add verification_status: same_user_different_email

this is used to make a difference between a committer email that belongs to user, where the user used a different email for the gpg key. this means that the user is the same, but a different, unverified email is used for the signature.
2017-08-24 14:21:42 +02:00 · 2017-08-24 14:21:42 +02:00 · 00392d929b
parent 2a89037b63
commit 00392d929b
3 changed files with 48 additions and 5 deletions
--- a/app/models/gpg_signature.rb
+++ b/app/models/gpg_signature.rb
@ -7,9 +7,10 @@ class GpgSignature < ActiveRecord::Base
  enum verification_status: {
    unverified: 0,
    verified: 1,
-    other_user: 2,
-    unverified_key: 3,
-    unknown_key: 4
+    same_user_different_email: 2,
+    other_user: 3,
+    unverified_key: 4,
+    unknown_key: 5
  }

  belongs_to :project
--- a/lib/gitlab/gpg/commit.rb
+++ b/lib/gitlab/gpg/commit.rb
@ -85,6 +85,8 @@ module Gitlab
      def verification_status(gpg_key)
        if gpg_key && gpg_key.verified_and_belongs_to_email?(@commit.committer_email) && verified_signature.valid?
          GpgSignature.verification_statuses[:verified]
+        elsif gpg_key && gpg_key.verified? && verified_signature.valid? && gpg_key.user.all_emails.include?(@commit.committer_email)
+          GpgSignature.verification_statuses[:same_user_different_email]
        elsif gpg_key && gpg_key.verified? && verified_signature.valid?
          GpgSignature.verification_statuses[:other_user]
        elsif gpg_key
--- a/spec/lib/gitlab/gpg/commit_spec.rb
+++ b/spec/lib/gitlab/gpg/commit_spec.rb
@ -28,7 +28,7 @@ describe Gitlab::Gpg::Commit do

    context 'known key' do
      context 'user matches the key uid' do
-        context 'user matches the committer' do
+        context 'user email matches the email committer' do
          let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User1.emails.first }

          let!(:user) { create(:user, email: GpgHelpers::User1.emails.first) }
@ -64,7 +64,47 @@ describe Gitlab::Gpg::Commit do
          it_behaves_like 'returns the cached signature on second call'
        end

-        context 'user does not match the committer' do
+        context 'user email does not match the committer email, but is the same user' do
+          let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }
+
+          let(:user) do
+            create(:user, email: GpgHelpers::User1.emails.first).tap do |user|
+              create :email, user: user, email: GpgHelpers::User2.emails.first
+            end
+          end
+
+          let!(:gpg_key) do
+            create :gpg_key, key: GpgHelpers::User1.public_key, user: user
+          end
+
+          before do
+            allow(Rugged::Commit).to receive(:extract_signature)
+            .with(Rugged::Repository, commit_sha)
+            .and_return(
+              [
+                GpgHelpers::User1.signed_commit_signature,
+                GpgHelpers::User1.signed_commit_base_data
+              ]
+            )
+          end
+
+          it 'returns an invalid signature' do
+            expect(described_class.new(commit).signature).to have_attributes(
+              commit_sha: commit_sha,
+              project: project,
+              gpg_key: gpg_key,
+              gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+              gpg_key_user_name: GpgHelpers::User1.names.first,
+              gpg_key_user_email: GpgHelpers::User1.emails.first,
+              valid_signature: false,
+              verification_status: 'same_user_different_email'
+            )
+          end
+
+          it_behaves_like 'returns the cached signature on second call'
+        end
+
+        context 'user email does not match the committer email' do
          let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }

          let(:user) { create(:user, email: GpgHelpers::User1.emails.first) }