This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new f9501e19 Simplify and re-organise code for easier testing
f9501e19 is described below

commit f9501e191199c5e13d717e200a6ad38ec1763b59
Author: Sebb <[email protected]>
AuthorDate: Mon Feb 12 15:53:26 2024 +0000

    Simplify and re-organise code for easier testing
---
 .../views/actions/check-signature.json.rb          | 110 +++++++++++++--------
 1 file changed, 69 insertions(+), 41 deletions(-)

diff --git a/www/secretary/workbench/views/actions/check-signature.json.rb 
b/www/secretary/workbench/views/actions/check-signature.json.rb
index 41437df2..37d44568 100644
--- a/www/secretary/workbench/views/actions/check-signature.json.rb
+++ b/www/secretary/workbench/views/actions/check-signature.json.rb
@@ -1,17 +1,25 @@
 # frozen_string_literal: true
 
 require 'uri'
+require 'net/http'
+
+MAX_KEY_SIZE = 125000 # don't import if the ascii keyfile is larger than this
 
 # check signature on an attachment
 #
 
+if $0 == __FILE__
+  require 'wunderbar'
+  $LOAD_PATH.unshift '/srv/whimsy/lib'
+  require 'whimsy/asf'
+  require_relative '../../models/mailbox'
+end
+
 ENV['GNUPGHOME'] = GNUPGHOME if GNUPGHOME
 
 # see WHIMSY-274 for secure servers
 # ** N.B. ensure the keyserver URI is known below **
 
-# Restored keys.openpgp.org; sks-keryservers is dead; we can do without email
-# gozer.rediris.es certificate has expired
 KEYSERVERS = %w{keyserver.ubuntu.com}
 # openpgp does not return the uid needed by gpg
 
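Review bot: The new `if $0 == __FILE__` block makes this file runnable on its own, but the unchanged line `ENV['GNUPGHOME'] = GNUPGHOME if GNUPGHOME` still assumes the constant is already defined. Unless one of the three new requires defines it (not visible here), a direct run stops with a NameError. Guarding it as `ENV['GNUPGHOME'] = GNUPGHOME if defined?(GNUPGHOME) && GNUPGHOME` avoids that. If it is kept, a short comment should say that a direct run then imports keys into the invoking user's default keyring.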
@@ -33,10 +41,6 @@ def getServerURI(server, keyid)
   return uri
 end
 
-MAX_KEY_SIZE = 125000 # don't import if the ascii keyfile is larger than this
-
-require 'net/http'
-
 # fetch the Key from the URI and store in the file
 def getURI(uri, file)
   uri = URI.parse(uri)
@@ -71,13 +75,7 @@ def getURI(uri, file)
   end
 end
 
-message = Mailbox.find(@message)
-
-begin
-  # fetch attachment and signature
-  attachment = 
message.find(URI::RFC2396_Parser.new.unescape(@attachment)).as_file # This is 
derived from a URI
-  signature  = message.find(@signature).as_file # This is derived from the 
YAML file
-
+def validate_sig(attachment, signature)
   # pick the latest gpg version
   gpg = `which gpg2`.chomp
   gpg = `which gpg`.chomp if gpg.empty?
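Review bot: `validate_sig` is introduced without a header comment, although it is now the unit the commit intends to be tested. A comment such as `# Verify signature against attachment; both must respond to #path. Returns [out, err, rc] where rc is the Process::Status of the last gpg call` would state the contract that `process` relies on when it reads `rc.exitstatus`. The body of the method continues outside this hunk.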
@@ -97,40 +95,37 @@ begin
     # extract and fetch key
     keyid = err[/[RD]SA key (ID )?(\w+)/,2]
 
-    out2 = err2 = '' # needed later
-
     # Try to fetch the key
-    KEYSERVERS.each do |server|
+    Dir.mktmpdir do |dir|
       found = false
-      Dir.mktmpdir do |dir|
+      tmpfile = File.join(dir, keyid)
+      KEYSERVERS.each do |server|
         begin
-          tmpfile = File.join(dir, keyid)
-          uri = getServerURI(server, keyid)
-          getURI(uri, tmpfile)
-          out2, err2, rc2 = Open3.capture3 gpg,
+          # uri = getServerURI(server, keyid)
+          # get the public key if possible (throws if not)
+          # getURI(uri, tmpfile)
+          FileUtils.cp(File.join('/srv/whimsy', keyid), tmpfile) # Temp, don't 
bother gpg database
+          # import the key for use in validation
+          out, err, rc = Open3.capture3 gpg,
             '--batch', '--import', tmpfile
           # For later analysis
-          Wunderbar.warn "#{gpg} --import #{tmpfile} rc2=#{rc2} out2=#{out2} 
err2=#{err2}"
+          Wunderbar.warn "#{gpg} --import #{tmpfile} rc=#{rc} out=#{out} 
err=#{err}"
           found = true
         rescue Exception => e
           Wunderbar.warn "GET uri=#{uri} e=#{e}"
-          err2 = e.to_s
+          err = "Key #{keyid} not found: #{e.to_s}".dup # Dup needed to 
unfreeze string for later
         end
+        break if found
+      end
+      if found
+
+        # run gpg verify command again
+        # TODO: may need to drop the keyid-format parameter when gpg is 
updated as it might
+        # reduce the keyid length from the full fingerprint
+        out, err, rc = Open3.capture3 gpg,
+          '--keyid-format', 'long', # Show a longer id
+          '--verify', signature.path, attachment.path
       end
-      break if found
-    end
-
-    # run gpg verify command again
-    # TODO: may need to drop the keyid-format parameter when gpg is updated as 
it might
-    # reduce the keyid length from the full fingerprint
-    out, err, rc = Open3.capture3 gpg,
-      '--keyid-format', 'long', # Show a longer id
-      '--verify', signature.path, attachment.path
-
-    # if verify failed, concatenate fetch output
-    if rc.exitstatus != 0
-      out += out2
-      err += err2
     end
   end
 
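Review bot: The keyserver fetch is commented out and replaced by `FileUtils.cp(File.join('/srv/whimsy', keyid), tmpfile)`, which its own comment marks as "Temp". On master the key therefore comes from a local file, and it skips whatever size check `getURI` applies (presumably the `MAX_KEY_SIZE` limit; the body of `getURI` is not shown). Because the `uri = ...` assignment is now a comment, `uri` in `Wunderbar.warn "GET uri=#{uri} e=#{e}"` is no longer a local variable. A failed copy would raise NameError inside the rescue instead of logging and trying the next server. I would restore `uri = getServerURI(server, keyid)` and `getURI(uri, tmpfile)` and drop the `cp`. I would also narrow `rescue Exception => e` to `rescue StandardError => e`, so that interrupts and exits are not swallowed. `validate_sig` starts before this hunk.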
@@ -146,9 +141,42 @@ begin
 
   ignore.each {|re| err.gsub! re, ''}
 
-ensure
-  attachment.unlink if attachment
-  signature.unlink if signature
+  return out, err, rc
+end
+
+def process
+  message = Mailbox.find(@message) # e.g. 
/secretary/workbench/yyyymm/123456789a/
+
+  begin
+    # fetch attachment and signature
+    # e.g. icla.pdf and icla.pdf.asc
+    attachment = 
message.find(URI::RFC2396_Parser.new.unescape(@attachment)).as_file # This is 
derived from a URI
+    signature  = message.find(@signature).as_file # This is derived from the 
YAML file
+
+    out, err, rc = validate_sig(attachment, signature)
+
+  ensure
+    attachment.unlink if attachment
+    signature.unlink if signature
+  end
+
+  return {output: out, error: err, rc: rc.exitstatus}
 end
 
-{output: out, error: err, rc: rc.exitstatus}
+# Allow direct testing
+if $0 == __FILE__
+  yyyymmid = ARGV.shift or fail "Need yyyymm/msgid"
+  att = ARGV.shift || 'icla.pdf'
+  sig = ARGV.shift || att + '.asc'
+  @message = "/secretary/workbench/#{yyyymmid}/"
+  @attachment=att
+  @signature=sig
+  ret = process
+  if ret[:rc] == 0
+    puts "Success: #{ret[:output]} #{ret[:error]}"
+  else
+    puts "Failure(#{ret[:rc]}): #{ret[:output]} #{ret[:error]}"
+  end
+else
+  process # must be the last executable statement
+end
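Review bot: The direct-test branch prints `Failure(#{ret[:rc]})` when verification fails, but the script still exits with status 0. A shell wrapper or test harness therefore cannot distinguish a bad signature from a good one without parsing the output. Adding `exit 1` after the `puts "Failure(...)"` line would make the result machine-checkable.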
