kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/spec/lib/gitlab/gpg/commit_spec.rb

212 lines
7.2 KiB
Ruby
Raw Normal View History

cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
require 'rails_helper'
Only create commit GPG signature when necessary
2017-08-15 07:22:55 -04:00
describe Gitlab::Gpg::Commit do
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
describe '#signature' do
extract shared example
2017-08-24 08:21:34 -04:00
shared_examples 'returns the cached signature on second call' do
it 'returns the cached signature on second call' do
gpg_commit = described_class.new(commit)
expect(gpg_commit).to receive(:using_keychain).and_call_original
gpg_commit.signature
# consecutive call
expect(gpg_commit).not_to receive(:using_keychain).and_call_original
gpg_commit.signature
end
end
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
let!(:project) { create :project, :repository, path: 'sample-project' }
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
Only create commit GPG signature when necessary
2017-08-15 07:22:55 -04:00
context 'unsigned commit' do
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
let!(:commit) { create :commit, project: project, sha: commit_sha }
bail if the commit has no signature
2017-06-15 03:16:50 -04:00
it 'returns nil' do
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
expect(described_class.new(commit).signature).to be_nil
bail if the commit has no signature
2017-06-15 03:16:50 -04:00
end
end
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
context 'known key' do
context 'user matches the key uid' do
add verification_status: same_user_different_email this is used to make a difference between a committer email that belongs to user, where the user used a different email for the gpg key. this means that the user is the same, but a different, unverified email is used for the signature.
2017-08-24 08:21:42 -04:00
context 'user email matches the email committer' do
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User1.emails.first }
let!(:user) { create(:user, email: GpgHelpers::User1.emails.first) }
let!(:gpg_key) do
create :gpg_key, key: GpgHelpers::User1.public_key, user: user
end
before do
allow(Rugged::Commit).to receive(:extract_signature)
.with(Rugged::Repository, commit_sha)
.and_return(
[
GpgHelpers::User1.signed_commit_signature,
GpgHelpers::User1.signed_commit_base_data
]
)
end
it 'returns a valid signature' do
expect(described_class.new(commit).signature).to have_attributes(
commit_sha: commit_sha,
project: project,
gpg_key: gpg_key,
gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
gpg_key_user_name: GpgHelpers::User1.names.first,
gpg_key_user_email: GpgHelpers::User1.emails.first,
valid_signature: true,
verification_status: 'verified'
)
end
extract shared example
2017-08-24 08:21:34 -04:00
it_behaves_like 'returns the cached signature on second call'
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
end
add verification_status: same_user_different_email this is used to make a difference between a committer email that belongs to user, where the user used a different email for the gpg key. this means that the user is the same, but a different, unverified email is used for the signature.
2017-08-24 08:21:42 -04:00
context 'user email does not match the committer email, but is the same user' do
let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }
let(:user) do
create(:user, email: GpgHelpers::User1.emails.first).tap do |user|
create :email, user: user, email: GpgHelpers::User2.emails.first
end
end
let!(:gpg_key) do
create :gpg_key, key: GpgHelpers::User1.public_key, user: user
end
before do
allow(Rugged::Commit).to receive(:extract_signature)
.with(Rugged::Repository, commit_sha)
.and_return(
[
GpgHelpers::User1.signed_commit_signature,
GpgHelpers::User1.signed_commit_base_data
]
)
end
it 'returns an invalid signature' do
expect(described_class.new(commit).signature).to have_attributes(
commit_sha: commit_sha,
project: project,
gpg_key: gpg_key,
gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
gpg_key_user_name: GpgHelpers::User1.names.first,
gpg_key_user_email: GpgHelpers::User1.emails.first,
valid_signature: false,
verification_status: 'same_user_different_email'
)
end
it_behaves_like 'returns the cached signature on second call'
end
context 'user email does not match the committer email' do
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }
let(:user) { create(:user, email: GpgHelpers::User1.emails.first) }
let!(:gpg_key) do
create :gpg_key, key: GpgHelpers::User1.public_key, user: user
end
before do
allow(Rugged::Commit).to receive(:extract_signature)
.with(Rugged::Repository, commit_sha)
.and_return(
[
GpgHelpers::User1.signed_commit_signature,
GpgHelpers::User1.signed_commit_base_data
]
)
end
it 'returns an invalid signature' do
expect(described_class.new(commit).signature).to have_attributes(
commit_sha: commit_sha,
project: project,
gpg_key: gpg_key,
gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
gpg_key_user_name: GpgHelpers::User1.names.first,
gpg_key_user_email: GpgHelpers::User1.emails.first,
valid_signature: false,
verification_status: 'other_user'
)
end
extract shared example
2017-08-24 08:21:34 -04:00
it_behaves_like 'returns the cached signature on second call'
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
end
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
end
move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now.
2017-06-15 04:28:28 -04:00
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
context 'user does not match the key uid' do
let!(:commit) { create :commit, project: project, sha: commit_sha }
move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now.
2017-06-15 04:28:28 -04:00
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
let(:user) { create(:user, email: GpgHelpers::User2.emails.first) }
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
let!(:gpg_key) do
create :gpg_key, key: GpgHelpers::User1.public_key, user: user
end
gpg signature is only valid when key is verified
2017-06-15 03:57:50 -04:00
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
before do
allow(Rugged::Commit).to receive(:extract_signature)
Only create commit GPG signature when necessary
2017-08-15 07:22:55 -04:00
.with(Rugged::Repository, commit_sha)
.and_return(
[
GpgHelpers::User1.signed_commit_signature,
GpgHelpers::User1.signed_commit_base_data
]
)
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
end
it 'returns an invalid signature' do
expect(described_class.new(commit).signature).to have_attributes(
commit_sha: commit_sha,
project: project,
gpg_key: gpg_key,
gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
gpg_key_user_name: GpgHelpers::User1.names.first,
gpg_key_user_email: GpgHelpers::User1.emails.first,
valid_signature: false,
verification_status: 'unverified_key'
)
end
extract shared example
2017-08-24 08:21:34 -04:00
it_behaves_like 'returns the cached signature on second call'
move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now.
2017-06-15 04:28:28 -04:00
end
gpg signature is only valid when key is verified
2017-06-15 03:57:50 -04:00
end
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
context 'unknown key' do
let!(:commit) { create :commit, project: project, sha: commit_sha }
Only create commit GPG signature when necessary
2017-08-15 07:22:55 -04:00
before do
allow(Rugged::Commit).to receive(:extract_signature)
.with(Rugged::Repository, commit_sha)
.and_return(
[
GpgHelpers::User1.signed_commit_signature,
GpgHelpers::User1.signed_commit_base_data
]
)
move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now.
2017-06-15 04:28:28 -04:00
end
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now.
2017-06-15 04:28:28 -04:00
it 'returns an invalid signature' do
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
expect(described_class.new(commit).signature).to have_attributes(
extract variable
2017-06-26 03:13:36 -04:00
commit_sha: commit_sha,
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
project: project,
gpg_key: nil,
store gpg_key_primary_keyid for unknown gpg keys we need to store the keyid to be able to update the signature later in case the missing key is added later.
2017-06-15 06:43:04 -04:00
gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
store gpg user name and email on the signature
2017-07-13 09:22:15 -04:00
gpg_key_user_name: nil,
gpg_key_user_email: nil,
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails.
2017-08-24 08:21:30 -04:00
valid_signature: false,
verification_status: 'unknown_key'
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
)
end
move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now.
2017-06-15 04:28:28 -04:00
extract shared example
2017-08-24 08:21:34 -04:00
it_behaves_like 'returns the cached signature on second call'
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation.
2017-06-14 05:51:34 -04:00
end
end
end
Copy permalink