mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8148 Commits
17 Branches
Tree: fcb535c5c3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fcb535c5c3'
${ noResults }
gitea/integrations/gpg_git_test.go

gpg_git_test.go 10KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package integrations

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"io/ioutil"

  11. 	"net/url"

  12. 	"os"

  13. 	"path/filepath"

  14. 	"testing"

  15. 

  16. 	"code.gitea.io/gitea/models"

  17. 	"code.gitea.io/gitea/modules/process"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	api "code.gitea.io/gitea/modules/structs"

  20. 	"github.com/stretchr/testify/assert"

  21. 	"golang.org/x/crypto/openpgp"

  22. 	"golang.org/x/crypto/openpgp/armor"

  23. )

  24. 

  25. func TestGPGGit(t *testing.T) {

  26. 	onGiteaRun(t, testGPGGit)

  27. }

  28. 

  29. func testGPGGit(t *testing.T, u *url.URL) {

  30. 	username := "user2"

  31. 	baseAPITestContext := NewAPITestContext(t, username, "repo1")

  32. 

  33. 	u.Path = baseAPITestContext.GitPath()

  34. 

  35. 	// OK Set a new GPG home

  36. 	tmpDir, err := ioutil.TempDir("", "temp-gpg")

  37. 	assert.NoError(t, err)

  38. 	defer os.RemoveAll(tmpDir)

  39. 

  40. 	err = os.Chmod(tmpDir, 0700)

  41. 	assert.NoError(t, err)

  42. 

  43. 	oldGNUPGHome := os.Getenv("GNUPGHOME")

  44. 	err = os.Setenv("GNUPGHOME", tmpDir)

  45. 	assert.NoError(t, err)

  46. 	defer os.Setenv("GNUPGHOME", oldGNUPGHome)

  47. 

  48. 	// Need to create a root key

  49. 	rootKeyPair, err := createGPGKey(tmpDir, "gitea", "gitea@fake.local")

  50. 	assert.NoError(t, err)

  51. 

  52. 	rootKeyID := rootKeyPair.PrimaryKey.KeyIdShortString()

  53. 

  54. 	oldKeyID := setting.Repository.Signing.SigningKey

  55. 	oldName := setting.Repository.Signing.SigningName

  56. 	oldEmail := setting.Repository.Signing.SigningEmail

  57. 	defer func() {

  58. 		setting.Repository.Signing.SigningKey = oldKeyID

  59. 		setting.Repository.Signing.SigningName = oldName

  60. 		setting.Repository.Signing.SigningEmail = oldEmail

  61. 	}()

  62. 

  63. 	setting.Repository.Signing.SigningKey = rootKeyID

  64. 	setting.Repository.Signing.SigningName = "gitea"

  65. 	setting.Repository.Signing.SigningEmail = "gitea@fake.local"

  66. 	user := models.AssertExistsAndLoadBean(t, &models.User{Name: username}).(*models.User)

  67. 

  68. 	t.Run("Unsigned-Initial", func(t *testing.T) {

  69. 		PrintCurrentTest(t)

  70. 		setting.Repository.Signing.InitialCommit = []string{"never"}

  71. 		testCtx := NewAPITestContext(t, username, "initial-unsigned")

  72. 		t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  73. 		t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  74. 			assert.NotNil(t, branch.Commit)

  75. 			assert.NotNil(t, branch.Commit.Verification)

  76. 			assert.False(t, branch.Commit.Verification.Verified)

  77. 			assert.Empty(t, branch.Commit.Verification.Signature)

  78. 		}))

  79. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  80. 		t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  81. 			t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  82. 				assert.False(t, response.Verification.Verified)

  83. 			}))

  84. 		t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  85. 			t, testCtx, user, "never", "never2", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  86. 				assert.False(t, response.Verification.Verified)

  87. 			}))

  88. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  89. 		t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  90. 			t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  91. 				assert.False(t, response.Verification.Verified)

  92. 			}))

  93. 		t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  94. 			t, testCtx, user, "parentsigned", "parentsigned2", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  95. 				assert.False(t, response.Verification.Verified)

  96. 			}))

  97. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  98. 		t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  99. 			t, testCtx, user, "parentsigned", "parentsigned-never", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  100. 				assert.False(t, response.Verification.Verified)

  101. 			}))

  102. 		setting.Repository.Signing.CRUDActions = []string{"always"}

  103. 		t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  104. 			t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  105. 				assert.True(t, response.Verification.Verified)

  106. 				assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  107. 			}))

  108. 		t.Run("CreateCRUDFile-ParentSigned-always", crudActionCreateFile(

  109. 			t, testCtx, user, "parentsigned", "parentsigned-always", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  110. 				assert.True(t, response.Verification.Verified)

  111. 				assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  112. 			}))

  113. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  114. 		t.Run("CreateCRUDFile-Always-ParentSigned", crudActionCreateFile(

  115. 			t, testCtx, user, "always", "always-parentsigned", "signed-always-parentsigned.txt", func(t *testing.T, response api.FileResponse) {

  116. 				assert.True(t, response.Verification.Verified)

  117. 				assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  118. 			}))

  119. 	})

  120. 	t.Run("AlwaysSign-Initial", func(t *testing.T) {

  121. 		PrintCurrentTest(t)

  122. 		setting.Repository.Signing.InitialCommit = []string{"always"}

  123. 		testCtx := NewAPITestContext(t, username, "initial-always")

  124. 		t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  125. 		t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  126. 			assert.NotNil(t, branch.Commit)

  127. 			assert.NotNil(t, branch.Commit.Verification)

  128. 			assert.True(t, branch.Commit.Verification.Verified)

  129. 			assert.Equal(t, "gitea@fake.local", branch.Commit.Verification.Signer.Email)

  130. 		}))

  131. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  132. 		t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  133. 			t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  134. 				assert.False(t, response.Verification.Verified)

  135. 			}))

  136. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  137. 		t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  138. 			t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  139. 				assert.True(t, response.Verification.Verified)

  140. 				assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  141. 			}))

  142. 		setting.Repository.Signing.CRUDActions = []string{"always"}

  143. 		t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  144. 			t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  145. 				assert.True(t, response.Verification.Verified)

  146. 				assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  147. 			}))

  148. 

  149. 	})

  150. 	t.Run("UnsignedMerging", func(t *testing.T) {

  151. 		PrintCurrentTest(t)

  152. 		testCtx := NewAPITestContext(t, username, "initial-unsigned")

  153. 		var pr api.PullRequest

  154. 		var err error

  155. 		t.Run("CreatePullRequest", func(t *testing.T) {

  156. 			pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "never2")(t)

  157. 			assert.NoError(t, err)

  158. 		})

  159. 		setting.Repository.Signing.Merges = []string{"commitssigned"}

  160. 		t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  161. 		t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  162. 			assert.NotNil(t, branch.Commit)

  163. 			assert.NotNil(t, branch.Commit.Verification)

  164. 			assert.False(t, branch.Commit.Verification.Verified)

  165. 			assert.Empty(t, branch.Commit.Verification.Signature)

  166. 		}))

  167. 		setting.Repository.Signing.Merges = []string{"basesigned"}

  168. 		t.Run("CreatePullRequest", func(t *testing.T) {

  169. 			pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "parentsigned2")(t)

  170. 			assert.NoError(t, err)

  171. 		})

  172. 		t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  173. 		t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  174. 			assert.NotNil(t, branch.Commit)

  175. 			assert.NotNil(t, branch.Commit.Verification)

  176. 			assert.False(t, branch.Commit.Verification.Verified)

  177. 			assert.Empty(t, branch.Commit.Verification.Signature)

  178. 		}))

  179. 		setting.Repository.Signing.Merges = []string{"commitssigned"}

  180. 		t.Run("CreatePullRequest", func(t *testing.T) {

  181. 			pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "always-parentsigned")(t)

  182. 			assert.NoError(t, err)

  183. 		})

  184. 		t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  185. 		t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  186. 			assert.NotNil(t, branch.Commit)

  187. 			assert.NotNil(t, branch.Commit.Verification)

  188. 			assert.True(t, branch.Commit.Verification.Verified)

  189. 		}))

  190. 

  191. 	})

  192. }

  193. 

  194. func crudActionCreateFile(t *testing.T, ctx APITestContext, user *models.User, from, to, path string, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {

  195. 	return doAPICreateFile(ctx, path, &api.CreateFileOptions{

  196. 		FileOptions: api.FileOptions{

  197. 			BranchName:    from,

  198. 			NewBranchName: to,

  199. 			Message:       fmt.Sprintf("from:%s to:%s path:%s", from, to, path),

  200. 			Author: api.Identity{

  201. 				Name:  user.FullName,

  202. 				Email: user.Email,

  203. 			},

  204. 			Committer: api.Identity{

  205. 				Name:  user.FullName,

  206. 				Email: user.Email,

  207. 			},

  208. 		},

  209. 		Content: base64.StdEncoding.EncodeToString([]byte("This is new text")),

  210. 	}, callback...)

  211. }

  212. 

  213. func createGPGKey(tmpDir, name, email string) (*openpgp.Entity, error) {

  214. 	keyPair, err := openpgp.NewEntity(name, "test", email, nil)

  215. 	if err != nil {

  216. 		return nil, err

  217. 	}

  218. 

  219. 	for _, id := range keyPair.Identities {

  220. 		err := id.SelfSignature.SignUserId(id.UserId.Id, keyPair.PrimaryKey, keyPair.PrivateKey, nil)

  221. 		if err != nil {

  222. 			return nil, err

  223. 		}

  224. 	}

  225. 

  226. 	keyFile := filepath.Join(tmpDir, "temporary.key")

  227. 	keyWriter, err := os.Create(keyFile)

  228. 	if err != nil {

  229. 		return nil, err

  230. 	}

  231. 	defer keyWriter.Close()

  232. 	defer os.Remove(keyFile)

  233. 

  234. 	w, err := armor.Encode(keyWriter, openpgp.PrivateKeyType, nil)

  235. 	if err != nil {

  236. 		return nil, err

  237. 	}

  238. 	defer w.Close()

  239. 

  240. 	keyPair.SerializePrivate(w, nil)

  241. 	if err := w.Close(); err != nil {

  242. 		return nil, err

  243. 	}

  244. 	if err := keyWriter.Close(); err != nil {

  245. 		return nil, err

  246. 	}

  247. 

  248. 	if _, _, err := process.GetManager().Exec("gpg --import temporary.key", "gpg", "--import", keyFile); err != nil {

  249. 		return nil, err

  250. 	}

  251. 	return keyPair, nil

  252. }