Instance signing rule pubkey should allow all public keys, not just GPG (#35357)

Instance signing rule `pubkey` is described as "Only sign if the user has a public key", however if the user only has SSH public keys, this check will fail, as it only checks for GPG keys. Changed the `pubkey` checks to call a helper `userHasPubkeys` which sequentially checks for GPG, then SSH keys. Related #34341 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-08-29 12:58:29 +00:00 · 2025-08-26 15:06:37 -07:00
parent c4fbccc4ec
commit da5ce5c8e7
2 changed files with 70 additions and 20 deletions
--- a/services/asymkey/sign_test.go
+++ b/services/asymkey/sign_test.go
@@ -0,0 +1,39 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package asymkey
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserHasPubkeys(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	test := func(t *testing.T, userID int64, expectedHasGPG, expectedHasSSH bool) {
+		ctx := t.Context()
+		hasGPG, err := userHasPubkeysGPG(ctx, userID)
+		require.NoError(t, err)
+		hasSSH, err := userHasPubkeysSSH(ctx, userID)
+		require.NoError(t, err)
+		hasPubkeys, err := userHasPubkeys(ctx, userID)
+		require.NoError(t, err)
+		assert.Equal(t, expectedHasGPG, hasGPG)
+		assert.Equal(t, expectedHasSSH, hasSSH)
+		assert.Equal(t, expectedHasGPG || expectedHasSSH, hasPubkeys)
+	}
+
+	t.Run("AllowUserWithGPGKey", func(t *testing.T) {
+		test(t, 36, true, false) // has gpg
+	})
+	t.Run("AllowUserWithSSHKey", func(t *testing.T) {
+		test(t, 2, false, true) // has ssh
+	})
+	t.Run("DenyUserWithNoKeys", func(t *testing.T) {
+		test(t, 1, false, false) // no pubkey
+	})
+}