update invalid gpg signatures when email changes

e75ab064 · Alexis Reigel · 24671cd6 · e75ab064 · e75ab064 · e75ab064
4 changed file
--- a/app/models/gpg_key.rb
+++ b/app/models/gpg_key.rb
@@ -53,6 +53,10 @@ class GpgKey < ActiveRecord::Base
    emails_with_verified_status.any? { |_email, verified| verified }
  end

+  def update_invalid_gpg_signatures
+    Gitlab::Gpg::InvalidGpgSignatureUpdater.new(self).run
+  end
+
  private

  def extract_fingerprint
@@ -67,10 +71,6 @@ class GpgKey < ActiveRecord::Base
    self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first
  end

-  def update_invalid_gpg_signatures
-    run_after_commit { Gitlab::Gpg::InvalidGpgSignatureUpdater.new(self).run }
-  end
-
  def notify_user
    run_after_commit { NotificationService.new.new_gpg_key(self) }
  end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -155,6 +155,7 @@ class User < ActiveRecord::Base
  before_validation :set_public_email, if: :public_email_changed?

  after_update :update_emails_with_primary_email, if: :email_changed?
+  after_update :update_invalid_gpg_signatures, if: :email_changed?
  before_save :ensure_authentication_token, :ensure_incoming_email_token
  before_save :ensure_user_rights_and_limits, if: :external_changed?
  after_save :ensure_namespace_correct
@@ -513,6 +514,10 @@ class User < ActiveRecord::Base
    end
  end

+  def update_invalid_gpg_signatures
+    gpg_keys.each(&:update_invalid_gpg_signatures)
+  end
+
  # Returns the groups a user has access to
  def authorized_groups
    union = Gitlab::SQL::Union

--- a/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
+++ b/spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb
@@ -2,37 +2,39 @@ require 'rails_helper'

 RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
  describe '#run' do
-    context 'gpg signature did not have an associated gpg key' do
-      let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
-      let!(:project) { create :project, :repository, path: 'sample-project' }
-      let!(:commit) do
-        raw_commit = double(:raw_commit, signature: [
-          GpgHelpers::User1.signed_commit_signature,
-          GpgHelpers::User1.signed_commit_base_data
-        ], sha: commit_sha)
-        allow(raw_commit).to receive :save!
-
-        create :commit, git_commit: raw_commit, project: project
-      end
+    let!(:commit_sha) { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
+    let!(:project) { create :project, :repository, path: 'sample-project' }
+    let!(:commit) do
+      raw_commit = double(:raw_commit, signature: [
+        GpgHelpers::User1.signed_commit_signature,
+        GpgHelpers::User1.signed_commit_base_data
+      ], sha: commit_sha)
+      allow(raw_commit).to receive :save!

-      let!(:gpg_signature) do
-        create :gpg_signature,
-          project: project,
-          commit_sha: commit_sha,
-          gpg_key: nil,
-          gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
-          valid_signature: false
-      end
+      create :commit, git_commit: raw_commit, project: project
+    end

-      before do
-        allow(Gitlab::Git::Commit).to receive(:find).with(kind_of(Repository), commit_sha).and_return(commit)
-      end
+    let!(:gpg_signature) do
+      create :gpg_signature,
+        project: project,
+        commit_sha: commit_sha,
+        gpg_key: nil,
+        gpg_key_primary_keyid: GpgHelpers::User1.primary_keyid,
+        valid_signature: false
+    end
+
+    before do
+      allow(Gitlab::Git::Commit).to receive(:find).with(kind_of(Repository), commit_sha).and_return(commit)
+    end
+
+    context 'gpg signature did not have an associated gpg key' do
+      let!(:user) { create :user, email: GpgHelpers::User1.emails.first }

      it 'updates the signature to being valid when the missing gpg key is added' do
        # InvalidGpgSignatureUpdater is called by the after_create hook
        create :gpg_key,
          key: GpgHelpers::User1.public_key,
-          user: create(:user, email: GpgHelpers::User1.emails.first)
+          user: user

        expect(gpg_signature.reload.valid_signature).to be_truthy
      end
@@ -41,7 +43,41 @@ RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
        # InvalidGpgSignatureUpdater is called by the after_create hook
        create :gpg_key,
          key: GpgHelpers::User2.public_key,
-          user: create(:user, email: GpgHelpers::User2.emails.first)
+          user: user
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+      end
+    end
+
+    context 'gpg signature did have an associated unverified gpg key' do
+      let!(:user) do
+        create(:user, email: 'unrelated@example.com').tap do |user|
+          user.skip_reconfirmation!
+        end
+      end
+
+      it 'updates the signature to being valid when the user updates the email address' do
+        create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+
+        # InvalidGpgSignatureUpdater is called by the after_update hook
+        user.update_attributes!(email: GpgHelpers::User1.emails.first)
+
+        expect(gpg_signature.reload.valid_signature).to be_truthy
+      end
+
+      it 'keeps the signature at being invalid when the changed email address is still unrelated' do
+        create :gpg_key,
+          key: GpgHelpers::User1.public_key,
+          user: user
+
+        expect(gpg_signature.reload.valid_signature).to be_falsey
+
+        # InvalidGpgSignatureUpdater is called by the after_update hook
+        user.update_attributes!(email: 'still.unrelated@example.com')

        expect(gpg_signature.reload.valid_signature).to be_falsey
      end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -350,6 +350,26 @@ describe User, models: true do
    end
  end

+  describe 'after update hook' do
+    describe '.update_invalid_gpg_signatures' do
+      let(:user) do
+        create(:user, email: 'tula.torphy@abshire.ca').tap do |user|
+          user.skip_reconfirmation!
+        end
+      end
+
+      it 'does nothing when the name is updated' do
+        expect(user).not_to receive(:update_invalid_gpg_signatures)
+        user.update_attributes!(name: 'Bette')
+      end
+
+      it 'synchronizes the gpg keys when the email is updated' do
+        expect(user).to receive(:update_invalid_gpg_signatures)
+        user.update_attributes!(email: 'shawnee.ritchie@denesik.com')
+      end
+    end
+  end
+
  describe '#update_tracked_fields!', :clean_gitlab_redis_shared_state do
    let(:request) { OpenStruct.new(remote_ip: "127.0.0.1") }
    let(:user) { create(:user) }