Merge branch 'feat/x509-signatures-api-endpoint' into 'master'

Add api endpoint to get x509 signature

See merge request gitlab-org/gitlab!28590

changelogs/unreleased/feat-x509-signatures-api-endpoint.yml

+---
+title: Add api endpoint to get x509 signature
+merge_request: 28590
+author: Roger Meier
+type: added

doc/api/commits.md

@@ -741,19 +741,43 @@ Parameters:
 curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/repository/commits/da738facbc19eb2fc2cef57c49be0e6038570352/signature"
 ```
 
-Example response if commit is signed:
+Example response if commit is GPG signed:
 
 ```json
 {
+  "signature_type": "PGP",
+  "verification_status": "verified",
   "gpg_key_id": 1,
   "gpg_key_primary_keyid": "8254AAB3FBD54AC9",
   "gpg_key_user_name": "John Doe",
   "gpg_key_user_email": "johndoe@example.com",
-  "verification_status": "verified",
   "gpg_key_subkey_id": null
 }
 ```
 
+Example response if commit is x509 signed:
+
+```json
+{
+  "signature_type": "X509",
+  "verification_status": "unverified",
+  "x509_certificate": {
+    "id": 1,
+    "subject": "CN=gitlab@example.org,OU=Example,O=World",
+    "subject_key_identifier": "BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC:BC",
+    "email": "gitlab@example.org",
+    "serial_number": 278969561018901340486471282831158785578,
+    "certificate_status": "good",
+    "x509_issuer": {
+      "id": 1,
+      "subject": "CN=PKI,OU=Example,O=World",
+      "subject_key_identifier": "AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB",
+      "crl_url": "http://example.com/pki.crl"
+    }
+  }
+}
+```
+
 Example response if commit is unsigned:
 
 ```json

lib/api/commits.rb

@@ -356,7 +356,7 @@ module API
         present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
       end
 
-      desc "Get a commit's GPG signature" do
+      desc "Get a commit's signature" do
         success Entities::CommitSignature
       end
       params do
@@ -365,11 +365,9 @@ module API
       get ':id/repository/commits/:sha/signature', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
         commit = user_project.commit(params[:sha])
         not_found! 'Commit' unless commit
+        not_found! 'Signature' unless commit.has_signature?
 
-        signature = commit.signature
-        not_found! 'GPG Signature' unless signature
-
-        present signature, with: Entities::CommitSignature
+        present commit, with: Entities::CommitSignature
       end
     end
   end

lib/api/entities/commit_signature.rb

@@ -3,10 +3,14 @@
 module API
   module Entities
     class CommitSignature < Grape::Entity
-      expose :gpg_key_id
-      expose :gpg_key_primary_keyid, :gpg_key_user_name, :gpg_key_user_email
-      expose :verification_status
-      expose :gpg_key_subkey_id
+      expose :signature_type
+      expose :signature, merge: true do |commit, options|
+        if commit.signature.is_a?(GpgSignature)
+          ::API::Entities::GpgCommitSignature.represent commit.signature, options
+        elsif commit.signature.is_a?(X509CommitSignature)
+          ::API::Entities::X509Signature.represent commit.signature, options
+        end
+      end
     end
   end
 end

lib/api/entities/gpg_commit_signature.rb

+# frozen_string_literal: true
+
+module API
+  module Entities
+    class GpgCommitSignature < Grape::Entity
+      expose :verification_status
+      expose :gpg_key_id
+      expose :gpg_key_primary_keyid, :gpg_key_user_name, :gpg_key_user_email
+      expose :gpg_key_subkey_id
+    end
+  end
+end

lib/api/entities/x509_certificate.rb

+# frozen_string_literal: true
+
+module API
+  module Entities
+    class X509Certificate < Grape::Entity
+      expose :id
+      expose :subject
+      expose :subject_key_identifier
+      expose :email
+      expose :serial_number
+      expose :certificate_status
+      expose :x509_issuer, using: 'API::Entities::X509Issuer'
+    end
+  end
+end

lib/api/entities/x509_issuer.rb

+# frozen_string_literal: true
+
+module API
+  module Entities
+    class X509Issuer < Grape::Entity
+      expose :id
+      expose :subject
+      expose :subject_key_identifier
+      expose :crl_url
+    end
+  end
+end

lib/api/entities/x509_signature.rb

+# frozen_string_literal: true
+
+module API
+  module Entities
+    class X509Signature < Grape::Entity
+      expose :verification_status
+      expose :x509_certificate, using: 'API::Entities::X509Certificate'
+    end
+  end
+end

spec/requests/api/commits_spec.rb

@@ -1889,11 +1889,11 @@ describe API::Commits do
     context 'unsigned commit' do
       it_behaves_like '404 response' do
         let(:request) { get api(route, current_user) }
-        let(:message) { '404 GPG Signature Not Found'}
+        let(:message) { '404 Signature Not Found'}
       end
     end
 
-    context 'signed commit' do
+    context 'gpg signed commit' do
       let(:commit) { project.repository.commit(GpgHelpers::SIGNED_COMMIT_SHA) }
       let(:commit_id) { commit.id }
 
@@ -1901,11 +1901,35 @@ describe API::Commits do
         get api(route, current_user)
 
         expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['signature_type']).to eq('PGP')
         expect(json_response['gpg_key_id']).to eq(commit.signature.gpg_key_id)
         expect(json_response['gpg_key_subkey_id']).to eq(commit.signature.gpg_key_subkey_id)
         expect(json_response['gpg_key_primary_keyid']).to eq(commit.signature.gpg_key_primary_keyid)
         expect(json_response['verification_status']).to eq(commit.signature.verification_status)
       end
     end
+
+    context 'x509 signed commit' do
+      let(:commit) { project.repository.commit_by(oid: '189a6c924013fc3fe40d6f1ec1dc20214183bc97') }
+      let(:commit_id) { commit.id }
+
+      it 'returns correct JSON' do
+        get api(route, current_user)
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['signature_type']).to eq('X509')
+        expect(json_response['verification_status']).to eq(commit.signature.verification_status)
+        expect(json_response['x509_certificate']['id']).to eq(commit.signature.x509_certificate.id)
+        expect(json_response['x509_certificate']['subject']).to eq(commit.signature.x509_certificate.subject)
+        expect(json_response['x509_certificate']['subject_key_identifier']).to eq(commit.signature.x509_certificate.subject_key_identifier)
+        expect(json_response['x509_certificate']['email']).to eq(commit.signature.x509_certificate.email)
+        expect(json_response['x509_certificate']['serial_number']).to eq(commit.signature.x509_certificate.serial_number)
+        expect(json_response['x509_certificate']['certificate_status']).to eq(commit.signature.x509_certificate.certificate_status)
+        expect(json_response['x509_certificate']['x509_issuer']['id']).to eq(commit.signature.x509_certificate.x509_issuer.id)
+        expect(json_response['x509_certificate']['x509_issuer']['subject']).to eq(commit.signature.x509_certificate.x509_issuer.subject)
+        expect(json_response['x509_certificate']['x509_issuer']['subject_key_identifier']).to eq(commit.signature.x509_certificate.x509_issuer.subject_key_identifier)
+        expect(json_response['x509_certificate']['x509_issuer']['crl_url']).to eq(commit.signature.x509_certificate.x509_issuer.crl_url)
+      end
+    end
   end
 end