Add api endpoint to get x509 signature

611e32ef · Roger Meier · Nick Thomas · 87111a8c · 611e32ef · 611e32ef
Commit 611e32ef authored Apr 03, 2020 by Roger Meier Committed by Nick Thomas Apr 03, 2020
9 changed files
--- a/changelogs/unreleased/feat-x509-signatures-api-endpoint.yml
+++ b/changelogs/unreleased/feat-x509-signatures-api-endpoint.yml
+---
+title: Add api endpoint to get x509 signature
+merge_request: 28590
+author: Roger Meier
+type: added
--- a/doc/api/commits.md
+++ b/doc/api/commits.md
@@ -741,19 +741,43 @@ Parameters:
 curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/repository/commits/da738facbc19eb2fc2cef57c49be0e6038570352/signature"
 ```

-Example response if commit is signed:
+Example response if commit is GPG signed:

 ```json
 {
+  "signature_type": "PGP",
+  "verification_status": "verified",
  "gpg_key_id": 1,
  "gpg_key_primary_keyid": "8254AAB3FBD54AC9",
  "gpg_key_user_name": "John Doe",
  "gpg_key_user_email": "johndoe@example.com",
-  "verification_status": "verified",
  "gpg_key_subkey_id": null
 }
 ```

+Example response if commit is x509 signed:
+
+```json
+{
+  "signature_type": "X509",
+  "verification_status": "unverified",
+  "x509_certificate": {
+    "id": 1,
+    "subject": "CN=gitlab@example.org,OU=Example,O=World",
+    "subject_key_identifier": "BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC",
+    "email": "gitlab@example.org",
+    "serial_number": 278969561018901340486471282831158785578,
+    "certificate_status": "good",
+    "x509_issuer": {
+      "id": 1,
+      "subject": "CN=PKI,OU=Example,O=World",
+      "subject_key_identifier": "AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB",
+      "crl_url": "http://example.com/pki.crl"
+    }
+  }
+}
+```
+
 Example response if commit is unsigned:

 ```json

--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -356,7 +356,7 @@ module API
        present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
      end

-      desc "Get a commit's GPG signature" do
+      desc "Get a commit's signature" do
        success Entities::CommitSignature
      end
      params do
@@ -365,11 +365,9 @@ module API
      get ':id/repository/commits/:sha/signature', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
        commit = user_project.commit(params[:sha])
        not_found! 'Commit' unless commit
+        not_found! 'Signature' unless commit.has_signature?

-        signature = commit.signature
-        not_found! 'GPG Signature' unless signature
-
-        present signature, with: Entities::CommitSignature
+        present commit, with: Entities::CommitSignature
      end
    end
  end

--- a/lib/api/entities/commit_signature.rb
+++ b/lib/api/entities/commit_signature.rb
@@ -3,10 +3,14 @@
 module API
  module Entities
    class CommitSignature < Grape::Entity
-      expose :gpg_key_id
-      expose :gpg_key_primary_keyid, :gpg_key_user_name, :gpg_key_user_email
-      expose :verification_status
-      expose :gpg_key_subkey_id
+      expose :signature_type
+      expose :signature, merge: true do |commit, options|
+        if commit.signature.is_a?(GpgSignature)
+          ::API::Entities::GpgCommitSignature.represent commit.signature, options
+        elsif commit.signature.is_a?(X509CommitSignature)
+          ::API::Entities::X509Signature.represent commit.signature, options
+        end
+      end
    end
  end
 end
--- a/lib/api/entities/gpg_commit_signature.rb
+++ b/lib/api/entities/gpg_commit_signature.rb
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class GpgCommitSignature < Grape::Entity
+      expose :verification_status
+      expose :gpg_key_id
+      expose :gpg_key_primary_keyid, :gpg_key_user_name, :gpg_key_user_email
+      expose :gpg_key_subkey_id
+    end
+  end
+end
--- a/lib/api/entities/x509_certificate.rb
+++ b/lib/api/entities/x509_certificate.rb
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class X509Certificate < Grape::Entity
+      expose :id
+      expose :subject
+      expose :subject_key_identifier
+      expose :email
+      expose :serial_number
+      expose :certificate_status
+      expose :x509_issuer, using: 'API::Entities::X509Issuer'
+    end
+  end
+end
--- a/lib/api/entities/x509_issuer.rb
+++ b/lib/api/entities/x509_issuer.rb
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class X509Issuer < Grape::Entity
+      expose :id
+      expose :subject
+      expose :subject_key_identifier
+      expose :crl_url
+    end
+  end
+end
--- a/lib/api/entities/x509_signature.rb
+++ b/lib/api/entities/x509_signature.rb
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class X509Signature < Grape::Entity
+      expose :verification_status
+      expose :x509_certificate, using: 'API::Entities::X509Certificate'
+    end
+  end
+end
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -1889,11 +1889,11 @@ describe API::Commits do
    context 'unsigned commit' do
      it_behaves_like '404 response' do
        let(:request) { get api(route, current_user) }
-        let(:message) { '404 GPG Signature Not Found'}
+        let(:message) { '404 Signature Not Found'}
      end
    end

-    context 'signed commit' do
+    context 'gpg signed commit' do
      let(:commit) { project.repository.commit(GpgHelpers::SIGNED_COMMIT_SHA) }
      let(:commit_id) { commit.id }

@@ -1901,11 +1901,35 @@ describe API::Commits do
        get api(route, current_user)

        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['signature_type']).to eq('PGP')
        expect(json_response['gpg_key_id']).to eq(commit.signature.gpg_key_id)
        expect(json_response['gpg_key_subkey_id']).to eq(commit.signature.gpg_key_subkey_id)
        expect(json_response['gpg_key_primary_keyid']).to eq(commit.signature.gpg_key_primary_keyid)
        expect(json_response['verification_status']).to eq(commit.signature.verification_status)
      end
    end
+
+    context 'x509 signed commit' do
+      let(:commit) { project.repository.commit_by(oid: '189a6c924013fc3fe40d6f1ec1dc20214183bc97') }
+      let(:commit_id) { commit.id }
+
+      it 'returns correct JSON' do
+        get api(route, current_user)
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['signature_type']).to eq('X509')
+        expect(json_response['verification_status']).to eq(commit.signature.verification_status)
+        expect(json_response['x509_certificate']['id']).to eq(commit.signature.x509_certificate.id)
+        expect(json_response['x509_certificate']['subject']).to eq(commit.signature.x509_certificate.subject)
+        expect(json_response['x509_certificate']['subject_key_identifier']).to eq(commit.signature.x509_certificate.subject_key_identifier)
+        expect(json_response['x509_certificate']['email']).to eq(commit.signature.x509_certificate.email)
+        expect(json_response['x509_certificate']['serial_number']).to eq(commit.signature.x509_certificate.serial_number)
+        expect(json_response['x509_certificate']['certificate_status']).to eq(commit.signature.x509_certificate.certificate_status)
+        expect(json_response['x509_certificate']['x509_issuer']['id']).to eq(commit.signature.x509_certificate.x509_issuer.id)
+        expect(json_response['x509_certificate']['x509_issuer']['subject']).to eq(commit.signature.x509_certificate.x509_issuer.subject)
+        expect(json_response['x509_certificate']['x509_issuer']['subject_key_identifier']).to eq(commit.signature.x509_certificate.x509_issuer.subject_key_identifier)
+        expect(json_response['x509_certificate']['x509_issuer']['crl_url']).to eq(commit.signature.x509_certificate.x509_issuer.crl_url)
+      end
+    end
  end
 end