author | Alexis Reigel <mail@koffeinfrei.org> | 2017-06-15 09:57:50 +0200 |
---|---|---|
committer | Alexis Reigel <mail@koffeinfrei.org> | 2017-07-27 15:42:53 +0200 |
commit | 7b616d39efaa7cba933d17dfae010d393c18d057 (patch) | |
tree | f476d5ac7ef39ba01c77983e91315758eff54ddd | |
parent | 8c4b6a32fcc5786383904fa1d5cf8b317bec7a7f (diff) | |
download | gitlab-ce-7b616d39efaa7cba933d17dfae010d393c18d057.tar.gz |
gpg signature is only valid when key is verified
-rw-r--r-- | app/models/gpg_key.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/gpg/commit.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/gpg/commit_spec.rb | 28 | ||||
-rw-r--r-- | spec/models/gpg_key_spec.rb | 16 |
4 files changed, 47 insertions, 3 deletions
diff --git a/app/models/gpg_key.rb b/app/models/gpg_key.rb
index 26f9a3975c9..137abb60ddc 100644
--- a/app/models/gpg_key.rb
+++ b/app/models/gpg_key.rb
@@ -48,6 +48,10 @@ class GpgKey < ActiveRecord::Base
 end
 end
 
+ def verified?
+ emails_with_verified_status.any? { |_email, verified| verified }
+ end
+
 private
 
 def extract_fingerprint
diff --git a/lib/gitlab/gpg/commit.rb b/lib/gitlab/gpg/commit.rb
index f363652745f..d65a20f08f9 100644
--- a/lib/gitlab/gpg/commit.rb
+++ b/lib/gitlab/gpg/commit.rb
@@ -45,7 +45,7 @@ module Gitlab
 project: commit.project,
 gpg_key: gpg_key,
 gpg_key_primary_keyid: gpg_key&.primary_keyid,
- valid_signature: !!(gpg_key && verified_signature.valid?)
+ valid_signature: !!(gpg_key && gpg_key.verified? && verified_signature.valid?)
 )
 end
 end
diff --git a/spec/lib/gitlab/gpg/commit_spec.rb b/spec/lib/gitlab/gpg/commit_spec.rb
index c4d92b8bbbf..2a583dc1bd5 100644
--- a/spec/lib/gitlab/gpg/commit_spec.rb
+++ b/spec/lib/gitlab/gpg/commit_spec.rb
@@ -10,9 +10,9 @@ RSpec.describe Gitlab::Gpg::Commit do
 end
 end
 
- context 'known public key' do
+ context 'known and verified public key' do
 it 'returns a valid signature' do
- gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key
+ gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key, user: create(:user, email: GpgHelpers::User1.emails.first)
 
 raw_commit = double(:raw_commit, signature: [
 GpgHelpers::User1.signed_commit_signature,
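Review bot: `verified?` carries no comment saying what "verified" means here, and the `any?` makes it non-obvious: one matching UID is enough, so a key carrying several identities counts as verified even when only one of them belongs to the owning user. Suggest a comment above the method such as `# True when at least one of the key's UID emails is confirmed for the owning user; the remaining UIDs are not checked.` The shape of `emails_with_verified_status` is not visible in this hunk — presumably a hash of email => boolean, given the `|_email, verified|` block — so confirm the wording against that method. Callers that need to know which identity matched cannot recover it from this boolean.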
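Review bot: On the `valid_signature:` line, `gpg_key.verified?` only establishes that the key has some UID confirmed by its owner; nothing binds the commit being checked to that identity, so a commit whose committer email is a different, unconfirmed UID on the same key (or any other address) still gets `valid_signature: true` once `verified_signature.valid?` passes. If the "valid" badge is meant to assert authorship, consider also requiring the commit's committer email to be among the key's verified emails, or document on this line that the key-level check is deliberately weaker. What `verified_signature.valid?` covers is outside the hunk and may already account for this; the enclosing method also starts and ends outside the hunk. As a style point, `gpg_key && gpg_key.verified?` could be written `gpg_key&.verified?` to match the `gpg_key&.primary_keyid` line just above.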
@@ -34,6 +34,30 @@ RSpec.describe Gitlab::Gpg::Commit do
 end
 end
 
+ context 'known but unverified public key' do
+ it 'returns an invalid signature' do
+ gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key
+
+ raw_commit = double(:raw_commit, signature: [
+ GpgHelpers::User1.signed_commit_signature,
+ GpgHelpers::User1.signed_commit_base_data
+ ], sha: '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33')
+ allow(raw_commit).to receive :save!
+
+ commit = create :commit,
+ git_commit: raw_commit,
+ project: project
+
+ expect(described_class.new(commit).signature).to have_attributes(
+ commit_sha: '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33',
+ project: project,
+ gpg_key: gpg_key,
+ gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+ valid_signature: false
+ )
+ end
+ end
+
 context 'unknown public key' do
 it 'returns an invalid signature', :gpg do
 raw_commit = double(:raw_commit, signature: [
diff --git a/spec/models/gpg_key_spec.rb b/spec/models/gpg_key_spec.rb
index ac446fca819..3cb1723cc12 100644
--- a/spec/models/gpg_key_spec.rb
+++ b/spec/models/gpg_key_spec.rb
@@ -65,6 +65,22 @@ describe GpgKey do
 end
 end
 
+ describe '#verified?' do
+ it 'returns true one of the email addresses in the key belongs to the user' do
+ user = create :user, email: 'bette.cartwright@example.com'
+ gpg_key = create :gpg_key, key: GpgHelpers::User2.public_key, user: user
+
+ expect(gpg_key.verified?).to be_truthy
+ end
+
+ it 'returns false if one of the email addresses in the key does not belong to the user' do
+ user = create :user, email: 'someone.else@example.com'
+ gpg_key = create :gpg_key, key: GpgHelpers::User2.public_key, user: user
+
+ expect(gpg_key.verified?).to be_falsey
+ end
+ end
+
 describe 'notification' do
 include EmailHelpers |
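Review bot: The unverified case in `context 'known but unverified public key'` relies on `create :gpg_key` picking a factory-default user whose email happens not to be one of User1's UIDs; that assumption is invisible in the spec, and a change to the factory default could silently make the key verified and the example pass for the wrong reason. Consider pinning the owner explicitly with an address outside the key, `gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key, user: create(:user, email: 'someone.else@example.com')`, mirroring how the verified case pins `GpgHelpers::User1.emails.first`. The `raw_commit`/`commit` setup duplicates the verified example and could move into a shared `let` if more cases are added.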
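Review bot: The second example's description, `'returns false if one of the email addresses in the key does not belong to the user'`, states the opposite of what `verified?` does: with `any?` a single matching address is enough, so the key is only unverified when none of its addresses belong to the user, which is the situation the example actually sets up with `someone.else@example.com`. Suggest `it 'returns false if none of the email addresses in the key belong to the user' do`; the first description is also missing a word, `it 'returns true if one of the email addresses in the key belongs to the user' do`. A third example using a key whose UIDs include both a confirmed and an unconfirmed address would pin the `any?` semantics explicitly rather than leaving them implied.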