Commit 7b616d39 authored by Alexis Reigel's avatar Alexis Reigel

gpg signature is only valid when key is verified

parent 8c4b6a32
......@@ -48,6 +48,10 @@ class GpgKey < ActiveRecord::Base
end
end
def verified?
emails_with_verified_status.any? { |_email, verified| verified }
end
private
def extract_fingerprint
......
......@@ -45,7 +45,7 @@ module Gitlab
project: commit.project,
gpg_key: gpg_key,
gpg_key_primary_keyid: gpg_key&.primary_keyid,
valid_signature: !!(gpg_key && verified_signature.valid?)
valid_signature: !!(gpg_key && gpg_key.verified? && verified_signature.valid?)
)
end
end
......
......@@ -10,9 +10,9 @@ RSpec.describe Gitlab::Gpg::Commit do
end
end
context 'known public key' do
context 'known and verified public key' do
it 'returns a valid signature' do
gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key
gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key, user: create(:user, email: GpgHelpers::User1.emails.first)
raw_commit = double(:raw_commit, signature: [
GpgHelpers::User1.signed_commit_signature,
......@@ -34,6 +34,30 @@ RSpec.describe Gitlab::Gpg::Commit do
end
end
context 'known but unverified public key' do
it 'returns an invalid signature' do
gpg_key = create :gpg_key, key: GpgHelpers::User1.public_key
raw_commit = double(:raw_commit, signature: [
GpgHelpers::User1.signed_commit_signature,
GpgHelpers::User1.signed_commit_base_data
], sha: '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33')
allow(raw_commit).to receive :save!
commit = create :commit,
git_commit: raw_commit,
project: project
expect(described_class.new(commit).signature).to have_attributes(
commit_sha: '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33',
project: project,
gpg_key: gpg_key,
gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
valid_signature: false
)
end
end
context 'unknown public key' do
it 'returns an invalid signature', :gpg do
raw_commit = double(:raw_commit, signature: [
......
......@@ -65,6 +65,22 @@ describe GpgKey do
end
end
describe '#verified?' do
it 'returns true one of the email addresses in the key belongs to the user' do
user = create :user, email: 'bette.cartwright@example.com'
gpg_key = create :gpg_key, key: GpgHelpers::User2.public_key, user: user
expect(gpg_key.verified?).to be_truthy
end
it 'returns false if one of the email addresses in the key does not belong to the user' do
user = create :user, email: 'someone.else@example.com'
gpg_key = create :gpg_key, key: GpgHelpers::User2.public_key, user: user
expect(gpg_key.verified?).to be_falsey
end
end
describe 'notification' do
include EmailHelpers
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment