Commit bde07947 authored by Rubén Dávila's avatar Rubén Dávila

Skip GPG signature rule if change is applied from inside the web app

parent 7e046a8d
...@@ -82,7 +82,7 @@ module Gitlab ...@@ -82,7 +82,7 @@ module Gitlab
raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch] raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch]
end end
unless protocol == 'web' unless updated_from_web?
raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch] raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch]
end end
end end
...@@ -122,6 +122,10 @@ module Gitlab ...@@ -122,6 +122,10 @@ module Gitlab
private private
def updated_from_web?
protocol == 'web'
end
def tag_exists? def tag_exists?
project.repository.tag_exists?(@tag_name) project.repository.tag_exists?(@tag_name)
end end
...@@ -187,7 +191,7 @@ module Gitlab ...@@ -187,7 +191,7 @@ module Gitlab
def tag_deletion_denied_by_push_rule?(push_rule) def tag_deletion_denied_by_push_rule?(push_rule)
push_rule.try(:deny_delete_tag) && push_rule.try(:deny_delete_tag) &&
protocol != 'web' && !updated_from_web? &&
deletion? && deletion? &&
tag_exists? tag_exists?
end end
...@@ -196,10 +200,6 @@ module Gitlab ...@@ -196,10 +200,6 @@ module Gitlab
# This method should return nil if no error found or a string if error. # This method should return nil if no error found or a string if error.
# In case of errors - all other checks will be canceled and push will be rejected. # In case of errors - all other checks will be canceled and push will be rejected.
def check_commit(commit, push_rule) def check_commit(commit, push_rule)
unless push_rule.commit_signature_allowed?(commit)
return "Commit must be signed with a GPG key"
end
unless push_rule.commit_message_allowed?(commit.safe_message) unless push_rule.commit_message_allowed?(commit.safe_message)
return "Commit message does not follow the pattern '#{push_rule.commit_message_regex}'" return "Commit message does not follow the pattern '#{push_rule.commit_message_regex}'"
end end
...@@ -212,6 +212,10 @@ module Gitlab ...@@ -212,6 +212,10 @@ module Gitlab
return "Author's email '#{commit.author_email}' does not follow the pattern '#{push_rule.author_email_regex}'" return "Author's email '#{commit.author_email}' does not follow the pattern '#{push_rule.author_email_regex}'"
end end
if !updated_from_web? && !push_rule.commit_signature_allowed?(commit)
return "Commit must be signed with a GPG key"
end
# Check whether author is a GitLab member # Check whether author is a GitLab member
if push_rule.member_check if push_rule.member_check
unless User.existing_member?(commit.author_email.downcase) unless User.existing_member?(commit.author_email.downcase)
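Review bot: In `check_commit`, the new `!updated_from_web? &&` guard exempts every commit in a web-originated change from the GPG signature rule, not only a commit the web application itself created. `check_commit` is called from code outside this hunk, so it is worth confirming whether a web action can carry commits that were pushed elsewhere; if it can, unsigned commits would reach a branch the rule is meant to protect. `updated_from_web?` rests entirely on the `protocol` string, so the exemption is only as trustworthy as the callers that set that value. At minimum I would add a comment above the guard stating the reason and the scope, for example `# Commits created in the web UI cannot carry the user's GPG signature, so the rule is skipped when protocol is 'web'.`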
......
...@@ -392,6 +392,14 @@ describe Gitlab::Checks::ChangeAccess do ...@@ -392,6 +392,14 @@ describe Gitlab::Checks::ChangeAccess do
it 'returns an error' do it 'returns an error' do
expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "Commit must be signed with a GPG key") expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "Commit must be signed with a GPG key")
end end
context 'but the change is made in the web application' do
let(:protocol) { 'web' }
it 'does not return an error' do
expect { subject }.not_to raise_error
end
end
end end
context 'and commit is signed' do context 'and commit is signed' do
......