Fix verifyCommits error when push a new branch (#26664) (#26810)

Backport #26664 by @CaiCandong > ### Description > If a new branch is pushed, and the repository has a rule that would require signed commits for the new branch, the commit is rejected with a 500 error regardless of whether it's signed. > > When pushing a new branch, the "old" commit is the empty ID (0000000000000000000000000000000000000000). verifyCommits has no provision for this and passes an invalid commit range to git rev-list. Prior to 1.19 this wasn't an issue because only pre-existing individual branches could be protected. > > I was able to reproduce with [try.gitea.io/CraigTest/test](https://try.gitea.io/CraigTest/test), which is set up with a blanket rule to require commits on all branches. Fix #25565 Very thanks to @Craig-Holmquist-NTI for reporting the bug and suggesting an valid solution! Co-authored-by: CaiCandong <50507092+CaiCandong@users.noreply.github.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> (cherry picked from commit 93c36f395c)
2023-08-31 23:29:55 +08:00 · 2023-08-31 23:29:55 +08:00 · 193e04c43b
commit 193e04c43b
parent 6b5ef0fad7
43 changed files with 270 additions and 20 deletions
--- a/routers/private/hook_verification_test.go
+++ b/routers/private/hook_verification_test.go
@ -0,0 +1,43 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package private
+
+import (
+	"context"
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/git"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var testReposDir = "tests/repos/"
+
+func TestVerifyCommits(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+
+	gitRepo, err := git.OpenRepository(context.Background(), testReposDir+"repo1_hook_verification")
+	defer gitRepo.Close()
+	assert.NoError(t, err)
+
+	testCases := []struct {
+		base, head string
+		verified   bool
+	}{
+		{"72920278f2f999e3005801e5d5b8ab8139d3641c", "d766f2917716d45be24bfa968b8409544941be32", true},
+		{git.EmptySHA, "93eac826f6188f34646cea81bf426aa5ba7d3bfe", true}, // New branch with verified commit
+		{"9779d17a04f1e2640583d35703c62460b2d86e0a", "72920278f2f999e3005801e5d5b8ab8139d3641c", false},
+		{git.EmptySHA, "9ce3f779ae33f31fce17fac3c512047b75d7498b", false}, // New branch with unverified commit
+	}
+
+	for _, tc := range testCases {
+		err = verifyCommits(tc.base, tc.head, gitRepo, nil)
+		if tc.verified {
+			assert.NoError(t, err)
+		} else {
+			assert.Error(t, err)
+		}
+	}
+}