gitlab-org--gitlab-foss/app/models/gpg_signature.rb

# frozen_string_literal: true

class GpgSignature < ApplicationRecord
  include ShaAttribute

  sha_attribute :commit_sha
  sha_attribute :gpg_key_primary_keyid

  enum verification_status: {
    unverified: 0,
    verified: 1,
    same_user_different_email: 2,
    other_user: 3,
    unverified_key: 4,
    unknown_key: 5
  }

  belongs_to :project
  belongs_to :gpg_key
  belongs_to :gpg_key_subkey

  validates :commit_sha, presence: true
  validates :project_id, presence: true
  validates :gpg_key_primary_keyid, presence: true

  def self.with_key_and_subkeys(gpg_key)
    subkey_ids = gpg_key.subkeys.pluck(:id)

    where(
      arel_table[:gpg_key_id].eq(gpg_key.id).or(
        arel_table[:gpg_key_subkey_id].in(subkey_ids)
      )
    )
  end

  def self.safe_create!(attributes)
    create_with(attributes)
      .safe_find_or_create_by!(commit_sha: attributes[:commit_sha])
  end

  # Find commits that are lacking a signature in the database at present
  def self.unsigned_commit_shas(commit_shas)
    return [] if commit_shas.empty?

    signed = GpgSignature.where(commit_sha: commit_shas).pluck(:commit_sha)

    commit_shas - signed
  end

  def gpg_key=(model)
    case model
    when GpgKey
      super
    when GpgKeySubkey
      self.gpg_key_subkey = model
    when NilClass
      super
      self.gpg_key_subkey = nil
    end
  end

  def gpg_key
    if gpg_key_id
      super
    elsif gpg_key_subkey_id
      gpg_key_subkey
    end
  end

  def gpg_key_primary_keyid
    super&.upcase
  end

  def commit
    project.commit(commit_sha)
  end

  def gpg_commit
    return unless commit

    Gitlab::Gpg::Commit.new(commit)
  end
end
Enable frozen string in app/models/*.rb Partially addresses #47424. 2018-07-25 05:30:33 -04:00			`# frozen_string_literal: true`

Avoid race conditions when creating GpgSignature This avoids race conditions when creating GpgSignature. 2019-02-05 12:22:25 -05:00			`class GpgSignature < ApplicationRecord`
use ShaAttribute for gpg table columns 2017-07-20 09:44:15 -04:00			`include ShaAttribute`

			`sha_attribute :commit_sha`
			`sha_attribute :gpg_key_primary_keyid`

match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails. 2017-08-24 08:21:30 -04:00			`enum verification_status: {`
			`unverified: 0,`
			`verified: 1,`
add verification_status: same_user_different_email this is used to make a difference between a committer email that belongs to user, where the user used a different email for the gpg key. this means that the user is the same, but a different, unverified email is used for the signature. 2017-08-24 08:21:42 -04:00			`same_user_different_email: 2,`
			`other_user: 3,`
			`unverified_key: 4,`
			`unknown_key: 5`
match the committer's email against the gpg key the updated verification of a gpg signature requires the committer's email to also match the user's and the key's emails. 2017-08-24 08:21:30 -04:00			`}`

gpg signature model for gpg verification caching 2017-06-14 03:17:34 -04:00			`belongs_to :project`
			`belongs_to :gpg_key`
Associate GgpSignature with GpgKeySubkey if comes from a subkey Additionally we're delegating missing method calls on GpgKeySubkey to GpgKey since most of the info required when verifying a signature is found on GpgKey which is the parent of GpgKeySubkey 2017-09-27 20:45:19 -04:00			`belongs_to :gpg_key_subkey`
gpg signature model for gpg verification caching 2017-06-14 03:17:34 -04:00
			`validates :commit_sha, presence: true`
validate the foreign_key instead of the relation 2017-07-25 15:20:48 -04:00			`validates :project_id, presence: true`
store gpg_key_primary_keyid for unknown gpg keys we need to store the keyid to be able to update the signature later in case the missing key is added later. 2017-06-15 06:43:04 -04:00			`validates :gpg_key_primary_keyid, presence: true`
simplify fetching of commit 2017-07-06 04:17:09 -04:00
Invalidate GpgSignatures associated to GpgKeySubkeys when revoking the GpgKey 2017-10-04 19:44:49 -04:00			`def self.with_key_and_subkeys(gpg_key)`
Small refactor and fix for RuboCop 2017-10-05 11:17:18 -04:00			`subkey_ids = gpg_key.subkeys.pluck(:id)`
Invalidate GpgSignatures associated to GpgKeySubkeys when revoking the GpgKey 2017-10-04 19:44:49 -04:00
			`where(`
Small refactor and fix for RuboCop 2017-10-05 11:17:18 -04:00			`arel_table[:gpg_key_id].eq(gpg_key.id).or(`
			`arel_table[:gpg_key_subkey_id].in(subkey_ids)`
Invalidate GpgSignatures associated to GpgKeySubkeys when revoking the GpgKey 2017-10-04 19:44:49 -04:00			`)`
			`)`
			`end`

Avoid race conditions when creating GpgSignature This avoids race conditions when creating GpgSignature. 2019-02-05 12:22:25 -05:00			`def self.safe_create!(attributes)`
			`create_with(attributes)`
			`.safe_find_or_create_by!(commit_sha: attributes[:commit_sha])`
			`end`

Extract a Git::{Base,Tag,Branch}HooksService 2019-03-28 10:59:24 -04:00			`# Find commits that are lacking a signature in the database at present`
			`def self.unsigned_commit_shas(commit_shas)`
			`return [] if commit_shas.empty?`

			`signed = GpgSignature.where(commit_sha: commit_shas).pluck(:commit_sha)`

			`commit_shas - signed`
			`end`

Associate GgpSignature with GpgKeySubkey if comes from a subkey Additionally we're delegating missing method calls on GpgKeySubkey to GpgKey since most of the info required when verifying a signature is found on GpgKey which is the parent of GpgKeySubkey 2017-09-27 20:45:19 -04:00			`def gpg_key=(model)`
			`case model`
Address some feedback from last code review 2017-10-04 11:34:50 -04:00			`when GpgKey`
			`super`
			`when GpgKeySubkey`
			`self.gpg_key_subkey = model`
			`when NilClass`
			`super`
			`self.gpg_key_subkey = nil`
Associate GgpSignature with GpgKeySubkey if comes from a subkey Additionally we're delegating missing method calls on GpgKeySubkey to GpgKey since most of the info required when verifying a signature is found on GpgKey which is the parent of GpgKeySubkey 2017-09-27 20:45:19 -04:00			`end`
			`end`

			`def gpg_key`
			`if gpg_key_id`
			`super`
			`elsif gpg_key_subkey_id`
			`gpg_key_subkey`
			`end`
			`end`

upcase in the model instead of in the view 2017-07-25 10:23:52 -04:00			`def gpg_key_primary_keyid`
			`super&.upcase`
			`end`

simplify fetching of commit 2017-07-06 04:17:09 -04:00			`def commit`
			`project.commit(commit_sha)`
			`end`
Only create commit GPG signature when necessary 2017-08-15 07:22:55 -04:00
			`def gpg_commit`
Fix error with GPG signature updater when commit was deleted 2017-10-07 11:47:53 -04:00			`return unless commit`

pass whole commit to Gitlab::Gpg::Commit again we need the commit object for the updated verification that also checks the committer's email to match the gpg key and user's emails. 2017-08-24 08:21:26 -04:00			`Gitlab::Gpg::Commit.new(commit)`
Only create commit GPG signature when necessary 2017-08-15 07:22:55 -04:00			`end`
gpg signature model for gpg verification caching 2017-06-14 03:17:34 -04:00			`end`