Collaborator trust model should trust collaborators (#18539) (#18557)

Backport #18539

There was an unintended regression in #17917 which leads to only
repository admin commits being trusted. This PR restores the old logic.

Fix #18501

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
zeripath 2022-02-03 16:20:37 +00:00 committed by GitHub
parent 8d31cfbfff
commit bc196a35e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 9 additions and 9 deletions

View File

@ -71,7 +71,7 @@ const (
) )
// ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys. // ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys.
func ParseCommitsWithSignature(oldCommits []*user_model.UserCommit, repoTrustModel repo_model.TrustModelType, isCodeReader func(*user_model.User) (bool, error)) []*SignCommit { func ParseCommitsWithSignature(oldCommits []*user_model.UserCommit, repoTrustModel repo_model.TrustModelType, isOwnerMemberCollaborator func(*user_model.User) (bool, error)) []*SignCommit {
newCommits := make([]*SignCommit, 0, len(oldCommits)) newCommits := make([]*SignCommit, 0, len(oldCommits))
keyMap := map[string]bool{} keyMap := map[string]bool{}
@ -81,7 +81,7 @@ func ParseCommitsWithSignature(oldCommits []*user_model.UserCommit, repoTrustMod
Verification: ParseCommitWithSignature(c.Commit), Verification: ParseCommitWithSignature(c.Commit),
} }
_ = CalculateTrustStatus(signCommit.Verification, repoTrustModel, isCodeReader, &keyMap) _ = CalculateTrustStatus(signCommit.Verification, repoTrustModel, isOwnerMemberCollaborator, &keyMap)
newCommits = append(newCommits, signCommit) newCommits = append(newCommits, signCommit)
} }
@ -455,7 +455,7 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *use
// CalculateTrustStatus will calculate the TrustStatus for a commit verification within a repository // CalculateTrustStatus will calculate the TrustStatus for a commit verification within a repository
// There are several trust models in Gitea // There are several trust models in Gitea
func CalculateTrustStatus(verification *CommitVerification, repoTrustModel repo_model.TrustModelType, isCodeReader func(*user_model.User) (bool, error), keyMap *map[string]bool) (err error) { func CalculateTrustStatus(verification *CommitVerification, repoTrustModel repo_model.TrustModelType, isOwnerMemberCollaborator func(*user_model.User) (bool, error), keyMap *map[string]bool) (err error) {
if !verification.Verified { if !verification.Verified {
return return
} }
@ -500,11 +500,11 @@ func CalculateTrustStatus(verification *CommitVerification, repoTrustModel repo_
var has bool var has bool
isMember, has = (*keyMap)[verification.SigningKey.KeyID] isMember, has = (*keyMap)[verification.SigningKey.KeyID]
if !has { if !has {
isMember, err = isCodeReader(verification.SigningUser) isMember, err = isOwnerMemberCollaborator(verification.SigningUser)
(*keyMap)[verification.SigningKey.KeyID] = isMember (*keyMap)[verification.SigningKey.KeyID] = isMember
} }
} else { } else {
isMember, err = isCodeReader(verification.SigningUser) isMember, err = isOwnerMemberCollaborator(verification.SigningUser)
} }
if !isMember { if !isMember {

View File

@ -18,7 +18,7 @@ func ConvertFromGitCommit(commits []*git.Commit, repo *repo_model.Repository) []
user_model.ValidateCommitsWithEmails(commits), user_model.ValidateCommitsWithEmails(commits),
repo.GetTrustModel(), repo.GetTrustModel(),
func(user *user_model.User) (bool, error) { func(user *user_model.User) (bool, error) {
return IsUserRepoAdmin(repo, user) return IsOwnerMemberCollaborator(repo, user.ID)
}, },
), ),
repo, repo,

View File

@ -117,7 +117,7 @@ func (graph *Graph) LoadAndProcessCommits(repository *repo_model.Repository, git
c.Verification = asymkey_model.ParseCommitWithSignature(c.Commit) c.Verification = asymkey_model.ParseCommitWithSignature(c.Commit)
_ = asymkey_model.CalculateTrustStatus(c.Verification, repository.GetTrustModel(), func(user *user_model.User) (bool, error) { _ = asymkey_model.CalculateTrustStatus(c.Verification, repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
return models.IsUserRepoAdmin(repository, user) return models.IsOwnerMemberCollaborator(repository, user.ID)
}, &keyMap) }, &keyMap)
statuses, _, err := models.GetLatestCommitStatus(repository.ID, c.Commit.ID.String(), db.ListOptions{}) statuses, _, err := models.GetLatestCommitStatus(repository.ID, c.Commit.ID.String(), db.ListOptions{})

View File

@ -351,7 +351,7 @@ func Diff(ctx *context.Context) {
ctx.Data["DiffNotAvailable"] = diff.NumFiles == 0 ctx.Data["DiffNotAvailable"] = diff.NumFiles == 0
if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) { if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
return models.IsUserRepoAdmin(ctx.Repo.Repository, user) return models.IsOwnerMemberCollaborator(ctx.Repo.Repository, user.ID)
}, nil); err != nil { }, nil); err != nil {
ctx.ServerError("CalculateTrustStatus", err) ctx.ServerError("CalculateTrustStatus", err)
return return

View File

@ -800,7 +800,7 @@ func renderDirectoryFiles(ctx *context.Context, timeout time.Duration) git.Entri
verification := asymkey_model.ParseCommitWithSignature(latestCommit) verification := asymkey_model.ParseCommitWithSignature(latestCommit)
if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) { if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
return models.IsUserRepoAdmin(ctx.Repo.Repository, user) return models.IsOwnerMemberCollaborator(ctx.Repo.Repository, user.ID)
}, nil); err != nil { }, nil); err != nil {
ctx.ServerError("CalculateTrustStatus", err) ctx.ServerError("CalculateTrustStatus", err)
return nil return nil