Add rake task to update x509 signatures

changelogs/unreleased/feat-x509-update-signatures-rake-task.yml

+---
+title: Add rake task to update x509 signatures
+merge_request: 28406
+author: Roger Meier
+type: added

doc/raketasks/README.md

@@ -36,3 +36,4 @@ The following are available Rake tasks:
 | [Uploads sanitize](../administration/raketasks/uploads/sanitize.md)                        | Remove EXIF data from images uploaded to earlier versions of GitLab.                      |
 | [User management](user_management.md)                                                      | Perform user management tasks.                                                            |
 | [Webhooks administration](web_hooks.md)                                                    | Maintain project Webhooks.                                                                |
+| [X509 signatures](x509_signatures.md)                                                      | Update x509 commit signatures, useful if certificate store has changed.                   |

doc/raketasks/x509_signatures.md

+# X509 signatures
+
+When [signing commits with x509](../user/project/repository/x509_signed_commits/index.md)
+the trust anchor might change and the signatures stored within the database have
+to be updated.
+
+## Update all x509 signatures
+
+This task loops through all X509 signed commits and updates their verification
+based on current certificate store.
+
+**Omnibus Installation**
+
+```shell
+sudo gitlab-rake gitlab:x509:update_signatures
+```
+
+**Source Installation**
+
+```shell
+sudo -u git -H bundle exec rake gitlab:x509:update_signatures RAILS_ENV=production
+```

lib/tasks/gitlab/x509/update.rake

+require 'logger'
+
+desc "GitLab | X509 | Update signatures when certificate store has changed"
+namespace :gitlab do
+  namespace :x509 do
+    task update_signatures: :environment do
+      update_certificates
+    end
+
+    def update_certificates
+      logger = Logger.new(STDOUT)
+
+      unless X509CommitSignature.exists?
+        logger.info("Unable to find any x509 commit signatures. Exiting.")
+        return
+      end
+
+      logger.info("Start to update x509 commit signatures")
+
+      X509CommitSignature.find_each do |sig|
+        sig.x509_commit&.update_signature!(sig)
+      end
+
+      logger.info("End update x509 commit signatures")
+    end
+  end
+end

spec/tasks/gitlab/x509/update_rake_spec.rb

+# frozen_string_literal: true
+
+require 'rake_helper'
+
+describe 'gitlab:x509 namespace rake task' do
+  before :all do
+    Rake.application.rake_require 'tasks/gitlab/x509/update'
+  end
+
+  describe 'update_signatures' do
+    subject { run_rake_task('gitlab:x509:update_signatures') }
+
+    let(:project) { create :project, :repository, path: X509Helpers::User1.path }
+    let(:x509_signed_commit) { project.commit_by(oid: '189a6c924013fc3fe40d6f1ec1dc20214183bc97') }
+    let(:x509_commit) { Gitlab::X509::Commit.new(x509_signed_commit).signature }
+
+    it 'changes from unverified to verified if the certificate store contains the root certificate' do
+      x509_commit
+
+      store = OpenSSL::X509::Store.new
+      certificate = OpenSSL::X509::Certificate.new X509Helpers::User1.trust_cert
+      store.add_cert(certificate)
+      allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
+
+      expect(x509_commit.verification_status).to eq('unverified')
+      expect_any_instance_of(Gitlab::X509::Commit).to receive(:update_signature!).and_call_original
+
+      subject
+
+      x509_commit.reload
+      expect(x509_commit.verification_status).to eq('verified')
+    end
+
+    it 'returns if no signature is available' do
+      expect_any_instance_of(Gitlab::X509::Commit) do |x509_commit|
+        expect(x509_commit).not_to receive(:update_signature!)
+
+        subject
+      end
+    end
+  end
+end