Sign protected branches (#8993)
* Move SignMerge to PullRequest * Add approved signing mode * As per @guillep2k commenttokarchuk/v1.17
parent
e3c3b33ea7
commit
3abe17f9e0
@ -0,0 +1,121 @@ |
|||||||
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package models |
||||||
|
|
||||||
|
import ( |
||||||
|
"code.gitea.io/gitea/modules/git" |
||||||
|
"code.gitea.io/gitea/modules/log" |
||||||
|
"code.gitea.io/gitea/modules/setting" |
||||||
|
) |
||||||
|
|
||||||
|
// SignMerge determines if we should sign a PR merge commit to the base repository
|
||||||
|
func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string) { |
||||||
|
if err := pr.GetBaseRepo(); err != nil { |
||||||
|
log.Error("Unable to get Base Repo for pull request") |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
repo := pr.BaseRepo |
||||||
|
|
||||||
|
signingKey := signingKey(repo.RepoPath()) |
||||||
|
if signingKey == "" { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
rules := signingModeFromStrings(setting.Repository.Signing.Merges) |
||||||
|
|
||||||
|
var gitRepo *git.Repository |
||||||
|
var err error |
||||||
|
|
||||||
|
for _, rule := range rules { |
||||||
|
switch rule { |
||||||
|
case never: |
||||||
|
return false, "" |
||||||
|
case always: |
||||||
|
break |
||||||
|
case pubkey: |
||||||
|
keys, err := ListGPGKeys(u.ID) |
||||||
|
if err != nil || len(keys) == 0 { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
case twofa: |
||||||
|
twofa, err := GetTwoFactorByUID(u.ID) |
||||||
|
if err != nil || twofa == nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
case approved: |
||||||
|
protectedBranch, err := GetProtectedBranchBy(repo.ID, pr.BaseBranch) |
||||||
|
if err != nil || protectedBranch == nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
if protectedBranch.GetGrantedApprovalsCount(pr) < 1 { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
case baseSigned: |
||||||
|
if gitRepo == nil { |
||||||
|
gitRepo, err = git.OpenRepository(tmpBasePath) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
defer gitRepo.Close() |
||||||
|
} |
||||||
|
commit, err := gitRepo.GetCommit(baseCommit) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
verification := ParseCommitWithSignature(commit) |
||||||
|
if !verification.Verified { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
case headSigned: |
||||||
|
if gitRepo == nil { |
||||||
|
gitRepo, err = git.OpenRepository(tmpBasePath) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
defer gitRepo.Close() |
||||||
|
} |
||||||
|
commit, err := gitRepo.GetCommit(headCommit) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
verification := ParseCommitWithSignature(commit) |
||||||
|
if !verification.Verified { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
case commitsSigned: |
||||||
|
if gitRepo == nil { |
||||||
|
gitRepo, err = git.OpenRepository(tmpBasePath) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
defer gitRepo.Close() |
||||||
|
} |
||||||
|
commit, err := gitRepo.GetCommit(headCommit) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
verification := ParseCommitWithSignature(commit) |
||||||
|
if !verification.Verified { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
// need to work out merge-base
|
||||||
|
mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit) |
||||||
|
if err != nil { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
for e := commitList.Front(); e != nil; e = e.Next() { |
||||||
|
commit = e.Value.(*git.Commit) |
||||||
|
verification := ParseCommitWithSignature(commit) |
||||||
|
if !verification.Verified { |
||||||
|
return false, "" |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
return true, signingKey |
||||||
|
} |
Loading…
Reference in new issue