Merge pull request #1627 from bradrydzewski/master

store yaml verification and signature in build
This commit is contained in:
Brad Rydzewski 2016-05-10 19:38:32 -07:00
commit 67848d4152
7 changed files with 64 additions and 25 deletions


@ -27,7 +27,7 @@ gen_migrations:
build: build_static
build_static:
cd drone && go build --ldflags '-extldflags "-static" -X github.com/drone/drone/version.VersionDev=$(CI_BUILD_NUMBER)' -o drone
cd drone && go build --ldflags '-extldflags "-static" -X github.com/drone/drone/version.VersionDev=$(DRONE_BUILD_NUMBER)' -o drone
test:
go test -cover $(PACKAGES)


@ -24,6 +24,8 @@ type Build struct {
Avatar string `json:"author_avatar" meddler:"build_avatar"`
Email string `json:"author_email" meddler:"build_email"`
Link string `json:"link_url" meddler:"build_link"`
Signed bool `json:"signed" meddler:"build_signed"`
Verified bool `json:"verified" meddler:"build_verified"`
}
type BuildGroup struct {
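Review bot: The two added fields `Signed` and `Verified` on Build carry no doc comment, and the names alone do not say that they describe the `.drone.yml.sig` check rather than, for example, a signed commit. Based on how the hook sets them in this commit, I would add `// Signed is true when a .drone.yml.sig file was present and parsed as a signature.` and `// Verified is true when that signature validated against the repository secret and its payload matched the .drone.yml contents.` Both fields are persisted (`meddler:"build_signed"` / `"build_verified"`) and exposed in the JSON API, so a reader of the API needs the same definition; a short note that a false `Verified` on a signed build means the build still ran with the unverified configuration (which the hook appears to do) would help there too.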


@ -157,6 +157,23 @@ func PostHook(c *gin.Context) {
return
}
signature, err := jose.ParseSigned(string(sec))
if err != nil {
log.Debugf("cannot parse .drone.yml.sig file. %s", err)
} else if len(sec) == 0 {
log.Debugf("cannot parse .drone.yml.sig file. empty file")
} else {
build.Signed = true
output, err := signature.Verify([]byte(repo.Hash))
if err != nil {
log.Debugf("cannot verify .drone.yml.sig file. %s", err)
} else if string(output) != string(raw) {
log.Debugf("cannot verify .drone.yml.sig file. no match")
} else {
build.Verified = true
}
}
// update some build fields
build.Status = model.StatusPending
build.RepoID = repo.ID
@ -194,33 +211,11 @@ func PostHook(c *gin.Context) {
log.Errorf("Error getting secrets for %s#%d. %s", repo.FullName, build.Number, err)
}
var signed bool
var verified bool
signature, err := jose.ParseSigned(string(sec))
if err != nil {
log.Debugf("cannot parse .drone.yml.sig file. %s", err)
} else if len(sec) == 0 {
log.Debugf("cannot parse .drone.yml.sig file. empty file")
} else {
signed = true
output, err := signature.Verify([]byte(repo.Hash))
if err != nil {
log.Debugf("cannot verify .drone.yml.sig file. %s", err)
} else if string(output) != string(raw) {
log.Debugf("cannot verify .drone.yml.sig file. no match")
} else {
verified = true
}
}
log.Debugf(".drone.yml is signed=%v and verified=%v", signed, verified)
bus.Publish(c, bus.NewBuildEvent(bus.Enqueued, repo, build))
for _, job := range jobs {
queue.Publish(c, &queue.Work{
Signed: signed,
Verified: verified,
Signed: build.Signed,
Verified: build.Verified,
User: user,
Repo: repo,
Build: build,
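Review bot: In the first hunk the `len(sec) == 0` test runs after `jose.ParseSigned(string(sec))` has already been attempted, so the "empty file" branch is reachable only if ParseSigned accepts an empty string; the emptiness check should come first, e.g. `if len(sec) == 0 { log.Debugf("cannot parse .drone.yml.sig file. empty file") } else if signature, err := jose.ParseSigned(string(sec)); err != nil { log.Debugf("cannot parse .drone.yml.sig file. %s", err) } else { ... }`, which also stops the inner `output, err :=` from shadowing the enclosing `err`. The verify-failure and "no match" branches log only at Debug level, and the summary line `.drone.yml is signed=%v and verified=%v` from the block removed in the second hunk is not carried over, so at default log levels a signature that fails to verify leaves no server-side trace even though the build is still enqueued a few lines later; a warning-level call for those two branches, if the logger provides one as `Errorf` at the top of the second hunk suggests, would keep that visible. `sec`, `raw` and the enclosing PostHook function start and end outside these hunks, so I am assuming `sec` is the fetched `.drone.yml.sig` contents and `raw` the fetched `.drone.yml`.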


@ -0,0 +1,12 @@
-- +migrate Up
ALTER TABLE builds ADD COLUMN build_signed BOOLEAN;
ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
UPDATE builds SET build_signed = false;
UPDATE builds SET build_verified = false;
-- +migrate Down
ALTER TABLE builds DROP COLUMN build_signed;
ALTER TABLE builds DROP COLUMN build_verified;
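Review bot: Both new columns are added as nullable BOOLEAN without a default and then backfilled by two separate full-table UPDATEs; the same pattern appears in the next two migration files of this commit. Any row read between the ADD COLUMN and the UPDATE holds NULL, and database/sql does not scan NULL into a Go bool, so loading such a Build row would fail rather than default to false (assuming the model is scanned into plain bool fields, as the `meddler` tags suggest). `ALTER TABLE builds ADD COLUMN build_signed BOOLEAN NOT NULL DEFAULT false;` (and likewise for `build_verified`, with `DEFAULT 0` in the variant that uses 0 literals) closes that window and makes the UPDATE statements unnecessary; if the backfill is kept, folding it into one `UPDATE builds SET build_signed = false, build_verified = false;` avoids rewriting the table twice.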


@ -0,0 +1,12 @@
-- +migrate Up
ALTER TABLE builds ADD COLUMN build_signed BOOLEAN;
ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
UPDATE builds SET build_signed = false;
UPDATE builds SET build_verified = false;
-- +migrate Down
ALTER TABLE builds DROP COLUMN build_signed;
ALTER TABLE builds DROP COLUMN build_verified;


@ -0,0 +1,12 @@
-- +migrate Up
ALTER TABLE builds ADD COLUMN build_signed BOOLEAN;
ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
UPDATE builds SET build_signed = 0;
UPDATE builds SET build_verified = 0;
-- +migrate Down
ALTER TABLE builds DROP COLUMN build_signed;
ALTER TABLE builds DROP COLUMN build_verified;


@ -75,6 +75,12 @@ block content
button.btn.btn-info.hidden#cancel cancel
div.col-md-8
if Build.Signed
if Build.Verified
noscript
else
div.alert.alert-warning
| Your .drone.yml.sig file did not match your .drone.yml
if Job.Error != ""
div.alert.alert-danger #{Job.Error}
else
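Review bot: The `if Build.Verified` branch emits a bare `noscript`, which renders nothing and reads as a placeholder; the nested if exists only to express "signed but not verified". Collapsing it to `if Build.Signed && !Build.Verified` directly followed by the `div.alert.alert-warning` block (if the template engine accepts that expression) removes the empty element. The warning text also leaves out the consequence: the hook in this commit appears to enqueue the build regardless of the verification result, so `| Your .drone.yml.sig file did not match your .drone.yml; this build ran with the unverified configuration` tells the user what actually happened. An unsigned build gets no indicator at all, which may be intentional but is worth a one-line template comment.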