Merge branch 'main' into wip-links

Author: jpraet

.drone.yml

@@ -153,7 +153,7 @@ services:
       MYSQL_DATABASE: test
 
   - name: mysql8
-    image: mysql:8.0
+    image: mysql:8
     environment:
       MYSQL_ALLOW_EMPTY_PASSWORD: yes
       MYSQL_DATABASE: testgitea
@@ -319,7 +319,7 @@ trigger:
 services:
   - name: pgsql
     pull: default
-    image: postgres:9.5
+    image: postgres:10
     environment:
       POSTGRES_DB: test
       POSTGRES_PASSWORD: postgres
@@ -503,7 +503,7 @@ steps:
     pull: always
     image: techknowlogick/xgo:go-1.16.x
     commands:
-      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt-get install -y nodejs
+      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get install -y nodejs
       - export PATH=$PATH:$GOPATH/bin
       - make release
     environment:
@@ -599,7 +599,7 @@ steps:
     pull: always
     image: techknowlogick/xgo:go-1.16.x
     commands:
-      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt-get install -y nodejs
+      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get install -y nodejs
       - export PATH=$PATH:$GOPATH/bin
       - make release
     environment:

.github/pull_request_template.md

@@ -1,6 +1,6 @@
 Please check the following:
 
-1. Make sure you are targeting the `master` branch, pull requests on release branches are only allowed for bug fixes.
+1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
 2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md
 3. Describe what your pull request does and which issue you're targeting (if any)
 

Dockerfile.rootless

@@ -35,6 +35,7 @@ RUN apk --no-cache add \
     ca-certificates \
     gettext \
     git \
+    curl \
     gnupg
 
 RUN addgroup \

cmd/serv.go

@@ -81,6 +81,10 @@ func fail(userMessage, logMessage string, args ...interface{}) {
 		}
 	}
 
+	if len(logMessage) > 0 {
+		_ = private.SSHLog(true, fmt.Sprintf(logMessage+": ", args...))
+	}
+
 	os.Exit(1)
 }
 

contrib/systemd/gitea.service

@@ -3,14 +3,23 @@ Description=Gitea (Git with a cup of tea)
 After=syslog.target
 After=network.target
 ###
-# Don't forget to add the database service requirements
+# Don't forget to add the database service dependencies
 ###
 #
-#Requires=mysql.service
-#Requires=mariadb.service
-#Requires=postgresql.service
-#Requires=memcached.service
-#Requires=redis.service
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
 #
 ###
 # If using socket activation for main http/s

custom/conf/app.example.ini

@@ -444,6 +444,11 @@ ROUTER = console
 ;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; SSH log (Creates log from ssh git request)
+;;
+;ENABLE_SSH_LOG = false
+;;
 ;; Other Settings
 ;;
 ;; Print Stacktraces with logs. (Rarely helpful.) Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -657,6 +657,7 @@ Default templates for project boards:
 - `ROUTER`: **console**: The mode or name of the log the router should log to. (If you set this to `,` it will log to default gitea logger.)
 NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
 - `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
+- `ENABLE_SSH_LOG`: **false**: save ssh log to log file
 - `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default gitea logger.)
 - `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
   - The following variables are available:

docs/content/doc/developers/api-usage.en-us.md

@@ -40,8 +40,42 @@ better understand this by looking at the code -- as of this writing,
 Gitea parses queries and headers to find the token in
 [modules/auth/auth.go](https://github.com/go-gitea/gitea/blob/6efdcaed86565c91a3dc77631372a9cc45a58e89/modules/auth/auth.go#L47).
 
-You can create an API key token via your Gitea installation's web interface:
-`Settings | Applications | Generate New Token`.
+## Generating and listing API tokens
+
+A new token can be generated with a `POST` request to
+`/users/:name/tokens`.
+
+Note that `/users/:name/tokens` is a special endpoint and requires you
+to authenticate using `BasicAuth` and a password, as follows:
+
+
+```sh
+$ curl -XPOST -H "Content-Type: application/json"  -k -d '{"name":"test"}' -u username:password https://gitea.your.host/api/v1/users/<username>/tokens
+{"id":1,"name":"test","sha1":"9fcb1158165773dd010fca5f0cf7174316c3e37d","token_last_eight":"16c3e37d"}
+```
+
+The ``sha1`` (the token) is only returned once and is not stored in
+plain-text.  It will not be displayed when listing tokens with a `GET`
+request; e.g.
+
+```sh
+$ curl --request GET --url https://yourusername:[email protected]/api/v1/users/<username>/tokens
+[{"name":"test","sha1":"","token_last_eight:"........":},{"name":"dev","sha1":"","token_last_eight":"........"}]
+```
+
+To use the API with basic authentication with two factor authentication
+enabled, you'll need to send an additional header that contains the one
+time password (6 digitrotating token).
+An example of the header is `X-Gitea-OTP: 123456` where `123456`
+is where you'd place the code from your authenticator.
+Here is how the request would look like in curl:
+
+```sh
+$ curl -H "X-Gitea-OTP: 123456" --request GET --url https://yourusername:[email protected]/api/v1/users/yourusername/tokens
+```
+
+You can also create an API key token via your Gitea installation's web
+interface: `Settings | Applications | Generate New Token`.
 
 ## OAuth2 Provider
 
@@ -82,26 +116,6 @@ or on
 The OpenAPI document is at:
 `https://gitea.your.host/swagger.v1.json`
 
-## Listing your issued tokens via the API
-
-As mentioned in
-[#3842](https://github.com/go-gitea/gitea/issues/3842#issuecomment-397743346),
-`/users/:name/tokens` is special and requires you to authenticate
-using BasicAuth, as follows:
-
-### Using basic authentication:
-
-```sh
-$ curl --request GET --url https://yourusername:[email protected]/api/v1/users/yourusername/tokens
-[{"name":"test","sha1":"..."},{"name":"dev","sha1":"..."}]
-```
-
-As of v1.8.0 of Gitea, if using basic authentication with the API and your user has two factor authentication enabled, you'll need to send an additional header that contains the one time password (6 digit rotating token). An example of the header is `X-Gitea-OTP: 123456` where `123456` is where you'd place the code from your authenticator. Here is how the request would look like in curl:
-
-```sh
-$ curl -H "X-Gitea-OTP: 123456" --request GET --url https://yourusername:[email protected]/api/v1/users/yourusername/tokens
-```
-
 ## Sudo
 
 The API allows admin users to sudo API requests as another user. Simply add either a `sudo=` parameter or `Sudo:` request header with the username of the user to sudo.

docs/content/doc/developers/hacking-on-gitea.en-us.md

@@ -127,7 +127,7 @@ See `make help` for all available `make` targets. Also see [`.drone.yml`](https:
 
 ## Building continuously
 
-To run and continously rebuild when source files change:
+To run and continuously rebuild when source files change:
 
 ```bash
 make watch
@@ -216,7 +216,7 @@ You should validate your generated Swagger file and spell-check it with:
 make swagger-validate misspell-check
 ```
 
-You should commit the changed swagger JSON file. The continous integration
+You should commit the changed swagger JSON file. The continuous integration
 server will check that this has been done using:
 
 ```bash
@@ -315,7 +315,7 @@ branches as we will need to update it to main before merging and/or may be
 able to help fix issues directly.
 
 Any PR requires two approvals from the Gitea maintainers and needs to pass the
-continous integration. Take a look at our
+continuous integration. Take a look at our
 [`CONTRIBUTING.md`](https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md)
 document.
 

docs/content/doc/features/authentication.en-us.md

@@ -88,8 +88,8 @@ Adds the following fields:
 - Bind Password (optional)
 
   - The password for the Bind DN specified above, if any. _Note: The password
-    is stored in plaintext at the server. As such, ensure that the Bind DN
-    has as few privileges as possible._
+    is stored encrypted with the SECRET_KEY on the server. It is still recommended
+    to ensure that the Bind DN has as few privileges as possible._
 
 - User Search Base **(required)**