From 8d68f1525da218776e6d24f2ec700d86d254c2cb Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 14 Nov 2019 14:32:48 +0000 Subject: [PATCH 1/3] Move SignMerge to PullRequest --- models/pull_sign.go | 112 +++++++++++++++++++++++++++++++++++++++++ models/repo_sign.go | 95 ---------------------------------- services/pull/merge.go | 2 +- 3 files changed, 113 insertions(+), 96 deletions(-) create mode 100644 models/pull_sign.go diff --git a/models/pull_sign.go b/models/pull_sign.go new file mode 100644 index 0000000000000..f094665b8d6db --- /dev/null +++ b/models/pull_sign.go @@ -0,0 +1,112 @@ +// Copyright 2019 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "code.gitea.io/gitea/modules/git" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" +) + +// SignMerge determines if we should sign a PR merge commit to the base repository +func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string) { + if err := pr.GetBaseRepo(); err != nil { + log.Error("Unable to get Base Repo for pull request") + return false, "" + } + repo := pr.BaseRepo + + rules := signingModeFromStrings(setting.Repository.Signing.Merges) + signingKey := signingKey(repo.RepoPath()) + if signingKey == "" { + return false, "" + } + var gitRepo *git.Repository + var err error + + for _, rule := range rules { + switch rule { + case never: + return false, "" + case always: + break + case pubkey: + keys, err := ListGPGKeys(u.ID) + if err != nil || len(keys) == 0 { + return false, "" + } + case twofa: + twofa, err := GetTwoFactorByUID(u.ID) + if err != nil || twofa == nil { + return false, "" + } + case baseSigned: + if gitRepo == nil { + gitRepo, err = git.OpenRepository(tmpBasePath) + if err != nil { + return false, "" + } + defer gitRepo.Close() + } + commit, err := gitRepo.GetCommit(baseCommit) + if err != nil { + return false, "" + } + verification := ParseCommitWithSignature(commit) + if !verification.Verified { + return false, "" + } + case headSigned: + if gitRepo == nil { + gitRepo, err = git.OpenRepository(tmpBasePath) + if err != nil { + return false, "" + } + defer gitRepo.Close() + } + commit, err := gitRepo.GetCommit(headCommit) + if err != nil { + return false, "" + } + verification := ParseCommitWithSignature(commit) + if !verification.Verified { + return false, "" + } + case commitsSigned: + if gitRepo == nil { + gitRepo, err = git.OpenRepository(tmpBasePath) + if err != nil { + return false, "" + } + defer gitRepo.Close() + } + commit, err := gitRepo.GetCommit(headCommit) + if err != nil { + return false, "" + } + verification := ParseCommitWithSignature(commit) + if !verification.Verified { + return false, "" + } + // need to work out merge-base + mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit) + if err != nil { + return false, "" + } + commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit) + if err != nil { + return false, "" + } + for e := commitList.Front(); e != nil; e = e.Next() { + commit = e.Value.(*git.Commit) + verification := ParseCommitWithSignature(commit) + if !verification.Verified { + return false, "" + } + } + } + } + return true, signingKey +} diff --git a/models/repo_sign.go b/models/repo_sign.go index a02b027f89f89..b22b85854fb4b 100644 --- a/models/repo_sign.go +++ b/models/repo_sign.go @@ -211,98 +211,3 @@ func (repo *Repository) SignCRUDAction(u *User, tmpBasePath, parentCommit string } return true, signingKey } - -// SignMerge determines if we should sign a merge commit to this repository -func (repo *Repository) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string) { - rules := signingModeFromStrings(setting.Repository.Signing.Merges) - signingKey := signingKey(repo.RepoPath()) - if signingKey == "" { - return false, "" - } - var gitRepo *git.Repository - var err error - - for _, rule := range rules { - switch rule { - case never: - return false, "" - case always: - break - case pubkey: - keys, err := ListGPGKeys(u.ID) - if err != nil || len(keys) == 0 { - return false, "" - } - case twofa: - twofa, err := GetTwoFactorByUID(u.ID) - if err != nil || twofa == nil { - return false, "" - } - case baseSigned: - if gitRepo == nil { - gitRepo, err = git.OpenRepository(tmpBasePath) - if err != nil { - return false, "" - } - defer gitRepo.Close() - } - commit, err := gitRepo.GetCommit(baseCommit) - if err != nil { - return false, "" - } - verification := ParseCommitWithSignature(commit) - if !verification.Verified { - return false, "" - } - case headSigned: - if gitRepo == nil { - gitRepo, err = git.OpenRepository(tmpBasePath) - if err != nil { - return false, "" - } - defer gitRepo.Close() - } - commit, err := gitRepo.GetCommit(headCommit) - if err != nil { - return false, "" - } - verification := ParseCommitWithSignature(commit) - if !verification.Verified { - return false, "" - } - case commitsSigned: - if gitRepo == nil { - gitRepo, err = git.OpenRepository(tmpBasePath) - if err != nil { - return false, "" - } - defer gitRepo.Close() - } - commit, err := gitRepo.GetCommit(headCommit) - if err != nil { - return false, "" - } - verification := ParseCommitWithSignature(commit) - if !verification.Verified { - return false, "" - } - // need to work out merge-base - mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit) - if err != nil { - return false, "" - } - commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit) - if err != nil { - return false, "" - } - for e := commitList.Front(); e != nil; e = e.Next() { - commit = e.Value.(*git.Commit) - verification := ParseCommitWithSignature(commit) - if !verification.Verified { - return false, "" - } - } - } - } - return true, signingKey -} diff --git a/services/pull/merge.go b/services/pull/merge.go index 5fbf550ad2cb7..7b26364d3d722 100644 --- a/services/pull/merge.go +++ b/services/pull/merge.go @@ -232,7 +232,7 @@ func Merge(pr *models.PullRequest, doer *models.User, baseGitRepo *git.Repositor // Determine if we should sign signArg := "" if version.Compare(binVersion, "1.7.9", ">=") { - sign, keyID := pr.BaseRepo.SignMerge(doer, tmpBasePath, "HEAD", trackingBranch) + sign, keyID := pr.SignMerge(doer, tmpBasePath, "HEAD", trackingBranch) if sign { signArg = "-S" + keyID } else if version.Compare(binVersion, "2.0.0", ">=") { From ca50579d91f76efe082016f28ccb437c4ed81808 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 14 Nov 2019 15:00:27 +0000 Subject: [PATCH 2/3] Add approved signing mode --- custom/conf/app.ini.sample | 7 ++++--- docs/content/doc/advanced/config-cheat-sheet.en-us.md | 3 ++- docs/content/doc/advanced/signing.en-us.md | 1 + models/pull_sign.go | 8 ++++++++ models/repo_sign.go | 3 +++ 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample index 5e26171d9e1d5..5233544dd7699 100644 --- a/custom/conf/app.ini.sample +++ b/custom/conf/app.ini.sample @@ -107,6 +107,7 @@ WIKI = never ; Determines when to sign on merges ; - basesigned: require that the parent of commit on the base repo is signed. ; - commitssigned: require that all the commits in the head branch are signed. +; - approved: only sign when merging an approved pr to a protected branch MERGES = pubkey, twofa, basesigned, commitssigned [cors] @@ -190,7 +191,7 @@ PROTOCOL = http DOMAIN = localhost ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ ; when STATIC_URL_PREFIX is empty it will follow APP_URL -STATIC_URL_PREFIX = +STATIC_URL_PREFIX = ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. HTTP_ADDR = 0.0.0.0 HTTP_PORT = 3000 @@ -515,9 +516,9 @@ SKIP_TLS_VERIFY = false ; Number of history information in each page PAGING_NUM = 10 ; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy -PROXY_URL = +PROXY_URL = ; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. -PROXY_HOSTS = +PROXY_HOSTS = [mailer] ENABLED = false diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index e5236205fe2db..c915179e7d4a1 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -94,7 +94,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `CRUD_ACTIONS`: **pubkey, twofa, parentsigned**: \[never, pubkey, twofa, parentsigned, always\]: Sign CRUD actions. - Options as above, with the addition of: - `parentsigned`: Only sign if the parent commit is signed. -- `MERGES`: **pubkey, twofa, basesigned, commitssigned**: \[never, pubkey, twofa, basesigned, commitssigned, always\]: Sign merges. +- `MERGES`: **pubkey, twofa, basesigned, commitssigned**: \[never, pubkey, twofa, approved, basesigned, commitssigned, always\]: Sign merges. + - `approved`: Only sign approved merges to a protected branch. - `basesigned`: Only sign if the parent commit in the base repo is signed. - `headsigned`: Only sign if the head commit in the head branch is signed. - `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed. diff --git a/docs/content/doc/advanced/signing.en-us.md b/docs/content/doc/advanced/signing.en-us.md index b6c99e269e09b..72d294e7bd62a 100644 --- a/docs/content/doc/advanced/signing.en-us.md +++ b/docs/content/doc/advanced/signing.en-us.md @@ -136,6 +136,7 @@ The possible options are: * `basesigned`: Only sign if the parent commit in the base repo is signed. * `headsigned`: Only sign if the head commit in the head branch is signed. * `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed. +* `approved`: Only sign approved merges to a protected branch. * `always`: Always sign Options other than `never` and `always` can be combined as a comma diff --git a/models/pull_sign.go b/models/pull_sign.go index f094665b8d6db..73983f6d2bda1 100644 --- a/models/pull_sign.go +++ b/models/pull_sign.go @@ -42,6 +42,14 @@ func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit st if err != nil || twofa == nil { return false, "" } + case approved: + protectedBranch, err := GetProtectedBranchBy(repo.ID, pr.BaseBranch) + if err != nil || protectedBranch == nil { + return false, "" + } + if protectedBranch.GetGrantedApprovalsCount(pr) < 1 { + return false, "" + } case baseSigned: if gitRepo == nil { gitRepo, err = git.OpenRepository(tmpBasePath) diff --git a/models/repo_sign.go b/models/repo_sign.go index b22b85854fb4b..a684efb55fc44 100644 --- a/models/repo_sign.go +++ b/models/repo_sign.go @@ -24,6 +24,7 @@ const ( baseSigned signingMode = "basesigned" headSigned signingMode = "headsigned" commitsSigned signingMode = "commitssigned" + approved signingMode = "approved" ) func signingModeFromStrings(modeStrings []string) []signingMode { @@ -45,6 +46,8 @@ func signingModeFromStrings(modeStrings []string) []signingMode { fallthrough case headSigned: fallthrough + case approved: + fallthrough case commitsSigned: returnable = append(returnable, signMode) } From 70ab01c05c6d206ba9fa038127ebed997256c7ea Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Fri, 13 Dec 2019 16:29:00 +0000 Subject: [PATCH 3/3] As per @guillep2k comment --- models/pull_sign.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/models/pull_sign.go b/models/pull_sign.go index 73983f6d2bda1..19d8907c3dbfe 100644 --- a/models/pull_sign.go +++ b/models/pull_sign.go @@ -18,11 +18,12 @@ func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit st } repo := pr.BaseRepo - rules := signingModeFromStrings(setting.Repository.Signing.Merges) signingKey := signingKey(repo.RepoPath()) if signingKey == "" { return false, "" } + rules := signingModeFromStrings(setting.Repository.Signing.Merges) + var gitRepo *git.Repository var err error