gitlab-org--gitlab-foss/spec/features/signed_commits_spec.rb

# frozen_string_literal: true

require 'spec_helper'

describe 'GPG signed commits' do
  let(:project) { create(:project, :public, :repository) }

  it 'changes from unverified to verified when the user changes his email to match the gpg key' do
    ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA
    user = create(:user, email: 'unrelated.user@example.org')

    perform_enqueued_jobs do
      create :gpg_key, key: GpgHelpers::User1.public_key, user: user
    end

    visit project_commit_path(project, ref)

    expect(page).to have_button 'Unverified'
    expect(page).not_to have_button 'Verified'

    # user changes his email which makes the gpg key verified
    perform_enqueued_jobs do
      user.skip_reconfirmation!
      user.update!(email: GpgHelpers::User1.emails.first)
    end

    visit project_commit_path(project, ref)

    expect(page).not_to have_button 'Unverified'
    expect(page).to have_button 'Verified'
  end

  it 'changes from unverified to verified when the user adds the missing gpg key' do
    ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA
    user = create(:user, email: GpgHelpers::User1.emails.first)

    visit project_commit_path(project, ref)

    expect(page).to have_button 'Unverified'
    expect(page).not_to have_button 'Verified'

    # user adds the gpg key which makes the signature valid
    perform_enqueued_jobs do
      create :gpg_key, key: GpgHelpers::User1.public_key, user: user
    end

    visit project_commit_path(project, ref)

    expect(page).not_to have_button 'Unverified'
    expect(page).to have_button 'Verified'
  end

  context 'shows popover badges', :js do
    let(:user_1) do
      create :user, email: GpgHelpers::User1.emails.first, username: 'nannie.bernhard', name: 'Nannie Bernhard'
    end

    let(:user_1_key) do
      perform_enqueued_jobs do
        create :gpg_key, key: GpgHelpers::User1.public_key, user: user_1
      end
    end

    let(:user_2) do
      create(:user, email: GpgHelpers::User2.emails.first, username: 'bette.cartwright', name: 'Bette Cartwright').tap do |user|
        # secondary, unverified email
        create :email, user: user, email: GpgHelpers::User2.emails.last
      end
    end

    let(:user_2_key) do
      perform_enqueued_jobs do
        create :gpg_key, key: GpgHelpers::User2.public_key, user: user_2
      end
    end

    it 'unverified signature' do
      visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)

      click_on 'Unverified'

      within '.popover' do
        expect(page).to have_content 'This commit was signed with an unverified signature.'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"
      end
    end

    it 'unverified signature: user email does not match the committer email, but is the same user' do
      user_2_key

      visit project_commit_path(project, GpgHelpers::DIFFERING_EMAIL_SHA)

      click_on 'Unverified'

      within '.popover' do
        expect(page).to have_content 'This commit was signed with a verified signature, but the committer email is not verified to belong to the same user.'
        expect(page).to have_content 'Bette Cartwright'
        expect(page).to have_content '@bette.cartwright'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"
      end
    end

    it 'unverified signature: user email does not match the committer email' do
      user_2_key

      visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)

      click_on 'Unverified'

      within '.popover' do
        expect(page).to have_content "This commit was signed with a different user's verified signature."
        expect(page).to have_content 'Bette Cartwright'
        expect(page).to have_content '@bette.cartwright'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"
      end
    end

    it 'verified and the gpg user has a gitlab profile' do
      user_1_key

      visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)

      click_on 'Verified'

      within '.popover' do
        expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'
        expect(page).to have_content 'Nannie Bernhard'
        expect(page).to have_content '@nannie.bernhard'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"
      end
    end

    it "verified and the gpg user's profile doesn't exist anymore" do
      user_1_key

      visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)

      # wait for the signature to get generated
      expect(page).to have_button 'Verified'

      user_1.destroy!

      refresh

      click_on 'Verified'

      within '.popover' do
        expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'
        expect(page).to have_content 'Nannie Bernhard'
        expect(page).to have_content 'nannie.bernhard@example.com'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"
      end
    end
  end

  context 'view signed commit on the tree view', :js do
    shared_examples 'a commit with a signature' do
      before do
        visit project_tree_path(project, 'signed-commits')
      end

      it 'displays commit signature' do
        expect(page).to have_button 'Unverified'

        click_on 'Unverified'

        within '.popover' do
          expect(page).to have_content 'This commit was signed with an unverified signature'
        end
      end
    end

    context 'with vue tree view enabled' do
      it_behaves_like 'a commit with a signature'
    end

    context 'with vue tree view disabled' do
      before do
        stub_feature_flags(vue_file_list: false)
      end

      it_behaves_like 'a commit with a signature'
    end
  end
end
Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`# frozen_string_literal: true`

extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`require 'spec_helper'`

Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`describe 'GPG signed commits' do`
Speed up "show GPG badge" feature specs Previously, this group of specs would create a new user, add them as a maintainer, sign them in, load the project's commit list, click a specific GPG key badge, and then verify the content in the popover. Now, we make the project public in order to skip the user setup and login, and load a specific commit page because it loads faster than the commit list while still showing the GPG badge. 2018-11-21 18:00:04 +00:00			`let(:project) { create(:project, :public, :repository) }`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
			`it 'changes from unverified to verified when the user changes his email to match the gpg key' do`
Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA`
			`user = create(:user, email: 'unrelated.user@example.org')`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Replace 'Sidekiq::Testing.inline!' with 'perform_enqueued_jobs' `perform_enqueued_jobs` is a Sidekiq method. Using this method violates the Dependency inversion principle[0]. This commit replaces `perform_enqueued_jobs` with ActiveJob's abstract method `perform_enqueued_jobs` in specs. [0]: https://en.wikipedia.org/wiki/Dependency_inversion_principle 2018-07-23 04:34:54 +00:00			`perform_enqueued_jobs do`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`create :gpg_key, key: GpgHelpers::User1.public_key, user: user`
			`end`

Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`visit project_commit_path(project, ref)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Replace inline scripts in links to prevent default Use buttons instead of links with javascript:void(0) 2019-08-15 06:27:55 +00:00			`expect(page).to have_button 'Unverified'`
			`expect(page).not_to have_button 'Verified'`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
			`# user changes his email which makes the gpg key verified`
Replace 'Sidekiq::Testing.inline!' with 'perform_enqueued_jobs' `perform_enqueued_jobs` is a Sidekiq method. Using this method violates the Dependency inversion principle[0]. This commit replaces `perform_enqueued_jobs` with ActiveJob's abstract method `perform_enqueued_jobs` in specs. [0]: https://en.wikipedia.org/wiki/Dependency_inversion_principle 2018-07-23 04:34:54 +00:00			`perform_enqueued_jobs do`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`user.skip_reconfirmation!`
Updates from `rubocop -a` 2018-07-02 10:43:06 +00:00			`user.update!(email: GpgHelpers::User1.emails.first)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`

Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`visit project_commit_path(project, ref)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Replace inline scripts in links to prevent default Use buttons instead of links with javascript:void(0) 2019-08-15 06:27:55 +00:00			`expect(page).not_to have_button 'Unverified'`
			`expect(page).to have_button 'Verified'`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`

			`it 'changes from unverified to verified when the user adds the missing gpg key' do`
Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA`
			`user = create(:user, email: GpgHelpers::User1.emails.first)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`visit project_commit_path(project, ref)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Replace inline scripts in links to prevent default Use buttons instead of links with javascript:void(0) 2019-08-15 06:27:55 +00:00			`expect(page).to have_button 'Unverified'`
			`expect(page).not_to have_button 'Verified'`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
			`# user adds the gpg key which makes the signature valid`
Replace 'Sidekiq::Testing.inline!' with 'perform_enqueued_jobs' `perform_enqueued_jobs` is a Sidekiq method. Using this method violates the Dependency inversion principle[0]. This commit replaces `perform_enqueued_jobs` with ActiveJob's abstract method `perform_enqueued_jobs` in specs. [0]: https://en.wikipedia.org/wiki/Dependency_inversion_principle 2018-07-23 04:34:54 +00:00			`perform_enqueued_jobs do`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`create :gpg_key, key: GpgHelpers::User1.public_key, user: user`
			`end`

Simplify "changes to verified" GPG feature specs Previously, we wasted time creating a maintainer and signing them in, then loaded the entire commit list just to verify the GPG status of a single commit. Now, we rely on the project being public so no user needs to be authenticated, and load just the page for the commit we care about. 2018-11-21 18:33:36 +00:00			`visit project_commit_path(project, ref)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Replace inline scripts in links to prevent default Use buttons instead of links with javascript:void(0) 2019-08-15 06:27:55 +00:00			`expect(page).not_to have_button 'Unverified'`
			`expect(page).to have_button 'Verified'`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`

Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`context 'shows popover badges', :js do`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`let(:user_1) do`
			`create :user, email: GpgHelpers::User1.emails.first, username: 'nannie.bernhard', name: 'Nannie Bernhard'`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`

update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`let(:user_1_key) do`
Replace 'Sidekiq::Testing.inline!' with 'perform_enqueued_jobs' `perform_enqueued_jobs` is a Sidekiq method. Using this method violates the Dependency inversion principle[0]. This commit replaces `perform_enqueued_jobs` with ActiveJob's abstract method `perform_enqueued_jobs` in specs. [0]: https://en.wikipedia.org/wiki/Dependency_inversion_principle 2018-07-23 04:34:54 +00:00			`perform_enqueued_jobs do`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`create :gpg_key, key: GpgHelpers::User1.public_key, user: user_1`
			`end`
			`end`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`let(:user_2) do`
			`create(:user, email: GpgHelpers::User2.emails.first, username: 'bette.cartwright', name: 'Bette Cartwright').tap do \|user\|`
			`# secondary, unverified email`
			`create :email, user: user, email: GpgHelpers::User2.emails.last`
			`end`
			`end`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`let(:user_2_key) do`
Replace 'Sidekiq::Testing.inline!' with 'perform_enqueued_jobs' `perform_enqueued_jobs` is a Sidekiq method. Using this method violates the Dependency inversion principle[0]. This commit replaces `perform_enqueued_jobs` with ActiveJob's abstract method `perform_enqueued_jobs` in specs. [0]: https://en.wikipedia.org/wiki/Dependency_inversion_principle 2018-07-23 04:34:54 +00:00			`perform_enqueued_jobs do`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`create :gpg_key, key: GpgHelpers::User2.public_key, user: user_2`
			`end`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`

update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`it 'unverified signature' do`
Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Speed up "show GPG badge" feature specs Previously, this group of specs would create a new user, add them as a maintainer, sign them in, load the project's commit list, click a specific GPG key badge, and then verify the content in the popover. Now, we make the project public in order to skip the user setup and login, and load a specific commit page because it loads faster than the commit list while still showing the GPG badge. 2018-11-21 18:00:04 +00:00			`click_on 'Unverified'`
Fix signed commits spec 2018-04-23 21:23:18 +00:00
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with an unverified signature.'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`end`
			`end`

			`it 'unverified signature: user email does not match the committer email, but is the same user' do`
			`user_2_key`

Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`visit project_commit_path(project, GpgHelpers::DIFFERING_EMAIL_SHA)`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00
Speed up "show GPG badge" feature specs Previously, this group of specs would create a new user, add them as a maintainer, sign them in, load the project's commit list, click a specific GPG key badge, and then verify the content in the popover. Now, we make the project public in order to skip the user setup and login, and load a specific commit page because it loads faster than the commit list while still showing the GPG badge. 2018-11-21 18:00:04 +00:00			`click_on 'Unverified'`
Fix signed commits spec 2018-04-23 21:23:18 +00:00
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with a verified signature, but the committer email is not verified to belong to the same user.'`
			`expect(page).to have_content 'Bette Cartwright'`
			`expect(page).to have_content '@bette.cartwright'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`end`
			`end`

			`it 'unverified signature: user email does not match the committer email' do`
			`user_2_key`

Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00
Speed up "show GPG badge" feature specs Previously, this group of specs would create a new user, add them as a maintainer, sign them in, load the project's commit list, click a specific GPG key badge, and then verify the content in the popover. Now, we make the project public in order to skip the user setup and login, and load a specific commit page because it loads faster than the commit list while still showing the GPG badge. 2018-11-21 18:00:04 +00:00			`click_on 'Unverified'`
Fix signed commits spec 2018-04-23 21:23:18 +00:00
			`within '.popover' do`
			`expect(page).to have_content "This commit was signed with a different user's verified signature."`
			`expect(page).to have_content 'Bette Cartwright'`
			`expect(page).to have_content '@bette.cartwright'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`end`
			`end`

			`it 'verified and the gpg user has a gitlab profile' do`
			`user_1_key`

Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00
Speed up "show GPG badge" feature specs Previously, this group of specs would create a new user, add them as a maintainer, sign them in, load the project's commit list, click a specific GPG key badge, and then verify the content in the popover. Now, we make the project public in order to skip the user setup and login, and load a specific commit page because it loads faster than the commit list while still showing the GPG badge. 2018-11-21 18:00:04 +00:00			`click_on 'Verified'`
Fix signed commits spec 2018-04-23 21:23:18 +00:00
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'`
			`expect(page).to have_content 'Nannie Bernhard'`
			`expect(page).to have_content '@nannie.bernhard'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`end`
			`end`

			`it "verified and the gpg user's profile doesn't exist anymore" do`
			`user_1_key`

Remove magic SHAs from GPG badge feature spec We're trying to give the arbitrary SHAs required by each spec a meaningful name. This also adds an explicit `ref` definition to each spec so we're not dealing with a mystery guest. 2018-11-21 18:32:04 +00:00			`visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00
			`# wait for the signature to get generated`
Replace inline scripts in links to prevent default Use buttons instead of links with javascript:void(0) 2019-08-15 06:27:55 +00:00			`expect(page).to have_button 'Verified'`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00
			`user_1.destroy!`

			`refresh`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00
Speed up "show GPG badge" feature specs Previously, this group of specs would create a new user, add them as a maintainer, sign them in, load the project's commit list, click a specific GPG key badge, and then verify the content in the popover. Now, we make the project public in order to skip the user setup and login, and load a specific commit page because it loads faster than the commit list while still showing the GPG badge. 2018-11-21 18:00:04 +00:00			`click_on 'Verified'`
Fix signed commits spec 2018-04-23 21:23:18 +00:00
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'`
			`expect(page).to have_content 'Nannie Bernhard'`
			`expect(page).to have_content 'nannie.bernhard@example.com'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"`
update signature badges to reflect new states 2017-08-30 12:27:33 +00:00			`end`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`
			`end`
Add latest changes from gitlab-org/gitlab@master 2019-10-21 15:05:58 +00:00
			`context 'view signed commit on the tree view', :js do`
			`shared_examples 'a commit with a signature' do`
			`before do`
			`visit project_tree_path(project, 'signed-commits')`
			`end`

			`it 'displays commit signature' do`
			`expect(page).to have_button 'Unverified'`

			`click_on 'Unverified'`

			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with an unverified signature'`
			`end`
			`end`
			`end`

			`context 'with vue tree view enabled' do`
			`it_behaves_like 'a commit with a signature'`
			`end`

			`context 'with vue tree view disabled' do`
			`before do`
			`stub_feature_flags(vue_file_list: false)`
			`end`

			`it_behaves_like 'a commit with a signature'`
			`end`
			`end`
extract gpg commit specs to their own file 2017-08-28 13:05:18 +00:00			`end`