Commit dd139e65 authored by Rubén Dávila's avatar Rubén Dávila

Invalidate GpgSignatures associated to GpgKeySubkeys when revoking the GpgKey

parent 2577cc99
...@@ -91,10 +91,11 @@ class GpgKey < ActiveRecord::Base ...@@ -91,10 +91,11 @@ class GpgKey < ActiveRecord::Base
def revoke def revoke
GpgSignature GpgSignature
.where(gpg_key: self) .with_key_and_subkeys(self)
.where.not(verification_status: GpgSignature.verification_statuses[:unknown_key]) .where.not(verification_status: GpgSignature.verification_statuses[:unknown_key])
.update_all( .update_all(
gpg_key_id: nil, gpg_key_id: nil,
gpg_key_subkey_id: nil,
verification_status: GpgSignature.verification_statuses[:unknown_key], verification_status: GpgSignature.verification_statuses[:unknown_key],
updated_at: Time.zone.now updated_at: Time.zone.now
) )
......
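Review bot: The `update_all` in `revoke` now clears two foreign keys, and nothing in the method says why the second one is needed. A short comment above the query would help, for example `# Signatures made with a subkey are linked through gpg_key_subkey_id, so both columns are reset`; the new scope and the specs suggest that linkage, but the setter itself is only partly visible. Note that `update_all` issues a single SQL UPDATE and skips validations and callbacks. `revoke` continues past the end of the hunk, so it is not visible here whether the reset and the key removal share a transaction.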
...@@ -21,6 +21,19 @@ class GpgSignature < ActiveRecord::Base ...@@ -21,6 +21,19 @@ class GpgSignature < ActiveRecord::Base
validates :project_id, presence: true validates :project_id, presence: true
validates :gpg_key_primary_keyid, presence: true validates :gpg_key_primary_keyid, presence: true
def self.with_key_and_subkeys(gpg_key)
return none unless gpg_key
t = arel_table
subkey_ids = gpg_key&.subkeys&.pluck(:id)
where(
t[:gpg_key_id].eq(gpg_key&.id).or(
t[:gpg_key_subkey_id].in(subkey_ids)
)
)
end
def gpg_key=(model) def gpg_key=(model)
case model case model
when GpgKey when GpgKey
......
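Review bot: The guard `return none unless gpg_key` in `with_key_and_subkeys` does not cover a GpgKey that has no id yet, and Arel renders `eq(nil)` as `IS NULL`. If signatures made with a subkey leave `gpg_key_id` empty, as the `gpg_key=` specs suggest, such a call would match every subkey-signed signature, and `revoke` would then reset them all. Guarding on the id closes this: `return none unless gpg_key&.id`. With that guard in place, the `&.` in `gpg_key&.subkeys&.pluck(:id)` and `gpg_key&.id` is redundant and can become a plain `.`.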
...@@ -30,7 +30,7 @@ class CreateGpgKeySubkeysForExistingGpgKeys < ActiveRecord::Migration ...@@ -30,7 +30,7 @@ class CreateGpgKeySubkeysForExistingGpgKeys < ActiveRecord::Migration
def up def up
GpgKey.with_subkeys.each_batch do |batch| GpgKey.with_subkeys.each_batch do |batch|
batch.each do |gpg_key| batch.each do |gpg_key|
return if gpg_key.subkeys.any? next if gpg_key.subkeys.any?
create_subkeys(gpg_key) && update_signatures(gpg_key) create_subkeys(gpg_key) && update_signatures(gpg_key)
end end
......
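Review bot: The skip check `next if gpg_key.subkeys.any?` only shows that subkeys exist, not that the key's signatures were relinked. `create_subkeys(gpg_key) && update_signatures(gpg_key)` stops at the first falsy result, and a rerun then skips that key because its subkeys are already there. Signatures left without a subkey link would presumably not be picked up when the key is later revoked. Both helpers are outside the hunk, so this is inferred; if they can fail independently, running both per key in one transaction, or logging the key id when either returns false, would make a partial run visible.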
...@@ -5,7 +5,7 @@ FactoryGirl.define do ...@@ -5,7 +5,7 @@ FactoryGirl.define do
commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) } commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
project project
gpg_key gpg_key
gpg_key_primary_keyid { gpg_key.primary_keyid } gpg_key_primary_keyid { gpg_key.keyid }
verification_status :verified verification_status :verified
end end
end end
...@@ -191,5 +191,29 @@ describe GpgKey do ...@@ -191,5 +191,29 @@ describe GpgKey do
expect(unrelated_gpg_key.destroyed?).to be false expect(unrelated_gpg_key.destroyed?).to be false
end end
it 'deletes all the associated subkeys' do
gpg_key = create :gpg_key, key: GpgHelpers::User3.public_key
expect(gpg_key.subkeys).to be_present
gpg_key.revoke
expect(gpg_key.subkeys(true)).to be_blank
end
it 'invalidates all signatures associated to the subkeys' do
gpg_key = create :gpg_key, key: GpgHelpers::User3.public_key
gpg_key_subkey = gpg_key.subkeys.last
gpg_signature = create :gpg_signature, verification_status: :verified, gpg_key: gpg_key_subkey
gpg_key.revoke
expect(gpg_signature.reload).to have_attributes(
verification_status: 'unknown_key',
gpg_key: nil,
gpg_key_subkey: nil
)
end
end end
end end
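Review bot: The new example 'invalidates all signatures associated to the subkeys' checks only the positive case; nothing asserts that a verified signature belonging to another key, or to another key's subkey, survives `gpg_key.revoke`. Since the scope now combines two columns with OR, a negative check guards against over-matching: create a second signature for an unrelated key and add `expect(unrelated_signature.reload.verification_status).to eq('verified')`. The enclosing `describe` block starts outside the hunk.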
require 'rails_helper' require 'rails_helper'
RSpec.describe GpgSignature do RSpec.describe GpgSignature do
let(:gpg_key) { create(:gpg_key) }
let(:gpg_key_subkey) { create(:gpg_key_subkey) }
describe 'associations' do describe 'associations' do
it { is_expected.to belong_to(:project) } it { is_expected.to belong_to(:project) }
it { is_expected.to belong_to(:gpg_key) } it { is_expected.to belong_to(:gpg_key) }
...@@ -26,4 +29,26 @@ RSpec.describe GpgSignature do ...@@ -26,4 +29,26 @@ RSpec.describe GpgSignature do
gpg_signature.commit gpg_signature.commit
end end
end end
describe '#gpg_key=' do
it 'supports the assignment of a GpgKey' do
gpg_signature = create(:gpg_signature, gpg_key: gpg_key)
expect(gpg_signature.gpg_key).to be_an_instance_of(GpgKey)
end
it 'supports the assignment of a GpgKeySubkey' do
gpg_signature = create(:gpg_signature, gpg_key: gpg_key_subkey)
expect(gpg_signature.gpg_key).to be_an_instance_of(GpgKeySubkey)
end
it 'clears gpg_key and gpg_key_subkey_id when passing nil' do
gpg_signature = create(:gpg_signature, gpg_key: gpg_key_subkey)
gpg_signature.update_attribute(:gpg_key, nil)
expect(gpg_signature.gpg_key_id).to be_nil
expect(gpg_signature.gpg_key_subkey_id).to be_nil
end
end
end end
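Review bot: `GpgSignature.with_key_and_subkeys` is introduced by this commit but has no example in this spec; the added `describe '#gpg_key='` block covers only the setter. A `describe '.with_key_and_subkeys'` with cases for `nil`, a key without subkeys and a key with subkeys would pin the scope that decides which signatures are reset on revocation. The simplest case is one line: `expect(described_class.with_key_and_subkeys(nil)).to be_empty`.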