mirror of
https://codeberg.org/forgejo/forgejo
synced 2024-12-11 05:51:57 +01:00
fcb535c5c3
This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
101 lines
3.1 KiB
Go
101 lines
3.1 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package repofiles
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"code.gitea.io/gitea/models"
|
|
"code.gitea.io/gitea/modules/git"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
api "code.gitea.io/gitea/modules/structs"
|
|
"code.gitea.io/gitea/modules/test"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func getExpectedFileResponse() *api.FileResponse {
|
|
treePath := "README.md"
|
|
sha := "4b4851ad51df6a7d9f25c979345979eaeb5b349f"
|
|
encoding := "base64"
|
|
content := "IyByZXBvMQoKRGVzY3JpcHRpb24gZm9yIHJlcG8x"
|
|
selfURL := setting.AppURL + "api/v1/repos/user2/repo1/contents/" + treePath + "?ref=master"
|
|
htmlURL := setting.AppURL + "user2/repo1/src/branch/master/" + treePath
|
|
gitURL := setting.AppURL + "api/v1/repos/user2/repo1/git/blobs/" + sha
|
|
downloadURL := setting.AppURL + "user2/repo1/raw/branch/master/" + treePath
|
|
return &api.FileResponse{
|
|
Content: &api.ContentsResponse{
|
|
Name: treePath,
|
|
Path: treePath,
|
|
SHA: sha,
|
|
Type: "file",
|
|
Size: 30,
|
|
Encoding: &encoding,
|
|
Content: &content,
|
|
URL: &selfURL,
|
|
HTMLURL: &htmlURL,
|
|
GitURL: &gitURL,
|
|
DownloadURL: &downloadURL,
|
|
Links: &api.FileLinksResponse{
|
|
Self: &selfURL,
|
|
GitURL: &gitURL,
|
|
HTMLURL: &htmlURL,
|
|
},
|
|
},
|
|
Commit: &api.FileCommitResponse{
|
|
CommitMeta: api.CommitMeta{
|
|
URL: "https://try.gitea.io/api/v1/repos/user2/repo1/git/commits/65f1bf27bc3bf70f64657658635e66094edbcb4d",
|
|
SHA: "65f1bf27bc3bf70f64657658635e66094edbcb4d",
|
|
},
|
|
HTMLURL: "https://try.gitea.io/user2/repo1/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d",
|
|
Author: &api.CommitUser{
|
|
Identity: api.Identity{
|
|
Name: "user1",
|
|
Email: "address1@example.com",
|
|
},
|
|
Date: "2017-03-19T20:47:59Z",
|
|
},
|
|
Committer: &api.CommitUser{
|
|
Identity: api.Identity{
|
|
Name: "Ethan Koenig",
|
|
Email: "ethantkoenig@gmail.com",
|
|
},
|
|
Date: "2017-03-19T20:47:59Z",
|
|
},
|
|
Parents: []*api.CommitMeta{},
|
|
Message: "Initial commit\n",
|
|
Tree: &api.CommitMeta{
|
|
URL: "https://try.gitea.io/api/v1/repos/user2/repo1/git/trees/2a2f1d4670728a2e10049e345bd7a276468beab6",
|
|
SHA: "2a2f1d4670728a2e10049e345bd7a276468beab6",
|
|
},
|
|
},
|
|
Verification: &api.PayloadCommitVerification{
|
|
Verified: false,
|
|
Reason: "gpg.error.not_signed_commit",
|
|
Signature: "",
|
|
Payload: "",
|
|
},
|
|
}
|
|
}
|
|
|
|
func TestGetFileResponseFromCommit(t *testing.T) {
|
|
models.PrepareTestEnv(t)
|
|
ctx := test.MockContext(t, "user2/repo1")
|
|
ctx.SetParams(":id", "1")
|
|
test.LoadRepo(t, ctx, 1)
|
|
test.LoadRepoCommit(t, ctx)
|
|
test.LoadUser(t, ctx, 2)
|
|
test.LoadGitRepo(t, ctx)
|
|
repo := ctx.Repo.Repository
|
|
branch := repo.DefaultBranch
|
|
treePath := "README.md"
|
|
gitRepo, _ := git.OpenRepository(repo.RepoPath())
|
|
commit, _ := gitRepo.GetBranchCommit(branch)
|
|
expectedFileResponse := getExpectedFileResponse()
|
|
|
|
fileResponse, err := GetFileResponseFromCommit(repo, commit, branch, treePath)
|
|
assert.Nil(t, err)
|
|
assert.EqualValues(t, expectedFileResponse, fileResponse)
|
|
}
|