,22 @@ func (err ErrGPGNoEmailFound) Error() string {
 	return fmt.Sprintf("none of the emails attached to the GPG key could be found: %v", err.FailedEmails)
 }
 
+// ErrGPGInvalidTokenSignature represents a "ErrGPGInvalidTokenSignature" kind of error.
+type ErrGPGInvalidTokenSignature struct {
+	Wrapped error
+	ID      string
+}
+
+// IsErrGPGInvalidTokenSignature checks if an error is a ErrGPGInvalidTokenSignature.
+func IsErrGPGInvalidTokenSignature(err error) bool {
+	_, ok := err.(ErrGPGInvalidTokenSignature)
+	return ok
+}
+
+func (err ErrGPGInvalidTokenSignature) Error() string {
+	return "the provided signature does not sign the token with the provided key"
+}
+
 // ErrGPGKeyParsing represents a "ErrGPGKeyParsing" kind of error.
 type ErrGPGKeyParsing struct {
 	ParseError error