Collaborator trust model should trust collaborators (#18539)
* Collaborator trust model should trust collaborators There was an unintended regression in #17917 which leads to only repository admin commits being trusted. This PR restores the old logic. Fix #18501 Signed-off-by: Andrew Thornton <art27@cantab.net>
parent
92e81e97e8
commit
76e3111596
5 changed files with 9 additions and 9 deletions
|
@ -71,7 +71,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys.
|
// ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys.
|
||||||
func ParseCommitsWithSignature(oldCommits []*user_model.UserCommit, repoTrustModel repo_model.TrustModelType, isCodeReader func(*user_model.User) (bool, error)) []*SignCommit {
|
func ParseCommitsWithSignature(oldCommits []*user_model.UserCommit, repoTrustModel repo_model.TrustModelType, isOwnerMemberCollaborator func(*user_model.User) (bool, error)) []*SignCommit {
|
||||||
newCommits := make([]*SignCommit, 0, len(oldCommits))
|
newCommits := make([]*SignCommit, 0, len(oldCommits))
|
||||||
keyMap := map[string]bool{}
|
keyMap := map[string]bool{}
|
||||||
|
|
||||||
|
@ -81,7 +81,7 @@ func ParseCommitsWithSignature(oldCommits []*user_model.UserCommit, repoTrustMod
|
||||||
Verification: ParseCommitWithSignature(c.Commit),
|
Verification: ParseCommitWithSignature(c.Commit),
|
||||||
}
|
}
|
||||||
|
|
||||||
_ = CalculateTrustStatus(signCommit.Verification, repoTrustModel, isCodeReader, &keyMap)
|
_ = CalculateTrustStatus(signCommit.Verification, repoTrustModel, isOwnerMemberCollaborator, &keyMap)
|
||||||
|
|
||||||
newCommits = append(newCommits, signCommit)
|
newCommits = append(newCommits, signCommit)
|
||||||
}
|
}
|
||||||
|
@ -455,7 +455,7 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *use
|
||||||
|
|
||||||
// CalculateTrustStatus will calculate the TrustStatus for a commit verification within a repository
|
// CalculateTrustStatus will calculate the TrustStatus for a commit verification within a repository
|
||||||
// There are several trust models in Gitea
|
// There are several trust models in Gitea
|
||||||
func CalculateTrustStatus(verification *CommitVerification, repoTrustModel repo_model.TrustModelType, isCodeReader func(*user_model.User) (bool, error), keyMap *map[string]bool) (err error) {
|
func CalculateTrustStatus(verification *CommitVerification, repoTrustModel repo_model.TrustModelType, isOwnerMemberCollaborator func(*user_model.User) (bool, error), keyMap *map[string]bool) (err error) {
|
||||||
if !verification.Verified {
|
if !verification.Verified {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -500,11 +500,11 @@ func CalculateTrustStatus(verification *CommitVerification, repoTrustModel repo_
|
||||||
var has bool
|
var has bool
|
||||||
isMember, has = (*keyMap)[verification.SigningKey.KeyID]
|
isMember, has = (*keyMap)[verification.SigningKey.KeyID]
|
||||||
if !has {
|
if !has {
|
||||||
isMember, err = isCodeReader(verification.SigningUser)
|
isMember, err = isOwnerMemberCollaborator(verification.SigningUser)
|
||||||
(*keyMap)[verification.SigningKey.KeyID] = isMember
|
(*keyMap)[verification.SigningKey.KeyID] = isMember
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
isMember, err = isCodeReader(verification.SigningUser)
|
isMember, err = isOwnerMemberCollaborator(verification.SigningUser)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !isMember {
|
if !isMember {
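Review bot: In the keyMap branch of `CalculateTrustStatus`, the result of `isOwnerMemberCollaborator` is stored in `(*keyMap)[verification.SigningKey.KeyID]` before `err` is examined, so a failed membership lookup is cached for every later commit signed with that key in the same batch. `ParseCommitsWithSignature` calls it as `_ = CalculateTrustStatus(...)`, so the error is dropped there too, and the affected commits presumably just render as untrusted with nothing logged. I would cache only on success, `if err == nil { (*keyMap)[verification.SigningKey.KeyID] = isMember }`, and log the discarded error at the call site. The rest of the function body lies outside these hunks, so whether `err` is checked further down is not visible here.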
|
||||||
|
|
|
@ -18,7 +18,7 @@ func ConvertFromGitCommit(commits []*git.Commit, repo *repo_model.Repository) []
|
||||||
user_model.ValidateCommitsWithEmails(commits),
|
user_model.ValidateCommitsWithEmails(commits),
|
||||||
repo.GetTrustModel(),
|
repo.GetTrustModel(),
|
||||||
func(user *user_model.User) (bool, error) {
|
func(user *user_model.User) (bool, error) {
|
||||||
return IsUserRepoAdmin(repo, user)
|
return IsOwnerMemberCollaborator(repo, user.ID)
|
||||||
},
|
},
|
||||||
),
|
),
|
||||||
repo,
|
repo,
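Review bot: The callback now reads `user.ID`, where the replaced line passed the `*user_model.User` pointer straight through, so a nil `verification.SigningUser` would panic inside the closure. The same pattern appears in the callbacks in `LoadAndProcessCommits`, `Diff` and `renderDirectoryFiles`. Whether a verified commit can reach the callback without a signing user is not visible in these hunks; if it can, add `if user == nil { return false, nil }` before the call. Because this predicate decides which signatures are shown as trusted, a regression test would pin the behaviour this commit restores: a collaborator's signed commit is trusted and a non-collaborator's is not. The body of `ConvertFromGitCommit` continues outside the hunk.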
|
||||||
|
|
|
@ -117,7 +117,7 @@ func (graph *Graph) LoadAndProcessCommits(repository *repo_model.Repository, git
|
||||||
c.Verification = asymkey_model.ParseCommitWithSignature(c.Commit)
|
c.Verification = asymkey_model.ParseCommitWithSignature(c.Commit)
|
||||||
|
|
||||||
_ = asymkey_model.CalculateTrustStatus(c.Verification, repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
|
_ = asymkey_model.CalculateTrustStatus(c.Verification, repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
|
||||||
return models.IsUserRepoAdmin(repository, user)
|
return models.IsOwnerMemberCollaborator(repository, user.ID)
|
||||||
}, &keyMap)
|
}, &keyMap)
|
||||||
|
|
||||||
statuses, _, err := models.GetLatestCommitStatus(repository.ID, c.Commit.ID.String(), db.ListOptions{})
|
statuses, _, err := models.GetLatestCommitStatus(repository.ID, c.Commit.ID.String(), db.ListOptions{})
|
||||||
|
|
|
@ -351,7 +351,7 @@ func Diff(ctx *context.Context) {
|
||||||
ctx.Data["DiffNotAvailable"] = diff.NumFiles == 0
|
ctx.Data["DiffNotAvailable"] = diff.NumFiles == 0
|
||||||
|
|
||||||
if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
|
if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
|
||||||
return models.IsUserRepoAdmin(ctx.Repo.Repository, user)
|
return models.IsOwnerMemberCollaborator(ctx.Repo.Repository, user.ID)
|
||||||
}, nil); err != nil {
|
}, nil); err != nil {
|
||||||
ctx.ServerError("CalculateTrustStatus", err)
|
ctx.ServerError("CalculateTrustStatus", err)
|
||||||
return
|
return
|
||||||
|
|
|
@ -799,7 +799,7 @@ func renderDirectoryFiles(ctx *context.Context, timeout time.Duration) git.Entri
|
||||||
verification := asymkey_model.ParseCommitWithSignature(latestCommit)
|
verification := asymkey_model.ParseCommitWithSignature(latestCommit)
|
||||||
|
|
||||||
if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
|
if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
|
||||||
return models.IsUserRepoAdmin(ctx.Repo.Repository, user)
|
return models.IsOwnerMemberCollaborator(ctx.Repo.Repository, user.ID)
|
||||||
}, nil); err != nil {
|
}, nil); err != nil {
|
||||||
ctx.ServerError("CalculateTrustStatus", err)
|
ctx.ServerError("CalculateTrustStatus", err)
|
||||||
return nil
|
return nil
|
||||||
|
|