gitlab-org--gitlab-foss/lib/gitlab/gpg/commit.rb

module Gitlab
  module Gpg
    class Commit
      attr_reader :commit

      def initialize(commit)
        @commit = commit

        @signature_text, @signed_text = commit.raw.signature(commit.project.repository)
      end

      def has_signature?
        !!(@signature_text && @signed_text)
      end

      def signature
        return unless has_signature?

        cached_signature = GpgSignature.find_by(commit_sha: commit.sha)
        return cached_signature if cached_signature.present?

        Gitlab::Gpg.using_tmp_keychain do
          # first we need to get the keyid from the signature to query the gpg
          # key belonging to the keyid.
          # This way we can add the key to the temporary keychain and extract
          # the proper signature.
          gpg_key = GpgKey.find_by(primary_keyid: verified_signature.fingerprint)

          if gpg_key
            Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)
          end

          create_cached_signature!(gpg_key)
        end
      end

      private

      def verified_signature
        GPGME::Crypto.new.verify(@signature_text, signed_text: @signed_text) do |verified_signature|
          return verified_signature
        end
      end

      def create_cached_signature!(gpg_key)
        verified_signature_result = verified_signature

        GpgSignature.create!(
          commit_sha: commit.sha,
          project: commit.project,
          gpg_key: gpg_key,
          gpg_key_primary_keyid: gpg_key&.primary_keyid || verified_signature_result.fingerprint,
          valid_signature: !!(gpg_key && gpg_key.verified? && verified_signature_result.valid?)
        )
      end
    end
  end
end
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`module Gitlab`
			`module Gpg`
			`class Commit`
			`attr_reader :commit`

			`def initialize(commit)`
			`@commit = commit`

			`@signature_text, @signed_text = commit.raw.signature(commit.project.repository)`
			`end`

			`def has_signature?`
bail if the commit has no signature 2017-06-15 07:16:50 +00:00			`!!(@signature_text && @signed_text)`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`end`

			`def signature`
bail if the commit has no signature 2017-06-15 07:16:50 +00:00			`return unless has_signature?`

move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now. 2017-06-15 08:28:28 +00:00			`cached_signature = GpgSignature.find_by(commit_sha: commit.sha)`
			`return cached_signature if cached_signature.present?`

cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`Gitlab::Gpg.using_tmp_keychain do`
			`# first we need to get the keyid from the signature to query the gpg`
			`# key belonging to the keyid.`
			`# This way we can add the key to the temporary keychain and extract`
			`# the proper signature.`
			`gpg_key = GpgKey.find_by(primary_keyid: verified_signature.fingerprint)`

			`if gpg_key`
			`Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)`
			`end`

			`create_cached_signature!(gpg_key)`
			`end`
			`end`

			`private`

			`def verified_signature`
			`GPGME::Crypto.new.verify(@signature_text, signed_text: @signed_text) do \|verified_signature\|`
			`return verified_signature`
			`end`
			`end`

			`def create_cached_signature!(gpg_key)`
store gpg_key_primary_keyid for unknown gpg keys we need to store the keyid to be able to update the signature later in case the missing key is added later. 2017-06-15 10:43:04 +00:00			`verified_signature_result = verified_signature`

cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`GpgSignature.create!(`
			`commit_sha: commit.sha,`
			`project: commit.project,`
			`gpg_key: gpg_key,`
store gpg_key_primary_keyid for unknown gpg keys we need to store the keyid to be able to update the signature later in case the missing key is added later. 2017-06-15 10:43:04 +00:00			`gpg_key_primary_keyid: gpg_key&.primary_keyid \|\| verified_signature_result.fingerprint,`
			`valid_signature: !!(gpg_key && gpg_key.verified? && verified_signature_result.valid?)`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`)`
			`end`
			`end`
			`end`
			`end`