2019-12-15 20:06:31 +09:00
|
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a MIT-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package models
|
|
|
|
|
|
|
|
import (
|
2021-09-24 20:32:56 +09:00
|
|
|
"code.gitea.io/gitea/models/db"
|
2019-12-15 20:06:31 +09:00
|
|
|
"code.gitea.io/gitea/modules/git"
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
)
|
|
|
|
|
|
|
|
// SignMerge determines if we should sign a PR merge commit to the base repository
|
2020-09-20 01:44:55 +09:00
|
|
|
func (pr *PullRequest) SignMerge(u *User, tmpBasePath, baseCommit, headCommit string) (bool, string, *git.Signature, error) {
|
2020-03-03 07:31:55 +09:00
|
|
|
if err := pr.LoadBaseRepo(); err != nil {
|
2019-12-15 20:06:31 +09:00
|
|
|
log.Error("Unable to get Base Repo for pull request")
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
repo := pr.BaseRepo
|
|
|
|
|
2020-09-20 01:44:55 +09:00
|
|
|
signingKey, signer := SigningKey(repo.RepoPath())
|
2019-12-15 20:06:31 +09:00
|
|
|
if signingKey == "" {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{noKey}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
rules := signingModeFromStrings(setting.Repository.Signing.Merges)
|
|
|
|
|
|
|
|
var gitRepo *git.Repository
|
|
|
|
var err error
|
|
|
|
|
2020-07-31 22:26:47 +09:00
|
|
|
Loop:
|
2019-12-15 20:06:31 +09:00
|
|
|
for _, rule := range rules {
|
|
|
|
switch rule {
|
|
|
|
case never:
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{never}
|
2019-12-15 20:06:31 +09:00
|
|
|
case always:
|
2020-07-31 22:26:47 +09:00
|
|
|
break Loop
|
2019-12-15 20:06:31 +09:00
|
|
|
case pubkey:
|
2021-09-24 20:32:56 +09:00
|
|
|
keys, err := ListGPGKeys(u.ID, db.ListOptions{})
|
2020-01-15 17:32:57 +09:00
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2020-01-15 17:32:57 +09:00
|
|
|
}
|
|
|
|
if len(keys) == 0 {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{pubkey}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
case twofa:
|
2020-01-15 17:32:57 +09:00
|
|
|
twofaModel, err := GetTwoFactorByUID(u.ID)
|
2020-01-27 08:44:12 +09:00
|
|
|
if err != nil && !IsErrTwoFactorNotEnrolled(err) {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2020-01-15 17:32:57 +09:00
|
|
|
}
|
|
|
|
if twofaModel == nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{twofa}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
case approved:
|
|
|
|
protectedBranch, err := GetProtectedBranchBy(repo.ID, pr.BaseBranch)
|
2020-01-15 17:32:57 +09:00
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2020-01-15 17:32:57 +09:00
|
|
|
}
|
|
|
|
if protectedBranch == nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{approved}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
if protectedBranch.GetGrantedApprovalsCount(pr) < 1 {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{approved}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
case baseSigned:
|
|
|
|
if gitRepo == nil {
|
|
|
|
gitRepo, err = git.OpenRepository(tmpBasePath)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
defer gitRepo.Close()
|
|
|
|
}
|
|
|
|
commit, err := gitRepo.GetCommit(baseCommit)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
verification := ParseCommitWithSignature(commit)
|
|
|
|
if !verification.Verified {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{baseSigned}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
case headSigned:
|
|
|
|
if gitRepo == nil {
|
|
|
|
gitRepo, err = git.OpenRepository(tmpBasePath)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
defer gitRepo.Close()
|
|
|
|
}
|
|
|
|
commit, err := gitRepo.GetCommit(headCommit)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
verification := ParseCommitWithSignature(commit)
|
|
|
|
if !verification.Verified {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{headSigned}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
case commitsSigned:
|
|
|
|
if gitRepo == nil {
|
|
|
|
gitRepo, err = git.OpenRepository(tmpBasePath)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
defer gitRepo.Close()
|
|
|
|
}
|
|
|
|
commit, err := gitRepo.GetCommit(headCommit)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
verification := ParseCommitWithSignature(commit)
|
|
|
|
if !verification.Verified {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{commitsSigned}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
// need to work out merge-base
|
|
|
|
mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit)
|
|
|
|
if err != nil {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, err
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
2021-08-10 03:08:51 +09:00
|
|
|
for _, commit := range commitList {
|
2019-12-15 20:06:31 +09:00
|
|
|
verification := ParseCommitWithSignature(commit)
|
|
|
|
if !verification.Verified {
|
2020-09-20 01:44:55 +09:00
|
|
|
return false, "", nil, &ErrWontSign{commitsSigned}
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-09-20 01:44:55 +09:00
|
|
|
return true, signingKey, signer, nil
|
2019-12-15 20:06:31 +09:00
|
|
|
}
|