Merge branch 'main' into refactor-git-cmd

Author: wxiaoguang

.drone.yml

@@ -25,7 +25,7 @@ steps:
       - make deps-frontend
 
   - name: deps-backend
-    image: golang:1.19
+    image: golang:1.20
     pull: always
     commands:
       - make deps-backend
@@ -88,7 +88,7 @@ steps:
     depends_on: [deps-frontend]
 
   - name: checks-backend
-    image: golang:1.19
+    image: golang:1.20
     commands:
       - make --always-make checks-backend # ensure the 'go-licenses' make target runs
     depends_on: [deps-backend]
@@ -109,7 +109,7 @@ steps:
     depends_on: [deps-frontend]
 
   - name: build-backend-no-gcc
-    image: golang:1.18 # this step is kept as the lowest version of golang that we support
+    image: golang:1.19 # this step is kept as the lowest version of golang that we support
     pull: always
     environment:
       GO111MODULE: on
@@ -122,7 +122,7 @@ steps:
         path: /go
 
   - name: build-backend-arm64
-    image: golang:1.19
+    image: golang:1.20
     environment:
       GO111MODULE: on
       GOPROXY: https://goproxy.io
@@ -138,7 +138,7 @@ steps:
         path: /go
 
   - name: build-backend-windows
-    image: golang:1.19
+    image: golang:1.20
     environment:
       GO111MODULE: on
       GOPROXY: https://goproxy.io
@@ -153,7 +153,7 @@ steps:
         path: /go
 
   - name: build-backend-386
-    image: golang:1.19
+    image: golang:1.20
     environment:
       GO111MODULE: on
       GOPROXY: https://goproxy.io
@@ -247,7 +247,7 @@ steps:
           - pull_request
 
   - name: deps-backend
-    image: golang:1.19
+    image: golang:1.20
     pull: always
     commands:
       - make deps-backend
@@ -364,7 +364,7 @@ steps:
         path: /go
 
   - name: generate-coverage
-    image: golang:1.19
+    image: golang:1.20
     commands:
       - make coverage
     environment:
@@ -440,7 +440,7 @@ steps:
           - pull_request
 
   - name: deps-backend
-    image: golang:1.19
+    image: golang:1.20
     pull: always
     commands:
       - make deps-backend
@@ -557,7 +557,7 @@ steps:
   - name: test-e2e
     image: mcr.microsoft.com/playwright:v1.29.2-focal
     commands:
-      - curl -sLO https://go.dev/dl/go1.19.linux-amd64.tar.gz && tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
+      - curl -sLO https://go.dev/dl/go1.20.linux-amd64.tar.gz && tar -C /usr/local -xzf go1.20.linux-amd64.tar.gz
       - groupadd --gid 1001 gitea && useradd -m --gid 1001 --uid 1001 gitea
       - apt-get -qq update && apt-get -qqy install build-essential
       - export TEST_PGSQL_SCHEMA=''
@@ -656,7 +656,7 @@ trigger:
 
 steps:
   - name: download
-    image: golang:1.19
+    image: golang:1.20
     pull: always
     commands:
       - timeout -s ABRT 40m make generate-license generate-gitignore
@@ -720,7 +720,7 @@ steps:
       - make deps-frontend
 
   - name: deps-backend
-    image: golang:1.19
+    image: golang:1.20
     pull: always
     commands:
       - make deps-backend
@@ -729,7 +729,7 @@ steps:
         path: /go
 
   - name: static
-    image: techknowlogick/xgo:go-1.19.x
+    image: techknowlogick/xgo:go-1.20.x
     pull: always
     commands:
       # Upgrade to node 18 once https://github.com/techknowlogick/xgo/issues/163 is resolved
@@ -841,7 +841,7 @@ steps:
       - make deps-frontend
 
   - name: deps-backend
-    image: golang:1.19
+    image: golang:1.20
     pull: always
     commands:
       - make deps-backend
@@ -850,7 +850,7 @@ steps:
         path: /go
 
   - name: static
-    image: techknowlogick/xgo:go-1.19.x
+    image: techknowlogick/xgo:go-1.20.x
     pull: always
     commands:
       # Upgrade to node 18 once https://github.com/techknowlogick/xgo/issues/163 is resolved
@@ -932,7 +932,7 @@ trigger:
 
 steps:
   - name: build-docs
-    image: golang:1.19
+    image: golang:1.20
     commands:
       - cd docs
       - make trans-copy clean build

.golangci.yml

@@ -28,7 +28,7 @@ linters:
   fast: false
 
 run:
-  go: 1.19
+  go: 1.20
   timeout: 10m
   skip-dirs:
     - node_modules
@@ -74,7 +74,7 @@ linters-settings:
       - name: modifies-value-receiver
   gofumpt:
     extra-rules: true
-    lang-version: "1.19"
+    lang-version: "1.20"
   depguard:
     list-type: denylist
     # Check the list against standard lib.

Dockerfile

@@ -1,5 +1,5 @@
 #Build stage
-FROM golang:1.19-alpine3.17 AS build-env
+FROM golang:1.20-alpine3.17 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}

Dockerfile.rootless

@@ -1,5 +1,5 @@
 #Build stage
-FROM golang:1.19-alpine3.17 AS build-env
+FROM golang:1.20-alpine3.17 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}

Makefile

@@ -23,13 +23,13 @@ SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 COMMA := ,
 
-XGO_VERSION := go-1.19.x
+XGO_VERSION := go-1.20.x
 
 AIR_PACKAGE ?= github.com/cosmtrek/[email protected]
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/[email protected]
 ERRCHECK_PACKAGE ?= github.com/kisielk/[email protected]
 GOFUMPT_PACKAGE ?= mvdan.cc/[email protected]
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.50.1
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.0
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/[email protected]
 MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/[email protected]
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/[email protected]

docs/config.yaml

@@ -19,8 +19,8 @@ params:
   author: The Gitea Authors
   website: https://docs.gitea.io
   version: 1.18.1
-  minGoVersion: 1.18
-  goVersion: 1.19
+  minGoVersion: 1.19
+  goVersion: 1.20
   minNodeVersion: 16
   search: nav
   repo: "https://github.com/go-gitea/gitea"

docs/content/doc/features/authentication.en-us.md

@@ -329,3 +329,22 @@ Before activating SSPI single sign-on authentication (SSO) you have to prepare y
   - You have added the URL of the web app to the `Local intranet zone`
   - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
   - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
+
+## Reverse Proxy
+
+Gitea supports Reverse Proxy Header authentication, it will read headers as a trusted login user name or user email address. This hasn't been enabled by default, you can enable it with
+
+```ini
+[service]
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+```
+
+The default login user name is in the `X-WEBAUTH-USER` header, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_USER` in app.ini. If the user doesn't exist, you can enable automatic registration with `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true`.
+
+The default login user email is `X-WEBAUTH-EMAIL`, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_EMAIL` in app.ini, this could also be disabled with `ENABLE_REVERSE_PROXY_EMAIL`
+
+If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WEBAUTH-FULLNAME` will be assigned to the user when auto creating the user. You can also change the header name with `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`.
+
+You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
+
+Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.

docs/content/doc/features/authentication.zh-cn.md

@@ -15,4 +15,21 @@ menu:
 
 # 认证
 
-## TBD
+## 反向代理认证
+
+Gitea 支持通过读取反向代理传递的 HTTP 头中的登录名或者 email 地址来支持反向代理来认证。默认是不启用的，你可以用以下配置启用。
+
+```ini
+[service]
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+```
+
+默认的登录用户名的 HTTP 头是 `X-WEBAUTH-USER`，你可以通过修改 `REVERSE_PROXY_AUTHENTICATION_USER` 来变更它。如果用户不存在，可以自动创建用户，当然你需要修改 `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` 来启用它。
+
+默认的登录用户 Email 的 HTTP 头是 `X-WEBAUTH-EMAIL`，你可以通过修改 `REVERSE_PROXY_AUTHENTICATION_EMAIL` 来变更它。如果用户不存在，可以自动创建用户，当然你需要修改 `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` 来启用它。你也可以通过修改 `ENABLE_REVERSE_PROXY_EMAIL` 来启用或停用这个 HTTP 头。
+
+如果设置了 `ENABLE_REVERSE_PROXY_FULL_NAME=true`，则用户的全名会从 `X-WEBAUTH-FULLNAME` 读取，这样在自动创建用户时将使用这个字段作为用户全名，你也可以通过修改 `REVERSE_PROXY_AUTHENTICATION_FULL_NAME` 来变更 HTTP 头。
+
+你也可以通过修改 `REVERSE_PROXY_TRUSTED_PROXIES` 来设置反向代理的IP地址范围，加强安全性，默认值是 `127.0.0.0/8,::1/128`。 通过 `REVERSE_PROXY_LIMIT`， 可以设置最多信任几级反向代理。
+
+注意：反向代理认证不支持认证 API，API 仍旧需要用 access token 来进行认证。

go.mod

@@ -1,6 +1,6 @@
 module code.gitea.io/gitea
 
-go 1.18
+go 1.19
 
 require (
 	code.gitea.io/actions-proto-go v0.2.0

models/db/sql_postgres_with_schema.go

@@ -37,9 +37,7 @@ func (d *postgresSchemaDriver) Open(name string) (driver.Conn, error) {
 	}
 	schemaValue, _ := driver.String.ConvertValue(setting.Database.Schema)
 
-	// golangci lint is incorrect here - there is no benefit to using driver.ExecerContext here
-	// and in any case pq does not implement it
-	if execer, ok := conn.(driver.Execer); ok { //nolint
+	if execer, ok := conn.(driver.Execer); ok {
 		_, err := execer.Exec(`SELECT set_config(
 			'search_path',
 			$1 || ',' || current_setting('search_path'),
@@ -63,8 +61,7 @@ func (d *postgresSchemaDriver) Open(name string) (driver.Conn, error) {
 
 	// driver.String.ConvertValue will never return err for string
 
-	// golangci lint is incorrect here - there is no benefit to using stmt.ExecWithContext here
-	_, err = stmt.Exec([]driver.Value{schemaValue}) //nolint
+	_, err = stmt.Exec([]driver.Value{schemaValue})
 	if err != nil {
 		_ = conn.Close()
 		return nil, err