Invalidate GpgSignatures associated to GpgKeySubkeys when revoking the GpgKey

app/models/gpg_key.rb

@@ -91,10 +91,11 @@ class GpgKey < ActiveRecord::Base
 
   def revoke
     GpgSignature
-      .where(gpg_key: self)
+      .with_key_and_subkeys(self)
       .where.not(verification_status: GpgSignature.verification_statuses[:unknown_key])
       .update_all(
         gpg_key_id: nil,
+        gpg_key_subkey_id: nil,
         verification_status: GpgSignature.verification_statuses[:unknown_key],
         updated_at: Time.zone.now
       )

app/models/gpg_signature.rb

@@ -21,6 +21,19 @@ class GpgSignature < ActiveRecord::Base
   validates :project_id, presence: true
   validates :gpg_key_primary_keyid, presence: true
 
+  def self.with_key_and_subkeys(gpg_key)
+    return none unless gpg_key
+
+    t = arel_table
+    subkey_ids = gpg_key&.subkeys&.pluck(:id)
+
+    where(
+      t[:gpg_key_id].eq(gpg_key&.id).or(
+        t[:gpg_key_subkey_id].in(subkey_ids)
+      )
+    )
+  end
+
   def gpg_key=(model)
     case model
     when GpgKey

db/post_migrate/20171002161539_create_gpg_key_subkeys_for_existing_gpg_keys.rb

@@ -30,7 +30,7 @@ class CreateGpgKeySubkeysForExistingGpgKeys < ActiveRecord::Migration
   def up
     GpgKey.with_subkeys.each_batch do |batch|
       batch.each do |gpg_key|
-        return if gpg_key.subkeys.any?
+        next if gpg_key.subkeys.any?
 
         create_subkeys(gpg_key) && update_signatures(gpg_key)
       end

spec/factories/gpg_signature.rb

@@ -5,7 +5,7 @@ FactoryGirl.define do
     commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
     project
     gpg_key
-    gpg_key_primary_keyid { gpg_key.primary_keyid }
+    gpg_key_primary_keyid { gpg_key.keyid }
     verification_status :verified
   end
 end

spec/models/gpg_key_spec.rb

@@ -191,5 +191,29 @@ describe GpgKey do
 
       expect(unrelated_gpg_key.destroyed?).to be false
     end
+
+    it 'deletes all the associated subkeys' do
+      gpg_key = create :gpg_key, key: GpgHelpers::User3.public_key
+
+      expect(gpg_key.subkeys).to be_present
+
+      gpg_key.revoke
+
+      expect(gpg_key.subkeys(true)).to be_blank
+    end
+
+    it 'invalidates all signatures associated to the subkeys' do
+      gpg_key = create :gpg_key, key: GpgHelpers::User3.public_key
+      gpg_key_subkey = gpg_key.subkeys.last
+      gpg_signature = create :gpg_signature, verification_status: :verified, gpg_key: gpg_key_subkey
+
+      gpg_key.revoke
+
+      expect(gpg_signature.reload).to have_attributes(
+        verification_status: 'unknown_key',
+        gpg_key: nil,
+        gpg_key_subkey: nil
+      )
+    end
   end
 end

spec/models/gpg_signature_spec.rb

 require 'rails_helper'
 
 RSpec.describe GpgSignature do
+  let(:gpg_key) { create(:gpg_key) }
+  let(:gpg_key_subkey) { create(:gpg_key_subkey) }
+
   describe 'associations' do
     it { is_expected.to belong_to(:project) }
     it { is_expected.to belong_to(:gpg_key) }
@@ -26,4 +29,26 @@ RSpec.describe GpgSignature do
       gpg_signature.commit
     end
   end
+
+  describe '#gpg_key=' do
+    it 'supports the assignment of a GpgKey' do
+      gpg_signature = create(:gpg_signature, gpg_key: gpg_key)
+
+      expect(gpg_signature.gpg_key).to be_an_instance_of(GpgKey)
+    end
+
+    it 'supports the assignment of a GpgKeySubkey' do
+      gpg_signature = create(:gpg_signature, gpg_key: gpg_key_subkey)
+
+      expect(gpg_signature.gpg_key).to be_an_instance_of(GpgKeySubkey)
+    end
+
+    it 'clears gpg_key and gpg_key_subkey_id when passing nil' do
+      gpg_signature = create(:gpg_signature, gpg_key: gpg_key_subkey)
+      gpg_signature.update_attribute(:gpg_key, nil)
+
+      expect(gpg_signature.gpg_key_id).to be_nil
+      expect(gpg_signature.gpg_key_subkey_id).to be_nil
+    end
+  end
 end