mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-20 23:49:23 +00:00
fcb535c5c3
This PR fixes #7598 by providing a configurable way of signing commits across the Gitea instance. Per repository configurability and import/generation of trusted secure keys is not provided by this PR - from a security PoV that's probably impossible to do properly. Similarly web-signing, that is asking the user to sign something, is not implemented - this could be done at a later stage however. ## Features - [x] If commit.gpgsign is set in .gitconfig sign commits and files created through repofiles. (merges should already have been signed.) - [x] Verify commits signed with the default gpg as valid - [x] Signer, Committer and Author can all be different - [x] Allow signer to be arbitrarily different - We still require the key to have an activated email on Gitea. A more complete implementation would be to use a keyserver and mark external-or-unactivated with an "unknown" trust level icon. - [x] Add a signing-key.gpg endpoint to get the default gpg pub key if available - Rather than add a fake web-flow user I've added this as an endpoint on /api/v1/signing-key.gpg - [x] Try to match the default key with a user on gitea - this is done at verification time - [x] Make things configurable? - app.ini configuration done - [x] when checking commits are signed need to check if they're actually verifiable too - [x] Add documentation I have decided that adjusting the docker to create a default gpg key is not the correct thing to do and therefore have not implemented this.
269 lines
8 KiB
Go
269 lines
8 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package integrations
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"testing"
|
|
|
|
"code.gitea.io/gitea/models"
|
|
"code.gitea.io/gitea/modules/auth"
|
|
api "code.gitea.io/gitea/modules/structs"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
type APITestContext struct {
|
|
Reponame string
|
|
Session *TestSession
|
|
Token string
|
|
Username string
|
|
ExpectedCode int
|
|
}
|
|
|
|
func NewAPITestContext(t *testing.T, username, reponame string) APITestContext {
|
|
session := loginUser(t, username)
|
|
token := getTokenForLoggedInUser(t, session)
|
|
return APITestContext{
|
|
Session: session,
|
|
Token: token,
|
|
Username: username,
|
|
Reponame: reponame,
|
|
}
|
|
}
|
|
|
|
func (ctx APITestContext) GitPath() string {
|
|
return fmt.Sprintf("%s/%s.git", ctx.Username, ctx.Reponame)
|
|
}
|
|
|
|
func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
createRepoOption := &api.CreateRepoOption{
|
|
AutoInit: !empty,
|
|
Description: "Temporary repo",
|
|
Name: ctx.Reponame,
|
|
Private: true,
|
|
Gitignores: "",
|
|
License: "WTFPL",
|
|
Readme: "Default",
|
|
}
|
|
req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+ctx.Token, createRepoOption)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
|
|
|
|
var repository api.Repository
|
|
DecodeJSON(t, resp, &repository)
|
|
if len(callback) > 0 {
|
|
callback[0](t, repository)
|
|
}
|
|
}
|
|
}
|
|
|
|
func doAPIAddCollaborator(ctx APITestContext, username string, mode models.AccessMode) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
permission := "read"
|
|
|
|
if mode == models.AccessModeAdmin {
|
|
permission = "admin"
|
|
} else if mode > models.AccessModeRead {
|
|
permission = "write"
|
|
}
|
|
addCollaboratorOption := &api.AddCollaboratorOption{
|
|
Permission: &permission,
|
|
}
|
|
req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("/api/v1/repos/%s/%s/collaborators/%s?token=%s", ctx.Username, ctx.Reponame, username, ctx.Token), addCollaboratorOption)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
ctx.Session.MakeRequest(t, req, http.StatusNoContent)
|
|
}
|
|
}
|
|
|
|
func doAPIForkRepository(ctx APITestContext, username string, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
createForkOption := &api.CreateForkOption{}
|
|
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks?token=%s", username, ctx.Reponame, ctx.Token), createForkOption)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, http.StatusAccepted)
|
|
var repository api.Repository
|
|
DecodeJSON(t, resp, &repository)
|
|
if len(callback) > 0 {
|
|
callback[0](t, repository)
|
|
}
|
|
}
|
|
}
|
|
|
|
func doAPIGetRepository(ctx APITestContext, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
|
|
|
|
req := NewRequest(t, "GET", urlStr)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
var repository api.Repository
|
|
DecodeJSON(t, resp, &repository)
|
|
if len(callback) > 0 {
|
|
callback[0](t, repository)
|
|
}
|
|
}
|
|
}
|
|
|
|
func doAPIDeleteRepository(ctx APITestContext) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
|
|
|
|
req := NewRequest(t, "DELETE", urlStr)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
ctx.Session.MakeRequest(t, req, http.StatusNoContent)
|
|
}
|
|
}
|
|
|
|
func doAPICreateUserKey(ctx APITestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
urlStr := fmt.Sprintf("/api/v1/user/keys?token=%s", ctx.Token)
|
|
|
|
dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
|
|
assert.NoError(t, err)
|
|
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateKeyOption{
|
|
Title: keyname,
|
|
Key: string(dataPubKey),
|
|
})
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
|
|
var publicKey api.PublicKey
|
|
DecodeJSON(t, resp, &publicKey)
|
|
if len(callback) > 0 {
|
|
callback[0](t, publicKey)
|
|
}
|
|
}
|
|
}
|
|
|
|
func doAPIDeleteUserKey(ctx APITestContext, keyID int64) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
urlStr := fmt.Sprintf("/api/v1/user/keys/%d?token=%s", keyID, ctx.Token)
|
|
|
|
req := NewRequest(t, "DELETE", urlStr)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
ctx.Session.MakeRequest(t, req, http.StatusNoContent)
|
|
}
|
|
}
|
|
|
|
func doAPICreateDeployKey(ctx APITestContext, keyname, keyFile string, readOnly bool) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
|
|
|
|
dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
|
|
assert.NoError(t, err)
|
|
req := NewRequestWithJSON(t, "POST", urlStr, api.CreateKeyOption{
|
|
Title: keyname,
|
|
Key: string(dataPubKey),
|
|
ReadOnly: readOnly,
|
|
})
|
|
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
ctx.Session.MakeRequest(t, req, http.StatusCreated)
|
|
}
|
|
}
|
|
|
|
func doAPICreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBranch string) func(*testing.T) (api.PullRequest, error) {
|
|
return func(t *testing.T) (api.PullRequest, error) {
|
|
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s",
|
|
owner, repo, ctx.Token)
|
|
req := NewRequestWithJSON(t, http.MethodPost, urlStr, &api.CreatePullRequestOption{
|
|
Head: headBranch,
|
|
Base: baseBranch,
|
|
Title: fmt.Sprintf("create a pr from %s to %s", headBranch, baseBranch),
|
|
})
|
|
|
|
expected := 201
|
|
if ctx.ExpectedCode != 0 {
|
|
expected = ctx.ExpectedCode
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, expected)
|
|
decoder := json.NewDecoder(resp.Body)
|
|
pr := api.PullRequest{}
|
|
err := decoder.Decode(&pr)
|
|
return pr, err
|
|
}
|
|
}
|
|
|
|
func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
|
|
owner, repo, index, ctx.Token)
|
|
req := NewRequestWithJSON(t, http.MethodPost, urlStr, &auth.MergePullRequestForm{
|
|
MergeMessageField: "doAPIMergePullRequest Merge",
|
|
Do: string(models.MergeStyleMerge),
|
|
})
|
|
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
ctx.Session.MakeRequest(t, req, 200)
|
|
}
|
|
}
|
|
|
|
func doAPIGetBranch(ctx APITestContext, branch string, callback ...func(*testing.T, api.Branch)) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/branches/%s?token=%s", ctx.Username, ctx.Reponame, branch, ctx.Token)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
|
|
|
|
var branch api.Branch
|
|
DecodeJSON(t, resp, &branch)
|
|
if len(callback) > 0 {
|
|
callback[0](t, branch)
|
|
}
|
|
}
|
|
}
|
|
|
|
func doAPICreateFile(ctx APITestContext, treepath string, options *api.CreateFileOptions, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {
|
|
return func(t *testing.T) {
|
|
url := fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?token=%s", ctx.Username, ctx.Reponame, treepath, ctx.Token)
|
|
req := NewRequestWithJSON(t, "POST", url, &options)
|
|
if ctx.ExpectedCode != 0 {
|
|
ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
|
|
return
|
|
}
|
|
resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
|
|
|
|
var contents api.FileResponse
|
|
DecodeJSON(t, resp, &contents)
|
|
if len(callback) > 0 {
|
|
callback[0](t, contents)
|
|
}
|
|
}
|
|
}
|