go-gitea · lunny · Oct 19, 2019 · zeripath · Oct 19, 2019 · zeripath
diff --git a/models/branches.go b/models/branches.go
@@ -41,6 +41,7 @@ type ProtectedBranch struct {
 	ApprovalsWhitelistUserIDs []int64            `xorm:"JSON TEXT"`
 	ApprovalsWhitelistTeamIDs []int64            `xorm:"JSON TEXT"`
 	RequiredApprovals         int64              `xorm:"NOT NULL DEFAULT 0"`
+	RequireSignedCommits      bool               `xorm:"NOT NULL DEFAULT false"`
 	CreatedUnix               timeutil.TimeStamp `xorm:"created"`
 	UpdatedUnix               timeutil.TimeStamp `xorm:"updated"`
 }

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
@@ -260,6 +260,8 @@ var migrations = []Migration{
 	NewMigration("change length of some external login users columns", changeSomeColumnsLengthOfExternalLoginUser),
 	// v102 -> v103
 	NewMigration("update migration repositories' service type", dropColumnHeadUserNameOnPullRequest),
+	// v103 -> v104
+	NewMigration("add require signed commits on protected branch", addRequireSignedCommitsOnProtectedBranch),
 }
 
 // Migrate database to current version

diff --git a/models/migrations/v103.go b/models/migrations/v103.go
@@ -0,0 +1,18 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+func addRequireSignedCommitsOnProtectedBranch(x *xorm.Engine) error {
+	type ProtectedBranch struct {
+		ID                        int64  `xorm:"pk autoincr"` 
+		RequireSignedCommits      bool               `xorm:"NOT NULL DEFAULT false"`
+	}
+
+	return x.Sync2(new(ProtectedBranch))
+}
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
@@ -155,11 +155,12 @@ type ProtectBranchForm struct {
 	EnableMergeWhitelist    bool
 	MergeWhitelistUsers     string
 	MergeWhitelistTeams     string
-	EnableStatusCheck       bool `xorm:"NOT NULL DEFAULT false"`
+	EnableStatusCheck       bool
 	StatusCheckContexts     []string
 	RequiredApprovals       int64
 	ApprovalsWhitelistUsers string
 	ApprovalsWhitelistTeams string
+	RequireSignedCommits    bool
 }
 
 // Validate validates the fields

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -1336,6 +1336,8 @@ settings.protect_merge_whitelist_teams = Whitelisted teams for merging:
 settings.protect_check_status_contexts = Enable Status Check
 settings.protect_check_status_contexts_desc = Require status checks to pass before merging Choose which status checks must pass before branches can be merged into a branch that matches this rule. When enabled, commits must first be pushed to another branch, then merged or pushed directly to a branch that matches this rule after status checks have passed. If no contexts are selected, the last commit must be successful regardless of context.
 settings.protect_check_status_contexts_list = Status checks found in the last week for this repository
+settings.requrie_signed_commits = Require signed commits
-settings.requrie_signed_commits = Require signed commits
+settings.require_signed_commits = Require signed commits
-settings.requrie_signed_commits = Require signed commits
+settings.require_signed_commits = Require signed commits
+settings.requrie_signed_commits_desc = Commits pushed to this branch must have verified signatures.
-settings.requrie_signed_commits_desc = Commits pushed to this branch must have verified signatures.
+settings.require_signed_commits_desc = Commits pushed to this branch must have verified signatures.
-settings.requrie_signed_commits_desc = Commits pushed to this branch must have verified signatures.
+settings.require_signed_commits_desc = Commits pushed to this branch must have verified signatures.
 settings.protect_required_approvals = Required approvals:
 settings.protect_required_approvals_desc = Allow only to merge pull request with enough positive reviews of whitelisted users or teams.
 settings.protect_approvals_whitelist_users = Whitelisted reviewers:

diff --git a/routers/private/hook.go b/routers/private/hook.go
@@ -6,6 +6,7 @@
 package private
 
 import (
+	"bytes"
 	"fmt"
 	"net/http"
 	"os"
@@ -119,6 +120,48 @@ func HookPreReceive(ctx *macaron.Context) {
 			})
 			return
 		}
+
+		// check signed commits
+		if protectBranch.RequireSignedCommits {
+			gitRepo, err := git.OpenRepository(repo.RepoPath())
+			if err != nil {
+				log.Error("Unable to find the git repository %s/%s: %v", ownerName, repoName, err)
+				ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
+					"err": fmt.Sprintf("Unable to find the git repository %s/%s", ownerName, repoName),
+				})
+				return
+			}
+
+			stdout, err := git.NewCommand("rev-list", oldCommitID+"..."+newCommitID).RunInDirBytes(repo.RepoPath())
 env := os.Environ() 
 if gitAlternativeObjectDirectories != "" { 
 	env = append(env, 
 		private.GitAlternativeObjectDirectories+"="+gitAlternativeObjectDirectories) 
 } 
 if gitObjectDirectory != "" { 
 	env = append(env, 
 		private.GitObjectDirectory+"="+gitObjectDirectory) 
 } 
 if gitQuarantinePath != "" { 
 	env = append(env, 
 		private.GitQuarantinePath+"="+gitQuarantinePath) 
 } 
 output, err := git.NewCommand("rev-list", "--max-count=1", oldCommitID, "^"+newCommitID).RunInDirWithEnv(repo.RepoPath(), env) 
 if err != nil { 
 env := os.Environ() 
 if gitAlternativeObjectDirectories != "" { 
 	env = append(env, 
 		private.GitAlternativeObjectDirectories+"="+gitAlternativeObjectDirectories) 
 } 
 if gitObjectDirectory != "" { 
 	env = append(env, 
 		private.GitObjectDirectory+"="+gitObjectDirectory) 
 } 
 if gitQuarantinePath != "" { 
 	env = append(env, 
 		private.GitQuarantinePath+"="+gitQuarantinePath) 
 } 
  
 output, err := git.NewCommand("rev-list", "--max-count=1", oldCommitID, "^"+newCommitID).RunInDirWithEnv(repo.RepoPath(), env) 
 if err != nil { 
+			if err != nil {
+				log.Error("Unable to get commit via id %v : %v", newCommitID, err)
+				ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
+					"err": fmt.Sprintf("Unable to get commit via id %v", newCommitID),
+				})
+				return
+			}
+
+			parts := bytes.Split(stdout, []byte{'\n'})
+			for _, commitID := range parts {
+				commit, err := gitRepo.GetCommit(string(commitID))
+				if err != nil {
+					log.Error("Unable to get commit via id %v : %v", newCommitID, err)
+					ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
+						"err": fmt.Sprintf("Unable to get commit via id %v", newCommitID),
+					})
+					return
+				}
+
+				v := models.ParseCommitWithSignature(commit)
+				if !v.Verified {
+					log.Warn("protected branch %s require signed commits, but %v isn't signed", branchName, commit.ID)
+					ctx.JSON(http.StatusForbidden, map[string]interface{}{
+						"err": fmt.Sprintf("protected branch %s require signed commits, but %v isn't signed", branchName, commit.ID),
+					})
+					return
+				}
+			}
+		}
 	}
 	ctx.PlainText(http.StatusOK, []byte("ok"))
 }

diff --git a/routers/repo/setting_protected_branch.go b/routers/repo/setting_protected_branch.go
@@ -193,6 +193,7 @@ func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm)
 		if f.RequiredApprovals < 0 {
 			ctx.Flash.Error(ctx.Tr("repo.settings.protected_branch_required_approvals_min"))
 			ctx.Redirect(fmt.Sprintf("%s/settings/branches/%s", ctx.Repo.RepoLink, branch))
+			return
 		}
 
 		var whitelistUsers, whitelistTeams, mergeWhitelistUsers, mergeWhitelistTeams, approvalsWhitelistUsers, approvalsWhitelistTeams []int64
@@ -213,6 +214,7 @@ func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm)
 
 		protectBranch.EnableStatusCheck = f.EnableStatusCheck
 		protectBranch.StatusCheckContexts = f.StatusCheckContexts
+		protectBranch.RequireSignedCommits = f.RequireSignedCommits
 
 		protectBranch.RequiredApprovals = f.RequiredApprovals
 		if strings.TrimSpace(f.ApprovalsWhitelistUsers) != "" {

diff --git a/templates/repo/settings/protected_branch.tmpl b/templates/repo/settings/protected_branch.tmpl
@@ -136,6 +136,14 @@
 						</div>
 					</div>
 
+					<div class="field">
+						<div class="ui checkbox">
+							<input class="require-signedcommits" name="require_signed_commits" type="checkbox" {{if .Branch.RequireSignedCommits}}checked{{end}}>
+							<label>{{.i18n.Tr "repo.settings.requrie_signed_commits"}}</label>
-							<label>{{.i18n.Tr "repo.settings.requrie_signed_commits"}}</label>
+							<label>{{.i18n.Tr "repo.settings.require_signed_commits"}}</label>
-							<label>{{.i18n.Tr "repo.settings.requrie_signed_commits"}}</label>
+							<label>{{.i18n.Tr "repo.settings.require_signed_commits"}}</label>
+							<p class="help">{{.i18n.Tr "repo.settings.requrie_signed_commits_desc"}}</p>
-							<p class="help">{{.i18n.Tr "repo.settings.requrie_signed_commits_desc"}}</p>
+							<p class="help">{{.i18n.Tr "repo.settings.require_signed_commits_desc"}}</p>
-							<p class="help">{{.i18n.Tr "repo.settings.requrie_signed_commits_desc"}}</p>
+							<p class="help">{{.i18n.Tr "repo.settings.require_signed_commits_desc"}}</p>
+						</div>
+					</div>
+
 					<div class="field">
 						<label for="required-approvals">{{.i18n.Tr "repo.settings.protect_required_approvals"}}</label>
 						<input name="required_approvals" id="required-approvals" type="number" value="{{.Branch.RequiredApprovals}}">