Commit 0d1bae05 authored by Thong Kuah's avatar Thong Kuah

Merge branch 'feat/x509-update-signatures-rake-task' into 'master'

Add rake task to update x509 signatures

See merge request gitlab-org/gitlab!28406
parents e4eae4ab 235a8d33
---
title: Add rake task to update x509 signatures
merge_request: 28406
author: Roger Meier
type: added
...@@ -36,3 +36,4 @@ The following are available Rake tasks: ...@@ -36,3 +36,4 @@ The following are available Rake tasks:
| [Uploads sanitize](../administration/raketasks/uploads/sanitize.md) | Remove EXIF data from images uploaded to earlier versions of GitLab. | | [Uploads sanitize](../administration/raketasks/uploads/sanitize.md) | Remove EXIF data from images uploaded to earlier versions of GitLab. |
| [User management](user_management.md) | Perform user management tasks. | | [User management](user_management.md) | Perform user management tasks. |
| [Webhooks administration](web_hooks.md) | Maintain project Webhooks. | | [Webhooks administration](web_hooks.md) | Maintain project Webhooks. |
| [X509 signatures](x509_signatures.md) | Update x509 commit signatures, useful if certificate store has changed. |
# X509 signatures
When [signing commits with x509](../user/project/repository/x509_signed_commits/index.md)
the trust anchor might change and the signatures stored within the database have
to be updated.
## Update all x509 signatures
This task loops through all X509 signed commits and updates their verification
based on current certificate store.
**Omnibus Installation**
```shell
sudo gitlab-rake gitlab:x509:update_signatures
```
**Source Installation**
```shell
sudo -u git -H bundle exec rake gitlab:x509:update_signatures RAILS_ENV=production
```
require 'logger'
desc "GitLab | X509 | Update signatures when certificate store has changed"
namespace :gitlab do
namespace :x509 do
task update_signatures: :environment do
update_certificates
end
def update_certificates
logger = Logger.new(STDOUT)
unless X509CommitSignature.exists?
logger.info("Unable to find any x509 commit signatures. Exiting.")
return
end
logger.info("Start to update x509 commit signatures")
X509CommitSignature.find_each do |sig|
sig.x509_commit&.update_signature!(sig)
end
logger.info("End update x509 commit signatures")
end
end
end
# frozen_string_literal: true
require 'rake_helper'
describe 'gitlab:x509 namespace rake task' do
before :all do
Rake.application.rake_require 'tasks/gitlab/x509/update'
end
describe 'update_signatures' do
subject { run_rake_task('gitlab:x509:update_signatures') }
let(:project) { create :project, :repository, path: X509Helpers::User1.path }
let(:x509_signed_commit) { project.commit_by(oid: '189a6c924013fc3fe40d6f1ec1dc20214183bc97') }
let(:x509_commit) { Gitlab::X509::Commit.new(x509_signed_commit).signature }
it 'changes from unverified to verified if the certificate store contains the root certificate' do
x509_commit
store = OpenSSL::X509::Store.new
certificate = OpenSSL::X509::Certificate.new X509Helpers::User1.trust_cert
store.add_cert(certificate)
allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
expect(x509_commit.verification_status).to eq('unverified')
expect_any_instance_of(Gitlab::X509::Commit).to receive(:update_signature!).and_call_original
subject
x509_commit.reload
expect(x509_commit.verification_status).to eq('verified')
end
it 'returns if no signature is available' do
expect_any_instance_of(Gitlab::X509::Commit) do |x509_commit|
expect(x509_commit).not_to receive(:update_signature!)
subject
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment