From 30cb91b35dc99b091ac603af81b42e537ba71e19 Mon Sep 17 00:00:00 2001 From: Jerry Seto Date: Tue, 30 Sep 2025 14:53:12 -0400 Subject: [PATCH] Cleanup gpg_commit_delegate_to_signature feature flag Changelog: other --- .../gpg_commit_delegate_to_signature.yml | 10 - lib/gitlab/gpg/commit.rb | 43 +- spec/lib/gitlab/gpg/commit_spec.rb | 563 +++++++++--------- 3 files changed, 276 insertions(+), 340 deletions(-) delete mode 100644 config/feature_flags/gitlab_com_derisk/gpg_commit_delegate_to_signature.yml diff --git a/config/feature_flags/gitlab_com_derisk/gpg_commit_delegate_to_signature.yml b/config/feature_flags/gitlab_com_derisk/gpg_commit_delegate_to_signature.yml deleted file mode 100644 index cd18f7b9984cd4..00000000000000 --- a/config/feature_flags/gitlab_com_derisk/gpg_commit_delegate_to_signature.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -name: gpg_commit_delegate_to_signature -description: -feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/19260 -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200870 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/560641 -milestone: '18.4' -group: group::source code -type: gitlab_com_derisk -default_enabled: false diff --git a/lib/gitlab/gpg/commit.rb b/lib/gitlab/gpg/commit.rb index 568b8d9836a20d..df5fa5cfc92cda 100644 --- a/lib/gitlab/gpg/commit.rb +++ b/lib/gitlab/gpg/commit.rb @@ -4,13 +4,7 @@ module Gitlab module Gpg class Commit < Gitlab::Repositories::BaseSignedCommit def update_signature!(cached_signature) - if using_signature_class? - update_signature_with_keychain!(cached_signature, gpg_signature.gpg_key) - else - using_keychain do |gpg_key| - update_signature_with_keychain!(cached_signature, gpg_key) - end - end + update_signature_with_keychain!(cached_signature, gpg_signature.gpg_key) end def update_signature_with_keychain!(cached_signature, gpg_key) 
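Review bot: `update_signature!` now has a single path, but nothing at the call site says where key lookup and verification happen, and the helper it calls is still named `update_signature_with_keychain!` although no keychain block is opened here. A one-line comment above the call would help, for example `# Key lookup and verification are delegated to Gitlab::Gpg::Signature; gpg_key may be nil when the signing key is unknown`. The nil case is inferred from the 'unknown key' spec context rather than from this hunk. The body of `update_signature_with_keychain!` lies outside the hunk, so confirm that it tolerates a nil key.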
@@ -57,21 +51,12 @@ def verified_signature end def create_cached_signature! - if using_signature_class? - return unless gpg_signature.fingerprint + return unless gpg_signature.fingerprint - attributes = attributes(gpg_signature.gpg_key) - return CommitSignatures::GpgSignature.new(attributes) if Gitlab::Database.read_only? + attributes = attributes(gpg_signature.gpg_key) + return CommitSignatures::GpgSignature.new(attributes) if Gitlab::Database.read_only? - CommitSignatures::GpgSignature.safe_create!(attributes) - else - using_keychain do |gpg_key| - attributes = attributes(gpg_key) - break CommitSignatures::GpgSignature.new(attributes) if Gitlab::Database.read_only? - - CommitSignatures::GpgSignature.safe_create!(attributes) - end - end + CommitSignatures::GpgSignature.safe_create!(attributes) end def gpg_signatures @@ -101,16 +86,10 @@ def attributes(gpg_key) project: project, gpg_key: gpg_key, gpg_key_user_name: user_infos[:name], - gpg_key_user_email: gpg_key_user_email(user_infos, verification_status) - }.tap do |attrs| - if using_signature_class? - attrs[:gpg_key_primary_keyid] = gpg_key&.keyid || gpg_signature.fingerprint - attrs[:verification_status] = gpg_signature.verification_status - else - attrs[:gpg_key_primary_keyid] = gpg_key&.keyid || verified_signature&.fingerprint - attrs[:verification_status] = verification_status - end - end + gpg_key_user_email: gpg_key_user_email(user_infos, verification_status), + gpg_key_primary_keyid: gpg_key&.keyid || gpg_signature.fingerprint, + verification_status: gpg_signature.verification_status + } end def verification_status(gpg_key) @@ -161,10 +140,6 @@ def gpg_signature ::Gitlab::Gpg::Signature.new(signature_text, signed_text, signer, @commit.committer_email) end strong_memoize_attr :gpg_signature - - def using_signature_class? - Feature.enabled?(:gpg_commit_delegate_to_signature, project) - end end end end 
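Review bot: In `create_cached_signature!` the local `attributes` shadows the `attributes(gpg_key)` method it is assigned from, which only parses as a call because of the parentheses and is easy to misread. Renaming the local, `signature_attributes = attributes(gpg_signature.gpg_key)`, and using that name in the two lines below keeps the method visible. The early `return unless gpg_signature.fingerprint` also deserves a short comment such as `# no fingerprint: verification yielded no usable signature, so nothing is cached`. Word it as an assumption, since `Gitlab::Gpg::Signature#fingerprint` is not shown in this diff.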
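Review bot: The rebuilt hash in `attributes` takes the persisted `verification_status` from `gpg_signature.verification_status`, while `gpg_key_user_email(user_infos, verification_status)` two lines above still receives a status that appears to come from this class's own `verification_status(gpg_key)`. That assignment sits above the hunk, so this is inferred. If the two computations ever disagree, the stored e-mail would be chosen under a different status than the one saved and presented as the verification result. Consider reading the status once, `status = gpg_signature.verification_status`, and passing `status` both to `gpg_key_user_email` and to the `verification_status:` key. If that leaves `verification_status(gpg_key)` and `verified_signature` without callers, they can be removed in the same cleanup.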
diff --git a/spec/lib/gitlab/gpg/commit_spec.rb b/spec/lib/gitlab/gpg/commit_spec.rb index 16b3cfe84b2dd4..856a90b75e387f 100644 --- a/spec/lib/gitlab/gpg/commit_spec.rb +++ b/spec/lib/gitlab/gpg/commit_spec.rb @@ -26,8 +26,6 @@ } end - let(:use_signature_class) { true } - before do if mock_signature_data? allow(Gitlab::Git::Commit).to receive(:extract_signature_lazily) 
@@ -36,114 +34,70 @@ end end - shared_examples_for 'gpg commit' do |use_signature_class| - before do - stub_feature_flags(gpg_commit_delegate_to_signature: use_signature_class) - end - - describe '#signature' do - shared_examples 'returns the cached signature on second call' do |testing_signature_class| - if testing_signature_class - it 'returns the cached signature on second call' do - gpg_commit = described_class.new(commit) - - expect_next_instance_of(Gitlab::Gpg::Signature) do |signature| - expect(signature).to receive(:using_keychain).once.and_call_original - end - - 2.times do - gpg_commit.signature - end - end - else - context 'when the gpg_commit_delegate_to_signature feature flag is not enabled' do - it 'returns the cached signature on second call' do - gpg_commit = described_class.new(commit) + describe '#signature' do + shared_examples 'returns the cached signature on second call' do |_testing_signature_class| + it 'returns the cached signature on second call' do + gpg_commit = described_class.new(commit) - expect(gpg_commit).to receive(:using_keychain).and_call_original - gpg_commit.signature + expect_next_instance_of(Gitlab::Gpg::Signature) do |signature| + expect(signature).to receive(:using_keychain).once.and_call_original + end - # consecutive call - expect(gpg_commit).not_to receive(:using_keychain).and_call_original - gpg_commit.signature - end - end + 2.times do + gpg_commit.signature end end + end - context 'unsigned commit' do - let(:signature_data) { nil } + context 'unsigned commit' do + let(:signature_data) { nil } - it 'returns nil' do - expect(described_class.new(commit).signature).to be_nil - end + it 'returns nil' do + expect(described_class.new(commit).signature).to be_nil end + end - context 'invalid signature' do - let(:signature_data) do - { - # Corrupt the key - signature: GpgHelpers::User1.signed_commit_signature.tr('=', 'a'), - signed_text: GpgHelpers::User1.signed_commit_base_data, - signer: signer - } - end - - it 'returns nil' 
do - expect(described_class.new(commit).signature).to be_nil - end + context 'invalid signature' do + let(:signature_data) do + { + # Corrupt the key + signature: GpgHelpers::User1.signed_commit_signature.tr('=', 'a'), + signed_text: GpgHelpers::User1.signed_commit_base_data, + signer: signer + } end - context 'known key' do - context 'user matches the key uid' do - context 'user email matches the email committer' do - it 'returns a valid signature' do - signature = described_class.new(commit).signature + it 'returns nil' do + expect(described_class.new(commit).signature).to be_nil + end + end - expect(signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'verified' - ) - expect(signature.persisted?).to be_truthy - end + context 'known key' do + context 'user matches the key uid' do + context 'user email matches the email committer' do + it 'returns a valid signature' do + signature = described_class.new(commit).signature - it_behaves_like 'returns the cached signature on second call', use_signature_class - - context 'read-only mode' do - before do - allow(Gitlab::Database).to receive(:read_only?).and_return(true) - end - - it 'does not create a cached signature' do - signature = described_class.new(commit).signature - - expect(signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'verified' - ) - expect(signature.persisted?).to be_falsey - end - end + expect(signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + 
gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: GpgHelpers::User1.emails.first, + verification_status: 'verified' + ) + expect(signature.persisted?).to be_truthy end - context 'valid key signed using recent version of Gnupg' do + it_behaves_like 'returns the cached signature on second call' + + context 'read-only mode' do before do - verified_signature = double('verified-signature', fingerprint: GpgHelpers::User1.fingerprint, valid?: true) - allow(GPGME::Crypto).to receive(:new).and_return(crypto) - allow(crypto).to receive(:verify).and_yield(verified_signature) + allow(Gitlab::Database).to receive(:read_only?).and_return(true) end - it 'returns a valid signature' do + it 'does not create a cached signature' do signature = described_class.new(commit).signature expect(signature).to have_attributes( 
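Review bot: The shared example `'returns the cached signature on second call'` keeps a block parameter, `|_testing_signature_class|`, that no caller passes any more; every `it_behaves_like` for it in this diff is now invoked without an argument. Drop the parameter so the declaration reads `shared_examples 'returns the cached signature on second call' do`. The hunk ends inside the 'read-only mode' example, so the rest of that context is not visible here.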
@@ -155,156 +109,160 @@ gpg_key_user_email: GpgHelpers::User1.emails.first, verification_status: 'verified' ) + expect(signature.persisted?).to be_falsey end end + end - context 'valid key signed using older version of Gnupg' do - before do - keyid = GpgHelpers::User1.fingerprint.last(16) - verified_signature = double('verified-signature', fingerprint: keyid, valid?: true) - allow(GPGME::Crypto).to receive(:new).and_return(crypto) - allow(crypto).to receive(:verify).and_yield(verified_signature) - end - - it 'returns a valid signature' do - signature = described_class.new(commit).signature - - expect(signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'verified' - ) - end + context 'valid key signed using recent version of Gnupg' do + before do + verified_signature = double('verified-signature', fingerprint: GpgHelpers::User1.fingerprint, valid?: true) + allow(GPGME::Crypto).to receive(:new).and_return(crypto) + allow(crypto).to receive(:verify).and_yield(verified_signature) end - context 'commit with multiple signatures' do - before do - verified_signature = double('verified-signature', fingerprint: GpgHelpers::User1.fingerprint, valid?: true) - allow(GPGME::Crypto).to receive(:new).and_return(crypto) - allow(crypto).to receive(:verify).and_yield(verified_signature).and_yield(verified_signature) - end + it 'returns a valid signature' do + signature = described_class.new(commit).signature - it 'returns an invalid signatures error' do - signature = described_class.new(commit).signature + expect(signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: 
GpgHelpers::User1.emails.first, + verification_status: 'verified' + ) + end + end - expect(signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'multiple_signatures' - ) - end + context 'valid key signed using older version of Gnupg' do + before do + keyid = GpgHelpers::User1.fingerprint.last(16) + verified_signature = double('verified-signature', fingerprint: keyid, valid?: true) + allow(GPGME::Crypto).to receive(:new).and_return(crypto) + allow(crypto).to receive(:verify).and_yield(verified_signature) end - context 'commit signed with a subkey' do - let(:committer_email) { GpgHelpers::User3.emails.first } - let(:public_key) { GpgHelpers::User3.public_key } + it 'returns a valid signature' do + signature = described_class.new(commit).signature - let(:gpg_key_subkey) do - gpg_key.subkeys.find_by(fingerprint: GpgHelpers::User3.subkey_fingerprints.last) - end + expect(signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: GpgHelpers::User1.emails.first, + verification_status: 'verified' + ) + end + end - let(:signature_data) do - { - signature: GpgHelpers::User3.signed_commit_signature, - signed_text: GpgHelpers::User3.signed_commit_base_data, - signer: signer - } - end + context 'commit with multiple signatures' do + before do + verified_signature = double('verified-signature', fingerprint: GpgHelpers::User1.fingerprint, valid?: true) + allow(GPGME::Crypto).to receive(:new).and_return(crypto) + allow(crypto).to receive(:verify).and_yield(verified_signature).and_yield(verified_signature) + end - it 'returns a valid signature' do - 
expect(described_class.new(commit).signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key_subkey, - gpg_key_primary_keyid: gpg_key_subkey.keyid, - gpg_key_user_name: GpgHelpers::User3.names.first, - gpg_key_user_email: GpgHelpers::User3.emails.first, - verification_status: 'verified' - ) - end + it 'returns an invalid signatures error' do + signature = described_class.new(commit).signature - it_behaves_like 'returns the cached signature on second call', use_signature_class + expect(signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: GpgHelpers::User1.emails.first, + verification_status: 'multiple_signatures' + ) end + end - context 'gpg key email does not match the committer_email but is the same user when the committer_email belongs to the user as a confirmed secondary email' do - let(:committer_email) { GpgHelpers::User2.emails.first } + context 'commit signed with a subkey' do + let(:committer_email) { GpgHelpers::User3.emails.first } + let(:public_key) { GpgHelpers::User3.public_key } - let(:user) do - create(:user, email: GpgHelpers::User1.emails.first).tap do |user| - create :email, :confirmed, user: user, email: committer_email - end - end + let(:gpg_key_subkey) do + gpg_key.subkeys.find_by(fingerprint: GpgHelpers::User3.subkey_fingerprints.last) + end - it 'returns an invalid signature' do - expect(described_class.new(commit).signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'same_user_different_email' - ) - end + let(:signature_data) do + { + signature: GpgHelpers::User3.signed_commit_signature, + signed_text: 
GpgHelpers::User3.signed_commit_base_data, + signer: signer + } + end - it_behaves_like 'returns the cached signature on second call', use_signature_class + it 'returns a valid signature' do + expect(described_class.new(commit).signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key_subkey, + gpg_key_primary_keyid: gpg_key_subkey.keyid, + gpg_key_user_name: GpgHelpers::User3.names.first, + gpg_key_user_email: GpgHelpers::User3.emails.first, + verification_status: 'verified' + ) end - context 'gpg key email does not match the committer_email when the committer_email belongs to the user as a unconfirmed secondary email' do - let(:committer_email) { GpgHelpers::User2.emails.first } + it_behaves_like 'returns the cached signature on second call' + end - let(:user) do - create(:user, email: GpgHelpers::User1.emails.first).tap do |user| - create :email, user: user, email: committer_email - end - end + context 'gpg key email does not match the committer_email but is the same user when the committer_email belongs to the user as a confirmed secondary email' do + let(:committer_email) { GpgHelpers::User2.emails.first } - it 'returns an invalid signature' do - expect(described_class.new(commit).signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'other_user' - ) + let(:user) do + create(:user, email: GpgHelpers::User1.emails.first).tap do |user| + create :email, :confirmed, user: user, email: committer_email end + end - it_behaves_like 'returns the cached signature on second call', use_signature_class + it 'returns an invalid signature' do + expect(described_class.new(commit).signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key, + gpg_key_primary_keyid: 
GpgHelpers::User1.primary_keyid, + gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: GpgHelpers::User1.emails.first, + verification_status: 'same_user_different_email' + ) end - context 'user email does not match the committer email' do - let(:committer_email) { GpgHelpers::User2.emails.first } - let(:user_email) { GpgHelpers::User1.emails.first } + it_behaves_like 'returns the cached signature on second call' + end - it 'returns an invalid signature' do - expect(described_class.new(commit).signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: gpg_key, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: GpgHelpers::User1.names.first, - gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'other_user' - ) + context 'gpg key email does not match the committer_email when the committer_email belongs to the user as a unconfirmed secondary email' do + let(:committer_email) { GpgHelpers::User2.emails.first } + + let(:user) do + create(:user, email: GpgHelpers::User1.emails.first).tap do |user| + create :email, user: user, email: committer_email end + end - it_behaves_like 'returns the cached signature on second call', use_signature_class + it 'returns an invalid signature' do + expect(described_class.new(commit).signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: gpg_key, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: GpgHelpers::User1.emails.first, + verification_status: 'other_user' + ) end + + it_behaves_like 'returns the cached signature on second call' end - context 'user does not match the key uid' do - let(:user_email) { GpgHelpers::User2.emails.first } - let(:public_key) { GpgHelpers::User1.public_key } + context 'user email does not match the committer email' do + let(:committer_email) { GpgHelpers::User2.emails.first } + let(:user_email) { 
GpgHelpers::User1.emails.first } it 'returns an invalid signature' do expect(described_class.new(commit).signature).to have_attributes( 
@@ -314,63 +272,100 @@ gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, gpg_key_user_name: GpgHelpers::User1.names.first, gpg_key_user_email: GpgHelpers::User1.emails.first, - verification_status: 'unverified_key' + verification_status: 'other_user' ) end - it_behaves_like 'returns the cached signature on second call', use_signature_class + it_behaves_like 'returns the cached signature on second call' end end - context 'unknown key' do - let(:gpg_key) { nil } + context 'user does not match the key uid' do + let(:user_email) { GpgHelpers::User2.emails.first } + let(:public_key) { GpgHelpers::User1.public_key } it 'returns an invalid signature' do expect(described_class.new(commit).signature).to have_attributes( commit_sha: commit_sha, project: project, - gpg_key: nil, + gpg_key: gpg_key, gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: nil, - gpg_key_user_email: nil, - verification_status: 'unknown_key' + gpg_key_user_name: GpgHelpers::User1.names.first, + gpg_key_user_email: GpgHelpers::User1.emails.first, + verification_status: 'unverified_key' ) end - it_behaves_like 'returns the cached signature on second call', use_signature_class + it_behaves_like 'returns the cached signature on second call' end + end - context 'multiple commits with signatures' do - let(:mock_signature_data?) 
{ false } + context 'unknown key' do + let(:gpg_key) { nil } + + it 'returns an invalid signature' do + expect(described_class.new(commit).signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: nil, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + gpg_key_user_name: nil, + gpg_key_user_email: nil, + verification_status: 'unknown_key' + ) + end - let!(:first_signature) { create(:gpg_signature) } - let!(:gpg_key) { create(:gpg_key, key: GpgHelpers::User2.public_key) } - let!(:second_signature) { create(:gpg_signature, gpg_key: gpg_key) } - let!(:first_commit) { create(:commit, project: project, sha: first_signature.commit_sha) } - let!(:second_commit) { create(:commit, project: project, sha: second_signature.commit_sha) } + it_behaves_like 'returns the cached signature on second call' + end - let!(:commits) do - [first_commit, second_commit].map do |commit| - gpg_commit = described_class.new(commit) + context 'multiple commits with signatures' do + let(:mock_signature_data?) 
{ false } - allow(gpg_commit).to receive(:has_signature?).and_return(true) + let!(:first_signature) { create(:gpg_signature) } + let!(:gpg_key) { create(:gpg_key, key: GpgHelpers::User2.public_key) } + let!(:second_signature) { create(:gpg_signature, gpg_key: gpg_key) } + let!(:first_commit) { create(:commit, project: project, sha: first_signature.commit_sha) } + let!(:second_commit) { create(:commit, project: project, sha: second_signature.commit_sha) } - gpg_commit - end - end + let!(:commits) do + [first_commit, second_commit].map do |commit| + gpg_commit = described_class.new(commit) - it 'does an aggregated sql request instead of 2 separate ones' do - recorder = ActiveRecord::QueryRecorder.new do - commits.each(&:signature) - end + allow(gpg_commit).to receive(:has_signature?).and_return(true) - expect(recorder.count).to eq(1) + gpg_commit end end - context 'when signature created by GitLab' do - let(:signer) { :SIGNER_SYSTEM } - let(:gpg_key) { nil } + it 'does an aggregated sql request instead of 2 separate ones' do + recorder = ActiveRecord::QueryRecorder.new do + commits.each(&:signature) + end + + expect(recorder.count).to eq(1) + end + end + + context 'when signature created by GitLab' do + let(:signer) { :SIGNER_SYSTEM } + let(:gpg_key) { nil } + + it 'returns a valid signature' do + expect(described_class.new(commit).signature).to have_attributes( + commit_sha: commit_sha, + project: project, + gpg_key: nil, + gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, + gpg_key_user_name: nil, + gpg_key_user_email: user_email, + verification_status: 'verified_system' + ) + end + + context 'when check_for_mailmapped_commit_emails feature flag is disabled' do + before do + stub_feature_flags(check_for_mailmapped_commit_emails: false) + end it 'returns a valid signature' do expect(described_class.new(commit).signature).to have_attributes( 
@@ -379,85 +374,61 @@ gpg_key: nil, gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, gpg_key_user_name: nil, - gpg_key_user_email: user_email, + gpg_key_user_email: nil, verification_status: 'verified_system' ) end + end - context 'when check_for_mailmapped_commit_emails feature flag is disabled' do - before do - stub_feature_flags(check_for_mailmapped_commit_emails: false) - end + it_behaves_like 'returns the cached signature on second call' + end + end - it 'returns a valid signature' do - expect(described_class.new(commit).signature).to have_attributes( - commit_sha: commit_sha, - project: project, - gpg_key: nil, - gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid, - gpg_key_user_name: nil, - gpg_key_user_email: nil, - verification_status: 'verified_system' - ) - end - end + describe '#update_signature!' do + let!(:gpg_key) { nil } - it_behaves_like 'returns the cached signature on second call', use_signature_class - end - end + let(:signature) { described_class.new(commit).signature } - describe '#update_signature!' 
do - let!(:gpg_key) { nil } + it 'updates signature record' do + signature - let(:signature) { described_class.new(commit).signature } + create(:gpg_key, key: public_key, user: user) - it 'updates signature record' do - signature + stored_signature = CommitSignatures::GpgSignature.find_by_commit_sha(commit_sha) + expect { described_class.new(commit).update_signature!(stored_signature) }.to( + change { signature.reload.verification_status }.from('unknown_key').to('verified') + ) + end - create(:gpg_key, key: public_key, user: user) + context 'when signature is system verified and gpg_key_user_email is nil' do + let(:signer) { :SIGNER_SYSTEM } + + it 'update gpg_key_user_email with signature_data author_email' do + signature stored_signature = CommitSignatures::GpgSignature.find_by_commit_sha(commit_sha) + stored_signature.update!(gpg_key_user_email: nil) + expect { described_class.new(commit).update_signature!(stored_signature) }.to( - change { signature.reload.verification_status }.from('unknown_key').to('verified') + change { signature.reload.gpg_key_user_email }.from(nil).to(user_email) ) end - context 'when signature is system verified and gpg_key_user_email is nil' do - let(:signer) { :SIGNER_SYSTEM } + context 'when check_for_mailmapped_commit_emails feature flag is disabled' do + before do + stub_feature_flags(check_for_mailmapped_commit_emails: false) + end - it 'update gpg_key_user_email with signature_data author_email' do + it 'does not update gpg_key_user_email with signature_data author_email' do signature stored_signature = CommitSignatures::GpgSignature.find_by_commit_sha(commit_sha) stored_signature.update!(gpg_key_user_email: nil) expect { described_class.new(commit).update_signature!(stored_signature) }.to( - change { signature.reload.gpg_key_user_email }.from(nil).to(user_email) - ) - end - - context 'when check_for_mailmapped_commit_emails feature flag is disabled' do - before do - stub_feature_flags(check_for_mailmapped_commit_emails: false) - 
end - - it 'does not update gpg_key_user_email with signature_data author_email' do - signature - - stored_signature = CommitSignatures::GpgSignature.find_by_commit_sha(commit_sha) - stored_signature.update!(gpg_key_user_email: nil) - - expect { described_class.new(commit).update_signature!(stored_signature) }.to( - not_change { signature.reload.gpg_key_user_email }) - end + not_change { signature.reload.gpg_key_user_email }) end end end end - - context 'when the gpg_commit_delegate_to_signature feature flag is not enabled' do - it_behaves_like 'gpg commit', false - end - - it_behaves_like 'gpg commit', true end -- GitLab