From 92dfec704f25e0384928a17b54efb7ee345f2914 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 1 Apr 2025 09:30:53 -0700
Subject: [PATCH] Move ParseCommitWithSSHSignature to service layer (#34087)

No code change.
---
 models/asymkey/ssh_key_commit_verification.go | 79 -------------------
 services/asymkey/commit.go                    | 66 +++++++++++++++-
 2 files changed, 65 insertions(+), 80 deletions(-)
 delete mode 100644 models/asymkey/ssh_key_commit_verification.go

diff --git a/models/asymkey/ssh_key_commit_verification.go b/models/asymkey/ssh_key_commit_verification.go
deleted file mode 100644
index 4a858e2246..0000000000
--- a/models/asymkey/ssh_key_commit_verification.go
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package asymkey
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"code.gitea.io/gitea/models/db"
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/git"
-	"code.gitea.io/gitea/modules/log"
-
-	"github.com/42wim/sshsig"
-)
-
-// ParseCommitWithSSHSignature check if signature is good against keystore.
-func ParseCommitWithSSHSignature(ctx context.Context, c *git.Commit, committer *user_model.User) *CommitVerification {
-	// Now try to associate the signature with the committer, if present
-	if committer.ID != 0 {
-		keys, err := db.Find[PublicKey](ctx, FindPublicKeyOptions{
-			OwnerID:    committer.ID,
-			NotKeytype: KeyTypePrincipal,
-		})
-		if err != nil { // Skipping failed to get ssh keys of user
-			log.Error("ListPublicKeys: %v", err)
-			return &CommitVerification{
-				CommittingUser: committer,
-				Verified:       false,
-				Reason:         "gpg.error.failed_retrieval_gpg_keys",
-			}
-		}
-
-		committerEmailAddresses, err := user_model.GetEmailAddresses(ctx, committer.ID)
-		if err != nil {
-			log.Error("GetEmailAddresses: %v", err)
-		}
-
-		activated := false
-		for _, e := range committerEmailAddresses {
-			if e.IsActivated && strings.EqualFold(e.Email, c.Committer.Email) {
-				activated = true
-				break
-			}
-		}
-
-		for _, k := range keys {
-			if k.Verified && activated {
-				commitVerification := verifySSHCommitVerification(c.Signature.Signature, c.Signature.Payload, k, committer, committer, c.Committer.Email)
-				if commitVerification != nil {
-					return commitVerification
-				}
-			}
-		}
-	}
-
-	return &CommitVerification{
-		CommittingUser: committer,
-		Verified:       false,
-		Reason:         NoKeyFound,
-	}
-}
-
-func verifySSHCommitVerification(sig, payload string, k *PublicKey, committer, signer *user_model.User, email string) *CommitVerification {
-	if err := sshsig.Verify(strings.NewReader(payload), []byte(sig), []byte(k.Content), "git"); err != nil {
-		return nil
-	}
-
-	return &CommitVerification{ // Everything is ok
-		CommittingUser: committer,
-		Verified:       true,
-		Reason:         fmt.Sprintf("%s / %s", signer.Name, k.Fingerprint),
-		SigningUser:    signer,
-		SigningSSHKey:  k,
-		SigningEmail:   email,
-	}
-}
diff --git a/services/asymkey/commit.go b/services/asymkey/commit.go
index df29133972..5d85be56f1 100644
--- a/services/asymkey/commit.go
+++ b/services/asymkey/commit.go
@@ -5,6 +5,7 @@ package asymkey
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
@@ -14,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 
+	"github.com/42wim/sshsig"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 )
 
@@ -57,7 +59,7 @@ func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, commi
 
 	// If this a SSH signature handle it differently
 	if strings.HasPrefix(c.Signature.Signature, "-----BEGIN SSH SIGNATURE-----") {
-		return asymkey_model.ParseCommitWithSSHSignature(ctx, c, committer)
+		return ParseCommitWithSSHSignature(ctx, c, committer)
 	}
 
 	// Parsing signature
@@ -361,3 +363,65 @@ func VerifyWithGPGSettings(ctx context.Context, gpgSettings *git.GPGSettings, si
 	}
 	return nil
 }
+
+// ParseCommitWithSSHSignature check if signature is good against keystore.
+func ParseCommitWithSSHSignature(ctx context.Context, c *git.Commit, committer *user_model.User) *asymkey_model.CommitVerification {
+	// Now try to associate the signature with the committer, if present
+	if committer.ID != 0 {
+		keys, err := db.Find[asymkey_model.PublicKey](ctx, asymkey_model.FindPublicKeyOptions{
+			OwnerID:    committer.ID,
+			NotKeytype: asymkey_model.KeyTypePrincipal,
+		})
+		if err != nil { // Skipping failed to get ssh keys of user
+			log.Error("ListPublicKeys: %v", err)
+			return &asymkey_model.CommitVerification{
+				CommittingUser: committer,
+				Verified:       false,
+				Reason:         "gpg.error.failed_retrieval_gpg_keys",
+			}
+		}
+
+		committerEmailAddresses, err := user_model.GetEmailAddresses(ctx, committer.ID)
+		if err != nil {
+			log.Error("GetEmailAddresses: %v", err)
+		}
+
+		activated := false
+		for _, e := range committerEmailAddresses {
+			if e.IsActivated && strings.EqualFold(e.Email, c.Committer.Email) {
+				activated = true
+				break
+			}
+		}
+
+		for _, k := range keys {
+			if k.Verified && activated {
+				commitVerification := verifySSHCommitVerification(c.Signature.Signature, c.Signature.Payload, k, committer, committer, c.Committer.Email)
+				if commitVerification != nil {
+					return commitVerification
+				}
+			}
+		}
+	}
+
+	return &asymkey_model.CommitVerification{
+		CommittingUser: committer,
+		Verified:       false,
+		Reason:         asymkey_model.NoKeyFound,
+	}
+}
+
+func verifySSHCommitVerification(sig, payload string, k *asymkey_model.PublicKey, committer, signer *user_model.User, email string) *asymkey_model.CommitVerification {
+	if err := sshsig.Verify(strings.NewReader(payload), []byte(sig), []byte(k.Content), "git"); err != nil {
+		return nil
+	}
+
+	return &asymkey_model.CommitVerification{ // Everything is ok
+		CommittingUser: committer,
+		Verified:       true,
+		Reason:         fmt.Sprintf("%s / %s", signer.Name, k.Fingerprint),
+		SigningUser:    signer,
+		SigningSSHKey:  k,
+		SigningEmail:   email,
+	}
+}