update invalid gpg signatures when key is created

24671cd6 · Alexis Reigel · d48eb77a · 24671cd6 · 24671cd6 · 24671cd6
Commit 24671cd6 authored Jun 15, 2017 by Alexis Reigel
4 changed files
--- a/app/models/gpg_key.rb
+++ b/app/models/gpg_key.rb
@@ -28,6 +28,7 @@ class GpgKey < ActiveRecord::Base
    unless: -> { errors.has_key?(:key) }

  before_validation :extract_fingerprint, :extract_primary_keyid
+  after_create :update_invalid_gpg_signatures
  after_create :notify_user

  def key=(value)
@@ -66,6 +67,10 @@ class GpgKey < ActiveRecord::Base
    self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first
  end

+  def update_invalid_gpg_signatures
+    run_after_commit { Gitlab::Gpg::InvalidGpgSignatureUpdater.new(self).run }
+  end
+
  def notify_user
    run_after_commit { NotificationService.new.new_gpg_key(self) }
  end

--- a/lib/gitlab/gpg/invalid_gpg_signature_updater.rb
+++ b/lib/gitlab/gpg/invalid_gpg_signature_updater.rb
+module Gitlab
+  module Gpg
+    class InvalidGpgSignatureUpdater
+      def initialize(gpg_key)
+        @gpg_key = gpg_key
+      end
+
+      def run
+        GpgSignature
+          .where(valid_signature: false)
+          .where(gpg_key_primary_keyid: @gpg_key.primary_keyid)
+          .find_each do |gpg_signature|
+            commit = Gitlab::Git::Commit.find(gpg_signature.project.repository, gpg_signature.commit_sha)
+            Gitlab::Gpg::Commit.new(commit).update_signature!(gpg_signature)
+          end
+      end
+    end
+  end
+end
--- a/spec/factories/gpg_signature.rb
+++ b/spec/factories/gpg_signature.rb
+require_relative '../support/gpg_helpers'
+
+FactoryGirl.define do
+  factory :gpg_signature do
+    commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
+    project
+    gpg_key
+    gpg_key_primary_keyid { gpg_key.primary_keyid }
+    valid_signature true
+  end
+end
--- a/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
+++ b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
+require 'rails_helper'
+
+RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
+  describe '#run' do
+    context 'gpg signature did not have an associated gpg key' do
+      let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
+      let!(:project) { create :project, :repository, path: 'sample-project' }
+      let!(:commit) do
+        raw_commit = double(:raw_commit, signature: [
+          GpgHelpers::User1.signed_commit_signature,
+          GpgHelpers::User1.signed_commit_base_data
+        ], sha: commit_sha)
+        allow(raw_commit).to receive :save!
+
+        create :commit, git_commit: raw_commit, project: project
+      end
+
+      let!(:gpg_signature) do
+        create :gpg_signature,
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+          valid_signature: false
+      end
+
+      before do
+        allow(Gitlab::Git::Commit).to receive(:find).with(kind_of(Repository), commit_sha).and_return(commit)
+      end
+
+      it 'updates the signature to being valid when the missing gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: create(:user, email: GpgHelpers::User1.emails.first)
+
+        expect(gpg_signature.reload.valid_signature).to be_truthy
+      end
+
+      it 'keeps the signature at being invalid when an unrelated gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        create :gpg_key,
+          key: GpgHelpers::User2.public_key,
+          user: create(:user, email: GpgHelpers::User2.emails.first)
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+      end
+    end
+  end
+end