mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-11-30 08:06:52 +02:00
Merge pull request #1627 from bradrydzewski/master
store yaml verification and signature in build
This commit is contained in:
commit
67848d4152
2
Makefile
2
Makefile
@ -27,7 +27,7 @@ gen_migrations:
|
||||
build: build_static
|
||||
|
||||
build_static:
|
||||
cd drone && go build --ldflags '-extldflags "-static" -X github.com/drone/drone/version.VersionDev=$(CI_BUILD_NUMBER)' -o drone
|
||||
cd drone && go build --ldflags '-extldflags "-static" -X github.com/drone/drone/version.VersionDev=$(DRONE_BUILD_NUMBER)' -o drone
|
||||
|
||||
test:
|
||||
go test -cover $(PACKAGES)
|
||||
|
@ -24,6 +24,8 @@ type Build struct {
|
||||
Avatar string `json:"author_avatar" meddler:"build_avatar"`
|
||||
Email string `json:"author_email" meddler:"build_email"`
|
||||
Link string `json:"link_url" meddler:"build_link"`
|
||||
Signed bool `json:"signed" meddler:"build_signed"`
|
||||
Verified bool `json:"verified" meddler:"build_verified"`
|
||||
}
|
||||
|
||||
type BuildGroup struct {
|
||||
|
@ -157,6 +157,23 @@ func PostHook(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
signature, err := jose.ParseSigned(string(sec))
|
||||
if err != nil {
|
||||
log.Debugf("cannot parse .drone.yml.sig file. %s", err)
|
||||
} else if len(sec) == 0 {
|
||||
log.Debugf("cannot parse .drone.yml.sig file. empty file")
|
||||
} else {
|
||||
build.Signed = true
|
||||
output, err := signature.Verify([]byte(repo.Hash))
|
||||
if err != nil {
|
||||
log.Debugf("cannot verify .drone.yml.sig file. %s", err)
|
||||
} else if string(output) != string(raw) {
|
||||
log.Debugf("cannot verify .drone.yml.sig file. no match")
|
||||
} else {
|
||||
build.Verified = true
|
||||
}
|
||||
}
|
||||
|
||||
// update some build fields
|
||||
build.Status = model.StatusPending
|
||||
build.RepoID = repo.ID
|
||||
@ -194,33 +211,11 @@ func PostHook(c *gin.Context) {
|
||||
log.Errorf("Error getting secrets for %s#%d. %s", repo.FullName, build.Number, err)
|
||||
}
|
||||
|
||||
var signed bool
|
||||
var verified bool
|
||||
|
||||
signature, err := jose.ParseSigned(string(sec))
|
||||
if err != nil {
|
||||
log.Debugf("cannot parse .drone.yml.sig file. %s", err)
|
||||
} else if len(sec) == 0 {
|
||||
log.Debugf("cannot parse .drone.yml.sig file. empty file")
|
||||
} else {
|
||||
signed = true
|
||||
output, err := signature.Verify([]byte(repo.Hash))
|
||||
if err != nil {
|
||||
log.Debugf("cannot verify .drone.yml.sig file. %s", err)
|
||||
} else if string(output) != string(raw) {
|
||||
log.Debugf("cannot verify .drone.yml.sig file. no match")
|
||||
} else {
|
||||
verified = true
|
||||
}
|
||||
}
|
||||
|
||||
log.Debugf(".drone.yml is signed=%v and verified=%v", signed, verified)
|
||||
|
||||
bus.Publish(c, bus.NewBuildEvent(bus.Enqueued, repo, build))
|
||||
for _, job := range jobs {
|
||||
queue.Publish(c, &queue.Work{
|
||||
Signed: signed,
|
||||
Verified: verified,
|
||||
Signed: build.Signed,
|
||||
Verified: build.Verified,
|
||||
User: user,
|
||||
Repo: repo,
|
||||
Build: build,
|
||||
|
12
store/datastore/ddl/mysql/5.sql
Normal file
12
store/datastore/ddl/mysql/5.sql
Normal file
@ -0,0 +1,12 @@
|
||||
-- +migrate Up
|
||||
|
||||
ALTER TABLE builds ADD COLUMN build_signed BOOLEAN;
|
||||
ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
|
||||
|
||||
UPDATE builds SET build_signed = false;
|
||||
UPDATE builds SET build_verified = false;
|
||||
|
||||
-- +migrate Down
|
||||
|
||||
ALTER TABLE builds DROP COLUMN build_signed;
|
||||
ALTER TABLE builds DROP COLUMN build_verified;
|
12
store/datastore/ddl/postgres/5.sql
Normal file
12
store/datastore/ddl/postgres/5.sql
Normal file
@ -0,0 +1,12 @@
|
||||
-- +migrate Up
|
||||
|
||||
ALTER TABLE builds ADD COLUMN build_signed BOOLEAN;
|
||||
ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
|
||||
|
||||
UPDATE builds SET build_signed = false;
|
||||
UPDATE builds SET build_verified = false;
|
||||
|
||||
-- +migrate Down
|
||||
|
||||
ALTER TABLE builds DROP COLUMN build_signed;
|
||||
ALTER TABLE builds DROP COLUMN build_verified;
|
12
store/datastore/ddl/sqlite3/5.sql
Normal file
12
store/datastore/ddl/sqlite3/5.sql
Normal file
@ -0,0 +1,12 @@
|
||||
-- +migrate Up
|
||||
|
||||
ALTER TABLE builds ADD COLUMN build_signed BOOLEAN;
|
||||
ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
|
||||
|
||||
UPDATE builds SET build_signed = 0;
|
||||
UPDATE builds SET build_verified = 0;
|
||||
|
||||
-- +migrate Down
|
||||
|
||||
ALTER TABLE builds DROP COLUMN build_signed;
|
||||
ALTER TABLE builds DROP COLUMN build_verified;
|
@ -75,6 +75,12 @@ block content
|
||||
button.btn.btn-info.hidden#cancel cancel
|
||||
|
||||
div.col-md-8
|
||||
if Build.Signed
|
||||
if Build.Verified
|
||||
noscript
|
||||
else
|
||||
div.alert.alert-warning
|
||||
| Your .drone.yml.sig file did not match your .drone.yml
|
||||
if Job.Error != ""
|
||||
div.alert.alert-danger #{Job.Error}
|
||||
else
|
||||
|
Loading…
Reference in New Issue
Block a user