diff options
| author | zeripath <art27@cantab.net> | 2020-01-15 08:32:57 +0000 |
|---|---|---|
| committer | Antoine GIRARD <sapk@users.noreply.github.com> | 2020-01-15 09:32:57 +0100 |
| commit | 66ee9b87f9aaabef836ec72bfaf8032b359b29c1 (patch) | |
| tree | b6d134fb5ccc83c4b7ddad6a0eb6206496cc8b76 /models/pull_sign.go | |
| parent | 6b1fa1235904947187266789b204f19bc03872be (diff) | |
| download | gitea-66ee9b87f9aaabef836ec72bfaf8032b359b29c1.tar.gz gitea-66ee9b87f9aaabef836ec72bfaf8032b359b29c1.zip | |
Add require signed commit for protected branch (#9708)
* Add require signed commit for protected branch
* Fix fmt
* Make editor show if they will be signed
* bugfix
* Add basic merge check and better information for CRUD
* linting comment
* Add descriptors to merge signing
* Slight refactor
* Slight improvement to appearances
* Handle Merge API
* manage CRUD API
* Move error to error.go
* Remove fix to delete.go
* prep for merge
* need to tolerate \r\n in message
* check protected branch before trying to load it
* Apply suggestions from code review
Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>
* fix commit-reader
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
Diffstat (limited to 'models/pull_sign.go')
| -rw-r--r-- | models/pull_sign.go | 59 |
1 files changed, 34 insertions, 25 deletions
diff --git a/models/pull_sign.go b/models/pull_sign.go index 19d8907c3d..1d3474abe7 100644 --- a/models/pull_sign.go +++ b/models/pull_sign.go @@ -11,16 +11,16 @@ import ( ) // SignMerge determines if we should sign a PR merge commit to the base repository -func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string) { +func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string, error) { if err := pr.GetBaseRepo(); err != nil { log.Error("Unable to get Base Repo for pull request") - return false, "" + return false, "", err } repo := pr.BaseRepo signingKey := signingKey(repo.RepoPath()) if signingKey == "" { - return false, "" + return false, "", &ErrWontSign{noKey} } rules := signingModeFromStrings(setting.Repository.Signing.Merges) @@ -30,92 +30,101 @@ func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit st for _, rule := range rules { switch rule { case never: - return false, "" + return false, "", &ErrWontSign{never} case always: break case pubkey: keys, err := ListGPGKeys(u.ID) - if err != nil || len(keys) == 0 { - return false, "" + if err != nil { + return false, "", err + } + if len(keys) == 0 { + return false, "", &ErrWontSign{pubkey} } case twofa: - twofa, err := GetTwoFactorByUID(u.ID) - if err != nil || twofa == nil { - return false, "" + twofaModel, err := GetTwoFactorByUID(u.ID) + if err != nil { + return false, "", err + } + if twofaModel == nil { + return false, "", &ErrWontSign{twofa} } case approved: protectedBranch, err := GetProtectedBranchBy(repo.ID, pr.BaseBranch) - if err != nil || protectedBranch == nil { - return false, "" + if err != nil { + return false, "", err + } + if protectedBranch == nil { + return false, "", &ErrWontSign{approved} } if protectedBranch.GetGrantedApprovalsCount(pr) < 1 { - return false, "" + return false, "", &ErrWontSign{approved} } case baseSigned: if gitRepo == nil { gitRepo, err = git.OpenRepository(tmpBasePath) if err != nil { - return false, "" + return false, "", err } defer gitRepo.Close() } commit, err := gitRepo.GetCommit(baseCommit) if err != nil { - return false, "" + return false, "", err } verification := ParseCommitWithSignature(commit) if !verification.Verified { - return false, "" + return false, "", &ErrWontSign{baseSigned} } case headSigned: if gitRepo == nil { gitRepo, err = git.OpenRepository(tmpBasePath) if err != nil { - return false, "" + return false, "", err } defer gitRepo.Close() } commit, err := gitRepo.GetCommit(headCommit) if err != nil { - return false, "" + return false, "", err } verification := ParseCommitWithSignature(commit) if !verification.Verified { - return false, "" + return false, "", &ErrWontSign{headSigned} } case commitsSigned: if gitRepo == nil { gitRepo, err = git.OpenRepository(tmpBasePath) if err != nil { - return false, "" + return false, "", err } defer gitRepo.Close() } commit, err := gitRepo.GetCommit(headCommit) if err != nil { - return false, "" + return false, "", err } verification := ParseCommitWithSignature(commit) if !verification.Verified { - return false, "" + return false, "", &ErrWontSign{commitsSigned} } // need to work out merge-base mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit) if err != nil { - return false, "" + return false, "", err } commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit) if err != nil { - return false, "" + return false, "", err } for e := commitList.Front(); e != nil; e = e.Next() { commit = e.Value.(*git.Commit) verification := ParseCommitWithSignature(commit) if !verification.Verified { - return false, "" + return false, "", &ErrWontSign{commitsSigned} } } } } - return true, signingKey + return true, signingKey, nil } |