From 24671cd601e93133787ff9746fcacc3cf5d3fbf4 Mon Sep 17 00:00:00 2001
From: Alexis Reigel <mail@koffeinfrei.org>
Date: Thu, 15 Jun 2017 14:22:37 +0200
Subject: [PATCH] update invalid gpg signatures when key is created

---
 app/models/gpg_key.rb                         |  5 ++
 .../gpg/invalid_gpg_signature_updater.rb      | 19 +++++++
 spec/factories/gpg_signature.rb               | 11 ++++
 .../gpg/invalid_gpg_signature_updater_spec.rb | 50 +++++++++++++++++++
 4 files changed, 85 insertions(+)
 create mode 100644 lib/gitlab/gpg/invalid_gpg_signature_updater.rb
 create mode 100644 spec/factories/gpg_signature.rb
 create mode 100644 spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb

diff --git a/app/models/gpg_key.rb b/app/models/gpg_key.rb
index 137abb60ddc..6ca108d6b87 100644
--- a/app/models/gpg_key.rb
+++ b/app/models/gpg_key.rb
@@ -28,6 +28,7 @@ class GpgKey < ActiveRecord::Base
     unless: -> { errors.has_key?(:key) }
 
   before_validation :extract_fingerprint, :extract_primary_keyid
+  after_create :update_invalid_gpg_signatures
   after_create :notify_user
 
   def key=(value)
@@ -66,6 +67,10 @@ class GpgKey < ActiveRecord::Base
     self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first
   end
 
+  def update_invalid_gpg_signatures
+    run_after_commit { Gitlab::Gpg::InvalidGpgSignatureUpdater.new(self).run }
+  end
+
   def notify_user
     run_after_commit { NotificationService.new.new_gpg_key(self) }
   end
diff --git a/lib/gitlab/gpg/invalid_gpg_signature_updater.rb b/lib/gitlab/gpg/invalid_gpg_signature_updater.rb
new file mode 100644
index 00000000000..6511a8f8285
--- /dev/null
+++ b/lib/gitlab/gpg/invalid_gpg_signature_updater.rb
@@ -0,0 +1,19 @@
+module Gitlab
+  module Gpg
+    class InvalidGpgSignatureUpdater
+      def initialize(gpg_key)
+        @gpg_key = gpg_key
+      end
+
+      def run
+        GpgSignature
+          .where(valid_signature: false)
+          .where(gpg_key_primary_keyid: @gpg_key.primary_keyid)
+          .find_each do |gpg_signature|
+            commit = Gitlab::Git::Commit.find(gpg_signature.project.repository, gpg_signature.commit_sha)
+            Gitlab::Gpg::Commit.new(commit).update_signature!(gpg_signature)
+          end
+      end
+    end
+  end
+end
diff --git a/spec/factories/gpg_signature.rb b/spec/factories/gpg_signature.rb
new file mode 100644
index 00000000000..a5aeffbe12d
--- /dev/null
+++ b/spec/factories/gpg_signature.rb
@@ -0,0 +1,11 @@
+require_relative '../support/gpg_helpers'
+
+FactoryGirl.define do
+  factory :gpg_signature do
+    commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
+    project
+    gpg_key
+    gpg_key_primary_keyid { gpg_key.primary_keyid }
+    valid_signature true
+  end
+end
diff --git a/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
new file mode 100644
index 00000000000..48f8fa285aa
--- /dev/null
+++ b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
@@ -0,0 +1,50 @@
+require 'rails_helper'
+
+RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
+  describe '#run' do
+    context 'gpg signature did not have an associated gpg key' do
+      let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
+      let!(:project) { create :project, :repository, path: 'sample-project' }
+      let!(:commit) do
+        raw_commit = double(:raw_commit, signature: [
+          GpgHelpers::User1.signed_commit_signature,
+          GpgHelpers::User1.signed_commit_base_data
+        ], sha: commit_sha)
+        allow(raw_commit).to receive :save!
+
+        create :commit, git_commit: raw_commit, project: project
+      end
+
+      let!(:gpg_signature) do
+        create :gpg_signature,
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+      end
+
+      before do
+        allow(Gitlab::Git::Commit).to receive(:find).with(kind_of(Repository), commit_sha).and_return(commit)
+      end
+
+      it 'updates the signature to being valid when the missing gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: create(:user, email: GpgHelpers::User1.emails.first)
+
+        expect(gpg_signature.reload.valid_signature).to be_truthy
+      end
+
+      it 'keeps the signature at being invalid when an unrelated gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        create :gpg_key,
+          key: GpgHelpers::User2.public_key,
+          user: create(:user, email: GpgHelpers::User2.emails.first)
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+      end
+    end
+  end
+end