diff --git a/Cargo.lock b/Cargo.lock index f0e1bc541d..3ea40fa0f3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2795,6 +2795,7 @@ dependencies = [ "async-trait", "config", "git2", + "hex", "itertools 0.11.0", "jj-lib", "rand", diff --git a/cli/examples/custom-backend/main.rs b/cli/examples/custom-backend/main.rs index 3827f59c2c..4bc1c797e3 100644 --- a/cli/examples/custom-backend/main.rs +++ b/cli/examples/custom-backend/main.rs @@ -27,7 +27,8 @@ use jj_lib::git_backend::GitBackend; use jj_lib::repo::StoreFactories; use jj_lib::repo_path::RepoPath; use jj_lib::settings::UserSettings; -use jj_lib::workspace::Workspace; +use jj_lib::signing::Signer; +use jj_lib::workspace::{Workspace, WorkspaceInitError}; #[derive(clap::Parser, Clone, Debug)] enum CustomCommands { @@ -59,6 +60,8 @@ fn run_custom_command( command_helper.settings(), wc_path, &|settings, store_path| Ok(Box::new(JitBackend::init(settings, store_path)?)), + Signer::from_settings(command_helper.settings()) + .map_err(WorkspaceInitError::SignInit)?, )?; Ok(()) } diff --git a/cli/examples/custom-working-copy/main.rs b/cli/examples/custom-working-copy/main.rs index a1c50f3880..5101af37af 100644 --- a/cli/examples/custom-working-copy/main.rs +++ b/cli/examples/custom-working-copy/main.rs @@ -28,12 +28,15 @@ use jj_lib::op_store::{OperationId, WorkspaceId}; use jj_lib::repo::ReadonlyRepo; use jj_lib::repo_path::RepoPathBuf; use jj_lib::settings::UserSettings; +use jj_lib::signing::Signer; use jj_lib::store::Store; use jj_lib::working_copy::{ CheckoutError, CheckoutStats, LockedWorkingCopy, ResetError, SnapshotError, SnapshotOptions, WorkingCopy, WorkingCopyStateError, }; -use jj_lib::workspace::{default_working_copy_factories, WorkingCopyInitializer, Workspace}; +use jj_lib::workspace::{ + default_working_copy_factories, WorkingCopyInitializer, Workspace, WorkspaceInitError, +}; #[derive(clap::Parser, Clone, Debug)] enum CustomCommands { @@ -58,6 +61,8 @@ fn run_custom_command( command_helper.settings(), wc_path, &backend_initializer, + Signer::from_settings(command_helper.settings()) + .map_err(WorkspaceInitError::SignInit)?, &ReadonlyRepo::default_op_store_initializer(), &ReadonlyRepo::default_op_heads_store_initializer(), &ReadonlyRepo::default_index_store_initializer(), diff --git a/cli/src/cli_util.rs b/cli/src/cli_util.rs index 68c514aede..bbcd4d0ab6 100644 --- a/cli/src/cli_util.rs +++ b/cli/src/cli_util.rs @@ -57,6 +57,7 @@ use jj_lib::revset::{ }; use jj_lib::rewrite::restore_tree; use jj_lib::settings::{ConfigResultExt as _, UserSettings}; +use jj_lib::signing::SignInitError; use jj_lib::str_util::{StringPattern, StringPatternParseError}; use jj_lib::transaction::Transaction; use jj_lib::tree::TreeMergeError; @@ -194,6 +195,10 @@ impl From for CommandError { WorkspaceInitError::WorkingCopyState(err) => { CommandError::InternalError(format!("Failed to access the repository: {err}")) } + WorkspaceInitError::SignInit(err @ SignInitError::UnknownBackend(_)) => { + user_error(format!("{err}")) + } + WorkspaceInitError::SignInit(err) => CommandError::InternalError(format!("{err}")), } } } @@ -1655,6 +1660,10 @@ jj init --git-repo=.", ) => CommandError::InternalError(format!( "The repository appears broken or inaccessible: {err}" )), + WorkspaceLoadError::StoreLoadError(StoreLoadError::Signing( + err @ SignInitError::UnknownBackend(_), + )) => user_error(format!("{err}")), + WorkspaceLoadError::StoreLoadError(err) => CommandError::InternalError(format!("{err}")), } } diff --git a/cli/src/config-schema.json b/cli/src/config-schema.json index 14e71edf97..a6f980c6f4 100644 --- a/cli/src/config-schema.json +++ b/cli/src/config-schema.json @@ -355,6 +355,31 @@ "default": "1MiB" } } + }, + "signing": { + "type": "object", + "description": "Settings for verifying and creating cryptographic commit signatures", + "properties": { + "backend": { + "type": "string", + "description": "Which backend to use to create commit signatures" + }, + "key": { + "type": "string", + "description": "The key parameter to pass to the signing backend. Overridden by `jj sign` parameter or by the global `--sign-with` option" + }, + "sign-all": { + "type": "boolean", + "description": "Whether to sign all commits by default. Overridden by global `--no-sign` option", + "default": false + }, + "backends": { + "type": "object", + "description": "Tables of options to pass to specific signing backends", + "properties": {}, + "additionalProperties": true + } + } } } } \ No newline at end of file diff --git a/lib/src/backend.rs b/lib/src/backend.rs index 50980a9631..68ec072099 100644 --- a/lib/src/backend.rs +++ b/lib/src/backend.rs @@ -27,6 +27,7 @@ use thiserror::Error; use crate::content_hash::ContentHash; use crate::merge::Merge; use crate::repo_path::{RepoPath, RepoPathComponent, RepoPathComponentBuf}; +use crate::signing::SignResult; pub trait ObjectId { fn new(value: Vec) -> Self; @@ -147,7 +148,7 @@ content_hash! { } } -pub type SigningFn = Box BackendResult>>; +pub type SigningFn = Box SignResult>>; /// Identifies a single legacy tree, which may have path-level conflicts, or a /// merge of multiple trees, where the individual trees do not have conflicts. diff --git a/lib/src/commit.rs b/lib/src/commit.rs index b5c250e858..65e2e1379d 100644 --- a/lib/src/commit.rs +++ b/lib/src/commit.rs @@ -22,6 +22,7 @@ use std::sync::Arc; use crate::backend; use crate::backend::{BackendError, ChangeId, CommitId, MergedTreeId, Signature}; use crate::merged_tree::MergedTree; +use crate::signing::{SignResult, Verification}; use crate::store::Store; #[derive(Clone)] @@ -146,6 +147,20 @@ impl Commit { } false } + + /// A quick way to just check if a signature is present. + pub fn is_signed(&self) -> bool { + self.data.secure_sig.is_some() + } + + /// A slow (but cached) way to get the full verification. + pub fn verification(&self) -> SignResult> { + self.data + .secure_sig + .as_ref() + .map(|sig| self.store.signer().verify(&self.id, &sig.data, &sig.sig)) + .transpose() + } } /// Wrapper to sort `Commit` by committer timestamp. diff --git a/lib/src/commit_builder.rs b/lib/src/commit_builder.rs index 6bb1027052..9f816e29e4 100644 --- a/lib/src/commit_builder.rs +++ b/lib/src/commit_builder.rs @@ -16,10 +16,11 @@ use std::sync::Arc; -use crate::backend::{self, BackendResult, ChangeId, CommitId, MergedTreeId, Signature}; +use crate::backend::{self, BackendResult, ChangeId, CommitId, MergedTreeId, Signature, SigningFn}; use crate::commit::Commit; use crate::repo::{MutableRepo, Repo}; -use crate::settings::{JJRng, UserSettings}; +use crate::settings::{JJRng, SignSettings, UserSettings}; +use crate::signing::SignBehavior; #[must_use] pub struct CommitBuilder<'repo> { @@ -27,6 +28,7 @@ pub struct CommitBuilder<'repo> { rng: Arc, commit: backend::Commit, rewrite_source: Option, + sign_settings: SignSettings, } impl CommitBuilder<'_> { @@ -55,6 +57,7 @@ impl CommitBuilder<'_> { rng, commit, rewrite_source: None, + sign_settings: settings.sign_settings(), } } @@ -83,6 +86,7 @@ impl CommitBuilder<'_> { commit, rng: settings.get_rng(), rewrite_source: Some(predecessor.clone()), + sign_settings: settings.sign_settings(), } } @@ -157,14 +161,44 @@ impl CommitBuilder<'_> { self } - pub fn write(self) -> BackendResult { + pub fn sign_settings(&self) -> &SignSettings { + &self.sign_settings + } + + pub fn set_sign_behavior(mut self, sign_behavior: SignBehavior) -> Self { + self.sign_settings.behavior = sign_behavior; + self + } + + pub fn set_sign_key(mut self, sign_key: Option) -> Self { + self.sign_settings.key = sign_key; + self + } + + pub fn write(mut self) -> BackendResult { let mut rewrite_source_id = None; if let Some(rewrite_source) = self.rewrite_source { if *rewrite_source.change_id() == self.commit.change_id { rewrite_source_id.replace(rewrite_source.id().clone()); } } - let commit = self.mut_repo.write_commit(self.commit)?; + + let sign_settings = self.sign_settings; + let store = self.mut_repo.store(); + + let signing_fn = (store.signer().can_sign() && sign_settings.should_sign(&self.commit)) + .then(|| { + let store = store.clone(); + Box::new(move |data: &_| store.signer().sign(data, sign_settings.key.as_deref())) + as SigningFn + }); + + // Commit backend doesn't use secure_sig for writing and enforces it with an + // assert, but sign_settings.should_sign check above will want to know + // if we're rewriting a signed commit + self.commit.secure_sig = None; + + let commit = self.mut_repo.write_commit(self.commit, signing_fn)?; if let Some(rewrite_source_id) = rewrite_source_id { self.mut_repo .record_rewritten_commit(rewrite_source_id, commit.id().clone()) diff --git a/lib/src/git_backend.rs b/lib/src/git_backend.rs index 79863b9676..866482f699 100644 --- a/lib/src/git_backend.rs +++ b/lib/src/git_backend.rs @@ -967,7 +967,10 @@ impl Backend for GitBackend { let mut data = Vec::with_capacity(512); commit.write_to(&mut data).unwrap(); - let sig = sign(&data)?; + let sig = sign(&data).map_err(|err| BackendError::WriteObject { + object_type: "commit", + source: Box::new(err), + })?; commit .extra_headers .push(("gpgsig".into(), sig.clone().into())); diff --git a/lib/src/lib.rs b/lib/src/lib.rs index f0ac9314a4..cf649466e5 100644 --- a/lib/src/lib.rs +++ b/lib/src/lib.rs @@ -58,6 +58,7 @@ pub mod revset; pub mod revset_graph; pub mod rewrite; pub mod settings; +pub mod signing; pub mod simple_op_heads_store; pub mod simple_op_store; pub mod stacked_table; diff --git a/lib/src/local_backend.rs b/lib/src/local_backend.rs index 4246bc9c05..c2283e26e8 100644 --- a/lib/src/local_backend.rs +++ b/lib/src/local_backend.rs @@ -281,7 +281,7 @@ impl Backend for LocalBackend { let mut proto = commit_to_proto(&commit); if let Some(mut sign) = sign_with { let data = proto.encode_to_vec(); - let sig = sign(&data)?; + let sig = sign(&data).map_err(to_other_err)?; proto.secure_sig = Some(sig.clone()); commit.secure_sig = Some(SecureSig { data, sig }); } diff --git a/lib/src/repo.rs b/lib/src/repo.rs index ac26994d01..2765766ffc 100644 --- a/lib/src/repo.rs +++ b/lib/src/repo.rs @@ -31,7 +31,7 @@ use tracing::instrument; use self::dirty_cell::DirtyCell; use crate::backend::{ Backend, BackendError, BackendInitError, BackendLoadError, BackendResult, ChangeId, CommitId, - MergedTreeId, ObjectId, + MergedTreeId, ObjectId, SigningFn, }; use crate::commit::{Commit, CommitByCommitterTimestamp}; use crate::commit_builder::CommitBuilder; @@ -52,6 +52,7 @@ use crate::refs::{ use crate::revset::{self, ChangeIdIndex, Revset, RevsetExpression}; use crate::rewrite::{DescendantRebaser, RebaseOptions}; use crate::settings::{RepoSettings, UserSettings}; +use crate::signing::{SignInitError, Signer}; use crate::simple_op_heads_store::SimpleOpHeadsStore; use crate::simple_op_store::SimpleOpStore; use crate::store::Store; @@ -140,10 +141,12 @@ impl ReadonlyRepo { &|_settings, store_path| Box::new(DefaultSubmoduleStore::init(store_path)) } + #[allow(clippy::too_many_arguments)] pub fn init( user_settings: &UserSettings, repo_path: &Path, backend_initializer: &BackendInitializer, + signer: Signer, op_store_initializer: &OpStoreInitializer, op_heads_store_initializer: &OpHeadsStoreInitializer, index_store_initializer: &IndexStoreInitializer, @@ -156,7 +159,7 @@ impl ReadonlyRepo { let backend = backend_initializer(user_settings, &store_path)?; let backend_path = store_path.join("type"); fs::write(&backend_path, backend.name()).context(&backend_path)?; - let store = Store::new(backend, user_settings.use_tree_conflict_format()); + let store = Store::new(backend, signer, user_settings.use_tree_conflict_format()); let repo_settings = user_settings.with_repo(&repo_path).unwrap(); let op_store_path = repo_path.join("op_store"); @@ -418,6 +421,8 @@ pub enum StoreLoadError { }, #[error(transparent)] Backend(#[from] BackendLoadError), + #[error(transparent)] + Signing(#[from] SignInitError), } impl StoreFactories { @@ -608,6 +613,7 @@ impl RepoLoader { ) -> Result { let store = Store::new( store_factories.load_backend(user_settings, &repo_path.join("store"))?, + Signer::from_settings(user_settings)?, user_settings.use_tree_conflict_format(), ); let repo_settings = user_settings.with_repo(repo_path).unwrap(); @@ -792,8 +798,12 @@ impl MutableRepo { CommitBuilder::for_rewrite_from(self, settings, predecessor) } - pub fn write_commit(&mut self, commit: backend::Commit) -> BackendResult { - let commit = self.store().write_commit(commit)?; + pub fn write_commit( + &mut self, + commit: backend::Commit, + sign_with: Option, + ) -> BackendResult { + let commit = self.store().write_commit(commit, sign_with)?; self.add_head(&commit); Ok(commit) } diff --git a/lib/src/settings.rs b/lib/src/settings.rs index a56bc83f9a..3584ab16c0 100644 --- a/lib/src/settings.rs +++ b/lib/src/settings.rs @@ -21,9 +21,10 @@ use chrono::DateTime; use rand::prelude::*; use rand_chacha::ChaCha20Rng; -use crate::backend::{ChangeId, ObjectId, Signature, Timestamp}; +use crate::backend::{ChangeId, Commit, ObjectId, Signature, Timestamp}; use crate::fmt_util::binary_prefix; use crate::fsmonitor::FsmonitorKind; +use crate::signing::SignBehavior; #[derive(Debug, Clone)] pub struct UserSettings { @@ -63,6 +64,50 @@ impl Default for GitSettings { } } +/// Commit signing settings, describes how to and if to sign commits. +#[derive(Debug, Clone, Default)] +pub struct SignSettings { + /// What to actually do, see [SignBehavior]. + pub behavior: SignBehavior, + /// The email address to compare against the commit author when determining + /// if the existing signature is "our own" in terms of the sign behavior. + pub user_email: String, + /// The signing backend specific key, to be passed to the signing backend. + pub key: Option, +} + +impl SignSettings { + /// Load the signing settings from the config. + pub fn from_settings(settings: &UserSettings) -> Self { + let sign_all = settings + .config() + .get_bool("signing.sign-all") + .unwrap_or(false); + Self { + behavior: if sign_all { + SignBehavior::Own + } else { + SignBehavior::Keep + }, + user_email: settings.user_email(), + key: settings.config().get_string("signing.key").ok(), + } + } + + /// Check if a commit should be signed according to the configured behavior + /// and email. + pub fn should_sign(&self, commit: &Commit) -> bool { + match self.behavior { + SignBehavior::Drop => false, + SignBehavior::Keep => { + commit.secure_sig.is_some() && commit.author.email == self.user_email + } + SignBehavior::Own => commit.author.email == self.user_email, + SignBehavior::Force => true, + } + } +} + fn get_timestamp_config(config: &config::Config, key: &str) -> Option { match config.get_string(key) { Ok(timestamp_str) => match DateTime::parse_from_rfc3339(×tamp_str) { @@ -215,6 +260,16 @@ impl UserSettings { e @ Err(_) => e, } } + + // separate from sign_settings as those two are needed in pretty different + // places + pub fn signing_backend(&self) -> Option { + self.config.get_string("signing.backend").ok() + } + + pub fn sign_settings(&self) -> SignSettings { + SignSettings::from_settings(self) + } } /// This Rng uses interior mutability to allow generating random values using an diff --git a/lib/src/signing.rs b/lib/src/signing.rs new file mode 100644 index 0000000000..909bead04b --- /dev/null +++ b/lib/src/signing.rs @@ -0,0 +1,249 @@ +// Copyright 2023 The Jujutsu Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//! Generic APIs to work with cryptographic signatures created and verified by +//! various backends. + +use std::collections::HashMap; +use std::fmt::Debug; +use std::sync::RwLock; + +use thiserror::Error; + +use crate::backend::CommitId; +use crate::settings::UserSettings; + +/// A status of the signature, part of the [Verification] type. +#[derive(Debug, Clone, Copy, PartialEq, Eq)] +pub enum SigStatus { + /// Valid signature that matches the data. + Good, + /// Valid signature that could not be verified (e.g. due to an unknown key). + Unknown, + /// Valid signature that does not match the signed data. + Bad, +} + +/// The result of a signature verification. +/// Key and display are optional additional info that backends can or can not +/// provide to add additional information for the templater to potentially show. +#[derive(Debug, Clone, PartialEq, Eq)] +pub struct Verification { + /// The status of the signature. + pub status: SigStatus, + /// The key id representation, if available. For GPG, this will be the key + /// fingerprint. + pub key: Option, + /// A display string, if available. For GPG, this will be formatted primary + /// user ID. + pub display: Option, +} + +impl Verification { + /// A shortcut to create an `Unknown` verification with no additional + /// metadata. + pub fn unknown() -> Self { + Self { + status: SigStatus::Unknown, + key: None, + display: None, + } + } +} + +/// The backend for signing and verifying cryptographic signatures. +/// +/// This allows using different signers, such as GPG or SSH, or different +/// versions of them. +pub trait SigningBackend: Debug + Send + Sync { + /// Name of the backend, used in the config and for display. + fn name(&self) -> &str; + + /// Check if the signature can be read and verified by this backend. + /// + /// Should check the signature format, usually just looks at the prefix. + fn can_read(&self, signature: &[u8]) -> bool; + + /// Create a signature for arbitrary data. + /// + /// The `key` parameter is what `jj sign` receives as key argument, or what + /// is configured in the `signing.key` config. + fn sign(&self, data: &[u8], key: Option<&str>) -> SignResult>; + + /// Verify a signature. Should be reflexive with `sign`: + /// ```rust,ignore + /// verify(data, sign(data)?)?.status == SigStatus::Good + /// ``` + fn verify(&self, data: &[u8], signature: &[u8]) -> SignResult; +} + +/// An error type for the signing/verifying operations +#[derive(Debug, Error)] +pub enum SignError { + /// The verification failed because the signature *format* was invalid. + #[error("Invalid signature")] + InvalidSignatureFormat, + /// A generic error from the backend impl. + #[error("Signing error: {0}")] + Backend(Box), +} + +/// A result type for the signing/verifying operations +pub type SignResult = Result; + +/// An error type for the signing backend initialization. +#[derive(Debug, Error)] +pub enum SignInitError { + /// If the backend name specified in the config is not known. + #[error("Unknown signing backend configured: {0}")] + UnknownBackend(String), + /// A generic error from the backend impl. + #[error("Failed to initialize signing: {0}")] + Backend(Box), +} + +/// A enum that describes if a created/rewritten commit should be signed or not. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)] +pub enum SignBehavior { + /// Drop existing signatures. + /// This is what jj did before signing support or does now when a signing + /// backend is not configured. + #[default] + Drop, + /// Only sign commits that were authored by self and already signed, + /// "preserving" the signature across rewrites. + /// This is what jj does when a signing backend is configured. + Keep, + /// Sign/re-sign commits that were authored by self and drop them for + /// others. This is what jj does when configured to always sign. + Own, + /// Always sign commits, regardless of who authored or signed them before. + /// This is what jj does on `jj sign -f`. + Force, +} + +/// Wraps low-level signing backends and adds caching, similar to `Store`. +#[derive(Debug, Default)] +pub struct Signer { + /// The backend that is used for signing commits. + /// Optional because signing might not be configured. + main_backend: Option>, + /// All known backends without the main one - used for verification. + /// Main backend is also used for verification, but it's not in this list + /// for ownership reasons. + backends: Vec>, + cache: RwLock>, +} + +impl Signer { + /// Creates a signer based on user settings. Uses all known backends, and + /// chooses one of them to be used for signing depending on the config. + pub fn from_settings(settings: &UserSettings) -> Result { + let mut backends: Vec> = vec![ + // Box::new(GpgBackend::from_settings(settings)?), + // Box::new(SshBackend::from_settings(settings)?), + // Box::new(X509Backend::from_settings(settings)?), + ]; + + let main_backend = settings + .signing_backend() + .map(|backend| { + backends + .iter() + .position(|b| b.name() == backend) + .map(|i| backends.remove(i)) + .ok_or(SignInitError::UnknownBackend(backend)) + }) + .transpose()?; + + Ok(Self::new(main_backend, backends)) + } + + /// Creates a signer with the given backends. + pub fn new( + main_backend: Option>, + other_backends: Vec>, + ) -> Self { + Self { + main_backend, + backends: other_backends, + cache: Default::default(), + } + } + + /// Checks if the signer can sign, i.e. if a main backend is configured. + pub fn can_sign(&self) -> bool { + self.main_backend.is_some() + } + + /// This is just a pass-through to the main backend that unconditionally + /// creates a signature. + pub fn sign(&self, data: &[u8], key: Option<&str>) -> SignResult> { + self.main_backend + .as_ref() + .expect("tried to sign without checking can_sign first") + .sign(data, key) + } + + /// Looks for backend that can verify the signature and returns the result + /// of its verification. + pub fn verify( + &self, + commit_id: &CommitId, + data: &[u8], + signature: &[u8], + ) -> SignResult { + let cached = self.cache.read().unwrap().get(commit_id).cloned(); + if let Some(check) = cached { + return Ok(check); + } + + let verification = self + .main_backend + .iter() + .chain(self.backends.iter()) + .filter(|b| b.can_read(signature)) + // skip unknown and invalid sigs to allow other backends that can read to try + // for example, we might have gpg and sq, both of which could read a PGP signature + .find_map(|backend| match backend.verify(data, signature) { + Ok(check) if check.status == SigStatus::Unknown => None, + Err(SignError::InvalidSignatureFormat) => None, + e => Some(e), + }) + .transpose()?; + + if let Some(verification) = verification { + // a key might get imported before next call?. + // realistically this is unlikely, but technically + // it's correct to not cache unknowns here + if verification.status != SigStatus::Unknown { + self.cache + .write() + .unwrap() + .insert(commit_id.clone(), verification.clone()); + } + Ok(verification) + } else { + // now here it's correct to cache unknowns, as we don't + // have a backend that knows how to handle this signature + // + // not sure about how much of an optimization this is + self.cache + .write() + .unwrap() + .insert(commit_id.clone(), Verification::unknown()); + Ok(Verification::unknown()) + } + } +} diff --git a/lib/src/store.rs b/lib/src/store.rs index c85df28431..0ab0149ce4 100644 --- a/lib/src/store.rs +++ b/lib/src/store.rs @@ -22,14 +22,15 @@ use std::sync::{Arc, RwLock}; use pollster::FutureExt; -use crate::backend; use crate::backend::{ - Backend, BackendResult, ChangeId, CommitId, ConflictId, FileId, MergedTreeId, SymlinkId, TreeId, + self, Backend, BackendResult, ChangeId, CommitId, ConflictId, FileId, MergedTreeId, SigningFn, + SymlinkId, TreeId, }; use crate::commit::Commit; use crate::merge::{Merge, MergedTreeValue}; use crate::merged_tree::MergedTree; use crate::repo_path::{RepoPath, RepoPathBuf}; +use crate::signing::Signer; use crate::tree::Tree; use crate::tree_builder::TreeBuilder; @@ -37,6 +38,7 @@ use crate::tree_builder::TreeBuilder; /// adds caching. pub struct Store { backend: Box, + signer: Signer, commit_cache: RwLock>>, tree_cache: RwLock>>, use_tree_conflict_format: bool, @@ -51,9 +53,14 @@ impl Debug for Store { } impl Store { - pub fn new(backend: Box, use_tree_conflict_format: bool) -> Arc { + pub fn new( + backend: Box, + signer: Signer, + use_tree_conflict_format: bool, + ) -> Arc { Arc::new(Store { backend, + signer, commit_cache: Default::default(), tree_cache: Default::default(), use_tree_conflict_format, @@ -64,6 +71,10 @@ impl Store { self.backend.as_any() } + pub fn signer(&self) -> &Signer { + &self.signer + } + /// Whether new tree should be written using the tree-level format. pub fn use_tree_conflict_format(&self) -> bool { self.use_tree_conflict_format @@ -124,9 +135,14 @@ impl Store { Ok(data) } - pub fn write_commit(self: &Arc, commit: backend::Commit) -> BackendResult { + pub fn write_commit( + self: &Arc, + commit: backend::Commit, + sign_with: Option, + ) -> BackendResult { assert!(!commit.parents.is_empty()); - let (commit_id, commit) = self.backend.write_commit(commit, None)?; + + let (commit_id, commit) = self.backend.write_commit(commit, sign_with)?; let data = Arc::new(commit); { let mut write_locked_cache = self.commit_cache.write().unwrap(); diff --git a/lib/src/workspace.rs b/lib/src/workspace.rs index 36b11bfed6..adfb700373 100644 --- a/lib/src/workspace.rs +++ b/lib/src/workspace.rs @@ -36,6 +36,7 @@ use crate::repo::{ StoreFactories, StoreLoadError, SubmoduleStoreInitializer, }; use crate::settings::UserSettings; +use crate::signing::{SignInitError, Signer}; use crate::store::Store; use crate::working_copy::{ CheckoutError, CheckoutStats, LockedWorkingCopy, WorkingCopy, WorkingCopyStateError, @@ -55,6 +56,8 @@ pub enum WorkspaceInitError { Path(#[from] PathError), #[error(transparent)] Backend(#[from] BackendInitError), + #[error(transparent)] + SignInit(#[from] SignInitError), } #[derive(Error, Debug)] @@ -146,7 +149,8 @@ impl Workspace { ) -> Result<(Self, Arc), WorkspaceInitError> { let backend_initializer: &'static BackendInitializer = &|_settings, store_path| Ok(Box::new(LocalBackend::init(store_path))); - Self::init_with_backend(user_settings, workspace_root, backend_initializer) + let signer = Signer::from_settings(user_settings)?; + Self::init_with_backend(user_settings, workspace_root, backend_initializer, signer) } /// Initializes a workspace with a new Git backend and bare Git repo in @@ -157,7 +161,8 @@ impl Workspace { ) -> Result<(Self, Arc), WorkspaceInitError> { let backend_initializer: &'static BackendInitializer = &|settings, store_path| Ok(Box::new(GitBackend::init_internal(settings, store_path)?)); - Self::init_with_backend(user_settings, workspace_root, backend_initializer) + let signer = Signer::from_settings(user_settings)?; + Self::init_with_backend(user_settings, workspace_root, backend_initializer, signer) } /// Initializes a workspace with a new Git backend and Git repo that shares @@ -186,7 +191,8 @@ impl Workspace { Ok(Box::new(backend)) } }; - Self::init_with_backend(user_settings, workspace_root, &backend_initializer) + let signer = Signer::from_settings(user_settings)?; + Self::init_with_backend(user_settings, workspace_root, &backend_initializer, signer) } /// Initializes a workspace with an existing Git repo at the specified path. @@ -218,7 +224,8 @@ impl Workspace { Ok(Box::new(backend)) } }; - Self::init_with_backend(user_settings, workspace_root, &backend_initializer) + let signer = Signer::from_settings(user_settings)?; + Self::init_with_backend(user_settings, workspace_root, &backend_initializer, signer) } #[allow(clippy::too_many_arguments)] @@ -226,6 +233,7 @@ impl Workspace { user_settings: &UserSettings, workspace_root: &Path, backend_initializer: &BackendInitializer, + signer: Signer, op_store_initializer: &OpStoreInitializer, op_heads_store_initializer: &OpHeadsStoreInitializer, index_store_initializer: &IndexStoreInitializer, @@ -241,6 +249,7 @@ impl Workspace { user_settings, &repo_dir, backend_initializer, + signer, op_store_initializer, op_heads_store_initializer, index_store_initializer, @@ -272,11 +281,13 @@ impl Workspace { user_settings: &UserSettings, workspace_root: &Path, backend_initializer: &BackendInitializer, + signer: Signer, ) -> Result<(Self, Arc), WorkspaceInitError> { Self::init_with_factories( user_settings, workspace_root, backend_initializer, + signer, ReadonlyRepo::default_op_store_initializer(), ReadonlyRepo::default_op_heads_store_initializer(), ReadonlyRepo::default_index_store_initializer(), diff --git a/lib/tests/test_git.rs b/lib/tests/test_git.rs index 1885fb9737..516c782f0c 100644 --- a/lib/tests/test_git.rs +++ b/lib/tests/test_git.rs @@ -35,6 +35,7 @@ use jj_lib::op_store::{BranchTarget, RefTarget, RemoteRef, RemoteRefState}; use jj_lib::refs::BranchPushUpdate; use jj_lib::repo::{MutableRepo, ReadonlyRepo, Repo}; use jj_lib::settings::{GitSettings, UserSettings}; +use jj_lib::signing::Signer; use jj_lib::str_util::StringPattern; use jj_lib::workspace::Workspace; use maplit::{btreemap, hashset}; @@ -1125,6 +1126,7 @@ impl GitRepoData { &git_repo_dir, )?)) }, + Signer::from_settings(&settings).unwrap(), ReadonlyRepo::default_op_store_initializer(), ReadonlyRepo::default_op_heads_store_initializer(), ReadonlyRepo::default_index_store_initializer(), @@ -1990,6 +1992,7 @@ fn test_init() { &git_repo_dir, )?)) }, + Signer::from_settings(&settings).unwrap(), ReadonlyRepo::default_op_store_initializer(), ReadonlyRepo::default_op_heads_store_initializer(), ReadonlyRepo::default_index_store_initializer(), @@ -2315,6 +2318,7 @@ fn set_up_push_repos(settings: &UserSettings, temp_dir: &TempDir) -> PushTestSet &clone_repo_dir, )?)) }, + Signer::from_settings(settings).unwrap(), ReadonlyRepo::default_op_store_initializer(), ReadonlyRepo::default_op_heads_store_initializer(), ReadonlyRepo::default_index_store_initializer(), diff --git a/lib/tests/test_signing.rs b/lib/tests/test_signing.rs new file mode 100644 index 0000000000..1a4a165e25 --- /dev/null +++ b/lib/tests/test_signing.rs @@ -0,0 +1,171 @@ +use jj_lib::backend::{MillisSinceEpoch, Signature, Timestamp}; +use jj_lib::repo::Repo; +use jj_lib::settings::UserSettings; +use jj_lib::signing::{SigStatus, SignBehavior, Signer, Verification}; +use test_case::test_case; +use testutils::test_signing_backend::TestSigningBackend; +use testutils::{create_random_commit, write_random_commit, TestRepoBackend, TestWorkspace}; + +fn user_settings(sign_all: bool) -> UserSettings { + let config = testutils::base_config() + .add_source(config::File::from_str( + &format!( + r#" + signing.key = "impeccable" + signing.sign-all = {sign_all} + "# + ), + config::FileFormat::Toml, + )) + .build() + .unwrap(); + UserSettings::from_config(config) +} + +fn someone_else() -> Signature { + Signature { + name: "Someone Else".to_string(), + email: "someone-else@example.com".to_string(), + timestamp: Timestamp { + timestamp: MillisSinceEpoch(0), + tz_offset: 0, + }, + } +} + +fn good_verification() -> Option { + Some(Verification { + status: SigStatus::Good, + key: Some("impeccable".to_owned()), + display: None, + }) +} + +#[test_case(TestRepoBackend::Local ; "local backend")] +#[test_case(TestRepoBackend::Git ; "git backend")] +fn manual(backend: TestRepoBackend) { + let settings = user_settings(true); + + let signer = Signer::new(Some(Box::new(TestSigningBackend)), vec![]); + let test_workspace = TestWorkspace::init_with_backend_and_signer(&settings, backend, signer); + + let repo = &test_workspace.repo; + + let settings = settings.clone(); + let repo = repo.clone(); + let mut tx = repo.start_transaction(&settings, "test"); + let commit1 = create_random_commit(tx.mut_repo(), &settings) + .set_sign_behavior(SignBehavior::Own) + .write() + .unwrap(); + let commit2 = create_random_commit(tx.mut_repo(), &settings) + .set_sign_behavior(SignBehavior::Own) + .set_author(someone_else()) + .write() + .unwrap(); + tx.commit(); + + let commit1 = repo.store().get_commit(commit1.id()).unwrap(); + assert_eq!(commit1.verification().unwrap(), good_verification()); + + let commit2 = repo.store().get_commit(commit2.id()).unwrap(); + assert_eq!(commit2.verification().unwrap(), None); +} + +#[test_case(TestRepoBackend::Git ; "git backend")] +fn keep_on_rewrite(backend: TestRepoBackend) { + let settings = user_settings(true); + + let signer = Signer::new(Some(Box::new(TestSigningBackend)), vec![]); + let test_workspace = TestWorkspace::init_with_backend_and_signer(&settings, backend, signer); + + let repo = &test_workspace.repo; + + let settings = settings.clone(); + let repo = repo.clone(); + let mut tx = repo.start_transaction(&settings, "test"); + let commit = create_random_commit(tx.mut_repo(), &settings) + .set_sign_behavior(SignBehavior::Own) + .write() + .unwrap(); + tx.commit(); + + let mut tx = repo.start_transaction(&settings, "test"); + let mut_repo = tx.mut_repo(); + let rewritten = mut_repo.rewrite_commit(&settings, &commit).write().unwrap(); + + let commit = repo.store().get_commit(rewritten.id()).unwrap(); + assert_eq!(commit.verification().unwrap(), good_verification()); +} + +#[test_case(TestRepoBackend::Git ; "git backend")] +fn manual_drop_on_rewrite(backend: TestRepoBackend) { + let settings = user_settings(true); + + let signer = Signer::new(Some(Box::new(TestSigningBackend)), vec![]); + let test_workspace = TestWorkspace::init_with_backend_and_signer(&settings, backend, signer); + + let repo = &test_workspace.repo; + + let settings = settings.clone(); + let repo = repo.clone(); + let mut tx = repo.start_transaction(&settings, "test"); + let commit = create_random_commit(tx.mut_repo(), &settings) + .set_sign_behavior(SignBehavior::Own) + .write() + .unwrap(); + tx.commit(); + + let mut tx = repo.start_transaction(&settings, "test"); + let mut_repo = tx.mut_repo(); + let rewritten = mut_repo + .rewrite_commit(&settings, &commit) + .set_sign_behavior(SignBehavior::Drop) + .write() + .unwrap(); + + let commit = repo.store().get_commit(rewritten.id()).unwrap(); + assert_eq!(commit.verification().unwrap(), None); +} + +#[test_case(TestRepoBackend::Git ; "git backend")] +fn forced(backend: TestRepoBackend) { + let settings = user_settings(true); + + let signer = Signer::new(Some(Box::new(TestSigningBackend)), vec![]); + let test_workspace = TestWorkspace::init_with_backend_and_signer(&settings, backend, signer); + + let repo = &test_workspace.repo; + + let settings = settings.clone(); + let repo = repo.clone(); + let mut tx = repo.start_transaction(&settings, "test"); + let commit = create_random_commit(tx.mut_repo(), &settings) + .set_sign_behavior(SignBehavior::Force) + .set_author(someone_else()) + .write() + .unwrap(); + tx.commit(); + + let commit = repo.store().get_commit(commit.id()).unwrap(); + assert_eq!(commit.verification().unwrap(), good_verification()); +} + +#[test_case(TestRepoBackend::Git ; "git backend")] +fn configured(backend: TestRepoBackend) { + let settings = user_settings(true); + + let signer = Signer::new(Some(Box::new(TestSigningBackend)), vec![]); + let test_workspace = TestWorkspace::init_with_backend_and_signer(&settings, backend, signer); + + let repo = &test_workspace.repo; + + let settings = settings.clone(); + let repo = repo.clone(); + let mut tx = repo.start_transaction(&settings, "test"); + let commit = write_random_commit(tx.mut_repo(), &settings); + tx.commit(); + + let commit = repo.store().get_commit(commit.id()).unwrap(); + assert_eq!(commit.verification().unwrap(), good_verification()); +} diff --git a/lib/testutils/Cargo.toml b/lib/testutils/Cargo.toml index baefbe85e5..07429e3983 100644 --- a/lib/testutils/Cargo.toml +++ b/lib/testutils/Cargo.toml @@ -18,6 +18,7 @@ readme = { workspace = true } async-trait = { workspace = true } config = { workspace = true } git2 = { workspace = true } +hex = { workspace = true } itertools = { workspace = true } jj-lib = { workspace = true } rand = { workspace = true } diff --git a/lib/testutils/src/lib.rs b/lib/testutils/src/lib.rs index 5dc8dbdd0f..d4e0a9a42f 100644 --- a/lib/testutils/src/lib.rs +++ b/lib/testutils/src/lib.rs @@ -32,6 +32,7 @@ use jj_lib::repo::{MutableRepo, ReadonlyRepo, Repo, RepoLoader, StoreFactories}; use jj_lib::repo_path::{RepoPath, RepoPathBuf}; use jj_lib::rewrite::RebasedDescendant; use jj_lib::settings::UserSettings; +use jj_lib::signing::Signer; use jj_lib::store::Store; use jj_lib::transaction::Transaction; use jj_lib::tree::Tree; @@ -43,6 +44,7 @@ use tempfile::TempDir; use crate::test_backend::TestBackend; pub mod test_backend; +pub mod test_signing_backend; pub fn hermetic_libgit2() { // libgit2 respects init.defaultBranch (and possibly other config @@ -139,6 +141,7 @@ impl TestRepo { &settings, &repo_dir, &move |settings, store_path| backend.init_backend(settings, store_path), + Signer::from_settings(&settings).unwrap(), ReadonlyRepo::default_op_store_initializer(), ReadonlyRepo::default_op_heads_store_initializer(), ReadonlyRepo::default_index_store_initializer(), @@ -175,6 +178,18 @@ impl TestWorkspace { } pub fn init_with_backend(settings: &UserSettings, backend: TestRepoBackend) -> Self { + Self::init_with_backend_and_signer( + settings, + backend, + Signer::from_settings(settings).unwrap(), + ) + } + + pub fn init_with_backend_and_signer( + settings: &UserSettings, + backend: TestRepoBackend, + signer: Signer, + ) -> Self { let temp_dir = new_temp_dir(); let workspace_root = temp_dir.path().join("repo"); @@ -184,6 +199,7 @@ impl TestWorkspace { settings, &workspace_root, &move |settings, store_path| backend.init_backend(settings, store_path), + signer, ) .unwrap(); @@ -336,7 +352,7 @@ pub fn commit_with_tree(store: &Arc, tree_id: MergedTreeId) -> Commit { committer: signature, secure_sig: None, }; - store.write_commit(commit).unwrap() + store.write_commit(commit, None).unwrap() } pub fn dump_tree(store: &Arc, tree_id: &MergedTreeId) -> String { diff --git a/lib/testutils/src/test_backend.rs b/lib/testutils/src/test_backend.rs index 8180d41533..a3d63aeae6 100644 --- a/lib/testutils/src/test_backend.rs +++ b/lib/testutils/src/test_backend.rs @@ -282,7 +282,7 @@ impl Backend for TestBackend { if let Some(sign) = &mut sign_with { let data = format!("{contents:?}").into_bytes(); - let sig = sign(&data)?; + let sig = sign(&data).map_err(|err| BackendError::Other(Box::new(err)))?; contents.secure_sig = Some(SecureSig { data, sig }); } diff --git a/lib/testutils/src/test_signing_backend.rs b/lib/testutils/src/test_signing_backend.rs new file mode 100644 index 0000000000..af6c7e5dd0 --- /dev/null +++ b/lib/testutils/src/test_signing_backend.rs @@ -0,0 +1,54 @@ +use hex::ToHex; +use jj_lib::content_hash::blake2b_hash; +use jj_lib::signing::{SigStatus, SignError, SignResult, SigningBackend, Verification}; + +#[derive(Debug)] +pub struct TestSigningBackend; + +const PREFIX: &str = "--- JJ-TEST-SIGNATURE ---\nKEY: "; + +impl SigningBackend for TestSigningBackend { + fn name(&self) -> &str { + "test" + } + + fn can_read(&self, signature: &[u8]) -> bool { + signature.starts_with(PREFIX.as_bytes()) + } + + fn sign(&self, data: &[u8], key: Option<&str>) -> SignResult> { + let key = key.unwrap_or_default(); + let mut body = Vec::with_capacity(data.len() + key.len()); + body.extend_from_slice(key.as_bytes()); + body.extend_from_slice(data); + + let hash: String = blake2b_hash(&body).encode_hex(); + + Ok(format!("{PREFIX}{key}\n{hash}").into_bytes()) + } + + fn verify(&self, data: &[u8], signature: &[u8]) -> SignResult { + let Some(key) = signature + .strip_prefix(PREFIX.as_bytes()) + .and_then(|s| s.splitn(2, |&b| b == b'\n').next()) + else { + return Err(SignError::InvalidSignatureFormat); + }; + let key = (!key.is_empty()).then_some(std::str::from_utf8(key).unwrap().to_owned()); + + let sig = self.sign(data, key.as_deref())?; + if sig == signature { + Ok(Verification { + status: SigStatus::Good, + key, + display: None, + }) + } else { + Ok(Verification { + status: SigStatus::Bad, + key, + display: None, + }) + } + } +}