[v12.0/forgejo] fix: pass doer's ID for CRUD instance signing (#8318)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8304 - When doing CRUD actions, the commiter and author are reconstructed and do not contain the doer's ID. Make sure to pass this ID along so it can be used to verify the rules of instance signing for CRUD actions. - Regression of forgejo/forgejo#7693. It seems that previously this didn't work correctly as it would not care about a empty ID. - Resolves forgejo/forgejo#8278 Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8318 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-08-24 11:13:47 +00:00 · 2025-06-27 16:26:11 +02:00 · 2025-06-27 16:26:11 +02:00 · 5f88d15a63
commit 5f88d15a63
parent 71d3cb9590
2 changed files with 85 additions and 27 deletions
--- a/tests/integration/signing_git_test.go
+++ b/tests/integration/signing_git_test.go
@ -235,7 +235,7 @@ func testCRUD(t *testing.T, u *url.URL, signingFormat string, objectFormat git.O
 			}))
 		})

-		t.Run("No publickey", func(t *testing.T) {
+		t.Run("No 2fa", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()

 			testCtx := NewAPITestContext(t, "user4", "initial-no-2fa"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
@ -287,6 +287,65 @@ func testCRUD(t *testing.T, u *url.URL, signingFormat string, objectFormat git.O
 			}))
 	})

+	t.Run("AlwaysSign-Initial-CRUD-Pubkey", func(t *testing.T) {
+		setting.Repository.Signing.CRUDActions = []string{"pubkey"}
+
+		t.Run("Has publickey", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			testCtx := NewAPITestContext(t, username, "initial-always-pubkey"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+			t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
+			t.Run("CreateCRUDFile-Pubkey", crudActionCreateFile(
+				t, testCtx, user, "master", "pubkey", "signed-pubkey.txt", func(t *testing.T, response api.FileResponse) {
+					assert.True(t, response.Verification.Verified)
+					assert.Equal(t, "fox@example.com", response.Verification.Signer.Email)
+				}))
+		})
+
+		t.Run("No publickey", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			testCtx := NewAPITestContext(t, "user4", "initial-always-no-pubkey"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+			t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
+			t.Run("CreateCRUDFile-Pubkey", crudActionCreateFile(
+				t, testCtx, user, "master", "pubkey", "unsigned-pubkey.txt", func(t *testing.T, response api.FileResponse) {
+					assert.False(t, response.Verification.Verified)
+				}))
+		})
+	})
+
+	t.Run("AlwaysSign-Initial-CRUD-Twofa", func(t *testing.T) {
+		setting.Repository.Signing.CRUDActions = []string{"twofa"}
+
+		t.Run("Has 2fa", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			t.Cleanup(func() {
+				unittest.AssertSuccessfulDelete(t, &auth_model.WebAuthnCredential{UserID: user.ID})
+			})
+
+			testCtx := NewAPITestContext(t, username, "initial-always-twofa"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+			unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID})
+			t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
+			t.Run("CreateCRUDFile-Twofa", crudActionCreateFile(
+				t, testCtx, user, "master", "twofa", "signed-twofa.txt", func(t *testing.T, response api.FileResponse) {
+					assert.True(t, response.Verification.Verified)
+					assert.Equal(t, "fox@example.com", response.Verification.Signer.Email)
+				}))
+		})
+
+		t.Run("No 2fa", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			testCtx := NewAPITestContext(t, "user4", "initial-always-no-twofa"+suffix, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+			t.Run("CreateRepository", doAPICreateRepository(testCtx, false, objectFormat))
+			t.Run("CreateCRUDFile-Pubkey", crudActionCreateFile(
+				t, testCtx, user, "master", "twofa", "unsigned-twofa.txt", func(t *testing.T, response api.FileResponse) {
+					assert.False(t, response.Verification.Verified)
+				}))
+		})
+	})
+
 	t.Run("AlwaysSign-Initial-CRUD-Always", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 		setting.Repository.Signing.CRUDActions = []string{"always"}