commit.rb 4 KB
Newer Older
1 2
# frozen_string_literal: true

3 4 5
module Gitlab
  module Gpg
    class Commit
6 7
      include Gitlab::Utils::StrongMemoize

8 9
      def initialize(commit)
        @commit = commit
10

11
        repo = commit.project.repository.raw_repository
12 13 14 15 16 17 18 19 20 21 22 23 24
        @signature_data = Gitlab::Git::Commit.extract_signature_lazily(repo, commit.sha || commit.id)
      end

      def signature_text
        strong_memoize(:signature_text) do
          @signature_data&.itself && @signature_data[0]
        end
      end

      def signed_text
        strong_memoize(:signed_text) do
          @signature_data&.itself && @signature_data[1]
        end
25 26 27
      end

      def has_signature?
28
        !!(signature_text && signed_text)
29 30
      end

31
      # rubocop: disable CodeReuse/ActiveRecord
32
      def signature
33 34
        return unless has_signature?

35
        return @signature if @signature
36

37
        cached_signature = GpgSignature.find_by(commit_sha: @commit.sha)
38 39 40
        return @signature = cached_signature if cached_signature.present?

        @signature = create_cached_signature!
41
      end
42
      # rubocop: enable CodeReuse/ActiveRecord
43

44 45
      def update_signature!(cached_signature)
        using_keychain do |gpg_key|
Lin Jen-Shin's avatar
Lin Jen-Shin committed
46
          cached_signature.update!(attributes(gpg_key))
47
          @signature = cached_signature
48 49 50
        end
      end

51 52 53
      private

      def using_keychain
54 55 56 57 58
        Gitlab::Gpg.using_tmp_keychain do
          # first we need to get the keyid from the signature to query the gpg
          # key belonging to the keyid.
          # This way we can add the key to the temporary keychain and extract
          # the proper signature.
59 60
          # NOTE: the invoked method is #fingerprint but it's only returning
          # 16 characters (the format used by keyid) instead of 40.
61 62 63 64 65
          fingerprint = verified_signature&.fingerprint

          break unless fingerprint

          gpg_key = find_gpg_key(fingerprint)
66 67 68

          if gpg_key
            Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)
69
            clear_memoization(:verified_signature)
70 71
          end

72
          yield gpg_key
73 74 75 76
        end
      end

      def verified_signature
77 78 79 80 81 82
        strong_memoize(:verified_signature) { gpgme_signature }
      end

      def gpgme_signature
        GPGME::Crypto.new.verify(signature_text, signed_text: signed_text) do |verified_signature|
          # Return the first signature for now: https://gitlab.com/gitlab-org/gitlab-ce/issues/54932
Alexis Reigel's avatar
Alexis Reigel committed
83
          break verified_signature
84
        end
85 86
      rescue GPGME::Error
        nil
87 88
      end

89 90
      def create_cached_signature!
        using_keychain do |gpg_key|
91 92 93 94
          attributes = attributes(gpg_key)
          break GpgSignature.new(attributes) if Gitlab::Database.read_only?

          GpgSignature.safe_create!(attributes)
95
        end
96 97 98 99
      end

      def attributes(gpg_key)
        user_infos = user_infos(gpg_key)
100
        verification_status = verification_status(gpg_key)
101 102

        {
103 104
          commit_sha: @commit.sha,
          project: @commit.project,
105
          gpg_key: gpg_key,
106
          gpg_key_primary_keyid: gpg_key&.keyid || verified_signature&.fingerprint,
107 108
          gpg_key_user_name: user_infos[:name],
          gpg_key_user_email: user_infos[:email],
109
          verification_status: verification_status
110
        }
111
      end
112

113
      def verification_status(gpg_key)
114 115
        return :unknown_key unless gpg_key
        return :unverified_key unless gpg_key.verified?
116
        return :unverified unless verified_signature&.valid?
117 118

        if gpg_key.verified_and_belongs_to_email?(@commit.committer_email)
119
          :verified
120
        elsif gpg_key.user.all_emails.include?(@commit.committer_email)
121
          :same_user_different_email
122
        else
123
          :other_user
124
        end
125
      end
126 127 128 129

      def user_infos(gpg_key)
        gpg_key&.verified_user_infos&.first || gpg_key&.user_infos&.first || {}
      end
130

131
      # rubocop: disable CodeReuse/ActiveRecord
132 133 134
      def find_gpg_key(keyid)
        GpgKey.find_by(primary_keyid: keyid) || GpgKeySubkey.find_by(keyid: keyid)
      end
135
      # rubocop: enable CodeReuse/ActiveRecord
136 137 138
    end
  end
end