Skip to content

GPG Key Ownership verification with Signed Token #14054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 48 commits into from
Jul 13, 2021
Merged

GPG Key Ownership verification with Signed Token #14054

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
48 commits
Select commit Hold shift + click to select a range
33ee748
Add option to provide signed token to verify key ownership
zeripath Dec 18, 2020
527a22b
Merge remote-tracking branch 'origin/master' into gpg-key-token-signed
zeripath Mar 2, 2021
68b6228
Ensure verified keys can act for all active emails for the user
zeripath Mar 2, 2021
6c72b6a
Add code to mark keys as verified
zeripath Mar 2, 2021
0ece493
Slight UI adjustments
zeripath Mar 3, 2021
175c003
Slight UI adjustments 2
zeripath Mar 3, 2021
66f6e7d
Simplify signature verification slightly
zeripath Mar 3, 2021
3d145ec
fix postgres test
zeripath Mar 3, 2021
3105706
add api routes
zeripath Mar 3, 2021
c4529b8
prepare for merge
zeripath Mar 20, 2021
9818df0
Merge branch 'master' into gpg-key-token-signed
zeripath Mar 20, 2021
e3a2770
as per @6543
zeripath Mar 20, 2021
43b967c
Merge remote-tracking branch 'origin/master' into gpg-key-token-signed
zeripath Apr 5, 2021
f006ef7
Merge branch 'master' into gpg-key-token-signed
zeripath May 3, 2021
223c71e
Merge branch 'main' into gpg-key-token-signed
zeripath May 8, 2021
164daeb
prepare for update
zeripath Jun 6, 2021
068fef3
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 6, 2021
c4d94ef
pre-merge
zeripath Jun 14, 2021
de80f0a
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 14, 2021
47d9cad
prepare merge
zeripath Jun 14, 2021
830f345
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 14, 2021
cee8a8c
handle swapped primarykeys
zeripath Jun 15, 2021
34d2ac7
prepare to merge
zeripath Jun 17, 2021
a2b733b
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 17, 2021
eb69eff
prepare merge
zeripath Jun 24, 2021
f10251e
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 24, 2021
7609edd
pre-merge
zeripath Jun 25, 2021
5275103
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 25, 2021
bf7ef6c
Merge remote-tracking branch 'origin/main' into gpg-key-token-signed
zeripath Jun 26, 2021
4e5c668
Verify the no-reply address for verified keys
zeripath Jun 26, 2021
4aa4015
Merge branch 'main' into gpg-key-token-signed
6543 Jun 27, 2021
18df555
Only add email addresses that are activated to keys
zeripath Jun 27, 2021
020d5f7
fix committer shortcut properly
zeripath Jun 27, 2021
6e2a15a
Restructure gpg_keys.go
zeripath Jun 27, 2021
4af7d8c
Use common Verification Token code
zeripath Jun 27, 2021
4caba0d
Merge branch 'gpg-key-token-signed' of github.com:zeripath/gitea into…
zeripath Jun 27, 2021
3bb22c4
fix tests
zeripath Jun 27, 2021
26e401b
Merge branch 'main' into gpg-key-token-signed
6543 Jun 27, 2021
c728845
Update models/gpg_key_verify.go
6543 Jun 27, 2021
64801a0
Merge branch 'main' into gpg-key-token-signed
6543 Jun 27, 2021
452eca3
Merge branch 'master' into gpg-key-token-signed
6543 Jun 29, 2021
6446bb7
Merge branch 'main' into gpg-key-token-signed
6543 Jun 30, 2021
ce2a2d2
Update models/gpg_key_add.go
techknowlogick Jul 9, 2021
408ba96
Update models/gpg_key_commit_verification.go
techknowlogick Jul 9, 2021
caf4b6e
Merge commit 'bc6f060b8cd89685cc32980c4f03cba58850cab1' into merge-at…
zeripath Jul 13, 2021
e7bc4c9
Merge commit 'e0296b6a6de6450c474fdf7fe62635a05beb49ab' into merge-at…
zeripath Jul 13, 2021
4b4de16
Merge remote-tracking branch 'origin/main' into merge-attempts
zeripath Jul 13, 2021
49690df
Merge branch 'main' into gpg-key-token-signed
6543 Jul 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 4 additions & 18 deletions integrations/api_gpg_keys_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,10 @@ func TestGPGKeys(t *testing.T) {
results []int
}{
{name: "NoLogin", makeRequest: MakeRequest, token: "",
results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
},
{name: "LoggedAsUser2", makeRequest: session.MakeRequest, token: token,
results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusUnprocessableEntity, http.StatusNotFound, http.StatusCreated, http.StatusCreated}},
results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusUnprocessableEntity, http.StatusNotFound, http.StatusCreated, http.StatusNotFound, http.StatusCreated}},
}

for _, tc := range tt {
Expand Down Expand Up @@ -60,7 +60,7 @@ func TestGPGKeys(t *testing.T) {
t.Run("CreateValidGPGKey", func(t *testing.T) {
testCreateValidGPGKey(t, tc.makeRequest, tc.token, tc.results[6])
})
t.Run("CreateValidSecondaryEmailGPGKey", func(t *testing.T) {
t.Run("CreateValidSecondaryEmailGPGKeyNotActivated", func(t *testing.T) {
testCreateValidSecondaryEmailGPGKey(t, tc.makeRequest, tc.token, tc.results[7])
})
})
Expand All @@ -74,6 +74,7 @@ func TestGPGKeys(t *testing.T) {
req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+token) //GET all keys
resp := session.MakeRequest(t, req, http.StatusOK)
DecodeJSON(t, resp, &keys)
assert.Len(t, keys, 1)

primaryKey1 := keys[0] //Primary key 1
assert.EqualValues(t, "38EA3BCED732982C", primaryKey1.KeyID)
Expand All @@ -85,12 +86,6 @@ func TestGPGKeys(t *testing.T) {
assert.EqualValues(t, "70D7C694D17D03AD", subKey.KeyID)
assert.Empty(t, subKey.Emails)

primaryKey2 := keys[1] //Primary key 2
assert.EqualValues(t, "3CEF46EF40BEFC3E", primaryKey2.KeyID)
assert.Len(t, primaryKey2.Emails, 1)
assert.EqualValues(t, "[email protected]", primaryKey2.Emails[0].Email)
assert.False(t, primaryKey2.Emails[0].Verified)

var key api.GPGKey
req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)+"?token="+token) //Primary key 1
resp = session.MakeRequest(t, req, http.StatusOK)
Expand All @@ -105,15 +100,6 @@ func TestGPGKeys(t *testing.T) {
DecodeJSON(t, resp, &key)
assert.EqualValues(t, "70D7C694D17D03AD", key.KeyID)
assert.Empty(t, key.Emails)

req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey2.ID, 10)+"?token="+token) //Primary key 2
resp = session.MakeRequest(t, req, http.StatusOK)
DecodeJSON(t, resp, &key)
assert.EqualValues(t, "3CEF46EF40BEFC3E", key.KeyID)
assert.Len(t, key.Emails, 1)
assert.EqualValues(t, "[email protected]", key.Emails[0].Email)
assert.False(t, key.Emails[0].Verified)

})

//Check state after basic add
Expand Down
17 changes: 17 additions & 0 deletions models/error.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -451,6 +451,7 @@ func (err ErrKeyNameAlreadyUsed) Error() string {
// ErrGPGNoEmailFound represents a "ErrGPGNoEmailFound" kind of error.
type ErrGPGNoEmailFound struct {
FailedEmails []string
ID string
}

// IsErrGPGNoEmailFound checks if an error is a ErrGPGNoEmailFound.
Expand All @@ -463,6 +464,22 @@ func (err ErrGPGNoEmailFound) Error() string {
return fmt.Sprintf("none of the emails attached to the GPG key could be found: %v", err.FailedEmails)
}

// ErrGPGInvalidTokenSignature represents a "ErrGPGInvalidTokenSignature" kind of error.
type ErrGPGInvalidTokenSignature struct {
Wrapped error
ID string
}

// IsErrGPGInvalidTokenSignature checks if an error is a ErrGPGInvalidTokenSignature.
func IsErrGPGInvalidTokenSignature(err error) bool {
_, ok := err.(ErrGPGInvalidTokenSignature)
return ok
}

func (err ErrGPGInvalidTokenSignature) Error() string {
return "the provided signature does not sign the token with the provided key"
}

// ErrGPGKeyParsing represents a "ErrGPGKeyParsing" kind of error.
type ErrGPGKeyParsing struct {
ParseError error
Expand Down
Loading