Fix lint

.golangci.yml

@@ -86,6 +86,7 @@ linters-settings:
       - io/ioutil: "use os or io instead"
       - golang.org/x/exp: "it's experimental and unreliable."
       - code.gitea.io/gitea/modules/git/internal: "do not use the internal package, use AddXxx function instead"
+      - gopkg.in/ini.v1: "do not use the ini package, use gitea's config system instead"
 
 issues:
   max-issues-per-linter: 0

build/backport-locales.go

@@ -12,7 +12,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"gopkg.in/ini.v1"
+	"code.gitea.io/gitea/modules/setting"
 )
 
 func main() {
@@ -22,25 +22,21 @@ func main() {
 		os.Exit(1)
 	}
 
-	ini.PrettyFormat = false
 	mustNoErr := func(err error) {
 		if err != nil {
 			panic(err)
 		}
 	}
-	collectInis := func(ref string) map[string]*ini.File {
-		inis := map[string]*ini.File{}
+	collectInis := func(ref string) map[string]setting.ConfigProvider {
+		inis := map[string]setting.ConfigProvider{}
 		err := filepath.WalkDir("options/locale", func(path string, d os.DirEntry, err error) error {
 			if err != nil {
 				return err
 			}
 			if d.IsDir() || !strings.HasSuffix(d.Name(), ".ini") {
 				return nil
 			}
-			cfg, err := ini.LoadSources(ini.LoadOptions{
-				IgnoreInlineComment:         true,
-				UnescapeValueCommentSymbols: true,
-			}, path)
+			cfg, err := setting.NewConfigProviderForLocale(path)
 			mustNoErr(err)
 			inis[path] = cfg
 			fmt.Printf("collecting: %s @ %s\n", path, ref)

contrib/environment-to-ini/environment-to-ini.go

@@ -9,10 +9,8 @@ import (
 
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
 
 	"github.com/urfave/cli"
-	"gopkg.in/ini.v1"
 )
 
 // EnvironmentPrefix environment variables prefixed with this represent ini values to write
@@ -97,19 +95,10 @@ func runEnvironmentToIni(c *cli.Context) error {
 	providedWorkPath := c.String("work-path")
 	setting.SetCustomPathAndConf(providedCustom, providedConf, providedWorkPath)
 
-	cfg := ini.Empty()
-	confFileExists, err := util.IsFile(setting.CustomConf)
+	cfg, err := setting.NewConfigProviderFromFile(&setting.Options{CustomConf: setting.CustomConf, AllowEmpty: true})
 	if err != nil {
-		log.Fatal("Unable to check if %s is a file. Error: %v", setting.CustomConf, err)
+		log.Fatal("Failed to load custom conf '%s': %v", setting.CustomConf, err)
 	}
-	if confFileExists {
-		if err := cfg.Append(setting.CustomConf); err != nil {
-			log.Fatal("Failed to load custom conf '%s': %v", setting.CustomConf, err)
-		}
-	} else {
-		log.Warn("Custom config '%s' not found, ignore this if you're running first time", setting.CustomConf)
-	}
-	cfg.NameMapper = ini.SnackCase
 
 	prefixGitea := c.String("prefix") + "__"
 	suffixFile := "__FILE"

docs/content/doc/development/oauth2-provider.en-us.md

@@ -1,5 +1,5 @@
 ---
-date: "2019-04-19:44:00+01:00"
+date: "2023-06-01T08:40:00+08:00"
 title: "OAuth2 provider"
 slug: "oauth2-provider"
 weight: 41
@@ -40,7 +40,7 @@ At the moment Gitea only supports the [**Authorization Code Grant**](https://too
 - [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636)
 - [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
 
-To use the Authorization Code Grant as a third party application it is required to register a new application via the "Settings" (`/user/settings/applications`) section of the settings.
+To use the Authorization Code Grant as a third party application it is required to register a new application via the "Settings" (`/user/settings/applications`) section of the settings. To test or debug you can use the web-tool https://oauthdebugger.com/.
 
 ## Scopes
 
@@ -87,17 +87,19 @@ Gitea supports both confidential and public client types, [as defined by RFC 674
 
 For public clients, a redirect URI of a loopback IP address such as `http://127.0.0.1/` allows any port. Avoid using `localhost`, [as recommended by RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3).
 
-## Example
+## Examples
+
+### Confidential client
 
 **Note:** This example does not use PKCE.
 
-1. Redirect to user to the authorization endpoint in order to get their consent for accessing the resources:
+1. Redirect the user to the authorization endpoint in order to get their consent for accessing the resources:
 
    ```curl
    https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE
    ```
 
-   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be send back to your application after the user authorizes. The `state` parameter is optional but should be used to prevent CSRF attacks.
+   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be sent back to your application after the user authorizes. The `state` parameter is optional, but should be used to prevent CSRF attacks.
 
    ![Authorization Page](/authorize.png)
 
@@ -107,7 +109,7 @@ For public clients, a redirect URI of a loopback IP address such as `http://127.
    https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
    ```
 
-2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoints accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
+2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoint accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
 
    ```curl
    POST https://[YOUR-GITEA-URL]/login/oauth/access_token
@@ -134,7 +136,69 @@ For public clients, a redirect URI of a loopback IP address such as `http://127.
    }
    ```
 
-   The `CLIENT_SECRET` is the unique secret code generated for this application. Please note that the secret will only be visible after you created/registered the application with Gitea and cannot be recovered. If you lose the secret you must regenerate the secret via the application's settings.
+   The `CLIENT_SECRET` is the unique secret code generated for this application. Please note that the secret will only be visible after you created/registered the application with Gitea and cannot be recovered. If you lose the secret, you must regenerate the secret via the application's settings.
+
+   The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.
+
+3. Use the `access_token` to make [API requests](https://docs.gitea.io/en-us/api-usage#oauth2) to access the user's resources.
+
+### Public client (PKCE)
+
+PKCE (Proof Key for Code Exchange) is an extension to the OAuth flow which allows for a secure credential exchange without the requirement to provide a client secret.
+
+**Note**: Please ensure you have registered your OAuth application as a public client.
+
+To achieve this, you have to provide a `code_verifier` for every authorization request. A `code_verifier` has to be a random string with a minimum length of 43 characters and a maximum length of 128 characters. It can contain alphanumeric characters as well as the characters `-`, `.`, `_`  and `~`.
+
+Using this `code_verifier` string, a new one called `code_challenge` is created by using one of two methods:
+
+- If you have the required functionality on your client, set `code_challenge` to be a URL-safe base64-encoded string of the SHA256 hash of `code_verifier`. In that case, your `code_challenge_method` becomes `S256`.
+- If you are unable to do so, you can provide your `code_verifier` as a plain string to `code_challenge`. Then you have to set your `code_challenge_method` as `plain`.
+
+After you have generated this values, you can continue with your request.
+
+1. Redirect the user to the authorization endpoint in order to get their consent for accessing the resources:
+
+   ```curl
+   https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&code_challenge_method=CODE_CHALLENGE_METHOD&code_challenge=CODE_CHALLENGE&state=STATE
+   ```
+
+   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be sent back to your application after the user authorizes. The `state` parameter is optional, but should be used to prevent CSRF attacks.
+
+   ![Authorization Page](/authorize.png)
+
+   The user will now be asked to authorize your application. If they authorize it, the user will be redirected to the `REDIRECT_URL`, for example:
+
+   ```curl
+   https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
+   ```
+
+2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoint accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
+
+   ```curl
+   POST https://[YOUR-GITEA-URL]/login/oauth/access_token
+   ```
+
+   ```json
+   {
+     "client_id": "YOUR_CLIENT_ID",
+     "code": "RETURNED_CODE",
+     "grant_type": "authorization_code",
+     "redirect_uri": "REDIRECT_URI",
+     "code_verifier": "CODE_VERIFIER",
+   }
+   ```
+
+   Response:
+
+   ```json
+   {
+     "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
+     "token_type": "bearer",
+     "expires_in": 3600,
+     "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
+   }
+   ```
 
    The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.
 

docs/content/doc/usage/labels.en-us.md

@@ -27,7 +27,7 @@ For organizations, you can define organization-wide labels that are shared with
 
 Labels have a mandatory name, a mandatory color, an optional description, and must either be exclusive or not (see `Scoped Labels` below).
 
-When you create a repository, you can ensure certain labels exist by using the `Issue Labels` option. This option lists a number of available label sets that are [configured globally on your instance](../customizing-gitea/#labels). Its contained labels will all be created as well while creating the repository.
+When you create a repository, you can ensure certain labels exist by using the `Issue Labels` option. This option lists a number of available label sets that are [configured globally on your instance](../administration/customizing-gitea/#labels). Its contained labels will all be created as well while creating the repository.
 
 ## Scoped Labels
 

docs/content/doc/usage/labels.zh-cn.md

@@ -27,7 +27,7 @@ menu:
 
 标签具有必填的名称和颜色，可选的描述，以及必须是独占的或非独占的（见下面的“作用域标签”）。
 
-当您创建一个仓库时，可以通过使用 `工单标签（Issue Labels）` 选项来选择标签集。该选项列出了一些在您的实例上 [全局配置的可用标签集](../customizing-gitea/#labels)。在创建仓库时，这些标签也将被创建。
+当您创建一个仓库时，可以通过使用 `工单标签（Issue Labels）` 选项来选择标签集。该选项列出了一些在您的实例上 [全局配置的可用标签集](../administration/customizing-gitea/#labels)。在创建仓库时，这些标签也将被创建。
 
 ## 作用域标签
 

models/activities/statistic.go

@@ -21,7 +21,7 @@ import (
 type Statistic struct {
 	Counter struct {
 		User, Org, PublicKey,
-		Repo, Watch, Star, Action, Access,
+		Repo, Watch, Star, Access,
 		Issue, IssueClosed, IssueOpen,
 		Comment, Oauth, Follow,
 		Mirror, Release, AuthSource, Webhook,
@@ -55,7 +55,6 @@ func GetStatistic() (stats Statistic) {
 	stats.Counter.Repo, _ = repo_model.CountRepositories(db.DefaultContext, repo_model.CountRepositoryOptions{})
 	stats.Counter.Watch, _ = e.Count(new(repo_model.Watch))
 	stats.Counter.Star, _ = e.Count(new(repo_model.Star))
-	stats.Counter.Action, _ = db.EstimateCount(db.DefaultContext, new(Action))
 	stats.Counter.Access, _ = e.Count(new(access_model.Access))
 
 	type IssueCount struct {
@@ -83,7 +82,7 @@ func GetStatistic() (stats Statistic) {
 			Find(&stats.Counter.IssueByRepository)
 	}
 
-	issueCounts := []IssueCount{}
+	var issueCounts []IssueCount
 
 	_ = e.Select("COUNT(*) AS count, is_closed").Table("issue").GroupBy("is_closed").Find(&issueCounts)
 	for _, c := range issueCounts {

models/db/context.go

@@ -9,7 +9,6 @@ import (
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
-	"xorm.io/xorm/schemas"
 )
 
 // DefaultContext is the default context to run xorm queries in
@@ -241,30 +240,6 @@ func TableName(bean interface{}) string {
 	return x.TableName(bean)
 }
 
-// EstimateCount returns an estimate of total number of rows in table
-func EstimateCount(ctx context.Context, bean interface{}) (int64, error) {
-	e := GetEngine(ctx)
-	e.Context(ctx)
-
-	var rows int64
-	var err error
-	tablename := TableName(bean)
-	switch x.Dialect().URI().DBType {
-	case schemas.MYSQL:
-		_, err = e.Context(ctx).SQL("SELECT table_rows FROM information_schema.tables WHERE tables.table_name = ? AND tables.table_schema = ?;", tablename, x.Dialect().URI().DBName).Get(&rows)
-	case schemas.POSTGRES:
-		// the table can live in multiple schemas of a postgres database
-		// See https://wiki.postgresql.org/wiki/Count_estimate
-		tablename = x.TableName(bean, true)
-		_, err = e.Context(ctx).SQL("SELECT reltuples::bigint AS estimate FROM pg_class WHERE oid = ?::regclass;", tablename).Get(&rows)
-	case schemas.MSSQL:
-		_, err = e.Context(ctx).SQL("sp_spaceused ?;", tablename).Get(&rows)
-	default:
-		return e.Context(ctx).Count(tablename)
-	}
-	return rows, err
-}
-
 // InTransaction returns true if the engine is in a transaction otherwise return false
 func InTransaction(ctx context.Context) bool {
 	_, ok := inTransaction(ctx)

models/issues/pull_test.go

@@ -324,5 +324,4 @@ func TestParseCodeOwnersLine(t *testing.T) {
 		tokens := issues_model.TokenizeCodeOwnersLine(g.Line)
 		assert.Equal(t, g.Tokens, tokens, "Codeowners tokenizer failed")
 	}
-
 }

modules/metrics/collector.go

@@ -18,7 +18,6 @@ const namespace = "gitea_"
 // exposes gitea metrics for prometheus
 type Collector struct {
 	Accesses           *prometheus.Desc
-	Actions            *prometheus.Desc
 	Attachments        *prometheus.Desc
 	BuildInfo          *prometheus.Desc
 	Comments           *prometheus.Desc
@@ -56,11 +55,6 @@ func NewCollector() Collector {
 			"Number of Accesses",
 			nil, nil,
 		),
-		Actions: prometheus.NewDesc(
-			namespace+"actions",
-			"Number of Actions",
-			nil, nil,
-		),
 		Attachments: prometheus.NewDesc(
 			namespace+"attachments",
 			"Number of Attachments",
@@ -207,7 +201,6 @@ func NewCollector() Collector {
 // Describe returns all possible prometheus.Desc
 func (c Collector) Describe(ch chan<- *prometheus.Desc) {
 	ch <- c.Accesses
-	ch <- c.Actions
 	ch <- c.Attachments
 	ch <- c.BuildInfo
 	ch <- c.Comments
@@ -246,11 +239,6 @@ func (c Collector) Collect(ch chan<- prometheus.Metric) {
 		prometheus.GaugeValue,
 		float64(stats.Counter.Access),
 	)
-	ch <- prometheus.MustNewConstMetric(
-		c.Actions,
-		prometheus.GaugeValue,
-		float64(stats.Counter.Action),
-	)
 	ch <- prometheus.MustNewConstMetric(
 		c.Attachments,
 		prometheus.GaugeValue,

modules/repository/repo.go

@@ -27,7 +27,7 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
-	"gopkg.in/ini.v1"
+	"gopkg.in/ini.v1" //nolint:depguard
 )
 
 /*
@@ -241,7 +241,7 @@ func MigrateRepositoryGitData(ctx context.Context, u *user_model.User,
 // cleanUpMigrateGitConfig removes mirror info which prevents "push --all".
 // This also removes possible user credentials.
 func cleanUpMigrateGitConfig(configPath string) error {
-	cfg, err := ini.Load(configPath)
+	cfg, err := ini.Load(configPath) // FIXME: the ini package doesn't really work with git config files
 	if err != nil {
 		return fmt.Errorf("open config file: %w", err)
 	}

modules/setting/config_env.go

@@ -10,8 +10,6 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/modules/log"
-
-	"gopkg.in/ini.v1"
 )
 
 const escapeRegexpString = "_0[xX](([0-9a-fA-F][0-9a-fA-F])+)_"
@@ -89,7 +87,7 @@ func decodeEnvironmentKey(prefixGitea, suffixFile, envKey string) (ok bool, sect
 	return ok, section, key, useFileValue
 }
 
-func EnvironmentToConfig(cfg *ini.File, prefixGitea, suffixFile string, envs []string) (changed bool) {
+func EnvironmentToConfig(cfg ConfigProvider, prefixGitea, suffixFile string, envs []string) (changed bool) {
 	for _, kv := range envs {
 		idx := strings.IndexByte(kv, '=')
 		if idx < 0 {

modules/setting/config_env_test.go

@@ -8,7 +8,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"gopkg.in/ini.v1"
 )
 
 func TestDecodeEnvSectionKey(t *testing.T) {
@@ -71,15 +70,15 @@ func TestDecodeEnvironmentKey(t *testing.T) {
 }
 
 func TestEnvironmentToConfig(t *testing.T) {
-	cfg := ini.Empty()
+	cfg, _ := NewConfigProviderFromData("")
 
 	changed := EnvironmentToConfig(cfg, "GITEA__", "__FILE", nil)
 	assert.False(t, changed)
 
-	cfg, err := ini.Load([]byte(`
+	cfg, err := NewConfigProviderFromData(`
 [sec]
 key = old
-`))
+`)
 	assert.NoError(t, err)
 
 	changed = EnvironmentToConfig(cfg, "GITEA__", "__FILE", []string{"GITEA__sec__key=new"})