mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16782 Commits
17 Branches
Tree: f4923854f6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f4923854f6'
${ noResults }
gitea/tests/integration/gpg_git_test.go

gpg_git_test.go 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"encoding/base64"

  8. 	"fmt"

  9. 	"net/url"

  10. 	"os"

  11. 	"testing"

  12. 

  13. 	auth_model "code.gitea.io/gitea/models/auth"

  14. 	"code.gitea.io/gitea/models/unittest"

  15. 	user_model "code.gitea.io/gitea/models/user"

  16. 	"code.gitea.io/gitea/modules/process"

  17. 	"code.gitea.io/gitea/modules/setting"

  18. 	api "code.gitea.io/gitea/modules/structs"

  19. 	"code.gitea.io/gitea/modules/test"

  20. 	"code.gitea.io/gitea/tests"

  21. 

  22. 	"github.com/stretchr/testify/assert"

  23. 	"golang.org/x/crypto/openpgp"

  24. 	"golang.org/x/crypto/openpgp/armor"

  25. )

  26. 

  27. func TestGPGGit(t *testing.T) {

  28. 	tmpDir := t.TempDir() // use a temp dir to avoid messing with the user's GPG keyring

  29. 	err := os.Chmod(tmpDir, 0o700)

  30. 	assert.NoError(t, err)

  31. 

  32. 	oldGNUPGHome := os.Getenv("GNUPGHOME")

  33. 	err = os.Setenv("GNUPGHOME", tmpDir)

  34. 	assert.NoError(t, err)

  35. 	defer os.Setenv("GNUPGHOME", oldGNUPGHome)

  36. 

  37. 	// Need to create a root key

  38. 	rootKeyPair, err := importTestingKey(tmpDir, "gitea", "gitea@fake.local")

  39. 	if !assert.NoError(t, err, "importTestingKey") {

  40. 		return

  41. 	}

  42. 

  43. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningKey, rootKeyPair.PrimaryKey.KeyIdShortString())()

  44. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "gitea")()

  45. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "gitea@fake.local")()

  46. 	defer test.MockVariableValue(&setting.Repository.Signing.InitialCommit, []string{"never"})()

  47. 	defer test.MockVariableValue(&setting.Repository.Signing.CRUDActions, []string{"never"})()

  48. 

  49. 	username := "user2"

  50. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: username})

  51. 	baseAPITestContext := NewAPITestContext(t, username, "repo1")

  52. 

  53. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  54. 		u.Path = baseAPITestContext.GitPath()

  55. 

  56. 		t.Run("Unsigned-Initial", func(t *testing.T) {

  57. 			defer tests.PrintCurrentTest(t)()

  58. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  59. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  60. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  61. 				assert.NotNil(t, branch.Commit)

  62. 				assert.NotNil(t, branch.Commit.Verification)

  63. 				assert.False(t, branch.Commit.Verification.Verified)

  64. 				assert.Empty(t, branch.Commit.Verification.Signature)

  65. 			}))

  66. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  67. 				t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  68. 					assert.False(t, response.Verification.Verified)

  69. 				}))

  70. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  71. 				t, testCtx, user, "never", "never2", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  72. 					assert.False(t, response.Verification.Verified)

  73. 				}))

  74. 		})

  75. 

  76. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  77. 		t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {

  78. 			defer tests.PrintCurrentTest(t)()

  79. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  80. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  81. 				t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  82. 					assert.False(t, response.Verification.Verified)

  83. 				}))

  84. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  85. 				t, testCtx, user, "parentsigned", "parentsigned2", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  86. 					assert.False(t, response.Verification.Verified)

  87. 				}))

  88. 		})

  89. 

  90. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  91. 		t.Run("Unsigned-Initial-CRUD-Never", func(t *testing.T) {

  92. 			defer tests.PrintCurrentTest(t)()

  93. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  94. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  95. 				t, testCtx, user, "parentsigned", "parentsigned-never", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  96. 					assert.False(t, response.Verification.Verified)

  97. 				}))

  98. 		})

  99. 

  100. 		setting.Repository.Signing.CRUDActions = []string{"always"}

  101. 		t.Run("Unsigned-Initial-CRUD-Always", func(t *testing.T) {

  102. 			defer tests.PrintCurrentTest(t)()

  103. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  104. 			t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  105. 				t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  106. 					assert.NotNil(t, response.Verification)

  107. 					if response.Verification == nil {

  108. 						assert.FailNow(t, "no verification provided with response! %v", response)

  109. 						return

  110. 					}

  111. 					assert.True(t, response.Verification.Verified)

  112. 					if !response.Verification.Verified {

  113. 						t.FailNow()

  114. 						return

  115. 					}

  116. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  117. 				}))

  118. 			t.Run("CreateCRUDFile-ParentSigned-always", crudActionCreateFile(

  119. 				t, testCtx, user, "parentsigned", "parentsigned-always", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  120. 					assert.NotNil(t, response.Verification)

  121. 					if response.Verification == nil {

  122. 						assert.FailNow(t, "no verification provided with response! %v", response)

  123. 						return

  124. 					}

  125. 					assert.True(t, response.Verification.Verified)

  126. 					if !response.Verification.Verified {

  127. 						t.FailNow()

  128. 						return

  129. 					}

  130. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  131. 				}))

  132. 		})

  133. 

  134. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  135. 		t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {

  136. 			defer tests.PrintCurrentTest(t)()

  137. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  138. 			t.Run("CreateCRUDFile-Always-ParentSigned", crudActionCreateFile(

  139. 				t, testCtx, user, "always", "always-parentsigned", "signed-always-parentsigned.txt", func(t *testing.T, response api.FileResponse) {

  140. 					assert.NotNil(t, response.Verification)

  141. 					if response.Verification == nil {

  142. 						assert.FailNow(t, "no verification provided with response! %v", response)

  143. 						return

  144. 					}

  145. 					assert.True(t, response.Verification.Verified)

  146. 					if !response.Verification.Verified {

  147. 						t.FailNow()

  148. 						return

  149. 					}

  150. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  151. 				}))

  152. 		})

  153. 

  154. 		setting.Repository.Signing.InitialCommit = []string{"always"}

  155. 		t.Run("AlwaysSign-Initial", func(t *testing.T) {

  156. 			defer tests.PrintCurrentTest(t)()

  157. 			testCtx := NewAPITestContext(t, username, "initial-always", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  158. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  159. 			t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  160. 				assert.NotNil(t, branch.Commit)

  161. 				if branch.Commit == nil {

  162. 					assert.FailNow(t, "no commit provided with branch! %v", branch)

  163. 					return

  164. 				}

  165. 				assert.NotNil(t, branch.Commit.Verification)

  166. 				if branch.Commit.Verification == nil {

  167. 					assert.FailNow(t, "no verification provided with branch commit! %v", branch.Commit)

  168. 					return

  169. 				}

  170. 				assert.True(t, branch.Commit.Verification.Verified)

  171. 				if !branch.Commit.Verification.Verified {

  172. 					t.FailNow()

  173. 					return

  174. 				}

  175. 				assert.Equal(t, "gitea@fake.local", branch.Commit.Verification.Signer.Email)

  176. 			}))

  177. 		})

  178. 

  179. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  180. 		t.Run("AlwaysSign-Initial-CRUD-Never", func(t *testing.T) {

  181. 			defer tests.PrintCurrentTest(t)()

  182. 			testCtx := NewAPITestContext(t, username, "initial-always-never", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  183. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  184. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  185. 				t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  186. 					assert.False(t, response.Verification.Verified)

  187. 				}))

  188. 		})

  189. 

  190. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  191. 		t.Run("AlwaysSign-Initial-CRUD-ParentSigned-On-Always", func(t *testing.T) {

  192. 			defer tests.PrintCurrentTest(t)()

  193. 			testCtx := NewAPITestContext(t, username, "initial-always-parent", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  194. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  195. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  196. 				t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  197. 					assert.True(t, response.Verification.Verified)

  198. 					if !response.Verification.Verified {

  199. 						t.FailNow()

  200. 						return

  201. 					}

  202. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  203. 				}))

  204. 		})

  205. 

  206. 		setting.Repository.Signing.CRUDActions = []string{"always"}

  207. 		t.Run("AlwaysSign-Initial-CRUD-Always", func(t *testing.T) {

  208. 			defer tests.PrintCurrentTest(t)()

  209. 			testCtx := NewAPITestContext(t, username, "initial-always-always", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  210. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  211. 			t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  212. 				t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  213. 					assert.True(t, response.Verification.Verified)

  214. 					if !response.Verification.Verified {

  215. 						t.FailNow()

  216. 						return

  217. 					}

  218. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  219. 				}))

  220. 		})

  221. 

  222. 		setting.Repository.Signing.Merges = []string{"commitssigned"}

  223. 		t.Run("UnsignedMerging", func(t *testing.T) {

  224. 			defer tests.PrintCurrentTest(t)()

  225. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  226. 			t.Run("CreatePullRequest", func(t *testing.T) {

  227. 				pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "never2")(t)

  228. 				assert.NoError(t, err)

  229. 				t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  230. 			})

  231. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  232. 				assert.NotNil(t, branch.Commit)

  233. 				assert.NotNil(t, branch.Commit.Verification)

  234. 				assert.False(t, branch.Commit.Verification.Verified)

  235. 				assert.Empty(t, branch.Commit.Verification.Signature)

  236. 			}))

  237. 		})

  238. 

  239. 		setting.Repository.Signing.Merges = []string{"basesigned"}

  240. 		t.Run("BaseSignedMerging", func(t *testing.T) {

  241. 			defer tests.PrintCurrentTest(t)()

  242. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  243. 			t.Run("CreatePullRequest", func(t *testing.T) {

  244. 				pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "parentsigned2")(t)

  245. 				assert.NoError(t, err)

  246. 				t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  247. 			})

  248. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  249. 				assert.NotNil(t, branch.Commit)

  250. 				assert.NotNil(t, branch.Commit.Verification)

  251. 				assert.False(t, branch.Commit.Verification.Verified)

  252. 				assert.Empty(t, branch.Commit.Verification.Signature)

  253. 			}))

  254. 		})

  255. 

  256. 		setting.Repository.Signing.Merges = []string{"commitssigned"}

  257. 		t.Run("CommitsSignedMerging", func(t *testing.T) {

  258. 			defer tests.PrintCurrentTest(t)()

  259. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  260. 			t.Run("CreatePullRequest", func(t *testing.T) {

  261. 				pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "always-parentsigned")(t)

  262. 				assert.NoError(t, err)

  263. 				t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  264. 			})

  265. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  266. 				assert.NotNil(t, branch.Commit)

  267. 				assert.NotNil(t, branch.Commit.Verification)

  268. 				assert.True(t, branch.Commit.Verification.Verified)

  269. 			}))

  270. 		})

  271. 	})

  272. }

  273. 

  274. func crudActionCreateFile(t *testing.T, ctx APITestContext, user *user_model.User, from, to, path string, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {

  275. 	return doAPICreateFile(ctx, path, &api.CreateFileOptions{

  276. 		FileOptions: api.FileOptions{

  277. 			BranchName:    from,

  278. 			NewBranchName: to,

  279. 			Message:       fmt.Sprintf("from:%s to:%s path:%s", from, to, path),

  280. 			Author: api.Identity{

  281. 				Name:  user.FullName,

  282. 				Email: user.Email,

  283. 			},

  284. 			Committer: api.Identity{

  285. 				Name:  user.FullName,

  286. 				Email: user.Email,

  287. 			},

  288. 		},

  289. 		ContentBase64: base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("This is new text for %s", path))),

  290. 	}, callback...)

  291. }

  292. 

  293. func importTestingKey(tmpDir, name, email string) (*openpgp.Entity, error) {

  294. 	if _, _, err := process.GetManager().Exec("gpg --import tests/integration/private-testing.key", "gpg", "--import", "tests/integration/private-testing.key"); err != nil {

  295. 		return nil, err

  296. 	}

  297. 	keyringFile, err := os.Open("tests/integration/private-testing.key")

  298. 	if err != nil {

  299. 		return nil, err

  300. 	}

  301. 	defer keyringFile.Close()

  302. 

  303. 	block, err := armor.Decode(keyringFile)

  304. 	if err != nil {

  305. 		return nil, err

  306. 	}

  307. 

  308. 	keyring, err := openpgp.ReadKeyRing(block.Body)

  309. 	if err != nil {

  310. 		return nil, fmt.Errorf("Keyring access failed: '%w'", err)

  311. 	}

  312. 

  313. 	// There should only be one entity in this file.

  314. 	return keyring[0], nil

  315. }