gitlab-org--gitlab-foss/app/models/gpg_key.rb

class GpgKey < ActiveRecord::Base
  KEY_PREFIX = '-----BEGIN PGP PUBLIC KEY BLOCK-----'.freeze

  include ShaAttribute

  sha_attribute :primary_keyid
  sha_attribute :fingerprint

  belongs_to :user
  has_many :gpg_signatures, dependent: :nullify

  validates :user, presence: true

  validates :key,
    presence: true,
    uniqueness: true,
    format: {
      with: /\A#{KEY_PREFIX}((?!#{KEY_PREFIX}).)+\Z/m,
      message: "is invalid. A valid public GPG key begins with '#{KEY_PREFIX}'"
    }

  validates :fingerprint,
    presence: true,
    uniqueness: true,
    # only validate when the `key` is valid, as we don't want the user to show
    # the error about the fingerprint
    unless: -> { errors.has_key?(:key) }

  validates :primary_keyid,
    presence: true,
    uniqueness: true,
    # only validate when the `key` is valid, as we don't want the user to show
    # the error about the fingerprint
    unless: -> { errors.has_key?(:key) }

  before_validation :extract_fingerprint, :extract_primary_keyid
  after_commit :update_invalid_gpg_signatures, on: :create
  after_commit :notify_user, on: :create

  def key=(value)
    value.strip! unless value.blank?
    write_attribute(:key, value)
  end

  def user_infos
    @user_infos ||= Gitlab::Gpg.user_infos_from_key(key)
  end

  def verified_user_infos
    user_infos.select do |user_info|
      user_info[:email] == user.email
    end
  end

  def emails_with_verified_status
    user_infos.map do |user_info|
      [
        user_info[:email],
        user_info[:email] == user.email
      ]
    end.to_h
  end

  def verified?
    emails_with_verified_status.any? { |_email, verified| verified }
  end

  def update_invalid_gpg_signatures
    InvalidGpgSignatureUpdateWorker.perform_async(self.id)
  end

  def revoke
    GpgSignature.where(gpg_key: self, valid_signature: true).find_each do |gpg_signature|
      gpg_signature.update_attributes!(
        gpg_key: nil,
        valid_signature: false
      )
    end

    destroy
  end

  private

  def extract_fingerprint
    # we can assume that the result only contains one item as the validation
    # only allows one key
    self.fingerprint = Gitlab::Gpg.fingerprints_from_key(key).first
  end

  def extract_primary_keyid
    # we can assume that the result only contains one item as the validation
    # only allows one key
    self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first
  end

  def notify_user
    NotificationService.new.new_gpg_key(self)
  end
end
add gpg key model 2017-02-22 11:49:17 +00:00			`class GpgKey < ActiveRecord::Base`
			`KEY_PREFIX = '-----BEGIN PGP PUBLIC KEY BLOCK-----'.freeze`

use ShaAttribute for gpg table columns 2017-07-20 13:44:15 +00:00			`include ShaAttribute`

			`sha_attribute :primary_keyid`
			`sha_attribute :fingerprint`

add gpg key model 2017-02-22 11:49:17 +00:00			`belongs_to :user`
allow removal of gpg key by nullifying signatures 2017-06-22 15:21:03 +00:00			`has_many :gpg_signatures, dependent: :nullify`
add gpg key model 2017-02-22 11:49:17 +00:00
validate presence of user on gpg_key 2017-07-05 12:03:36 +00:00			`validates :user, presence: true`

add gpg key model 2017-02-22 11:49:17 +00:00			`validates :key,`
			`presence: true,`
			`uniqueness: true,`
			`format: {`
only validate gpg_key#fingerprint "internally" 2017-02-22 15:22:39 +00:00			`with: /\A#{KEY_PREFIX}((?!#{KEY_PREFIX}).)+\Z/m,`
			`message: "is invalid. A valid public GPG key begins with '#{KEY_PREFIX}'"`
add gpg key model 2017-02-22 11:49:17 +00:00			`}`

only validate gpg_key#fingerprint "internally" 2017-02-22 15:22:39 +00:00			`validates :fingerprint,`
			`presence: true,`
			`uniqueness: true,`
			# only validate when the `key` is valid, as we don't want the user to show
			`# the error about the fingerprint`
			`unless: -> { errors.has_key?(:key) }`

add primary keyid attribute to gpg keys 2017-06-13 11:46:43 +00:00			`validates :primary_keyid,`
			`presence: true,`
			`uniqueness: true,`
			# only validate when the `key` is valid, as we don't want the user to show
			`# the error about the fingerprint`
			`unless: -> { errors.has_key?(:key) }`

			`before_validation :extract_fingerprint, :extract_primary_keyid`
use after_commit instead of AfterCommitQueue 2017-07-05 12:23:23 +00:00			`after_commit :update_invalid_gpg_signatures, on: :create`
			`after_commit :notify_user, on: :create`
add gpg key model 2017-02-22 11:49:17 +00:00
			`def key=(value)`
			`value.strip! unless value.blank?`
			`write_attribute(:key, value)`
			`end`

store gpg user name and email on the signature 2017-07-13 13:22:15 +00:00			`def user_infos`
			`@user_infos \|\|= Gitlab::Gpg.user_infos_from_key(key)`
			`end`

			`def verified_user_infos`
			`user_infos.select do \|user_info\|`
			`user_info[:email] == user.email`
			`end`
add emails method to GgpKey 2017-02-22 14:37:49 +00:00			`end`

remove gpg from keychain when user's email changes 2017-02-28 14:25:12 +00:00			`def emails_with_verified_status`
store gpg user name and email on the signature 2017-07-13 13:22:15 +00:00			`user_infos.map do \|user_info\|`
gpg email verification 2017-02-24 20:28:26 +00:00			`[`
store gpg user name and email on the signature 2017-07-13 13:22:15 +00:00			`user_info[:email],`
			`user_info[:email] == user.email`
gpg email verification 2017-02-24 20:28:26 +00:00			`]`
use hash instead of 2d array 2017-07-05 11:16:50 +00:00			`end.to_h`
gpg email verification 2017-02-24 20:28:26 +00:00			`end`

gpg signature is only valid when key is verified 2017-06-15 07:57:50 +00:00			`def verified?`
			`emails_with_verified_status.any? { \|_email, verified\| verified }`
			`end`

update invalid gpg signatures when email changes 2017-06-15 13:07:44 +00:00			`def update_invalid_gpg_signatures`
perform signature update in sidekiq worker 2017-06-22 12:18:01 +00:00			`InvalidGpgSignatureUpdateWorker.perform_async(self.id)`
update invalid gpg signatures when email changes 2017-06-15 13:07:44 +00:00			`end`

user may now revoke a gpg key other than just removing a key, which doesn't affect the verified state of a commit, revoking a key unverifies all signed commits. 2017-07-12 05:59:28 +00:00			`def revoke`
			`GpgSignature.where(gpg_key: self, valid_signature: true).find_each do \|gpg_signature\|`
			`gpg_signature.update_attributes!(`
			`gpg_key: nil,`
			`valid_signature: false`
			`)`
			`end`

			`destroy`
			`end`

add gpg key model 2017-02-22 11:49:17 +00:00			`private`

			`def extract_fingerprint`
			`# we can assume that the result only contains one item as the validation`
			`# only allows one key`
extract gpg functionality to lib class 2017-02-22 16:20:42 +00:00			`self.fingerprint = Gitlab::Gpg.fingerprints_from_key(key).first`
add gpg key model 2017-02-22 11:49:17 +00:00			`end`
add / remove gpg keys to / from system keychain 2017-02-22 17:36:25 +00:00
add primary keyid attribute to gpg keys 2017-06-13 11:46:43 +00:00			`def extract_primary_keyid`
			`# we can assume that the result only contains one item as the validation`
			`# only allows one key`
			`self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first`
			`end`

notification email on add new gpg key 2017-02-28 09:49:59 +00:00			`def notify_user`
use after_commit instead of AfterCommitQueue 2017-07-05 12:23:23 +00:00			`NotificationService.new.new_gpg_key(self)`
perform signature update in sidekiq worker 2017-06-22 12:18:01 +00:00			`end`
add gpg key model 2017-02-22 11:49:17 +00:00			`end`