federation with allow lists (#5393)

## Description

This addresses Issue #5379.
The email validation was extended.
Additionally to checking whether the email domain is in the block list or in the allow list now we also check if the email domain is the servers own FQDN.
Tests have been written for the correct function of the allow list and if the local FQDN is admitted as email domain.

Edit: Clarifications, Typos

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.

### Documentation

- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] I want the title to show in the release notes with a link to this pull request.

Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-authored-by: patdyn <erik.seiert@meissa-gmbh.de>
Co-authored-by: Mirco <mirco.zachmann@meissa.de>
Co-authored-by: jerger <jerger@noreply.codeberg.org>
Co-authored-by: zam <mirco.zachmann@meissa.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5393
Reviewed-by: jerger <jerger@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: patdyn <patdyn@noreply.codeberg.org>
Co-committed-by: patdyn <patdyn@noreply.codeberg.org>

modules/setting/setting_test.go

@@ -1,4 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package setting
@@ -9,6 +10,7 @@ import (
 	"code.gitea.io/gitea/modules/json"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestMakeAbsoluteAssetURL(t *testing.T) {
@@ -30,3 +32,84 @@ func TestMakeManifestData(t *testing.T) {
 	jsonBytes := MakeManifestData(`Example App '\"`, "https://example.com", "https://example.com/foo/bar")
 	assert.True(t, json.Valid(jsonBytes))
 }
+
+func TestLoadServiceDomainListsForFederation(t *testing.T) {
+	oldAppURL := AppURL
+	oldFederation := Federation
+	oldService := Service
+
+	defer func() {
+		AppURL = oldAppURL
+		Federation = oldFederation
+		Service = oldService
+	}()
+
+	cfg, err := NewConfigProviderFromData(`
+[federation]
+ENABLED = true
+[service]
+EMAIL_DOMAIN_ALLOWLIST = *.allow.random
+EMAIL_DOMAIN_BLOCKLIST = *.block.random
+`)
+
+	require.NoError(t, err)
+	loadServerFrom(cfg)
+	loadFederationFrom(cfg)
+	loadServiceFrom(cfg)
+
+	assert.True(t, match(Service.EmailDomainAllowList, "d1.allow.random"))
+	assert.True(t, match(Service.EmailDomainAllowList, "localhost"))
+}
+
+func TestLoadServiceDomainListsNoFederation(t *testing.T) {
+	oldAppURL := AppURL
+	oldFederation := Federation
+	oldService := Service
+
+	defer func() {
+		AppURL = oldAppURL
+		Federation = oldFederation
+		Service = oldService
+	}()
+
+	cfg, err := NewConfigProviderFromData(`
+[federation]
+ENABLED = false
+[service]
+EMAIL_DOMAIN_ALLOWLIST = *.allow.random
+EMAIL_DOMAIN_BLOCKLIST = *.block.random
+`)
+
+	require.NoError(t, err)
+	loadServerFrom(cfg)
+	loadFederationFrom(cfg)
+	loadServiceFrom(cfg)
+
+	assert.True(t, match(Service.EmailDomainAllowList, "d1.allow.random"))
+}
+
+func TestLoadServiceDomainListsFederationEmptyAllowList(t *testing.T) {
+	oldAppURL := AppURL
+	oldFederation := Federation
+	oldService := Service
+
+	defer func() {
+		AppURL = oldAppURL
+		Federation = oldFederation
+		Service = oldService
+	}()
+
+	cfg, err := NewConfigProviderFromData(`
+[federation]
+ENABLED = true
+[service]
+EMAIL_DOMAIN_BLOCKLIST = *.block.random
+`)
+
+	require.NoError(t, err)
+	loadServerFrom(cfg)
+	loadFederationFrom(cfg)
+	loadServiceFrom(cfg)
+
+	assert.Empty(t, Service.EmailDomainAllowList)
+}