-rw-r--r-- | app/models/gpg_signature.rb | 7 | ||||
-rw-r--r-- | lib/gitlab/gpg/commit.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/gpg/commit_spec.rb | 44 |
3 files changed, 48 insertions, 5 deletions
diff --git a/app/models/gpg_signature.rb b/app/models/gpg_signature.rb
index a94c42c5334..1f047a32c84 100644
--- a/app/models/gpg_signature.rb
+++ b/app/models/gpg_signature.rb
@@ -7,9 +7,10 @@ class GpgSignature < ActiveRecord::Base
 enum verification_status: {
 unverified: 0,
 verified: 1,
- other_user: 2,
- unverified_key: 3,
- unknown_key: 4
+ same_user_different_email: 2,
+ other_user: 3,
+ unverified_key: 4,
+ unknown_key: 5
 }
 belongs_to :project
diff --git a/lib/gitlab/gpg/commit.rb b/lib/gitlab/gpg/commit.rb
index 16c8ef563da..7aaf3f6aa5b 100644
--- a/lib/gitlab/gpg/commit.rb
+++ b/lib/gitlab/gpg/commit.rb
@@ -85,6 +85,8 @@ module Gitlab
 def verification_status(gpg_key)
 if gpg_key && gpg_key.verified_and_belongs_to_email?(@commit.committer_email) && verified_signature.valid?
 GpgSignature.verification_statuses[:verified]
+ elsif gpg_key && gpg_key.verified? && verified_signature.valid? && gpg_key.user.all_emails.include?(@commit.committer_email)
+ GpgSignature.verification_statuses[:same_user_different_email]
 elsif gpg_key && gpg_key.verified? && verified_signature.valid?
 GpgSignature.verification_statuses[:other_user]
 elsif gpg_key
diff --git a/spec/lib/gitlab/gpg/commit_spec.rb b/spec/lib/gitlab/gpg/commit_spec.rb
index 843418aef6d..40113429d23 100644
--- a/spec/lib/gitlab/gpg/commit_spec.rb
+++ b/spec/lib/gitlab/gpg/commit_spec.rb
@@ -28,7 +28,7 @@ describe Gitlab::Gpg::Commit do
 context 'known key' do
 context 'user matches the key uid' do
- context 'user matches the committer' do
+ context 'user email matches the email committer' do
 let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User1.emails.first }
 let!(:user) { create(:user, email: GpgHelpers::User1.emails.first) }
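Review bot: Renumbering the existing members of `enum verification_status` (`other_user` 2→3, `unverified_key` 3→4, `unknown_key` 4→5) silently reinterprets every integer already persisted in that column: a stored `other_user` row now reads back as `same_user_different_email`, a stored `unverified_key` as `other_user`, and a stored `unknown_key` as `unverified_key`, which in two of the three cases makes an old signature look more trustworthy than it was. The spec's shared example 'returns the cached signature on second call' suggests these rows are reused rather than recomputed, so the mislabeling would persist. Unless a data migration remapping the stored values accompanies this change, append the new member instead and leave the other three lines untouched: `same_user_different_email: 5`. I would also record the constraint on the enum itself: `# Persisted integers: append new statuses, never renumber existing ones.`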
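Review bot: The added `elsif` treats any address in `gpg_key.user.all_emails` as proof that the committer is the key owner, whereas the `verified` branch directly above goes through `verified_and_belongs_to_email?`; the new spec obtains this status after adding the secondary address with a bare `create :email`, which suggests `all_emails` includes unconfirmed addresses, in which case a user can attach any committer email unconfirmed and move commits under it from `other_user` to `same_user_different_email`. The result is still not `verified`, so the exposure is limited, but the status is presumably surfaced to users as a trust signal, so the check should be restricted to confirmed emails if the user model offers such an accessor, and the decision should be written next to the line: `# only confirmed secondary emails count; an unconfirmed address must fall through to :other_user`. As a point of style, `gpg_key.verified? && verified_signature.valid?` is now repeated in two branches and the `gpg_key &&` guard in three; hoisting it into a local before the `if` (e.g. `key_usable = gpg_key&.verified? && verified_signature.valid?`) would make the ladder read as one ordered decision. The body of `verification_status` continues past the end of the hunk.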
@@ -64,7 +64,47 @@ describe Gitlab::Gpg::Commit do
 it_behaves_like 'returns the cached signature on second call'
 end
- context 'user does not match the committer' do
+ context 'user email does not match the committer email, but is the same user' do
+ let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }
+
+ let(:user) do
+ create(:user, email: GpgHelpers::User1.emails.first).tap do |user|
+ create :email, user: user, email: GpgHelpers::User2.emails.first
+ end
+ end
+
+ let!(:gpg_key) do
+ create :gpg_key, key: GpgHelpers::User1.public_key, user: user
+ end
+
+ before do
+ allow(Rugged::Commit).to receive(:extract_signature)
+ .with(Rugged::Repository, commit_sha)
+ .and_return(
+ [
+ GpgHelpers::User1.signed_commit_signature,
+ GpgHelpers::User1.signed_commit_base_data
+ ]
+ )
+ end
+
+ it 'returns an invalid signature' do
+ expect(described_class.new(commit).signature).to have_attributes(
+ commit_sha: commit_sha,
+ project: project,
+ gpg_key: gpg_key,
+ gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+ gpg_key_user_name: GpgHelpers::User1.names.first,
+ gpg_key_user_email: GpgHelpers::User1.emails.first,
+ valid_signature: false,
+ verification_status: 'same_user_different_email'
+ )
+ end
+
+ it_behaves_like 'returns the cached signature on second call'
+ end
+
+ context 'user email does not match the committer email' do
 let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }
 let(:user) { create(:user, email: GpgHelpers::User1.emails.first) }
|
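Review bot: The new 'same user' example attaches the secondary address with a bare `create :email, user: user, email: GpgHelpers::User2.emails.first` and nothing in the example says whether that address is confirmed, so the spec pins `same_user_different_email` for what is probably an unconfirmed secondary email without stating that this is intended. If unconfirmed addresses are meant to count, the context name should say so; if not, the email should be created confirmed (using whatever the `:email` factory offers for that, e.g. a `confirmed_at` attribute) and a sibling example should assert that an unconfirmed secondary email still yields `'other_user'`. The description `it 'returns an invalid signature'` also undersells what the block asserts; `it 'returns a same_user_different_email signature'` matches the `verification_status` expectation. The trailing `context 'user email does not match the committer email'` block continues past the end of the hunk.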