wip verifies commits with GitHub and emojis, pretty sweet

billiegoose · billiegoose · commit 587a3a4d0b34 · 2019-11-30T00:30:34.000-05:00
diff --git a/demo.git/logs/HEAD b/demo.git/logs/HEAD
@@ -1 +1,2 @@
 0000000000000000000000000000000000000000 71c666705d861b556d73f2badddaca0cfcf5e930 William Hilton <wmhilton@gmail.com> 1574741587 -0500	commit (initial): Initial commit
+0000000000000000000000000000000000000000 b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 William Hilton <wmhilton@gmail.com> 1575084779 -0500	commit (initial): Initial commit
diff --git a/demo.git/logs/refs/heads/master b/demo.git/logs/refs/heads/master
@@ -1 +1,2 @@
 0000000000000000000000000000000000000000 71c666705d861b556d73f2badddaca0cfcf5e930 William Hilton <wmhilton@gmail.com> 1574741587 -0500	commit (initial): Initial commit
+0000000000000000000000000000000000000000 b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 William Hilton <wmhilton@gmail.com> 1575084779 -0500	commit (initial): Initial commit
diff --git a/demo.git/objects/71/c666705d861b556d73f2badddaca0cfcf5e930 b/demo.git/objects/71/c666705d861b556d73f2badddaca0cfcf5e930
diff --git a/demo.git/objects/b1/f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 b/demo.git/objects/b1/f9a9a2689e95d8aaf9d2ed5513fe78f4c53901
diff --git a/demo.git/refs/heads/master b/demo.git/refs/heads/master
@@ -1 +1 @@
-71c666705d861b556d73f2badddaca0cfcf5e930
+b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901
diff --git a/lookup.js b/lookup.js
@@ -9,22 +9,25 @@ module.exports = (username) =>
     return json.map(data => data.raw_key)
   })
 
-async function username2keys(username) {
-  return new Promise((resolve, reject) => {
-    get.concat({
-      url: `https://api.github.com/users/${username}/gpg_keys`,
-      json: true,
-      headers: {
-        'user-agent': 'GitHub PGP KeyFinder'
-      }
-    }, (err, res, data) => {
-      if (err) return reject(err)
-      return resolve(data.map(i => i.raw_key))
-    })
-  })
+async function usernames2keys(usernames) {
+  const all = await Promise.all(
+    usernames.map(username => new Promise((resolve, reject) => {
+      get.concat({
+        url: `https://api.github.com/users/${username}/gpg_keys`,
+        json: true,
+        headers: {
+          'user-agent': 'GitHub PGP KeyFinder'
+        }
+      }, (err, res, data) => {
+        if (err) return reject(err)
+        return resolve(data.map(i => i.raw_key))
+      })
+    }))
+  )
+  return all.reduce((a, b) => a.concat(b)).filter(Boolean)
 }
 
-async function email2username(email) {
+async function email2usernames(email) {
   return new Promise((resolve, reject) => {
     get.concat({
       url: `https://api.github.com/search/users?q=${email}+in:email`,
@@ -35,11 +38,9 @@ async function email2username(email) {
     }, (err, res, data) => {
       if (err) return reject(err)
       if (data.total_count === 0) {
-        return reject(new Error(`No GitHub user publicly associated with ${email}`))
-      } else if (data.total_count > 1) {
-        return reject(new Error(`Multiple GitHub users found for ${email}: ${JSON.stringify(data.items.map(i => i.login))}`))
-      } else if (data.total_count === 1) {
-        return resolve(data.items[0].login)
+        return reject(new Error(`Could not find the GitHub user publicly associated with the email address "${email}"`))
+      } else if (data.total_count > 0) {
+        return resolve(data.items.map(i => i.login))
       } else {
         return reject('Unexpected value for data.total_count returned by GitHub API')
       }
@@ -49,8 +50,8 @@ async function email2username(email) {
 
 async function lookup(email) {
   if (cache[email]) return cache[email]
-  const username = await email2username(email)
-  const keys = await username2keys(username)
+  const usernames = await email2usernames(email)
+  const keys = await usernames2keys(usernames)
   cache[email] = keys
   return cache[email]
 }
diff --git a/middleware.js b/middleware.js
@@ -3,7 +3,7 @@ const fp = require('fs').promises
 const path = require('path')
 const url = require('url')
 const EventEmitter = require('events').EventEmitter
-const { indexPack, plugins, readObject, verify } = require('isomorphic-git')
+const { E, indexPack, plugins, readObject, verify } = require('isomorphic-git')
 const { serveInfoRefs, serveReceivePack, parseReceivePackRequest } = require('isomorphic-git/dist/for-node/isomorphic-git/internal-apis.js')
 const { pgp } = require('@isomorphic-git/pgp-plugin')
 
@@ -21,6 +21,10 @@ function pad (str) {
   return (str + '    ').slice(0, 7)
 }
 
+function abbr (oid) {
+  return oid.slice(0, 7)
+}
+
 const sleep = ms => new Promise(cb => setTimeout(cb, ms))
 
 function log(req, res) {
@@ -86,37 +90,43 @@ function factory (config) {
 
         // send HTTP response headers
         const { headers } = await serveReceivePack({ type: 'service', service })
-        for (const header in headers) {
-          res.setHeader(header, headers[header])
-        }
-        res.statusCode = 200
+        res.writeHead(200, headers)
 
         // index packfile
         res.write(await serveReceivePack({ type: 'print', message: 'Indexing packfile...' }))
+        console.log('Indexing packfile...')
+        await sleep(1)
         let currentPhase = null
         const listener = async ({ phase, loaded, total, lengthComputable }) => {
           let np = phase !== currentPhase ? '\n' : '\r'
           currentPhase = phase
           res.write(await serveReceivePack({ type: 'print', message: `${np}${phase} ${loaded}/${total}` }))
+          res.flush()
         }
-        let problem = false
         let oids
         try {
           ee.on(`${last20}:progress`, listener)
           oids = await indexPack({ fs, gitdir, dir, filepath, emitterPrefix: `${last20}:` })
-          res.write(await serveReceivePack({ type: 'print', message: '\nIndexing a success!' }))
+          await sleep(1)
+          res.write(await serveReceivePack({ type: 'print', message: '\nIndexing completed' }))
           res.write(await serveReceivePack({ type: 'unpack', unpack: 'ok' }))
         } catch (e) {
-          problem = true
           res.write(await serveReceivePack({ type: 'print', message: '\nOh dear!' }))
           res.write(await serveReceivePack({ type: 'unpack', unpack: e.message }))
+
+          for (const update of updates) {
+            res.write(await serveReceivePack({ type: 'ng', ref: update.fullRef, message: 'Could not index pack' }))
+          }
+          throw e
         } finally {
           ee.removeListener(`${last20}:progress`, listener)
         }
+        await sleep(1)
 
         // Move packfile and index into repo
         await fp.rename(path.join(dir, filepath), path.join(gitdir, 'objects', 'pack', filepath))
         await fp.rename(path.join(dir, filepath.replace(/\.pack$/, '.idx')), path.join(gitdir, 'objects', 'pack', filepath.replace(/\.pack$/, '.idx')))
+        await fp.rmdir(path.join(dir))
 
         // Verify objects (ideally we'd do this _before_ moving it into the repo... but I think we'd need a custom 'fs' implementation with overlays)
         res.write(await serveReceivePack({ type: 'print', message: '\nVerifying objects...\n' }))
@@ -128,44 +138,63 @@ function factory (config) {
           const { type, object } = await readObject({ gitdir, oid })
           if (type === 'commit' || type === 'tag') {
             const email = type === 'commit' ? object.author.email : object.tagger.email
-            res.write(await serveReceivePack({ type: 'print', message: `\nVerifying ${type} ${oid} by ${email}\n` }))
-            const keys = await lookup(email)
+            res.write(await serveReceivePack({ type: 'print', message: `\nVerifying ${type} ${abbr(oid)} by ${email}: ` }))
+            let keys
+            try {
+              keys = await lookup(email) 
+            } catch (e) {
+              res.write(await serveReceivePack({ type: 'print', message: `no keys found 👎\n` }))
+              throw e
+            }
+            if (keys.length === 0) {
+              res.write(await serveReceivePack({ type: 'print', message: `no keys found 👎\n` }))
+              throw new Error(`\nSignature verification failed for ${type} ${abbr(oid)}. No PGP keys could be found for ${email}.\n`)
+            }
             let ok = false
             for (const key of keys) {
               const result = await verify({ gitdir, ref: oid, publicKeys: key })
               if (result === false) {
                 demote(email, key)
               } else {
-                res.write(await serveReceivePack({ type: 'print', message: `\nSigned by ${result[0]}\n` }))
+                res.write(await serveReceivePack({ type: 'print', message: `signed with ${result[0]} 👍\n` }))
                 ok = true
                 break
               }
             }
             if (!ok) {
-              res.write(await serveReceivePack({ type: 'error', message: `\nNo valid signature for ${type} ${oid}\n` }))
-              throw new Error('NO SIGNATURE')
+              res.write(await serveReceivePack({ type: 'print', message: `no keys matched 👎\n` }))
+              throw new Error(`\nSignature verification failed for ${type} ${abbr(oid)}. It was not signed with a key publicly associated with the email address "${email}".
+
+Learn how you can associate your GPG key with your email account using GitHub here:
+https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
+`)
             }
           }
           // await sleep(1)
         }
 
+        res.write(await serveReceivePack({ type: 'print', message: `\nVerification complete` }))
+
         // refs
         for (const update of updates) {
-          if (!problem) {
-            res.write(await serveReceivePack({ type: 'ok', ref: update.fullRef }))
-          } else {
-            res.write(await serveReceivePack({ type: 'ng', ref: update.fullRef, message: 'Could not index pack' }))
-          }
+          res.write(await serveReceivePack({ type: 'ok', ref: update.fullRef }))
         }
 
         // gratuitous banner
         res.write(await serveReceivePack({ type: 'print', message: '\n' + require('./logo.js') }))
       } catch (e) {
         if (e.message === 'Client is done') {
           res.statusCode = 200
+        } else if (e.code && e.code === E.NoSignatureError) {
+          res.write(await serveReceivePack({ type: 'print', message: `no signature 👎\n` }))
+          res.write(await serveReceivePack({ type: 'error', message: e.message + `
+
+This server's policy is to only accept GPG-signed commits.
+Learn how you can create a GPG key and configure git to sign commits here:
+https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
+` }))
         } else {
-          console.log(e)
-          res.statusCode = 500
+          res.write(await serveReceivePack({ type: 'error', message: e.message }))
         }
       } finally {
         // fin

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`0000000000000000000000000000000000000000 71c666705d861b556d73f2badddaca0cfcf5e930 William Hilton <[email protected]> 1574741587 -0500 commit (initial): Initial commit`
	`2`	`+0000000000000000000000000000000000000000 b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 William Hilton <[email protected]> 1575084779 -0500 commit (initial): Initial commit`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-71c666705d861b556d73f2badddaca0cfcf5e930`
	`1`	`+b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901`