debian-mirror-gitlab/spec/features/signed_commits_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe 'GPG signed commits' do
  let(:project) { create(:project, :public, :repository) }

  it 'changes from unverified to verified when the user changes their email to match the gpg key', :sidekiq_might_not_need_inline do
    ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA
    user = create(:user, email: 'unrelated.user@example.org')

    perform_enqueued_jobs do
      create :gpg_key, key: GpgHelpers::User1.public_key, user: user
      user.reload # necessary to reload the association with gpg_keys
    end

    visit project_commit_path(project, ref)

    expect(page).to have_selector('.gpg-status-box', text: 'Unverified')

    # user changes their email which makes the gpg key verified
    perform_enqueued_jobs do
      user.skip_reconfirmation!
      user.update!(email: GpgHelpers::User1.emails.first)
    end

    visit project_commit_path(project, ref)

    expect(page).to have_selector('.gpg-status-box', text: 'Verified')
  end

  it 'changes from unverified to verified when the user adds the missing gpg key', :sidekiq_might_not_need_inline do
    ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA
    user = create(:user, email: GpgHelpers::User1.emails.first)

    visit project_commit_path(project, ref)

    expect(page).to have_selector('.gpg-status-box', text: 'Unverified')

    # user adds the gpg key which makes the signature valid
    perform_enqueued_jobs do
      create :gpg_key, key: GpgHelpers::User1.public_key, user: user
    end

    visit project_commit_path(project, ref)

    expect(page).to have_selector('.gpg-status-box', text: 'Verified')
  end

  context 'shows popover badges', :js do
    let(:user_1) do
      create :user, email: GpgHelpers::User1.emails.first, username: 'nannie.bernhard', name: 'Nannie Bernhard'
    end

    let(:user_1_key) do
      perform_enqueued_jobs do
        create :gpg_key, key: GpgHelpers::User1.public_key, user: user_1
      end
    end

    let(:user_2) do
      create(:user, email: GpgHelpers::User2.emails.first, username: 'bette.cartwright', name: 'Bette Cartwright').tap do |user|
        # secondary, unverified email
        create :email, user: user, email: 'mail@koffeinfrei.org'
      end
    end

    let(:user_2_key) do
      perform_enqueued_jobs do
        create :gpg_key, key: GpgHelpers::User2.public_key, user: user_2
      end
    end

    it 'unverified signature' do
      visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)
      wait_for_all_requests

      page.find('.gpg-status-box', text: 'Unverified').click

      within '.popover' do
        expect(page).to have_content 'This commit was signed with an unverified signature.'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"
      end
    end

    it 'unverified signature: gpg key email does not match the committer_email but is the same user when the committer_email belongs to the user as a confirmed secondary email' do
      user_2_key
      user_2.emails.find_by(email: 'mail@koffeinfrei.org').confirm

      visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)
      wait_for_all_requests

      page.find('.gpg-status-box', text: 'Unverified').click

      within '.popover' do
        expect(page).to have_content 'This commit was signed with a verified signature, but the committer email is not associated with the GPG Key.'
        expect(page).to have_content 'Bette Cartwright'
        expect(page).to have_content '@bette.cartwright'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"
      end
    end

    it 'unverified signature: gpg key email does not match the committer_email when the committer_email belongs to the user as a unconfirmed secondary email' do
      user_2_key

      visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)
      wait_for_all_requests

      page.find('.gpg-status-box', text: 'Unverified').click

      within '.popover' do
        expect(page).to have_content "This commit was signed with a different user's verified signature."
        expect(page).to have_content 'Bette Cartwright'
        expect(page).to have_content '@bette.cartwright'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"
      end
    end

    it 'unverified signature: commit contains multiple GPG signatures' do
      user_1_key

      visit project_commit_path(project, GpgHelpers::MULTIPLE_SIGNATURES_SHA)
      wait_for_all_requests

      page.find('.gpg-status-box', text: 'Unverified').click

      within '.popover' do
        expect(page).to have_content "This commit was signed with multiple signatures."
      end
    end

    it 'verified and the gpg user has a gitlab profile' do
      user_1_key

      visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)
      wait_for_all_requests

      page.find('.gpg-status-box', text: 'Verified').click

      within '.popover' do
        expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'
        expect(page).to have_content 'Nannie Bernhard'
        expect(page).to have_content '@nannie.bernhard'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"
      end
    end

    it "verified and the gpg user's profile doesn't exist anymore" do
      user_1_key

      visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)
      wait_for_all_requests

      # wait for the signature to get generated
      expect(page).to have_selector('.gpg-status-box', text: 'Verified')

      user_1.destroy!

      refresh
      wait_for_all_requests

      page.find('.gpg-status-box', text: 'Verified').click

      within '.popover' do
        expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'
        expect(page).to have_content 'Nannie Bernhard'
        expect(page).to have_content 'nannie.bernhard@example.com'
        expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"
      end
    end
  end

  context 'view signed commit on the tree view', :js do
    shared_examples 'a commit with a signature' do
      before do
        visit project_tree_path(project, 'signed-commits')
        wait_for_all_requests
      end

      it 'displays commit signature' do
        expect(page).to have_selector('.gpg-status-box', text: 'Unverified')

        page.find('.gpg-status-box', text: 'Unverified').click

        within '.popover' do
          expect(page).to have_content 'This commit was signed with multiple signatures.'
        end
      end
    end

    context 'with vue tree view enabled' do
      it_behaves_like 'a commit with a signature'
    end
  end
end
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`# frozen_string_literal: true`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`require 'spec_helper'`

New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`RSpec.describe 'GPG signed commits' do`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`let(:project) { create(:project, :public, :repository) }`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`it 'changes from unverified to verified when the user changes their email to match the gpg key', :sidekiq_might_not_need_inline do`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA`
			`user = create(:user, email: 'unrelated.user@example.org')`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`perform_enqueued_jobs do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`create :gpg_key, key: GpgHelpers::User1.public_key, user: user`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`user.reload # necessary to reload the association with gpg_keys`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, ref)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect(page).to have_selector('.gpg-status-box', text: 'Unverified')`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`# user changes their email which makes the gpg key verified`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`perform_enqueued_jobs do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`user.skip_reconfirmation!`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`user.update!(email: GpgHelpers::User1.emails.first)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, ref)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect(page).to have_selector('.gpg-status-box', text: 'Verified')`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`

New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`it 'changes from unverified to verified when the user adds the missing gpg key', :sidekiq_might_not_need_inline do`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`ref = GpgHelpers::SIGNED_AND_AUTHORED_SHA`
			`user = create(:user, email: GpgHelpers::User1.emails.first)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, ref)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect(page).to have_selector('.gpg-status-box', text: 'Unverified')`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`# user adds the gpg key which makes the signature valid`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`perform_enqueued_jobs do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`create :gpg_key, key: GpgHelpers::User1.public_key, user: user`
			`end`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, ref)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect(page).to have_selector('.gpg-status-box', text: 'Verified')`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`context 'shows popover badges', :js do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`let(:user_1) do`
			`create :user, email: GpgHelpers::User1.emails.first, username: 'nannie.bernhard', name: 'Nannie Bernhard'`
			`end`

			`let(:user_1_key) do`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`perform_enqueued_jobs do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`create :gpg_key, key: GpgHelpers::User1.public_key, user: user_1`
			`end`
			`end`

			`let(:user_2) do`
			`create(:user, email: GpgHelpers::User2.emails.first, username: 'bette.cartwright', name: 'Bette Cartwright').tap do \|user\|`
			`# secondary, unverified email`
New upstream version 15.1.4+ds1 2022-07-29 17:44:30 +05:30			`create :email, user: user, email: 'mail@koffeinfrei.org'`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
			`end`

			`let(:user_2_key) do`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`perform_enqueued_jobs do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`create :gpg_key, key: GpgHelpers::User2.public_key, user: user_2`
			`end`
			`end`

			`it 'unverified signature' do`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`page.find('.gpg-status-box', text: 'Unverified').click`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with an unverified signature.'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
			`end`

New upstream version 15.1.4+ds1 2022-07-29 17:44:30 +05:30			`it 'unverified signature: gpg key email does not match the committer_email but is the same user when the committer_email belongs to the user as a confirmed secondary email' do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`user_2_key`
New upstream version 15.1.4+ds1 2022-07-29 17:44:30 +05:30			`user_2.emails.find_by(email: 'mail@koffeinfrei.org').confirm`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 15.1.4+ds1 2022-07-29 17:44:30 +05:30			`visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`page.find('.gpg-status-box', text: 'Unverified').click`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
			`within '.popover' do`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`expect(page).to have_content 'This commit was signed with a verified signature, but the committer email is not associated with the GPG Key.'`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`expect(page).to have_content 'Bette Cartwright'`
			`expect(page).to have_content '@bette.cartwright'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
			`end`

New upstream version 15.1.4+ds1 2022-07-29 17:44:30 +05:30			`it 'unverified signature: gpg key email does not match the committer_email when the committer_email belongs to the user as a unconfirmed secondary email' do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`user_2_key`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, GpgHelpers::SIGNED_COMMIT_SHA)`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`page.find('.gpg-status-box', text: 'Unverified').click`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
			`within '.popover' do`
			`expect(page).to have_content "This commit was signed with a different user's verified signature."`
			`expect(page).to have_content 'Bette Cartwright'`
			`expect(page).to have_content '@bette.cartwright'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User2.primary_keyid}"`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
			`end`

New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`it 'unverified signature: commit contains multiple GPG signatures' do`
			`user_1_key`

			`visit project_commit_path(project, GpgHelpers::MULTIPLE_SIGNATURES_SHA)`
			`wait_for_all_requests`

			`page.find('.gpg-status-box', text: 'Unverified').click`

			`within '.popover' do`
			`expect(page).to have_content "This commit was signed with multiple signatures."`
			`end`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`it 'verified and the gpg user has a gitlab profile' do`
			`user_1_key`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`page.find('.gpg-status-box', text: 'Verified').click`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'`
			`expect(page).to have_content 'Nannie Bernhard'`
			`expect(page).to have_content '@nannie.bernhard'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
			`end`

			`it "verified and the gpg user's profile doesn't exist anymore" do`
			`user_1_key`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`visit project_commit_path(project, GpgHelpers::SIGNED_AND_AUTHORED_SHA)`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`# wait for the signature to get generated`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect(page).to have_selector('.gpg-status-box', text: 'Verified')`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`user_1.destroy!`

			`refresh`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`page.find('.gpg-status-box', text: 'Verified').click`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
			`within '.popover' do`
			`expect(page).to have_content 'This commit was signed with a verified signature and the committer email is verified to belong to the same user.'`
			`expect(page).to have_content 'Nannie Bernhard'`
			`expect(page).to have_content 'nannie.bernhard@example.com'`
			`expect(page).to have_content "GPG Key ID: #{GpgHelpers::User1.primary_keyid}"`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
			`end`
			`end`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
			`context 'view signed commit on the tree view', :js do`
			`shared_examples 'a commit with a signature' do`
			`before do`
			`visit project_tree_path(project, 'signed-commits')`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`wait_for_all_requests`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`end`

			`it 'displays commit signature' do`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`expect(page).to have_selector('.gpg-status-box', text: 'Unverified')`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`page.find('.gpg-status-box', text: 'Unverified').click`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
			`within '.popover' do`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`expect(page).to have_content 'This commit was signed with multiple signatures.'`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`end`
			`end`
			`end`

			`context 'with vue tree view enabled' do`
			`it_behaves_like 'a commit with a signature'`
			`end`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`