Move macaron to chi (#14293)

Use [chi](https://github.com/go-chi/chi) instead of the forked [macaron](https://gitea.com/macaron/macaron). Since macaron and chi have conflicts with session share, this big PR becomes a have-to thing. According my previous idea, we can replace macaron step by step but I'm wrong. :( Below is a list of big changes on this PR.

- [x] Define `context.ResponseWriter` interface with an implementation `context.Response`.
- [x] Use chi instead of macaron, and also a customize `Route` to wrap chi so that the router usage is similar as before.
- [x] Create different routers for `web`, `api`, `internal` and `install` so that the codes will be more clear and no magic .
- [x] Use https://github.com/unrolled/render instead of macaron's internal render
- [x] Use https://github.com/NYTimes/gziphandler instead of https://gitea.com/macaron/gzip
- [x] Use https://gitea.com/go-chi/session which is a modified version of https://gitea.com/macaron/session and removed `nodb` support since it will not be maintained. **BREAK**
- [x] Use https://gitea.com/go-chi/captcha which is a modified version of https://gitea.com/macaron/captcha
- [x] Use https://gitea.com/go-chi/cache which is a modified version of https://gitea.com/macaron/cache
- [x] Use https://gitea.com/go-chi/binding which is a modified version of https://gitea.com/macaron/binding
- [x] Use https://github.com/go-chi/cors instead of https://gitea.com/macaron/cors
- [x] Dropped https://gitea.com/macaron/i18n and make a new one in `code.gitea.io/gitea/modules/translation`
- [x] Move validation form structs from `code.gitea.io/gitea/modules/auth` to `code.gitea.io/gitea/modules/forms` to avoid dependency cycle.
- [x] Removed macaron log service because it's not need any more. **BREAK**
- [x] All form structs have to be get by `web.GetForm(ctx)` in the route function but not as a function parameter on routes definition.
- [x] Move Git HTTP protocol implementation to use routers directly.
- [x] Fix the problem that chi routes don't support trailing slash but macaron did.
- [x] `/api/v1/swagger` now will be redirect to `/api/swagger` but not render directly so that `APIContext` will not create a html render. 

Notices:
- Chi router don't support request with trailing slash
- Integration test `TestUserHeatmap` maybe mysql version related. It's failed on my macOS(mysql 5.7.29 installed via brew) but succeed on CI.

Co-authored-by: 6543 <6543@obermui.de>

1 files changed, 265 insertions, 0 deletions

diff --git a/modules/context/csrf.go b/modules/context/csrf.go
new file mode 100644
index 0000000000..4a26664bf3
--- /dev/null
+++ b/modules/context/csrf.go
@@ -0,0 +1,265 @@
+// Copyright 2013 Martini Authors
+// Copyright 2014 The Macaron Authors
+// Copyright 2021 The Gitea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+// a middleware that generates and validates CSRF tokens.
+
+package context
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/unknwon/com"
+)
+
+// CSRF represents a CSRF service and is used to get the current token and validate a suspect token.
+type CSRF interface {
+	// Return HTTP header to search for token.
+	GetHeaderName() string
+	// Return form value to search for token.
+	GetFormName() string
+	// Return cookie name to search for token.
+	GetCookieName() string
+	// Return cookie path
+	GetCookiePath() string
+	// Return the flag value used for the csrf token.
+	GetCookieHTTPOnly() bool
+	// Return the token.
+	GetToken() string
+	// Validate by token.
+	ValidToken(t string) bool
+	// Error replies to the request with a custom function when ValidToken fails.
+	Error(w http.ResponseWriter)
+}
+
+type csrf struct {
+	// Header name value for setting and getting csrf token.
+	Header string
+	// Form name value for setting and getting csrf token.
+	Form string
+	// Cookie name value for setting and getting csrf token.
+	Cookie string
+	//Cookie domain
+	CookieDomain string
+	//Cookie path
+	CookiePath string
+	// Cookie HttpOnly flag value used for the csrf token.
+	CookieHTTPOnly bool
+	// Token generated to pass via header, cookie, or hidden form value.
+	Token string
+	// This value must be unique per user.
+	ID string
+	// Secret used along with the unique id above to generate the Token.
+	Secret string
+	// ErrorFunc is the custom function that replies to the request when ValidToken fails.
+	ErrorFunc func(w http.ResponseWriter)
+}
+
+// GetHeaderName returns the name of the HTTP header for csrf token.
+func (c *csrf) GetHeaderName() string {
+	return c.Header
+}
+
+// GetFormName returns the name of the form value for csrf token.
+func (c *csrf) GetFormName() string {
+	return c.Form
+}
+
+// GetCookieName returns the name of the cookie for csrf token.
+func (c *csrf) GetCookieName() string {
+	return c.Cookie
+}
+
+// GetCookiePath returns the path of the cookie for csrf token.
+func (c *csrf) GetCookiePath() string {
+	return c.CookiePath
+}
+
+// GetCookieHTTPOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHTTPOnly() bool {
+	return c.CookieHTTPOnly
+}
+
+// GetToken returns the current token. This is typically used
+// to populate a hidden form in an HTML template.
+func (c *csrf) GetToken() string {
+	return c.Token
+}
+
+// ValidToken validates the passed token against the existing Secret and ID.
+func (c *csrf) ValidToken(t string) bool {
+	return ValidToken(t, c.Secret, c.ID, "POST")
+}
+
+// Error replies to the request when ValidToken fails.
+func (c *csrf) Error(w http.ResponseWriter) {
+	c.ErrorFunc(w)
+}
+
+// CsrfOptions maintains options to manage behavior of Generate.
+type CsrfOptions struct {
+	// The global secret value used to generate Tokens.
+	Secret string
+	// HTTP header used to set and get token.
+	Header string
+	// Form value used to set and get token.
+	Form string
+	// Cookie value used to set and get token.
+	Cookie string
+	// Cookie domain.
+	CookieDomain string
+	// Cookie path.
+	CookiePath     string
+	CookieHTTPOnly bool
+	// SameSite set the cookie SameSite type
+	SameSite http.SameSite
+	// Key used for getting the unique ID per user.
+	SessionKey string
+	// oldSessionKey saves old value corresponding to SessionKey.
+	oldSessionKey string
+	// If true, send token via X-CSRFToken header.
+	SetHeader bool
+	// If true, send token via _csrf cookie.
+	SetCookie bool
+	// Set the Secure flag to true on the cookie.
+	Secure bool
+	// Disallow Origin appear in request header.
+	Origin bool
+	// The function called when Validate fails.
+	ErrorFunc func(w http.ResponseWriter)
+	// Cookie life time. Default is 0
+	CookieLifeTime int
+}
+
+func prepareOptions(options []CsrfOptions) CsrfOptions {
+	var opt CsrfOptions
+	if len(options) > 0 {
+		opt = options[0]
+	}
+
+	// Defaults.
+	if len(opt.Secret) == 0 {
+		opt.Secret = string(com.RandomCreateBytes(10))
+	}
+	if len(opt.Header) == 0 {
+		opt.Header = "X-CSRFToken"
+	}
+	if len(opt.Form) == 0 {
+		opt.Form = "_csrf"
+	}
+	if len(opt.Cookie) == 0 {
+		opt.Cookie = "_csrf"
+	}
+	if len(opt.CookiePath) == 0 {
+		opt.CookiePath = "/"
+	}
+	if len(opt.SessionKey) == 0 {
+		opt.SessionKey = "uid"
+	}
+	opt.oldSessionKey = "_old_" + opt.SessionKey
+	if opt.ErrorFunc == nil {
+		opt.ErrorFunc = func(w http.ResponseWriter) {
+			http.Error(w, "Invalid csrf token.", http.StatusBadRequest)
+		}
+	}
+
+	return opt
+}
+
+// Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token.
+// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.
+func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
+	opt = prepareOptions([]CsrfOptions{opt})
+	x := &csrf{
+		Secret:         opt.Secret,
+		Header:         opt.Header,
+		Form:           opt.Form,
+		Cookie:         opt.Cookie,
+		CookieDomain:   opt.CookieDomain,
+		CookiePath:     opt.CookiePath,
+		CookieHTTPOnly: opt.CookieHTTPOnly,
+		ErrorFunc:      opt.ErrorFunc,
+	}
+
+	if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {
+		return x
+	}
+
+	x.ID = "0"
+	uid := ctx.Session.Get(opt.SessionKey)
+	if uid != nil {
+		x.ID = com.ToStr(uid)
+	}
+
+	needsNew := false
+	oldUID := ctx.Session.Get(opt.oldSessionKey)
+	if oldUID == nil || oldUID.(string) != x.ID {
+		needsNew = true
+		_ = ctx.Session.Set(opt.oldSessionKey, x.ID)
+	} else {
+		// If cookie present, map existing token, else generate a new one.
+		if val := ctx.GetCookie(opt.Cookie); len(val) > 0 {
+			// FIXME: test coverage.
+			x.Token = val
+		} else {
+			needsNew = true
+		}
+	}
+
+	if needsNew {
+		// FIXME: actionId.
+		x.Token = GenerateToken(x.Secret, x.ID, "POST")
+		if opt.SetCookie {
+			var expires interface{}
+			if opt.CookieLifeTime == 0 {
+				expires = time.Now().AddDate(0, 0, 1)
+			}
+			ctx.SetCookie(opt.Cookie, x.Token, opt.CookieLifeTime, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHTTPOnly, expires,
+				func(c *http.Cookie) {
+					c.SameSite = opt.SameSite
+				},
+			)
+		}
+	}
+
+	if opt.SetHeader {
+		ctx.Resp.Header().Add(opt.Header, x.Token)
+	}
+	return x
+}
+
+// Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken"
+// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated
+// using ValidToken. If this validation fails, custom Error is sent in the reply.
+// If neither a header or form value is found, http.StatusBadRequest is sent.
+func Validate(ctx *Context, x CSRF) {
+	if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
+		if !x.ValidToken(token) {
+			ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
+			x.Error(ctx.Resp)
+		}
+		return
+	}
+	if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
+		if !x.ValidToken(token) {
+			ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
+			x.Error(ctx.Resp)
+		}
+		return
+	}
+
+	http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
+}