Merge branch 'main' into lunny/fix_hunk_missing_at

Author: wxiaoguang

Dockerfile

@@ -39,7 +39,6 @@ RUN chmod 755 /tmp/local/usr/bin/entrypoint \
               /tmp/local/etc/s6/.s6-svscan/* \
               /go/src/code.gitea.io/gitea/gitea \
               /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
 
 FROM docker.io/library/alpine:3.22
 LABEL maintainer="[email protected]"
@@ -83,4 +82,3 @@ CMD ["/usr/bin/s6-svscan", "/etc/s6"]
 COPY --from=build-env /tmp/local /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh

Dockerfile.rootless

@@ -37,7 +37,6 @@ RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
               /tmp/local/usr/local/bin/gitea \
               /go/src/code.gitea.io/gitea/gitea \
               /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
 
 FROM docker.io/library/alpine:3.22
 LABEL maintainer="[email protected]"
@@ -72,7 +71,6 @@ RUN chown git:git /var/lib/gitea /etc/gitea
 COPY --from=build-env /tmp/local /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 
 # git:git
 USER 1000:1000

cmd/admin_auth_oauth.go

@@ -87,6 +87,14 @@ func oauthCLIFlags() []cli.Flag {
 			Value: nil,
 			Usage: "Scopes to request when to authenticate against this OAuth2 source",
 		},
+		&cli.StringFlag{
+			Name:  "ssh-public-key-claim-name",
+			Usage: "Claim name that provides SSH public keys",
+		},
+		&cli.StringFlag{
+			Name:  "full-name-claim-name",
+			Usage: "Claim name that provides user's full name",
+		},
 		&cli.StringFlag{
 			Name:  "required-claim-name",
 			Value: "",
@@ -177,6 +185,8 @@ func parseOAuth2Config(c *cli.Command) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
+		SSHPublicKeyClaimName:         c.String("ssh-public-key-claim-name"),
+		FullNameClaimName:             c.String("full-name-claim-name"),
 	}
 }
 
@@ -268,6 +278,12 @@ func (a *authService) runUpdateOauth(ctx context.Context, c *cli.Command) error
 	if c.IsSet("group-team-map-removal") {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}
+	if c.IsSet("ssh-public-key-claim-name") {
+		oAuth2Config.SSHPublicKeyClaimName = c.String("ssh-public-key-claim-name")
+	}
+	if c.IsSet("full-name-claim-name") {
+		oAuth2Config.FullNameClaimName = c.String("full-name-claim-name")
+	}
 
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}

cmd/admin_auth_oauth_test.go

@@ -88,6 +88,8 @@ func TestAddOauth(t *testing.T) {
 				"--restricted-group", "restricted",
 				"--group-team-map", `{"group1": [1,2]}`,
 				"--group-team-map-removal=true",
+				"--ssh-public-key-claim-name", "attr_ssh_pub_key",
+				"--full-name-claim-name", "attr_full_name",
 			},
 			source: &auth_model.Source{
 				Type:     auth_model.OAuth2,
@@ -104,15 +106,17 @@ func TestAddOauth(t *testing.T) {
 						EmailURL:   "https://example.com/email",
 						Tenant:     "some_tenant",
 					},
-					IconURL:             "https://example.com/icon",
-					Scopes:              []string{"scope1", "scope2"},
-					RequiredClaimName:   "claim_name",
-					RequiredClaimValue:  "claim_value",
-					GroupClaimName:      "group_name",
-					AdminGroup:          "admin",
-					RestrictedGroup:     "restricted",
-					GroupTeamMap:        `{"group1": [1,2]}`,
-					GroupTeamMapRemoval: true,
+					IconURL:               "https://example.com/icon",
+					Scopes:                []string{"scope1", "scope2"},
+					RequiredClaimName:     "claim_name",
+					RequiredClaimValue:    "claim_value",
+					GroupClaimName:        "group_name",
+					AdminGroup:            "admin",
+					RestrictedGroup:       "restricted",
+					GroupTeamMap:          `{"group1": [1,2]}`,
+					GroupTeamMapRemoval:   true,
+					SSHPublicKeyClaimName: "attr_ssh_pub_key",
+					FullNameClaimName:     "attr_full_name",
 				},
 				TwoFactorPolicy: "skip",
 			},
@@ -223,15 +227,17 @@ func TestUpdateOauth(t *testing.T) {
 						EmailURL:   "https://old.example.com/email",
 						Tenant:     "old_tenant",
 					},
-					IconURL:             "https://old.example.com/icon",
-					Scopes:              []string{"old_scope1", "old_scope2"},
-					RequiredClaimName:   "old_claim_name",
-					RequiredClaimValue:  "old_claim_value",
-					GroupClaimName:      "old_group_name",
-					AdminGroup:          "old_admin",
-					RestrictedGroup:     "old_restricted",
-					GroupTeamMap:        `{"old_group1": [1,2]}`,
-					GroupTeamMapRemoval: true,
+					IconURL:               "https://old.example.com/icon",
+					Scopes:                []string{"old_scope1", "old_scope2"},
+					RequiredClaimName:     "old_claim_name",
+					RequiredClaimValue:    "old_claim_value",
+					GroupClaimName:        "old_group_name",
+					AdminGroup:            "old_admin",
+					RestrictedGroup:       "old_restricted",
+					GroupTeamMap:          `{"old_group1": [1,2]}`,
+					GroupTeamMapRemoval:   true,
+					SSHPublicKeyClaimName: "old_ssh_pub_key",
+					FullNameClaimName:     "old_full_name",
 				},
 				TwoFactorPolicy: "",
 			},
@@ -257,6 +263,8 @@ func TestUpdateOauth(t *testing.T) {
 				"--restricted-group", "restricted",
 				"--group-team-map", `{"group1": [1,2]}`,
 				"--group-team-map-removal=false",
+				"--ssh-public-key-claim-name", "new_ssh_pub_key",
+				"--full-name-claim-name", "new_full_name",
 			},
 			authSource: &auth_model.Source{
 				ID:       1,
@@ -274,15 +282,17 @@ func TestUpdateOauth(t *testing.T) {
 						EmailURL:   "https://example.com/email",
 						Tenant:     "new_tenant",
 					},
-					IconURL:             "https://example.com/icon",
-					Scopes:              []string{"scope1", "scope2"},
-					RequiredClaimName:   "claim_name",
-					RequiredClaimValue:  "claim_value",
-					GroupClaimName:      "group_name",
-					AdminGroup:          "admin",
-					RestrictedGroup:     "restricted",
-					GroupTeamMap:        `{"group1": [1,2]}`,
-					GroupTeamMapRemoval: false,
+					IconURL:               "https://example.com/icon",
+					Scopes:                []string{"scope1", "scope2"},
+					RequiredClaimName:     "claim_name",
+					RequiredClaimValue:    "claim_value",
+					GroupClaimName:        "group_name",
+					AdminGroup:            "admin",
+					RestrictedGroup:       "restricted",
+					GroupTeamMap:          `{"group1": [1,2]}`,
+					GroupTeamMapRemoval:   false,
+					SSHPublicKeyClaimName: "new_ssh_pub_key",
+					FullNameClaimName:     "new_full_name",
 				},
 				TwoFactorPolicy: "skip",
 			},

models/asymkey/gpg_key_commit_verification.go

@@ -15,34 +15,15 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 )
 
-//   __________________  ________   ____  __.
-//  /  _____/\______   \/  _____/  |    |/ _|____ ___.__.
-// /   \  ___ |     ___/   \  ___  |      <_/ __ <   |  |
-// \    \_\  \|    |   \    \_\  \ |    |  \  ___/\___  |
-//  \______  /|____|    \______  / |____|__ \___  > ____|
-//         \/                  \/          \/   \/\/
-// _________                        .__  __
-// \_   ___ \  ____   _____   _____ |__|/  |_
-// /    \  \/ /  _ \ /     \ /     \|  \   __\
-// \     \___(  <_> )  Y Y  \  Y Y  \  ||  |
-//  \______  /\____/|__|_|  /__|_|  /__||__|
-//         \/             \/      \/
-// ____   ____           .__  _____.__               __  .__
-// \   \ /   /___________|__|/ ____\__| ____ _____ _/  |_|__| ____   ____
-//  \   Y   // __ \_  __ \  \   __\|  |/ ___\\__  \\   __\  |/  _ \ /    \
-//   \     /\  ___/|  | \/  ||  |  |  \  \___ / __ \|  | |  (  <_> )   |  \
-//    \___/  \___  >__|  |__||__|  |__|\___  >____  /__| |__|\____/|___|  /
-//               \/                        \/     \/                    \/
-
 // This file provides functions relating commit verification
 
 // CommitVerification represents a commit validation of signature
 type CommitVerification struct {
 	Verified       bool
 	Warning        bool
 	Reason         string
-	SigningUser    *user_model.User
-	CommittingUser *user_model.User
+	SigningUser    *user_model.User // if Verified, then SigningUser is non-nil
+	CommittingUser *user_model.User // if Verified, then CommittingUser is non-nil
 	SigningEmail   string
 	SigningKey     *GPGKey
 	SigningSSHKey  *PublicKey

models/asymkey/ssh_key.go

@@ -355,13 +355,13 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
 	return sshKeysNeedUpdate
 }
 
-// SynchronizePublicKeys updates a users public keys. Returns true if there are changes.
+// SynchronizePublicKeys updates a user's public keys. Returns true if there are changes.
 func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
 	var sshKeysNeedUpdate bool
 
 	log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
 
-	// Get Public Keys from DB with current LDAP source
+	// Get Public Keys from DB with the current auth source
 	var giteaKeys []string
 	keys, err := db.Find[PublicKey](ctx, FindPublicKeyOptions{
 		OwnerID:       usr.ID,

models/auth/oauth2.go

@@ -612,8 +612,8 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
 	return util.ErrNotExist
 }
 
-// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
-func GetActiveOAuth2SourceByName(ctx context.Context, name string) (*Source, error) {
+// GetActiveOAuth2SourceByAuthName returns a OAuth2 AuthSource based on the given name
+func GetActiveOAuth2SourceByAuthName(ctx context.Context, name string) (*Source, error) {
 	authSource := new(Source)
 	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
 	if err != nil {

models/auth/source.go

@@ -334,7 +334,7 @@ func UpdateSource(ctx context.Context, source *Source) error {
 
 	err = registerableSource.RegisterSource()
 	if err != nil {
-		// restore original values since we cannot update the provider it self
+		// restore original values since we cannot update the provider itself
 		if _, err := db.GetEngine(ctx).ID(source.ID).AllCols().Update(originalSource); err != nil {
 			log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)
 		}

models/user/user.go

@@ -1166,12 +1166,6 @@ func ValidateCommitsWithEmails(ctx context.Context, oldCommits []*git.Commit) ([
 
 	for _, c := range oldCommits {
 		user := emailUserMap.GetByEmail(c.Author.Email) // FIXME: why ValidateCommitsWithEmails uses "Author", but ParseCommitsWithSignature uses "Committer"?
-		if user == nil {
-			user = &User{
-				Name:  c.Author.Name,
-				Email: c.Author.Email,
-			}
-		}
 		newCommits = append(newCommits, &UserCommit{
 			User:   user,
 			Commit: c,
@@ -1195,12 +1189,14 @@ func GetUsersByEmails(ctx context.Context, emails []string) (*EmailUserMap, erro
 
 	needCheckEmails := make(container.Set[string])
 	needCheckUserNames := make(container.Set[string])
+	noReplyAddressSuffix := "@" + strings.ToLower(setting.Service.NoReplyAddress)
 	for _, email := range emails {
-		if strings.HasSuffix(email, "@"+setting.Service.NoReplyAddress) {
-			username := strings.TrimSuffix(email, "@"+setting.Service.NoReplyAddress)
-			needCheckUserNames.Add(strings.ToLower(username))
+		emailLower := strings.ToLower(email)
+		if noReplyUserNameLower, ok := strings.CutSuffix(emailLower, noReplyAddressSuffix); ok {
+			needCheckUserNames.Add(noReplyUserNameLower)
+			needCheckEmails.Add(emailLower)
 		} else {
-			needCheckEmails.Add(strings.ToLower(email))
+			needCheckEmails.Add(emailLower)
 		}
 	}
 

models/user/user_test.go

@@ -85,6 +85,11 @@ func TestUserEmails(t *testing.T) {
 				testGetUserByEmail(t, c.Email, c.UID)
 			})
 		}
+
+		t.Run("NoReplyConflict", func(t *testing.T) {
+			setting.Service.NoReplyAddress = "example.com"
+			testGetUserByEmail(t, "[email protected]", 1)
+		})
 	})
 }