luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-06-19 07:30:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

feat: consider WebAuthn & SSH for instance signing (#7693)
Some checks are pending
/ release (push) Waiting to run
Details
testing / backend-checks (push) Has been skipped
Details
testing / frontend-checks (push) Has been skipped
Details
testing / test-unit (push) Has been skipped
Details
testing / test-e2e (push) Has been skipped
Details
testing / test-mysql (push) Has been skipped
Details
testing / test-pgsql (push) Has been skipped
Details
testing / test-sqlite (push) Has been skipped
Details
testing / test-remote-cacher (redis) (push) Has been skipped
Details
testing / test-remote-cacher (valkey) (push) Has been skipped
Details
testing / test-remote-cacher (garnet) (push) Has been skipped
Details
testing / test-remote-cacher (redict) (push) Has been skipped
Details
testing / security-check (push) Has been skipped
Details

Browse source 
- Currently the options `pubkey` and `twofa` only consider TOTP and GPG keys respectively. Adjust the code to also consider WebAuthn credentials and SSH keys.
- While adding the new unified functions I noticed that certain places also benefited from using these unified functions and took the liberty (where it was either a trivial translation or it was covered under testing) to use the new unified functions.
- Resolves forgejo/forgejo#7658
- Adds unit and integration tests.

Documentation PR: https://codeberg.org/forgejo/docs/pulls/1166

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7693
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
This commit is contained in:
Gusted 2025-04-29 10:34:07 +00:00 committed by Earl Warren
parent 386e7f8208
commit df5d656827
15 changed files with 222 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

64
tests/integration/signing_git_test.go
View file

@ -180,6 +180,70 @@ func testCRUD(t *testing.T, u *url.URL, signingFormat string, objectFormat git.O
}))
})
t.Run("AlwaysSign-Pubkey", func(t *testing.T) {
setting.Repository.Signing.InitialCommit = []string{"pubkey"}
t.Run("Has publickey", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-pubkey"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {
require.NotNil(t, branch.Commit)
require.NotNil(t, branch.Commit.Verification)
assert.True(t, branch.Commit.Verification.Verified)
assert.Equal(t, "fox@example.com", branch.Commit.Verification.Signer.Email)
}))
})
t.Run("No publickey", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, "user4", "initial-no-pubkey"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {
require.NotNil(t, branch.Commit)
require.NotNil(t, branch.Commit.Verification)
assert.False(t, branch.Commit.Verification.Verified)
}))
})
})
t.Run("AlwaysSign-Twofa", func(t *testing.T) {
setting.Repository.Signing.InitialCommit = []string{"twofa"}
t.Run("Has 2fa", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
t.Cleanup(func() {
unittest.AssertSuccessfulDelete(t, &auth_model.WebAuthnCredential{UserID: user.ID})
})
testCtx := NewAPITestContext(t, username, "initial-2fa"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID})
t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {
require.NotNil(t, branch.Commit)
require.NotNil(t, branch.Commit.Verification)
assert.True(t, branch.Commit.Verification.Verified)
assert.Equal(t, "fox@example.com", branch.Commit.Verification.Signer.Email)
}))
})
t.Run("No publickey", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, "user4", "initial-no-2fa"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {
require.NotNil(t, branch.Commit)
require.NotNil(t, branch.Commit.Verification)
assert.False(t, branch.Commit.Verification.Verified)
}))
})
})
t.Run("AlwaysSign-Initial", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
setting.Repository.Signing.InitialCommit = []string{"always"}