afan
/
gitea
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
gitea源码
3 коммитов
2 веток
ветка: master
веток Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
gitea/tests/integration/gpg_ssh_git_test.go

gpg_ssh_git_test.go 14KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"crypto/ed25519"

  8. 	"crypto/rand"

  9. 	"encoding/base64"

  10. 	"encoding/pem"

  11. 	"fmt"

  12. 	"net/url"

  13. 	"os"

  14. 	"testing"

  15. 

  16. 	auth_model "code.gitea.io/gitea/models/auth"

  17. 	"code.gitea.io/gitea/models/unittest"

  18. 	user_model "code.gitea.io/gitea/models/user"

  19. 	"code.gitea.io/gitea/modules/process"

  20. 	"code.gitea.io/gitea/modules/setting"

  21. 	api "code.gitea.io/gitea/modules/structs"

  22. 	"code.gitea.io/gitea/modules/test"

  23. 	"code.gitea.io/gitea/tests"

  24. 

  25. 	"github.com/ProtonMail/go-crypto/openpgp"

  26. 	"github.com/ProtonMail/go-crypto/openpgp/armor"

  27. 	"github.com/stretchr/testify/assert"

  28. 	"github.com/stretchr/testify/require"

  29. 	"golang.org/x/crypto/ssh"

  30. )

  31. 

  32. func TestGPGGit(t *testing.T) {

  33. 	tmpDir := t.TempDir() // use a temp dir to avoid messing with the user's GPG keyring

  34. 	err := os.Chmod(tmpDir, 0o700)

  35. 	assert.NoError(t, err)

  36. 

  37. 	t.Setenv("GNUPGHOME", tmpDir)

  38. 

  39. 	// Need to create a root key

  40. 	rootKeyPair, err := importTestingKey()

  41. 	require.NoError(t, err, "importTestingKey")

  42. 

  43. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningKey, rootKeyPair.PrimaryKey.KeyIdShortString())()

  44. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "gitea")()

  45. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "gitea@fake.local")()

  46. 	defer test.MockVariableValue(&setting.Repository.Signing.InitialCommit, []string{"never"})()

  47. 	defer test.MockVariableValue(&setting.Repository.Signing.CRUDActions, []string{"never"})()

  48. 

  49. 	testGitSigning(t)

  50. }

  51. 

  52. func TestSSHGit(t *testing.T) {

  53. 	tmpDir := t.TempDir() // use a temp dir to store the SSH keys

  54. 	err := os.Chmod(tmpDir, 0o700)

  55. 	assert.NoError(t, err)

  56. 

  57. 	pub, priv, err := ed25519.GenerateKey(rand.Reader)

  58. 	require.NoError(t, err, "ed25519.GenerateKey")

  59. 	sshPubKey, err := ssh.NewPublicKey(pub)

  60. 	require.NoError(t, err, "ssh.NewPublicKey")

  61. 

  62. 	err = os.WriteFile(tmpDir+"/id_ed25519.pub", ssh.MarshalAuthorizedKey(sshPubKey), 0o600)

  63. 	require.NoError(t, err, "os.WriteFile id_ed25519.pub")

  64. 	block, err := ssh.MarshalPrivateKey(priv, "")

  65. 	require.NoError(t, err, "ssh.MarshalPrivateKey")

  66. 	err = os.WriteFile(tmpDir+"/id_ed25519", pem.EncodeToMemory(block), 0o600)

  67. 	require.NoError(t, err, "os.WriteFile id_ed25519")

  68. 

  69. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningKey, tmpDir+"/id_ed25519.pub")()

  70. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "gitea")()

  71. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "gitea@fake.local")()

  72. 	defer test.MockVariableValue(&setting.Repository.Signing.SigningFormat, "ssh")()

  73. 	defer test.MockVariableValue(&setting.Repository.Signing.InitialCommit, []string{"never"})()

  74. 	defer test.MockVariableValue(&setting.Repository.Signing.CRUDActions, []string{"never"})()

  75. 

  76. 	testGitSigning(t)

  77. }

  78. 

  79. func testGitSigning(t *testing.T) {

  80. 	username := "user2"

  81. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: username})

  82. 	baseAPITestContext := NewAPITestContext(t, username, "repo1")

  83. 

  84. 	onGiteaRun(t, func(t *testing.T, u *url.URL) {

  85. 		u.Path = baseAPITestContext.GitPath()

  86. 

  87. 		t.Run("Unsigned-Initial", func(t *testing.T) {

  88. 			defer tests.PrintCurrentTest(t)()

  89. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  90. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  91. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  92. 				assert.NotNil(t, branch.Commit)

  93. 				assert.NotNil(t, branch.Commit.Verification)

  94. 				assert.False(t, branch.Commit.Verification.Verified)

  95. 				assert.Empty(t, branch.Commit.Verification.Signature)

  96. 			}))

  97. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  98. 				t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  99. 					assert.False(t, response.Verification.Verified)

  100. 				}))

  101. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  102. 				t, testCtx, user, "never", "never2", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  103. 					assert.False(t, response.Verification.Verified)

  104. 				}))

  105. 		})

  106. 

  107. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  108. 		t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {

  109. 			defer tests.PrintCurrentTest(t)()

  110. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  111. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  112. 				t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  113. 					assert.False(t, response.Verification.Verified)

  114. 				}))

  115. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  116. 				t, testCtx, user, "parentsigned", "parentsigned2", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  117. 					assert.False(t, response.Verification.Verified)

  118. 				}))

  119. 		})

  120. 

  121. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  122. 		t.Run("Unsigned-Initial-CRUD-Never", func(t *testing.T) {

  123. 			defer tests.PrintCurrentTest(t)()

  124. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  125. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  126. 				t, testCtx, user, "parentsigned", "parentsigned-never", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {

  127. 					assert.False(t, response.Verification.Verified)

  128. 				}))

  129. 		})

  130. 

  131. 		setting.Repository.Signing.CRUDActions = []string{"always"}

  132. 		t.Run("Unsigned-Initial-CRUD-Always", func(t *testing.T) {

  133. 			defer tests.PrintCurrentTest(t)()

  134. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  135. 			t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  136. 				t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  137. 					require.NotNil(t, response.Verification, "no verification provided with response! %v", response)

  138. 					require.True(t, response.Verification.Verified)

  139. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  140. 				}))

  141. 			t.Run("CreateCRUDFile-ParentSigned-always", crudActionCreateFile(

  142. 				t, testCtx, user, "parentsigned", "parentsigned-always", "signed-parent2.txt", func(t *testing.T, response api.FileResponse) {

  143. 					require.NotNil(t, response.Verification, "no verification provided with response! %v", response)

  144. 					require.True(t, response.Verification.Verified)

  145. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  146. 				}))

  147. 		})

  148. 

  149. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  150. 		t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {

  151. 			defer tests.PrintCurrentTest(t)()

  152. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  153. 			t.Run("CreateCRUDFile-Always-ParentSigned", crudActionCreateFile(

  154. 				t, testCtx, user, "always", "always-parentsigned", "signed-always-parentsigned.txt", func(t *testing.T, response api.FileResponse) {

  155. 					require.NotNil(t, response.Verification, "no verification provided with response! %v", response)

  156. 					require.True(t, response.Verification.Verified)

  157. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  158. 				}))

  159. 		})

  160. 

  161. 		setting.Repository.Signing.InitialCommit = []string{"always"}

  162. 		t.Run("AlwaysSign-Initial", func(t *testing.T) {

  163. 			defer tests.PrintCurrentTest(t)()

  164. 			testCtx := NewAPITestContext(t, username, "initial-always", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  165. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  166. 			t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  167. 				require.NotNil(t, branch.Commit, "no commit provided with branch! %v", branch)

  168. 				require.NotNil(t, branch.Commit.Verification, "no verification provided with branch commit! %v", branch.Commit)

  169. 				require.True(t, branch.Commit.Verification.Verified)

  170. 				assert.Equal(t, "gitea@fake.local", branch.Commit.Verification.Signer.Email)

  171. 			}))

  172. 		})

  173. 

  174. 		setting.Repository.Signing.CRUDActions = []string{"never"}

  175. 		t.Run("AlwaysSign-Initial-CRUD-Never", func(t *testing.T) {

  176. 			defer tests.PrintCurrentTest(t)()

  177. 			testCtx := NewAPITestContext(t, username, "initial-always-never", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  178. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  179. 			t.Run("CreateCRUDFile-Never", crudActionCreateFile(

  180. 				t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {

  181. 					assert.False(t, response.Verification.Verified)

  182. 				}))

  183. 		})

  184. 

  185. 		setting.Repository.Signing.CRUDActions = []string{"parentsigned"}

  186. 		t.Run("AlwaysSign-Initial-CRUD-ParentSigned-On-Always", func(t *testing.T) {

  187. 			defer tests.PrintCurrentTest(t)()

  188. 			testCtx := NewAPITestContext(t, username, "initial-always-parent", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  189. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  190. 			t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(

  191. 				t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {

  192. 					require.True(t, response.Verification.Verified)

  193. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  194. 				}))

  195. 		})

  196. 

  197. 		setting.Repository.Signing.CRUDActions = []string{"always"}

  198. 		t.Run("AlwaysSign-Initial-CRUD-Always", func(t *testing.T) {

  199. 			defer tests.PrintCurrentTest(t)()

  200. 			testCtx := NewAPITestContext(t, username, "initial-always-always", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  201. 			t.Run("CreateRepository", doAPICreateRepository(testCtx, false))

  202. 			t.Run("CreateCRUDFile-Always", crudActionCreateFile(

  203. 				t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {

  204. 					require.True(t, response.Verification.Verified)

  205. 					assert.Equal(t, "gitea@fake.local", response.Verification.Signer.Email)

  206. 				}))

  207. 		})

  208. 

  209. 		setting.Repository.Signing.Merges = []string{"commitssigned"}

  210. 		t.Run("UnsignedMerging", func(t *testing.T) {

  211. 			defer tests.PrintCurrentTest(t)()

  212. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  213. 			t.Run("CreatePullRequest", func(t *testing.T) {

  214. 				pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "never2")(t)

  215. 				assert.NoError(t, err)

  216. 				t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  217. 			})

  218. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  219. 				assert.NotNil(t, branch.Commit)

  220. 				assert.NotNil(t, branch.Commit.Verification)

  221. 				assert.False(t, branch.Commit.Verification.Verified)

  222. 				assert.Empty(t, branch.Commit.Verification.Signature)

  223. 			}))

  224. 		})

  225. 

  226. 		setting.Repository.Signing.Merges = []string{"basesigned"}

  227. 		t.Run("BaseSignedMerging", func(t *testing.T) {

  228. 			defer tests.PrintCurrentTest(t)()

  229. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  230. 			t.Run("CreatePullRequest", func(t *testing.T) {

  231. 				pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "parentsigned2")(t)

  232. 				assert.NoError(t, err)

  233. 				t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  234. 			})

  235. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  236. 				assert.NotNil(t, branch.Commit)

  237. 				assert.NotNil(t, branch.Commit.Verification)

  238. 				assert.False(t, branch.Commit.Verification.Verified)

  239. 				assert.Empty(t, branch.Commit.Verification.Signature)

  240. 			}))

  241. 		})

  242. 

  243. 		setting.Repository.Signing.Merges = []string{"commitssigned"}

  244. 		t.Run("CommitsSignedMerging", func(t *testing.T) {

  245. 			defer tests.PrintCurrentTest(t)()

  246. 			testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)

  247. 			t.Run("CreatePullRequest", func(t *testing.T) {

  248. 				pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "always-parentsigned")(t)

  249. 				assert.NoError(t, err)

  250. 				t.Run("MergePR", doAPIMergePullRequest(testCtx, testCtx.Username, testCtx.Reponame, pr.Index))

  251. 			})

  252. 			t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {

  253. 				assert.NotNil(t, branch.Commit)

  254. 				assert.NotNil(t, branch.Commit.Verification)

  255. 				assert.True(t, branch.Commit.Verification.Verified)

  256. 			}))

  257. 		})

  258. 	})

  259. }

  260. 

  261. func crudActionCreateFile(_ *testing.T, ctx APITestContext, user *user_model.User, from, to, path string, callback ...func(*testing.T, api.FileResponse)) func(*testing.T) {

  262. 	return doAPICreateFile(ctx, path, &api.CreateFileOptions{

  263. 		FileOptions: api.FileOptions{

  264. 			BranchName:    from,

  265. 			NewBranchName: to,

  266. 			Message:       fmt.Sprintf("from:%s to:%s path:%s", from, to, path),

  267. 			Author: api.Identity{

  268. 				Name:  user.FullName,

  269. 				Email: user.Email,

  270. 			},

  271. 			Committer: api.Identity{

  272. 				Name:  user.FullName,

  273. 				Email: user.Email,

  274. 			},

  275. 		},

  276. 		ContentBase64: base64.StdEncoding.EncodeToString([]byte("This is new text for " + path)),

  277. 	}, callback...)

  278. }

  279. 

  280. func importTestingKey() (*openpgp.Entity, error) {

  281. 	if _, _, err := process.GetManager().Exec("gpg --import tests/integration/private-testing.key", "gpg", "--import", "tests/integration/private-testing.key"); err != nil {

  282. 		return nil, err

  283. 	}

  284. 	keyringFile, err := os.Open("tests/integration/private-testing.key")

  285. 	if err != nil {

  286. 		return nil, err

  287. 	}

  288. 	defer keyringFile.Close()

  289. 

  290. 	block, err := armor.Decode(keyringFile)

  291. 	if err != nil {

  292. 		return nil, err

  293. 	}

  294. 

  295. 	keyring, err := openpgp.ReadKeyRing(block.Body)

  296. 	if err != nil {

  297. 		return nil, fmt.Errorf("Keyring access failed: '%w'", err)

  298. 	}

  299. 

  300. 	// There should only be one entity in this file.

  301. 	return keyring[0], nil

  302. }