2 files changed, 46 insertions, 3 deletions

diff --git a/app/services/gpg_keys/create_service.rb b/app/services/gpg_keys/create_service.rb
index ab8b12732d7..c061c92df3e 100644
--- a/app/services/gpg_keys/create_service.rb
+++ b/app/services/gpg_keys/create_service.rb
@@ -3,15 +3,25 @@
 module GpgKeys
   class CreateService < Keys::BaseService
     def execute
-      key = create(params)
+      key = user.gpg_keys.build(params)
+
+      return key unless validate(key)
+
+      create(key)
+
       notification_service.new_gpg_key(key) if key.persisted?
       key
     end
 
     private
 
-    def create(params)
-      user.gpg_keys.create(params)
+    def validate(key)
+      GpgKeys::ValidateIntegrationsService.new(key).execute
+    end
+
+    def create(key)
+      key.save
+      key
     end
   end
 end
diff --git a/app/services/gpg_keys/validate_integrations_service.rb b/app/services/gpg_keys/validate_integrations_service.rb
new file mode 100644
index 00000000000..f593eb6925a
--- /dev/null
+++ b/app/services/gpg_keys/validate_integrations_service.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module GpgKeys
+  class ValidateIntegrationsService < Keys::BaseService
+    ValidationError = Class.new(StandardError)
+
+    def initialize(key)
+      @key = key
+    end
+
+    def execute
+      return false unless key.valid?
+
+      validate_beyond_identity!
+
+      key.errors.empty?
+    end
+
+    private
+
+    attr_reader :key
+
+    def validate_beyond_identity!
+      integration = Integrations::BeyondIdentity.for_instance.first
+
+      return unless integration&.activated?
+
+      integration.execute({ key_id: key.primary_keyid, committer_email: key.user.email })
+    rescue ::Gitlab::BeyondIdentity::Client::Error => e
+      key.errors.add(:base, "BeyondIdentity: #{e.message}")
+    end
+  end
+end