fix: add missing trust status to pull review commits (#8296)

Closes: #8293

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8296
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Lucas Schwiderski <lucas@lschwiderski.de>
Co-committed-by: Lucas Schwiderski <lucas@lschwiderski.de>

routers/web/repo/pull.go

@@ -996,6 +996,13 @@ func viewPullFiles(ctx *context.Context, specifiedStartCommit, specifiedEndCommi
 		ctx.Data["Verification"] = verification
 		ctx.Data["Author"] = user_model.ValidateCommitWithEmail(ctx, curCommit)
 
+		if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
+			return repo_model.IsOwnerMemberCollaborator(ctx, ctx.Repo.Repository, user.ID)
+		}, nil); err != nil {
+			ctx.ServerError("CalculateTrustStatus", err)
+			return
+		}
+
 		note := &git.Note{}
 		err = git.GetNote(ctx, ctx.Repo.GitRepo, specifiedEndCommit, note)
 		if err == nil {

tests/integration/pull_commit_test.go

@@ -4,13 +4,26 @@
 package integration
 
 import (
+	"context"
+	"encoding/base64"
+	"fmt"
 	"net/http"
+	"net/url"
+	"os"
 	"testing"
 
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/git"
+	"forgejo.org/modules/setting"
+	api "forgejo.org/modules/structs"
+	"forgejo.org/modules/test"
 	pull_service "forgejo.org/services/pull"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestListPullCommits(t *testing.T) {
@@ -48,3 +61,83 @@ func TestPullCommitLinks(t *testing.T) {
 	commitLinkHref, _ := commitLink.Attr("href")
 	assert.Equal(t, "/user2/repo1/pulls/3/commits/5f22f7d0d95d614d25a5b68592adb345a4b5c7fd", commitLinkHref)
 }
+
+func TestPullCommitSignature(t *testing.T) {
+	t.Cleanup(func() {
+		// Cannot use t.Context(), it is in the done state.
+		require.NoError(t, git.InitFull(context.Background())) //nolint:usetesting
+	})
+
+	defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "UwU")()
+	defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "fox@example.com")()
+	defer test.MockVariableValue(&setting.Repository.Signing.CRUDActions, []string{"always"})()
+	defer test.MockVariableValue(&setting.Repository.Signing.InitialCommit, []string{"always"})()
+
+	filePath := "signed.txt"
+	fromBranch := "master"
+	toBranch := "branch-signed"
+
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		// Use a new GNUPGPHOME to avoid messing with the existing GPG keyring.
+		tmpDir := t.TempDir()
+		require.NoError(t, os.Chmod(tmpDir, 0o700))
+		t.Setenv("GNUPGHOME", tmpDir)
+
+		rootKeyPair, err := importTestingKey()
+		require.NoError(t, err)
+		defer test.MockVariableValue(&setting.Repository.Signing.SigningKey, rootKeyPair.PrimaryKey.KeyIdShortString())()
+		defer test.MockVariableValue(&setting.Repository.Signing.Format, "openpgp")()
+
+		// Ensure the git config is updated with the new signing format.
+		require.NoError(t, git.InitFull(t.Context()))
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		testCtx := NewAPITestContext(t, user.Name, "pull-request-commit-header-signed", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+		u.Path = testCtx.GitPath()
+
+		t.Run("Create repository", doAPICreateRepository(testCtx, false, git.Sha1ObjectFormat))
+
+		t.Run("Create commit", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			options := &api.CreateFileOptions{
+				FileOptions: api.FileOptions{
+					BranchName:    fromBranch,
+					NewBranchName: toBranch,
+					Message:       fmt.Sprintf("from:%s to:%s path:%s", fromBranch, toBranch, filePath),
+					Author: api.Identity{
+						Name:  user.FullName,
+						Email: user.Email,
+					},
+					Committer: api.Identity{
+						Name:  user.FullName,
+						Email: user.Email,
+					},
+				},
+				ContentBase64: base64.StdEncoding.EncodeToString(fmt.Appendf(nil, "This is new text for %s", filePath)),
+			}
+
+			req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", testCtx.Username, testCtx.Reponame, filePath), &options).
+				AddTokenAuth(testCtx.Token)
+			resp := testCtx.Session.MakeRequest(t, req, http.StatusCreated)
+
+			var contents api.FileResponse
+			DecodeJSON(t, resp, &contents)
+
+			assert.True(t, contents.Verification.Verified)
+		})
+
+		t.Run("Create pull request", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			pr, err := doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, fromBranch, toBranch)(t)
+			require.NoError(t, err)
+
+			req := NewRequest(t, "GET", fmt.Sprintf("/%s/%s/pulls/%d/commits/%s", testCtx.Username, testCtx.Reponame, pr.Index, pr.Head.Sha))
+			resp := testCtx.Session.MakeRequest(t, req, http.StatusOK)
+
+			htmlDoc := NewHTMLParser(t, resp.Body)
+			htmlDoc.AssertElement(t, "#diff-commit-header .commit-header-row.message.isSigned.isVerified", true)
+		})
+	})
+}

tests/integration/repo_test.go

@@ -5,15 +5,19 @@
 package integration
 
 import (
+	"context"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"path"
 	"regexp"
 	"strings"
 	"testing"
 	"time"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
 	unit_model "forgejo.org/models/unit"
@@ -22,6 +26,7 @@ import (
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
+	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/translation"
 	repo_service "forgejo.org/services/repository"
@@ -682,6 +687,79 @@ func TestViewCommit(t *testing.T) {
 	assert.True(t, test.IsNormalPageCompleted(resp.Body.String()), "non-existing commit should render 404 page")
 }
 
+func TestViewCommitSignature(t *testing.T) {
+	t.Cleanup(func() {
+		// Cannot use t.Context(), it is in the done state.
+		require.NoError(t, git.InitFull(context.Background())) //nolint:usetesting
+	})
+
+	defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "UwU")()
+	defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "fox@example.com")()
+	defer test.MockVariableValue(&setting.Repository.Signing.CRUDActions, []string{"always"})()
+	defer test.MockVariableValue(&setting.Repository.Signing.InitialCommit, []string{"always"})()
+
+	filePath := "signed.txt"
+	fromBranch := "master"
+	toBranch := "branch-signed"
+
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		// Use a new GNUPGPHOME to avoid messing with the existing GPG keyring.
+		tmpDir := t.TempDir()
+		require.NoError(t, os.Chmod(tmpDir, 0o700))
+		t.Setenv("GNUPGHOME", tmpDir)
+
+		rootKeyPair, err := importTestingKey()
+		require.NoError(t, err)
+		defer test.MockVariableValue(&setting.Repository.Signing.SigningKey, rootKeyPair.PrimaryKey.KeyIdShortString())()
+		defer test.MockVariableValue(&setting.Repository.Signing.Format, "openpgp")()
+
+		// Ensure the git config is updated with the new signing format.
+		require.NoError(t, git.InitFull(t.Context()))
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		testCtx := NewAPITestContext(t, user.Name, "commit-header-signed", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+		u.Path = testCtx.GitPath()
+
+		t.Run("Create repository", doAPICreateRepository(testCtx, false, git.Sha1ObjectFormat))
+
+		t.Run("Create commit", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			options := &api.CreateFileOptions{
+				FileOptions: api.FileOptions{
+					BranchName:    fromBranch,
+					NewBranchName: toBranch,
+					Message:       fmt.Sprintf("from:%s to:%s path:%s", fromBranch, toBranch, filePath),
+					Author: api.Identity{
+						Name:  user.FullName,
+						Email: user.Email,
+					},
+					Committer: api.Identity{
+						Name:  user.FullName,
+						Email: user.Email,
+					},
+				},
+				ContentBase64: base64.StdEncoding.EncodeToString(fmt.Appendf(nil, "This is new text for %s", filePath)),
+			}
+
+			req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", testCtx.Username, testCtx.Reponame, filePath), &options).
+				AddTokenAuth(testCtx.Token)
+			resp := testCtx.Session.MakeRequest(t, req, http.StatusCreated)
+
+			var contents api.FileResponse
+			DecodeJSON(t, resp, &contents)
+
+			assert.True(t, contents.Verification.Verified)
+
+			req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/commit/%s", testCtx.Username, testCtx.Reponame, contents.Commit.SHA))
+			resp = testCtx.Session.MakeRequest(t, req, http.StatusOK)
+
+			htmlDoc := NewHTMLParser(t, resp.Body)
+			htmlDoc.AssertElement(t, ".commit-header-row.message.isSigned.isVerified", true)
+		})
+	})
+}
+
 func TestCommitView(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()