Merge branch 'feature/gpg-signed-commits' into 'master'

GPG signed commits Closes #20268 See merge request !9546
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2017-07-27 15:29:39 +0000
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2017-07-27 15:29:39 +0000
commit: ac0cbe69706a2d3013d37adda7514824a2d06ed4 (patch)
tree: 7730163984394f4e79711c609a2d1da2bb4f807e /spec/lib
parent: 9981814514742a2ee507d4dcc2fd71099fd96585 (diff)
parent: 5ebccab1eb74f7bf9f7f9d4f2d9a56fb81754cbe (diff)
download: gitlab-ce-ac0cbe69706a2d3013d37adda7514824a2d06ed4.tar.gz
3 files changed, 383 insertions, 0 deletions
diff --git a/spec/lib/gitlab/gpg/commit_spec.rb b/spec/lib/gitlab/gpg/commit_spec.rb
new file mode 100644
index 00000000000..ddb8dd9f0f4
--- /dev/null
+++ b/spec/lib/gitlab/gpg/commit_spec.rb
@@ -0,0 +1,127 @@
+require 'rails_helper'
+
+RSpec.describe Gitlab::Gpg::Commit do
+  describe '#signature' do
+    let!(:project) { create :project, :repository, path: 'sample-project' }
+    let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33'  }
+
+    context 'unisgned commit' do
+      it 'returns nil' do
+        expect(described_class.new(project.commit).signature).to be_nil
+      end
+    end
+
+    context 'known and verified public key' do
+      let!(:gpg_key) do
+        create :gpg_key, key: GpgHelpers::User1.public_key, user: create(:user, email: GpgHelpers::User1.emails.first)
+      end
+
+      let!(:commit) do
+        raw_commit = double(:raw_commit, signature: [
+          GpgHelpers::User1.signed_commit_signature,
+          GpgHelpers::User1.signed_commit_base_data
+        ], sha: commit_sha)
+        allow(raw_commit).to receive :save!
+
+        create :commit, git_commit: raw_commit, project: project
+      end
+
+      it 'returns a valid signature' do
+        expect(described_class.new(commit).signature).to have_attributes(
+          commit_sha: commit_sha,
+          project: project,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          gpg_key_user_name: GpgHelpers::User1.names.first,
+          gpg_key_user_email: GpgHelpers::User1.emails.first,
+          valid_signature: true
+        )
+      end
+
+      it 'returns the cached signature on second call' do
+        gpg_commit = described_class.new(commit)
+
+        expect(gpg_commit).to receive(:using_keychain).and_call_original
+        gpg_commit.signature
+
+        # consecutive call
+        expect(gpg_commit).not_to receive(:using_keychain).and_call_original
+        gpg_commit.signature
+      end
+    end
+
+    context 'known but unverified public key' do
+      let!(:gpg_key) { create :gpg_key, key: GpgHelpers::User1.public_key }
+
+      let!(:commit) do
+        raw_commit = double(:raw_commit, signature: [
+          GpgHelpers::User1.signed_commit_signature,
+          GpgHelpers::User1.signed_commit_base_data
+        ], sha: commit_sha)
+        allow(raw_commit).to receive :save!
+
+        create :commit, git_commit: raw_commit, project: project
+      end
+
+      it 'returns an invalid signature' do
+        expect(described_class.new(commit).signature).to have_attributes(
+          commit_sha: commit_sha,
+          project: project,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          gpg_key_user_name: GpgHelpers::User1.names.first,
+          gpg_key_user_email: GpgHelpers::User1.emails.first,
+          valid_signature: false
+        )
+      end
+
+      it 'returns the cached signature on second call' do
+        gpg_commit = described_class.new(commit)
+
+        expect(gpg_commit).to receive(:using_keychain).and_call_original
+        gpg_commit.signature
+
+        # consecutive call
+        expect(gpg_commit).not_to receive(:using_keychain).and_call_original
+        gpg_commit.signature
+      end
+    end
+
+    context 'unknown public key' do
+      let!(:commit) do
+        raw_commit = double(:raw_commit, signature: [
+          GpgHelpers::User1.signed_commit_signature,
+          GpgHelpers::User1.signed_commit_base_data
+        ], sha: commit_sha)
+        allow(raw_commit).to receive :save!
+
+        create :commit,
+          git_commit: raw_commit,
+          project: project
+      end
+
+      it 'returns an invalid signature' do
+        expect(described_class.new(commit).signature).to have_attributes(
+          commit_sha: commit_sha,
+          project: project,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          gpg_key_user_name: nil,
+          gpg_key_user_email: nil,
+          valid_signature: false
+        )
+      end
+
+      it 'returns the cached signature on second call' do
+        gpg_commit = described_class.new(commit)
+
+        expect(gpg_commit).to receive(:using_keychain).and_call_original
+        gpg_commit.signature
+
+        # consecutive call
+        expect(gpg_commit).not_to receive(:using_keychain).and_call_original
+        gpg_commit.signature
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
new file mode 100644
index 00000000000..c4e04ee46a2
--- /dev/null
+++ b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
@@ -0,0 +1,173 @@
+require 'rails_helper'
+
+RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
+  describe '#run' do
+    let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
+    let!(:project) { create :project, :repository, path: 'sample-project' }
+    let!(:raw_commit) do
+      raw_commit = double(:raw_commit, signature: [
+        GpgHelpers::User1.signed_commit_signature,
+        GpgHelpers::User1.signed_commit_base_data
+      ], sha: commit_sha)
+
+      allow(raw_commit).to receive :save!
+
+      raw_commit
+    end
+
+    let!(:commit) do
+      create :commit, git_commit: raw_commit, project: project
+    end
+
+    before do
+      allow_any_instance_of(Project).to receive(:commit).and_return(commit)
+    end
+
+    context 'gpg signature did have an associated gpg key which was removed later' do
+      let!(:user) { create :user, email: GpgHelpers::User1.emails.first }
+
+      let!(:valid_gpg_signature) do
+        create :gpg_signature,
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: true
+      end
+
+      it 'assigns the gpg key to the signature when the missing gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        gpg_key = create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(valid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: true
+        )
+      end
+
+      it 'does not assign the gpg key when an unrelated gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        create :gpg_key,
+          key: GpgHelpers::User2.public_key,
+          user: user
+
+        expect(valid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: true
+        )
+      end
+    end
+
+    context 'gpg signature did not have an associated gpg key' do
+      let!(:user) { create :user, email: GpgHelpers::User1.emails.first }
+
+      let!(:invalid_gpg_signature) do
+        create :gpg_signature,
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+      end
+
+      it 'updates the signature to being valid when the missing gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        gpg_key = create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(invalid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: true
+        )
+      end
+
+      it 'keeps the signature at being invalid when an unrelated gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        create :gpg_key,
+          key: GpgHelpers::User2.public_key,
+          user: user
+
+        expect(invalid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+        )
+      end
+    end
+
+    context 'gpg signature did have an associated unverified gpg key' do
+      let!(:user) do
+        create(:user, email: 'unrelated@example.com').tap do |user|
+          user.skip_reconfirmation!
+        end
+      end
+
+      let!(:invalid_gpg_signature) do
+        create :gpg_signature,
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+      end
+
+      it 'updates the signature to being valid when the user updates the email address' do
+        gpg_key = create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(invalid_gpg_signature.reload.valid_signature).to be_falsey
+
+        # InvalidGpgSignatureUpdater is called by the after_update hook
+        user.update_attributes!(email: GpgHelpers::User1.emails.first)
+
+        expect(invalid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: true
+        )
+      end
+
+      it 'keeps the signature at being invalid when the changed email address is still unrelated' do
+        gpg_key = create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(invalid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+        )
+
+        # InvalidGpgSignatureUpdater is called by the after_update hook
+        user.update_attributes!(email: 'still.unrelated@example.com')
+
+        expect(invalid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: gpg_key,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+        )
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/gpg_spec.rb b/spec/lib/gitlab/gpg_spec.rb
new file mode 100644
index 00000000000..8041518117d
--- /dev/null
+++ b/spec/lib/gitlab/gpg_spec.rb
@@ -0,0 +1,83 @@
+require 'rails_helper'
+
+describe Gitlab::Gpg do
+  describe '.fingerprints_from_key' do
+    before do
+      # make sure that each method is using the temporary keychain
+      expect(described_class).to receive(:using_tmp_keychain).and_call_original
+    end
+
+    it 'returns CurrentKeyChain.fingerprints_from_key' do
+      expect(Gitlab::Gpg::CurrentKeyChain).to receive(:fingerprints_from_key).with(GpgHelpers::User1.public_key)
+
+      described_class.fingerprints_from_key(GpgHelpers::User1.public_key)
+    end
+  end
+
+  describe '.primary_keyids_from_key' do
+    it 'returns the keyid' do
+      expect(
+        described_class.primary_keyids_from_key(GpgHelpers::User1.public_key)
+      ).to eq [GpgHelpers::User1.primary_keyid]
+    end
+
+    it 'returns an empty array when the key is invalid' do
+      expect(
+        described_class.primary_keyids_from_key('bogus')
+      ).to eq []
+    end
+  end
+
+  describe '.user_infos_from_key' do
+    it 'returns the names and emails' do
+      user_infos = described_class.user_infos_from_key(GpgHelpers::User1.public_key)
+      expect(user_infos).to eq([{
+        name: GpgHelpers::User1.names.first,
+        email: GpgHelpers::User1.emails.first
+      }])
+    end
+
+    it 'returns an empty array when the key is invalid' do
+      expect(
+        described_class.user_infos_from_key('bogus')
+      ).to eq []
+    end
+  end
+end
+
+describe Gitlab::Gpg::CurrentKeyChain do
+  around do |example|
+    Gitlab::Gpg.using_tmp_keychain do
+      example.run
+    end
+  end
+
+  describe '.add' do
+    it 'stores the key in the keychain' do
+      expect(GPGME::Key.find(:public, GpgHelpers::User1.fingerprint)).to eq []
+
+      described_class.add(GpgHelpers::User1.public_key)
+
+      keys = GPGME::Key.find(:public, GpgHelpers::User1.fingerprint)
+      expect(keys.count).to eq 1
+      expect(keys.first).to have_attributes(
+        email: GpgHelpers::User1.emails.first,
+        fingerprint: GpgHelpers::User1.fingerprint
+      )
+    end
+  end
+
+  describe '.fingerprints_from_key' do
+    it 'returns the fingerprint' do
+      expect(
+        described_class.fingerprints_from_key(GpgHelpers::User1.public_key)
+      ).to eq [GpgHelpers::User1.fingerprint]
+    end
+
+    it 'returns an empty array when the key is invalid' do
+      expect(
+        described_class.fingerprints_from_key('bogus')
+      ).to eq []
+    end
+  end
+end
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2017-07-27 15:29:39 +0000
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2017-07-27 15:29:39 +0000
commit	ac0cbe69706a2d3013d37adda7514824a2d06ed4 (patch)
tree	7730163984394f4e79711c609a2d1da2bb4f807e /spec/lib
parent	9981814514742a2ee507d4dcc2fd71099fd96585 (diff)
parent	5ebccab1eb74f7bf9f7f9d4f2d9a56fb81754cbe (diff)
download	gitlab-ce-ac0cbe69706a2d3013d37adda7514824a2d06ed4.tar.gz