summaryrefslogtreecommitdiffstats
path: root/models/pull_sign.go
diff options
context:
space:
mode:
Diffstat (limited to 'models/pull_sign.go')
-rw-r--r--models/pull_sign.go121
1 files changed, 121 insertions, 0 deletions
diff --git a/models/pull_sign.go b/models/pull_sign.go
new file mode 100644
index 0000000000..19d8907c3d
--- /dev/null
+++ b/models/pull_sign.go
@@ -0,0 +1,121 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+import (
+ "code.gitea.io/gitea/modules/git"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+)
+
+// SignMerge determines if we should sign a PR merge commit to the base repository
+func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string) {
+ if err := pr.GetBaseRepo(); err != nil {
+ log.Error("Unable to get Base Repo for pull request")
+ return false, ""
+ }
+ repo := pr.BaseRepo
+
+ signingKey := signingKey(repo.RepoPath())
+ if signingKey == "" {
+ return false, ""
+ }
+ rules := signingModeFromStrings(setting.Repository.Signing.Merges)
+
+ var gitRepo *git.Repository
+ var err error
+
+ for _, rule := range rules {
+ switch rule {
+ case never:
+ return false, ""
+ case always:
+ break
+ case pubkey:
+ keys, err := ListGPGKeys(u.ID)
+ if err != nil || len(keys) == 0 {
+ return false, ""
+ }
+ case twofa:
+ twofa, err := GetTwoFactorByUID(u.ID)
+ if err != nil || twofa == nil {
+ return false, ""
+ }
+ case approved:
+ protectedBranch, err := GetProtectedBranchBy(repo.ID, pr.BaseBranch)
+ if err != nil || protectedBranch == nil {
+ return false, ""
+ }
+ if protectedBranch.GetGrantedApprovalsCount(pr) < 1 {
+ return false, ""
+ }
+ case baseSigned:
+ if gitRepo == nil {
+ gitRepo, err = git.OpenRepository(tmpBasePath)
+ if err != nil {
+ return false, ""
+ }
+ defer gitRepo.Close()
+ }
+ commit, err := gitRepo.GetCommit(baseCommit)
+ if err != nil {
+ return false, ""
+ }
+ verification := ParseCommitWithSignature(commit)
+ if !verification.Verified {
+ return false, ""
+ }
+ case headSigned:
+ if gitRepo == nil {
+ gitRepo, err = git.OpenRepository(tmpBasePath)
+ if err != nil {
+ return false, ""
+ }
+ defer gitRepo.Close()
+ }
+ commit, err := gitRepo.GetCommit(headCommit)
+ if err != nil {
+ return false, ""
+ }
+ verification := ParseCommitWithSignature(commit)
+ if !verification.Verified {
+ return false, ""
+ }
+ case commitsSigned:
+ if gitRepo == nil {
+ gitRepo, err = git.OpenRepository(tmpBasePath)
+ if err != nil {
+ return false, ""
+ }
+ defer gitRepo.Close()
+ }
+ commit, err := gitRepo.GetCommit(headCommit)
+ if err != nil {
+ return false, ""
+ }
+ verification := ParseCommitWithSignature(commit)
+ if !verification.Verified {
+ return false, ""
+ }
+ // need to work out merge-base
+ mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit)
+ if err != nil {
+ return false, ""
+ }
+ commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit)
+ if err != nil {
+ return false, ""
+ }
+ for e := commitList.Front(); e != nil; e = e.Next() {
+ commit = e.Value.(*git.Commit)
+ verification := ParseCommitWithSignature(commit)
+ if !verification.Verified {
+ return false, ""
+ }
+ }
+ }
+ }
+ return true, signingKey
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-05 03:51:57 +0000