mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8453 Commits
17 Branches
Tree: 9d9e6ac411
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9d9e6ac411'
${ noResults }
gitea/integrations/gpg_git_test.go

gpg_git_test.go 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package integrations

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"io/ioutil"

  11. 	"net/url"

  12. 	"os"

  13. 	"path/filepath"

  14. 	"testing"

  15. 

  16. 	"code.gitea.io/gitea/models"

  17. 	"code.gitea.io/gitea/modules/process"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	api "code.gitea.io/gitea/modules/structs"

  20. 	"github.com/stretchr/testify/assert"

  21. 	"golang.org/x/crypto/openpgp"

  22. 	"golang.org/x/crypto/openpgp/armor"

  23. )

  24. 

  25. func TestGPGGit(t *testing.T) {

  26. 	prepareTestEnv(t)

  27. 	username := "user2"

  28. 

  29. 	// OK Set a new GPG home

  30. 	tmpDir, err := ioutil.TempDir("", "temp-gpg")

  31. 	assert.NoError(t, err)

  32. 	defer os.RemoveAll(tmpDir)

  33. 

  34. 	err = os.Chmod(tmpDir, 0700)

  35. 	assert.NoError(t, err)

  36. 

  37. 	oldGNUPGHome := os.Getenv("GNUPGHOME")

  38. 	err = os.Setenv("GNUPGHOME", tmpDir)

  39. 	assert.NoError(t, err)

  40. 	defer os.Setenv("GNUPGHOME", oldGNUPGHome)

  41. 

  42. 	// Need to create a root key

  43. 	rootKeyPair, err := createGPGKey(tmpDir, "gitea", "gitea@fake.local")

  44. 	assert.NoError(t, err)

  45. 

  46. 	rootKeyID := rootKeyPair.PrimaryKey.KeyIdShortString()

  47. 

  48. 	oldKeyID := setting.Repository.Signing.SigningKey

  49. 	oldName := setting.Repository.Signing.SigningName

  50. 	oldEmail := setting.Repository.Signing.SigningEmail

  51. 	defer func() {

  52. 		setting.Repository.Signing.SigningKey = oldKeyID

  53. 		setting.Repository.Signing.SigningName = oldName

  54. 		setting.Repository.Signing.SigningEmail = oldEmail

  55. 	}()

  56. 

  57. 	setting.Repository.Signing.SigningKey = rootKeyID

  58. 	setting.Repository.Signing.SigningName = "gitea"

  59. 	setting.Repository.Signing.SigningEmail = "gitea@fake.local"

  60. 	user := models.AssertExistsAndLoadBean(t, &models.User{Name: username}).(*models.User)

  61. 

  62. 	setting.Repository.Signing.InitialCommit = []string{"never"}

  63. 	setting.Repository.Signing.CRUDActions = []string{"never"}

  64. 

  65. 	baseAPITestContext := NewAPITestContext(t, username, "repo1")

  66. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  67. 		u.Path = baseAPITestContext.GitPath()

  68. 

  69. 		t.Run("Unsigned-Initial", func(t *testing.T) {

  70. 			defer PrintCurrentTest(t)()

  71. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  72. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  73. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  74. 				assert.NotNil(t, branch.Commit)

  75. 				assert.NotNil(t, branch.Commit.Verification)

  76. 				assert.False(t, branch.Commit.Verification.Verified)

  77. 				assert.Empty(t, branch.Commit.Verification.Signature)

  78. 			}))

  79. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  80. 				t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  81. 					assert.False(t, response.Verification.Verified)

  82. 				}))

  83. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  84. 				t, testCtx, user, "never", "never2", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  85. 					assert.False(t, response.Verification.Verified)

  86. 				}))

  87. 		})

  88. 	}, false)

  89. 	setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  90. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  91. 		u.Path = baseAPITestContext.GitPath()

  92. 

  93. 		t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {

  94. 			defer PrintCurrentTest(t)()

  95. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  96. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  97. 				t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  98. 					assert.False(t, response.Verification.Verified)

  99. 				}))

  100. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  101. 				t, testCtx, user, "parentsigned", "parentsigned2", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  102. 					assert.False(t, response.Verification.Verified)

  103. 				}))

  104. 		})

  105. 	}, false)

  106. 	setting.Repository.Signing.CRUDActions = []string{"never"}

  107. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  108. 		u.Path = baseAPITestContext.GitPath()

  109. 

  110. 		t.Run("Unsigned-Initial-CRUD-Never", func(t *testing.T) {

  111. 			defer PrintCurrentTest(t)()

  112. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  113. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  114. 				t, testCtx, user, "parentsigned", "parentsigned-never", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  115. 					assert.False(t, response.Verification.Verified)

  116. 				}))

  117. 		})

  118. 	}, false)

  119. 	setting.Repository.Signing.CRUDActions = []string{"always"}

  120. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  121. 		u.Path = baseAPITestContext.GitPath()

  122. 

  123. 		t.Run("Unsigned-Initial-CRUD-Always", func(t *testing.T) {

  124. 			defer PrintCurrentTest(t)()

  125. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  126. 			t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  127. 				t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  128. 					assert.True(t, response.Verification.Verified)

  129. 					if !response.Verification.Verified {

  130. 						t.FailNow()

  131. 						return

  132. 					}

  133. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  134. 				}))

  135. 			t.Run("CreateCRUDFile-ParentSigned-always", crudActionCreateFile(

  136. 				t, testCtx, user, "parentsigned", "parentsigned-always", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  137. 					assert.True(t, response.Verification.Verified)

  138. 					if !response.Verification.Verified {

  139. 						t.FailNow()

  140. 						return

  141. 					}

  142. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  143. 				}))

  144. 		})

  145. 	}, false)

  146. 	setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  147. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  148. 		u.Path = baseAPITestContext.GitPath()

  149. 

  150. 		t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {

  151. 			defer PrintCurrentTest(t)()

  152. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  153. 			t.Run("CreateCRUDFile-Always-ParentSigned", crudActionCreateFile(

  154. 				t, testCtx, user, "always", "always-parentsigned", "signed-always-parentsigned.txt", func(t *testing.T, response api.FileResponse) {

  155. 					assert.True(t, response.Verification.Verified)

  156. 					if !response.Verification.Verified {

  157. 						t.FailNow()

  158. 						return

  159. 					}

  160. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  161. 				}))

  162. 		})

  163. 	}, false)

  164. 	setting.Repository.Signing.InitialCommit = []string{"always"}

  165. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  166. 		u.Path = baseAPITestContext.GitPath()

  167. 

  168. 		t.Run("AlwaysSign-Initial", func(t *testing.T) {

  169. 			defer PrintCurrentTest(t)()

  170. 			testCtx := NewAPITestContext(t, username, "initial-always")

  171. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  172. 			t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  173. 				assert.NotNil(t, branch.Commit)

  174. 				assert.NotNil(t, branch.Commit.Verification)

  175. 				assert.True(t, branch.Commit.Verification.Verified)

  176. 				if !branch.Commit.Verification.Verified {

  177. 					t.FailNow()

  178. 					return

  179. 				}

  180. 				assert.Equal(t, "gitea@fake.local", branch.Commit.Verification.Signer.Email)

  181. 			}))

  182. 		})

  183. 	}, false)

  184. 	setting.Repository.Signing.CRUDActions = []string{"never"}

  185. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  186. 		u.Path = baseAPITestContext.GitPath()

  187. 

  188. 		t.Run("AlwaysSign-Initial-CRUD-Never", func(t *testing.T) {

  189. 			defer PrintCurrentTest(t)()

  190. 			testCtx := NewAPITestContext(t, username, "initial-always-never")

  191. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  192. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  193. 				t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  194. 					assert.False(t, response.Verification.Verified)

  195. 				}))

  196. 		})

  197. 	}, false)

  198. 	setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  199. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  200. 		u.Path = baseAPITestContext.GitPath()

  201. 		t.Run("AlwaysSign-Initial-CRUD-ParentSigned-On-Always", func(t *testing.T) {

  202. 			defer PrintCurrentTest(t)()

  203. 			testCtx := NewAPITestContext(t, username, "initial-always-parent")

  204. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  205. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  206. 				t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  207. 					assert.True(t, response.Verification.Verified)

  208. 					if !response.Verification.Verified {

  209. 						t.FailNow()

  210. 						return

  211. 					}

  212. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  213. 				}))

  214. 		})

  215. 	}, false)

  216. 	setting.Repository.Signing.CRUDActions = []string{"always"}

  217. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  218. 		u.Path = baseAPITestContext.GitPath()

  219. 

  220. 		t.Run("AlwaysSign-Initial-CRUD-Always", func(t *testing.T) {

  221. 			defer PrintCurrentTest(t)()

  222. 			testCtx := NewAPITestContext(t, username, "initial-always-always")

  223. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  224. 			t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  225. 				t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  226. 					assert.True(t, response.Verification.Verified)

  227. 					if !response.Verification.Verified {

  228. 						t.FailNow()

  229. 						return

  230. 					}

  231. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  232. 				}))

  233. 

  234. 		})

  235. 	}, false)

  236. 	var pr api.PullRequest

  237. 	setting.Repository.Signing.Merges = []string{"commitssigned"}

  238. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  239. 		u.Path = baseAPITestContext.GitPath()

  240. 

  241. 		t.Run("UnsignedMerging", func(t *testing.T) {

  242. 			defer PrintCurrentTest(t)()

  243. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  244. 			var err error

  245. 			t.Run("CreatePullRequest", func(t *testing.T) {

  246. 				pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "never2")(t)

  247. 				assert.NoError(t, err)

  248. 			})

  249. 			t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  250. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  251. 				assert.NotNil(t, branch.Commit)

  252. 				assert.NotNil(t, branch.Commit.Verification)

  253. 				assert.False(t, branch.Commit.Verification.Verified)

  254. 				assert.Empty(t, branch.Commit.Verification.Signature)

  255. 			}))

  256. 		})

  257. 	}, false)

  258. 	setting.Repository.Signing.Merges = []string{"basesigned"}

  259. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  260. 		u.Path = baseAPITestContext.GitPath()

  261. 

  262. 		t.Run("BaseSignedMerging", func(t *testing.T) {

  263. 			defer PrintCurrentTest(t)()

  264. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  265. 			var err error

  266. 			t.Run("CreatePullRequest", func(t *testing.T) {

  267. 				pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "parentsigned2")(t)

  268. 				assert.NoError(t, err)

  269. 			})

  270. 			t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  271. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  272. 				assert.NotNil(t, branch.Commit)

  273. 				assert.NotNil(t, branch.Commit.Verification)

  274. 				assert.False(t, branch.Commit.Verification.Verified)

  275. 				assert.Empty(t, branch.Commit.Verification.Signature)

  276. 			}))

  277. 		})

  278. 	}, false)

  279. 	setting.Repository.Signing.Merges = []string{"commitssigned"}

  280. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  281. 		u.Path = baseAPITestContext.GitPath()

  282. 

  283. 		t.Run("CommitsSignedMerging", func(t *testing.T) {

  284. 			defer PrintCurrentTest(t)()

  285. 			testCtx := NewAPITestContext(t, username, "initial-unsigned")

  286. 			var err error

  287. 			t.Run("CreatePullRequest", func(t *testing.T) {

  288. 				pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "always-parentsigned")(t)

  289. 				assert.NoError(t, err)

  290. 			})

  291. 			t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  292. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  293. 				assert.NotNil(t, branch.Commit)

  294. 				assert.NotNil(t, branch.Commit.Verification)

  295. 				assert.True(t, branch.Commit.Verification.Verified)

  296. 			}))

  297. 

  298. 		})

  299. 	}, false)

  300. }

  301. 

  302. func crudActionCreateFile(t *testing.T, ctx APITestContext, user *models.User, from, to, path string, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {

  303. 	return doAPICreateFile(ctx, path, &api.CreateFileOptions{

  304. 		FileOptions: api.FileOptions{

  305. 			BranchName:    from,

  306. 			NewBranchName: to,

  307. 			Message:       fmt.Sprintf("from:%s to:%s path:%s", from, to, path),

  308. 			Author: api.Identity{

  309. 				Name:  user.FullName,

  310. 				Email: user.Email,

  311. 			},

  312. 			Committer: api.Identity{

  313. 				Name:  user.FullName,

  314. 				Email: user.Email,

  315. 			},

  316. 		},

  317. 		Content: base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("This is new text for %s", path))),

  318. 	}, callback...)

  319. }

  320. 

  321. func createGPGKey(tmpDir, name, email string) (*openpgp.Entity, error) {

  322. 	keyPair, err := openpgp.NewEntity(name, "test", email, nil)

  323. 	if err != nil {

  324. 		return nil, err

  325. 	}

  326. 

  327. 	for _, id := range keyPair.Identities {

  328. 		err := id.SelfSignature.SignUserId(id.UserId.Id, keyPair.PrimaryKey, keyPair.PrivateKey, nil)

  329. 		if err != nil {

  330. 			return nil, err

  331. 		}

  332. 	}

  333. 

  334. 	keyFile := filepath.Join(tmpDir, "temporary.key")

  335. 	keyWriter, err := os.Create(keyFile)

  336. 	if err != nil {

  337. 		return nil, err

  338. 	}

  339. 	defer keyWriter.Close()

  340. 	defer os.Remove(keyFile)

  341. 

  342. 	w, err := armor.Encode(keyWriter, openpgp.PrivateKeyType, nil)

  343. 	if err != nil {

  344. 		return nil, err

  345. 	}

  346. 	defer w.Close()

  347. 

  348. 	keyPair.SerializePrivate(w, nil)

  349. 	if err := w.Close(); err != nil {

  350. 		return nil, err

  351. 	}

  352. 	if err := keyWriter.Close(); err != nil {

  353. 		return nil, err

  354. 	}

  355. 

  356. 	if _, _, err := process.GetManager().Exec("gpg --import temporary.key", "gpg", "--import", keyFile); err != nil {

  357. 		return nil, err

  358. 	}

  359. 	return keyPair, nil

  360. }