Committer verification

[IlyaBelitser]

Git and distributed version control have many benefits out of the box, but controlling access and workflows isn’t one of them. For example, without a Git management tool, a developer can push commits that others have written to the central repository.

This creates problems for organizations with strict security and compliance requirements.
It is necessary to add a new committer verification hook, which enforces that only the author of a commit can push those changes back to Gogs Server. We can sleep easy knowing that only authorized code changes can make it to your repositories.

BitBucket has added this feature.

https://www.atlassian.com/blog/bitbucket/enterprise-devops-bitbucket-server-5-bamboo-6

And GitLab adds too.

https://gitlab.com/gitlab-org/gitlab-ee/issues/1802

[sapk]

From git point, I would recommend you to use gpg commit verification (allready implemented) that allow a "pusher" to push commit from another "commiter" and still be able to verify that the commit hasn't be tempered or that the identity of the commiter ins't falsify. This type of verification is totally decentralized and verification can also be done locally and is supported natively by git.

This solution, doesn't cover the part of only allowing to push commit from the logged user that maybe needed for your corporation (this would block cherry-pick and some git flow if enable).

If the gpg method doesn't fully comply with your need, gitea support server-side hook but those need to be added manually via git cli. More generaly, we could provide a way to apply predifined list of server-side hooks.

EDIT: it is also possible to edit the pre-receive hook via web interface.

[sapk]

Some examples of pre-receive hook : https://github.com/github/platform-samples/blob/master/pre-receive-hooks/reject-external-email.sh or https://github.com/github/platform-samples/blob/master/pre-receive-hooks/commit-current-user-check.sh

[lunny]

So maybe we could have an option on repository setting to deny all push gpg verify failed.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[Sebazzz]

Does gitea pass any user info through environmental variables? That would allow these hooks to work.

[zeripath]

Yes it does.

gitea/cmd/serv.go

Lines 187 to 195 in ee1d64d

	os.Setenv(models.EnvRepoIsWiki, strconv.FormatBool(results.IsWiki))
	os.Setenv(models.EnvRepoName, results.RepoName)
	os.Setenv(models.EnvRepoUsername, results.OwnerName)
	os.Setenv(models.EnvPusherName, results.UserName)
	os.Setenv(models.EnvPusherID, strconv.FormatInt(results.UserID, 10))
	os.Setenv(models.ProtectedBranchRepoID, strconv.FormatInt(results.RepoID, 10))
	os.Setenv(models.ProtectedBranchPRID, fmt.Sprintf("%d", 0))
	os.Setenv(models.EnvIsDeployKey, fmt.Sprintf("%t", results.IsDeployKey))
	os.Setenv(models.EnvKeyID, fmt.Sprintf("%d", results.KeyID))

However read my comments on #8584

It can be done we just need to do a bit more work.

[Sebazzz]

For simple committer verification this works work well in Gitea v1.9.5:

#!/bin/sh
err(){
    >&2 echo "Pre-receive validation: $*"
}

hasErr = 0
while read oldrev newrev ref
do
	if [[ "$oldrev" == "0000000000000000000000000000000000000000" ]]; then
		#create new branch
		continue;
	fi
	
	export committers="$(git log --format="%H %ce" $oldrev..$newrev)"
	
	while IFS=' ' read -r commitHash committerEmail;
	do
		if [[ "$committerEmail" != "$GITEA_PUSHER_EMAIL" ]]; then
			err "You are not $GITEA_PUSHER_EMAIL! You pushed commit $commitHash as $committerEmail"
			exit -1
		fi
	done <<< $committers
done

exit 0

This verifies every pushed commit against the Gitea users e-mail address. Indeed, gpg signing might be more perfect, but this does work.

Delta compression using up to 16 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.02 KiB | 1.02 MiB/s, done.
Total 9 (delta 3), reused 0 (delta 0)
remote: ./hooks/pre-receive.d/enforce-author: line 8: hasErr: command not found
remote: Pre-receive validation: You are not sebastiaan@example.com! You pushed commit edb3fc3b808fdaea26fd43a128a40e3457021ac6 as Jean.luc.picard@example.com
To https://git.[redacted]/[user]/test2
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'https://git.[redacted]/[user]/test2'