gitlab-org--gitlab-foss/lib/gitlab/gpg/commit.rb

module Gitlab
  module Gpg
    class Commit
      attr_reader :commit

      def initialize(commit)
        @commit = commit

        @signature_text, @signed_text = commit.raw.signature(commit.project.repository)
      end

      def has_signature?
        !!(@signature_text && @signed_text)
      end

      def signature
        return unless has_signature?

        cached_signature = GpgSignature.find_by(commit_sha: commit.sha)
        return cached_signature if cached_signature.present?

        using_keychain do |gpg_key|
          if gpg_key
            Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)
            @verified_signature = nil
          end

          create_cached_signature!(gpg_key)
        end
      end

      def update_signature!(cached_signature)
        using_keychain do |gpg_key|
          cached_signature.update_attributes!(
            valid_signature: self.class.gpg_signature_valid_signature_value(gpg_key, verified_signature)
          )
        end
      end

      private

      def using_keychain
        Gitlab::Gpg.using_tmp_keychain do
          # first we need to get the keyid from the signature to query the gpg
          # key belonging to the keyid.
          # This way we can add the key to the temporary keychain and extract
          # the proper signature.
          gpg_key = GpgKey.find_by(primary_keyid: verified_signature.fingerprint)

          if gpg_key
            Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)
          end

          yield gpg_key
        end
      end

      def verified_signature
        @verified_signature ||= GPGME::Crypto.new.verify(@signature_text, signed_text: @signed_text) do |verified_signature|
          return verified_signature
        end
      end

      def create_cached_signature!(gpg_key)
        GpgSignature.create!(
          commit_sha: commit.sha,
          project: commit.project,
          gpg_key: gpg_key,
          gpg_key_primary_keyid: gpg_key&.primary_keyid || verified_signature.fingerprint,
          valid_signature: self.class.gpg_signature_valid_signature_value(gpg_key, verified_signature)
        )
      end

      def self.gpg_signature_valid_signature_value(gpg_key, verified_signature_)
        !!(gpg_key && gpg_key.verified? && verified_signature_.valid?)
      end
    end
  end
end
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`module Gitlab`
			`module Gpg`
			`class Commit`
			`attr_reader :commit`

			`def initialize(commit)`
			`@commit = commit`

			`@signature_text, @signed_text = commit.raw.signature(commit.project.repository)`
			`end`

			`def has_signature?`
bail if the commit has no signature 2017-06-15 07:16:50 +00:00			`!!(@signature_text && @signed_text)`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`end`

			`def signature`
bail if the commit has no signature 2017-06-15 07:16:50 +00:00			`return unless has_signature?`

move signature cache read to Gpg::Commit as we write the cache in the gpg commit class already the read should also happen there. This also removes all logic from the main commit class, which just proxies the call to the Gpg::Commit now. 2017-06-15 08:28:28 +00:00			`cached_signature = GpgSignature.find_by(commit_sha: commit.sha)`
			`return cached_signature if cached_signature.present?`

memoize verified_signature call 2017-06-15 11:37:03 +00:00			`using_keychain do \|gpg_key\|`
			`if gpg_key`
			`Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)`
			`@verified_signature = nil`
			`end`

			`create_cached_signature!(gpg_key)`
			`end`
			`end`

allow updating of gpg signature through gpg commit 2017-06-15 12:18:00 +00:00			`def update_signature!(cached_signature)`
			`using_keychain do \|gpg_key\|`
			`cached_signature.update_attributes!(`
			`valid_signature: self.class.gpg_signature_valid_signature_value(gpg_key, verified_signature)`
			`)`
			`end`
			`end`

memoize verified_signature call 2017-06-15 11:37:03 +00:00			`private`

			`def using_keychain`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`Gitlab::Gpg.using_tmp_keychain do`
			`# first we need to get the keyid from the signature to query the gpg`
			`# key belonging to the keyid.`
			`# This way we can add the key to the temporary keychain and extract`
			`# the proper signature.`
			`gpg_key = GpgKey.find_by(primary_keyid: verified_signature.fingerprint)`

			`if gpg_key`
			`Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)`
			`end`

memoize verified_signature call 2017-06-15 11:37:03 +00:00			`yield gpg_key`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`end`
			`end`

			`def verified_signature`
memoize verified_signature call 2017-06-15 11:37:03 +00:00			`@verified_signature \|\|= GPGME::Crypto.new.verify(@signature_text, signed_text: @signed_text) do \|verified_signature\|`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`return verified_signature`
			`end`
			`end`

			`def create_cached_signature!(gpg_key)`
			`GpgSignature.create!(`
			`commit_sha: commit.sha,`
			`project: commit.project,`
			`gpg_key: gpg_key,`
memoize verified_signature call 2017-06-15 11:37:03 +00:00			`gpg_key_primary_keyid: gpg_key&.primary_keyid \|\| verified_signature.fingerprint,`
allow updating of gpg signature through gpg commit 2017-06-15 12:18:00 +00:00			`valid_signature: self.class.gpg_signature_valid_signature_value(gpg_key, verified_signature)`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`)`
			`end`
allow updating of gpg signature through gpg commit 2017-06-15 12:18:00 +00:00
			`def self.gpg_signature_valid_signature_value(gpg_key, verified_signature_)`
			`!!(gpg_key && gpg_key.verified? && verified_signature_.valid?)`
			`end`
cache the gpg commit signature we store the result of the gpg commit verification in the db because the gpg verification is an expensive operation. 2017-06-14 09:51:34 +00:00			`end`
			`end`
			`end`