Add Debian Distribution Key models

e915de2c · Mathieu Parent · b10b06d8 · e915de2c · e915de2c · e915de2c
Commit e915de2c authored May 05, 2021 by Mathieu Parent
9 changed files
--- a/app/models/concerns/packages/debian/distribution.rb
+++ b/app/models/concerns/packages/debian/distribution.rb
@@ -18,6 +18,10 @@ module Packages
        belongs_to container_type
        belongs_to :creator, class_name: 'User'

+        has_one :key,
+          class_name: "Packages::Debian::#{container_type.capitalize}DistributionKey",
+          foreign_key: :distribution_id,
+          inverse_of: :distribution
        # component_files must be destroyed by ruby code in order to properly remove carrierwave uploads
        has_many :components,
          class_name: "Packages::Debian::#{container_type.capitalize}Component",

--- a/app/models/concerns/packages/debian/distribution_key.rb
+++ b/app/models/concerns/packages/debian/distribution_key.rb
+# frozen_string_literal: true
+
+module Packages
+  module Debian
+    module DistributionKey
+      extend ActiveSupport::Concern
+
+      included do
+        belongs_to :distribution, class_name: "Packages::Debian::#{container_type.capitalize}Distribution", inverse_of: :key
+        validates :distribution,
+          presence: true
+
+        validates :private_key, presence: true, length: { maximum: 512.kilobytes }
+        validates :passphrase, presence: true, length: { maximum: 255 }
+        validates :public_key, presence: true, length: { maximum: 512.kilobytes }
+        validates :fingerprint, presence: true, length: { maximum: 255 }
+
+        validate :private_key_armored, :public_key_armored
+
+        attr_encrypted :private_key,
+          mode: :per_attribute_iv,
+          key: Settings.attr_encrypted_db_key_base_32,
+          algorithm: 'aes-256-gcm'
+        attr_encrypted :passphrase,
+          mode: :per_attribute_iv,
+          key: Settings.attr_encrypted_db_key_base_32,
+          algorithm: 'aes-256-gcm'
+
+        private
+
+        def private_key_armored
+          if private_key.present? && !private_key.start_with?('-----BEGIN PGP PRIVATE KEY BLOCK-----')
+            errors.add(:private_key, 'must be ASCII armored')
+          end
+        end
+
+        def public_key_armored
+          if public_key.present? && !public_key.start_with?('-----BEGIN PGP PUBLIC KEY BLOCK-----')
+            errors.add(:public_key, 'must be ASCII armored')
+          end
+        end
+      end
+    end
+  end
+end
--- a/app/models/packages/debian/group_distribution_key.rb
+++ b/app/models/packages/debian/group_distribution_key.rb
+# frozen_string_literal: true
+
+class Packages::Debian::GroupDistributionKey < ApplicationRecord
+  def self.container_type
+    :group
+  end
+
+  include Packages::Debian::DistributionKey
+end
--- a/app/models/packages/debian/project_distribution_key.rb
+++ b/app/models/packages/debian/project_distribution_key.rb
+# frozen_string_literal: true
+
+class Packages::Debian::ProjectDistributionKey < ApplicationRecord
+  def self.container_type
+    :project
+  end
+
+  include Packages::Debian::DistributionKey
+end
--- a/spec/factories/packages/debian/distribution_key.rb
+++ b/spec/factories/packages/debian/distribution_key.rb
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :debian_project_distribution_key, class: 'Packages::Debian::ProjectDistributionKey' do
+    distribution { association(:debian_project_distribution) }
+
+    private_key { '-----BEGIN PGP PRIVATE KEY BLOCK-----' }
+    passphrase { '12345' }
+    public_key { '-----BEGIN PGP PUBLIC KEY BLOCK-----' }
+    fingerprint { '12345' }
+
+    factory :debian_group_distribution_key, class: 'Packages::Debian::GroupDistributionKey' do
+      distribution { association(:debian_group_distribution) }
+    end
+  end
+end
--- a/spec/models/packages/debian/group_distribution_key_spec.rb
+++ b/spec/models/packages/debian/group_distribution_key_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Packages::Debian::GroupDistributionKey do
+  it_behaves_like 'Debian Distribution Key', :group
+end
--- a/spec/models/packages/debian/project_distribution_key_spec.rb
+++ b/spec/models/packages/debian/project_distribution_key_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Packages::Debian::ProjectDistributionKey do
+  it_behaves_like 'Debian Distribution Key', :project
+end
--- a/spec/support/shared_examples/models/packages/debian/distribution_key_shared_examples.rb
+++ b/spec/support/shared_examples/models/packages/debian/distribution_key_shared_examples.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.shared_examples 'Debian Distribution Key' do |container|
+  let_it_be_with_refind(:distribution_key) { create("debian_#{container}_distribution_key") } # rubocop:disable Rails/SaveBang
+
+  subject { distribution_key }
+
+  describe 'relationships' do
+    it { is_expected.to belong_to(:distribution).class_name("Packages::Debian::#{container.capitalize}Distribution").inverse_of(:key) }
+  end
+
+  describe 'validations' do
+    describe "#distribution" do
+      it { is_expected.to validate_presence_of(:distribution) }
+    end
+
+    describe '#private_key' do
+      it { is_expected.to validate_presence_of(:private_key) }
+
+      it { is_expected.to allow_value("-----BEGIN PGP PRIVATE KEY BLOCK-----\n...").for(:private_key) }
+      it { is_expected.not_to allow_value('A').for(:private_key).with_message('must be ASCII armored') }
+    end
+
+    describe '#passphrase' do
+      it { is_expected.to validate_presence_of(:passphrase) }
+
+      it { is_expected.to allow_value('P@$$w0rd').for(:passphrase) }
+      it { is_expected.to allow_value('A' * 255).for(:passphrase) }
+      it { is_expected.not_to allow_value('A' * 256).for(:passphrase) }
+    end
+
+    describe '#public_key' do
+      it { is_expected.to validate_presence_of(:public_key) }
+
+      it { is_expected.to allow_value("-----BEGIN PGP PUBLIC KEY BLOCK-----\n...").for(:public_key) }
+      it { is_expected.not_to allow_value('A').for(:public_key).with_message('must be ASCII armored') }
+    end
+
+    describe '#fingerprint' do
+      it { is_expected.to validate_presence_of(:passphrase) }
+
+      it { is_expected.to allow_value('abc').for(:passphrase) }
+      it { is_expected.to allow_value('A' * 255).for(:passphrase) }
+      it { is_expected.not_to allow_value('A' * 256).for(:passphrase) }
+    end
+  end
+end
--- a/spec/support/shared_examples/models/packages/debian/distribution_shared_examples.rb
+++ b/spec/support/shared_examples/models/packages/debian/distribution_shared_examples.rb
@@ -17,6 +17,7 @@ RSpec.shared_examples 'Debian Distribution' do |factory, container, can_freeze|
    it { is_expected.to belong_to(container) }
    it { is_expected.to belong_to(:creator).class_name('User') }

+    it { is_expected.to have_one(:key).class_name("Packages::Debian::#{container.capitalize}DistributionKey").with_foreign_key(:distribution_id).inverse_of(:distribution) }
    it { is_expected.to have_many(:components).class_name("Packages::Debian::#{container.capitalize}Component").inverse_of(:distribution) }
    it { is_expected.to have_many(:architectures).class_name("Packages::Debian::#{container.capitalize}Architecture").inverse_of(:distribution) }
  end