Skip GPG signature rule if change is applied from inside the web app

bde07947 · Rubén Dávila · 7e046a8d · bde07947 · bde07947
Commit bde07947 authored Oct 03, 2017 by Rubén Dávila
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 6 deletions

lib/gitlab/checks/change_access.rb lib/gitlab/checks/change_access.rb +10 -6

spec/lib/gitlab/checks/change_access_spec.rb spec/lib/gitlab/checks/change_access_spec.rb +8 -0

No files found.
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -82,7 +82,7 @@ module Gitlab
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch]
        end

-        unless protocol == 'web'
+        unless updated_from_web?
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch]
        end
      end
@@ -122,6 +122,10 @@ module Gitlab

      private

+      def updated_from_web?
+        protocol == 'web'
+      end
+
      def tag_exists?
        project.repository.tag_exists?(@tag_name)
      end
@@ -187,7 +191,7 @@ module Gitlab

      def tag_deletion_denied_by_push_rule?(push_rule)
        push_rule.try(:deny_delete_tag) &&
-          protocol != 'web' &&
+          !updated_from_web? &&
          deletion? &&
          tag_exists?
      end
@@ -196,10 +200,6 @@ module Gitlab
      # This method should return nil if no error found or a string if error.
      # In case of errors - all other checks will be canceled and push will be rejected.
      def check_commit(commit, push_rule)
-        unless push_rule.commit_signature_allowed?(commit)
-          return "Commit must be signed with a GPG key"
-        end
-
        unless push_rule.commit_message_allowed?(commit.safe_message)
          return "Commit message does not follow the pattern '#{push_rule.commit_message_regex}'"
        end
@@ -212,6 +212,10 @@ module Gitlab
          return "Author's email '#{commit.author_email}' does not follow the pattern '#{push_rule.author_email_regex}'"
        end

+        if !updated_from_web? && !push_rule.commit_signature_allowed?(commit)
+          return "Commit must be signed with a GPG key"
+        end
+
        # Check whether author is a GitLab member
        if push_rule.member_check
          unless User.existing_member?(commit.author_email.downcase)

--- a/spec/lib/gitlab/checks/change_access_spec.rb
+++ b/spec/lib/gitlab/checks/change_access_spec.rb
@@ -392,6 +392,14 @@ describe Gitlab::Checks::ChangeAccess do
            it 'returns an error' do
              expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "Commit must be signed with a GPG key")
            end
+
+            context 'but the change is made in the web application' do
+              let(:protocol) { 'web' }
+
+              it 'does not return an error' do
+                expect { subject }.not_to raise_error
+              end
+            end
          end

          context 'and commit is signed' do