Cache gpg keys fetch from database when list commits

Author: lunny

routers/private/hook_verification.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	"os"
 
+	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	asymkey_service "code.gitea.io/gitea/services/asymkey"
@@ -84,6 +85,7 @@ func readAndVerifyCommit(sha string, repo *git.Repository, env []string) error {
 	}()
 
 	commitID := git.MustIDFromString(sha)
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
 
 	return git.NewCommand("cat-file", "commit").AddDynamicArguments(sha).
 		Run(repo.Ctx, &git.RunOpts{
@@ -96,7 +98,7 @@ func readAndVerifyCommit(sha string, repo *git.Repository, env []string) error {
 				if err != nil {
 					return err
 				}
-				verification := asymkey_service.ParseCommitWithSignature(ctx, commit)
+				verification := asymkey_service.ParseCommitWithSignature(ctx, commit, keysCache)
 				if !verification.Verified {
 					cancel()
 					return &errUnverifiedCommit{

routers/web/repo/commit.go

@@ -384,7 +384,8 @@ func Diff(ctx *context.Context) {
 	ctx.Data["CommitStatus"] = git_model.CalcCommitStatus(statuses)
 	ctx.Data["CommitStatuses"] = statuses
 
-	verification := asymkey_service.ParseCommitWithSignature(ctx, commit)
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
+	verification := asymkey_service.ParseCommitWithSignature(ctx, commit, keysCache)
 	ctx.Data["Verification"] = verification
 	ctx.Data["Author"] = user_model.ValidateCommitWithEmail(ctx, commit)
 	ctx.Data["Parents"] = parents

routers/web/repo/view.go

@@ -119,7 +119,8 @@ func loadLatestCommitData(ctx *context.Context, latestCommit *git.Commit) bool {
 	// or of directory if not in root directory.
 	ctx.Data["LatestCommit"] = latestCommit
 	if latestCommit != nil {
-		verification := asymkey_service.ParseCommitWithSignature(ctx, latestCommit)
+		keysCache := make(map[string][]*asymkey_model.GPGKey)
+		verification := asymkey_service.ParseCommitWithSignature(ctx, latestCommit, keysCache)
 
 		if err := asymkey_model.CalculateTrustStatus(verification, ctx.Repo.Repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
 			return repo_model.IsOwnerMemberCollaborator(ctx, ctx.Repo.Repository, user.ID)

services/asymkey/commit.go

@@ -18,7 +18,7 @@ import (
 )
 
 // ParseCommitWithSignature check if signature is good against keystore.
-func ParseCommitWithSignature(ctx context.Context, c *git.Commit) *asymkey_model.CommitVerification {
+func ParseCommitWithSignature(ctx context.Context, c *git.Commit, keysCache map[string][]*asymkey_model.GPGKey) *asymkey_model.CommitVerification {
 	var committer *user_model.User
 	if c.Committer != nil {
 		var err error
@@ -42,10 +42,10 @@ func ParseCommitWithSignature(ctx context.Context, c *git.Commit) *asymkey_model
 		}
 	}
 
-	return ParseCommitWithSignatureCommitter(ctx, c, committer)
+	return ParseCommitWithSignatureCommitter(ctx, c, committer, keysCache)
 }
 
-func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, committer *user_model.User) *asymkey_model.CommitVerification {
+func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, committer *user_model.User, keysCache map[string][]*asymkey_model.GPGKey) *asymkey_model.CommitVerification {
 	// If no signature just report the committer
 	if c.Signature == nil {
 		return &asymkey_model.CommitVerification{
@@ -82,7 +82,8 @@ func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, commi
 		committer,
 		keyID,
 		setting.AppName,
-		""); commitVerification != nil {
+		"",
+		keysCache); commitVerification != nil {
 		if commitVerification.Reason == asymkey_model.BadSignature {
 			defaultReason = asymkey_model.BadSignature
 		} else {
@@ -160,7 +161,7 @@ func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, commi
 		}
 		if err := gpgSettings.LoadPublicKeyContent(); err != nil {
 			log.Error("Error getting default signing key: %s %v", gpgSettings.KeyID, err)
-		} else if commitVerification := VerifyWithGPGSettings(ctx, &gpgSettings, sig, c.Signature.Payload, committer, keyID); commitVerification != nil {
+		} else if commitVerification := VerifyWithGPGSettings(ctx, &gpgSettings, sig, c.Signature.Payload, committer, keyID, keysCache); commitVerification != nil {
 			if commitVerification.Reason == asymkey_model.BadSignature {
 				defaultReason = asymkey_model.BadSignature
 			} else {
@@ -175,7 +176,7 @@ func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, commi
 	} else if defaultGPGSettings == nil {
 		log.Warn("Unable to get defaultGPGSettings for unattached commit: %s", c.ID.String())
 	} else if defaultGPGSettings.Sign {
-		if commitVerification := VerifyWithGPGSettings(ctx, defaultGPGSettings, sig, c.Signature.Payload, committer, keyID); commitVerification != nil {
+		if commitVerification := VerifyWithGPGSettings(ctx, defaultGPGSettings, sig, c.Signature.Payload, committer, keyID, keysCache); commitVerification != nil {
 			if commitVerification.Reason == asymkey_model.BadSignature {
 				defaultReason = asymkey_model.BadSignature
 			} else {
@@ -225,39 +226,48 @@ func checkKeyEmails(ctx context.Context, email string, keys ...*asymkey_model.GP
 	return false, email
 }
 
-func HashAndVerifyForKeyID(ctx context.Context, sig *packet.Signature, payload string, committer *user_model.User, keyID, name, email string) *asymkey_model.CommitVerification {
+func HashAndVerifyForKeyID(ctx context.Context, sig *packet.Signature, payload string, committer *user_model.User, keyID, name, email string, keysCache map[string][]*asymkey_model.GPGKey) *asymkey_model.CommitVerification {
 	if keyID == "" {
 		return nil
 	}
-	keys, err := db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{
-		KeyID:          keyID,
-		IncludeSubKeys: true,
-	})
-	if err != nil {
-		log.Error("GetGPGKeysByKeyID: %v", err)
-		return &asymkey_model.CommitVerification{
-			CommittingUser: committer,
-			Verified:       false,
-			Reason:         "gpg.error.failed_retrieval_gpg_keys",
+	var err error
+	keys, ok := keysCache[keyID]
+	if !ok {
+		keys, err = db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{
+			KeyID:          keyID,
+			IncludeSubKeys: true,
+		})
+		if err != nil {
+			log.Error("GetGPGKeysByKeyID: %v", err)
+			return &asymkey_model.CommitVerification{
+				CommittingUser: committer,
+				Verified:       false,
+				Reason:         "gpg.error.failed_retrieval_gpg_keys",
+			}
 		}
+		keysCache[keyID] = keys
 	}
 	if len(keys) == 0 {
 		return nil
 	}
 	for _, key := range keys {
 		var primaryKeys []*asymkey_model.GPGKey
 		if key.PrimaryKeyID != "" {
-			primaryKeys, err = db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{
-				KeyID:          key.PrimaryKeyID,
-				IncludeSubKeys: true,
-			})
-			if err != nil {
-				log.Error("GetGPGKeysByKeyID: %v", err)
-				return &asymkey_model.CommitVerification{
-					CommittingUser: committer,
-					Verified:       false,
-					Reason:         "gpg.error.failed_retrieval_gpg_keys",
+			primaryKeys, ok = keysCache[keyID]
+			if !ok {
+				primaryKeys, err = db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{
+					KeyID:          key.PrimaryKeyID,
+					IncludeSubKeys: true,
+				})
+				if err != nil {
+					log.Error("GetGPGKeysByKeyID: %v", err)
+					return &asymkey_model.CommitVerification{
+						CommittingUser: committer,
+						Verified:       false,
+						Reason:         "gpg.error.failed_retrieval_gpg_keys",
+					}
 				}
+				keysCache[keyID] = primaryKeys
 			}
 		}
 
@@ -297,9 +307,9 @@ func HashAndVerifyForKeyID(ctx context.Context, sig *packet.Signature, payload s
 	}
 }
 
-func VerifyWithGPGSettings(ctx context.Context, gpgSettings *git.GPGSettings, sig *packet.Signature, payload string, committer *user_model.User, keyID string) *asymkey_model.CommitVerification {
+func VerifyWithGPGSettings(ctx context.Context, gpgSettings *git.GPGSettings, sig *packet.Signature, payload string, committer *user_model.User, keyID string, keysCache map[string][]*asymkey_model.GPGKey) *asymkey_model.CommitVerification {
 	// First try to find the key in the db
-	if commitVerification := HashAndVerifyForKeyID(ctx, sig, payload, committer, gpgSettings.KeyID, gpgSettings.Name, gpgSettings.Email); commitVerification != nil {
+	if commitVerification := HashAndVerifyForKeyID(ctx, sig, payload, committer, gpgSettings.KeyID, gpgSettings.Name, gpgSettings.Email, keysCache); commitVerification != nil {
 		return commitVerification
 	}
 

services/asymkey/sign.go

@@ -176,6 +176,7 @@ func SignWikiCommit(ctx context.Context, repo *repo_model.Repository, u *user_mo
 	if signingKey == "" {
 		return false, "", nil, &ErrWontSign{noKey}
 	}
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
 
 Loop:
 	for _, rule := range rules {
@@ -216,7 +217,7 @@ Loop:
 			if commit.Signature == nil {
 				return false, "", nil, &ErrWontSign{parentSigned}
 			}
-			verification := ParseCommitWithSignature(ctx, commit)
+			verification := ParseCommitWithSignature(ctx, commit, keysCache)
 			if !verification.Verified {
 				return false, "", nil, &ErrWontSign{parentSigned}
 			}
@@ -232,6 +233,7 @@ func SignCRUDAction(ctx context.Context, repoPath string, u *user_model.User, tm
 	if signingKey == "" {
 		return false, "", nil, &ErrWontSign{noKey}
 	}
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
 
 Loop:
 	for _, rule := range rules {
@@ -272,7 +274,7 @@ Loop:
 			if commit.Signature == nil {
 				return false, "", nil, &ErrWontSign{parentSigned}
 			}
-			verification := ParseCommitWithSignature(ctx, commit)
+			verification := ParseCommitWithSignature(ctx, commit, keysCache)
 			if !verification.Verified {
 				return false, "", nil, &ErrWontSign{parentSigned}
 			}
@@ -297,6 +299,7 @@ func SignMerge(ctx context.Context, pr *issues_model.PullRequest, u *user_model.
 
 	var gitRepo *git.Repository
 	var err error
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
 
 Loop:
 	for _, rule := range rules {
@@ -347,7 +350,7 @@ Loop:
 			if err != nil {
 				return false, "", nil, err
 			}
-			verification := ParseCommitWithSignature(ctx, commit)
+			verification := ParseCommitWithSignature(ctx, commit, keysCache)
 			if !verification.Verified {
 				return false, "", nil, &ErrWontSign{baseSigned}
 			}
@@ -363,7 +366,7 @@ Loop:
 			if err != nil {
 				return false, "", nil, err
 			}
-			verification := ParseCommitWithSignature(ctx, commit)
+			verification := ParseCommitWithSignature(ctx, commit, keysCache)
 			if !verification.Verified {
 				return false, "", nil, &ErrWontSign{headSigned}
 			}
@@ -379,7 +382,7 @@ Loop:
 			if err != nil {
 				return false, "", nil, err
 			}
-			verification := ParseCommitWithSignature(ctx, commit)
+			verification := ParseCommitWithSignature(ctx, commit, keysCache)
 			if !verification.Verified {
 				return false, "", nil, &ErrWontSign{commitsSigned}
 			}
@@ -393,7 +396,7 @@ Loop:
 				return false, "", nil, err
 			}
 			for _, commit := range commitList {
-				verification := ParseCommitWithSignature(ctx, commit)
+				verification := ParseCommitWithSignature(ctx, commit, keysCache)
 				if !verification.Verified {
 					return false, "", nil, &ErrWontSign{commitsSigned}
 				}

services/convert/convert.go

@@ -254,7 +254,8 @@ func ToActionArtifact(repo *repo_model.Repository, art *actions_model.ActionArti
 
 // ToVerification convert a git.Commit.Signature to an api.PayloadCommitVerification
 func ToVerification(ctx context.Context, c *git.Commit) *api.PayloadCommitVerification {
-	verif := asymkey_service.ParseCommitWithSignature(ctx, c)
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
+	verif := asymkey_service.ParseCommitWithSignature(ctx, c, keysCache)
 	commitVerification := &api.PayloadCommitVerification{
 		Verified: verif.Verified,
 		Reason:   verif.Reason,

services/git/commit.go

@@ -33,6 +33,8 @@ func ParseCommitsWithSignature(ctx context.Context, oldCommits []*user_model.Use
 		return nil, err
 	}
 
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
+
 	for _, c := range oldCommits {
 		committer, ok := emailUsers[c.Committer.Email]
 		if !ok && c.Committer != nil {
@@ -44,7 +46,7 @@ func ParseCommitsWithSignature(ctx context.Context, oldCommits []*user_model.Use
 
 		signCommit := &asymkey_model.SignCommit{
 			UserCommit:   c,
-			Verification: asymkey_service.ParseCommitWithSignatureCommitter(ctx, c.Commit, committer),
+			Verification: asymkey_service.ParseCommitWithSignatureCommitter(ctx, c.Commit, committer, keysCache),
 		}
 
 		_ = asymkey_model.CalculateTrustStatus(signCommit.Verification, repoTrustModel, isOwnerMemberCollaborator, &keyMap)

services/repository/files/commit.go

@@ -6,6 +6,7 @@ package files
 import (
 	"context"
 
+	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/structs"
@@ -24,7 +25,8 @@ func CountDivergingCommits(ctx context.Context, repo *repo_model.Repository, bra
 // GetPayloadCommitVerification returns the verification information of a commit
 func GetPayloadCommitVerification(ctx context.Context, commit *git.Commit) *structs.PayloadCommitVerification {
 	verification := &structs.PayloadCommitVerification{}
-	commitVerification := asymkey_service.ParseCommitWithSignature(ctx, commit)
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
+	commitVerification := asymkey_service.ParseCommitWithSignature(ctx, commit, keysCache)
 	if commit.Signature != nil {
 		verification.Signature = commit.Signature.Signature
 		verification.Payload = commit.Signature.Payload

services/repository/gitgraph/graph_models.go

@@ -97,6 +97,7 @@ func (graph *Graph) LoadAndProcessCommits(ctx context.Context, repository *repo_
 
 	emails := map[string]*user_model.User{}
 	keyMap := map[string]bool{}
+	keysCache := make(map[string][]*asymkey_model.GPGKey)
 
 	for _, c := range graph.Commits {
 		if len(c.Rev) == 0 {
@@ -115,7 +116,7 @@ func (graph *Graph) LoadAndProcessCommits(ctx context.Context, repository *repo_
 			}
 		}
 
-		c.Verification = asymkey_service.ParseCommitWithSignature(ctx, c.Commit)
+		c.Verification = asymkey_service.ParseCommitWithSignature(ctx, c.Commit, keysCache)
 
 		_ = asymkey_model.CalculateTrustStatus(c.Verification, repository.GetTrustModel(), func(user *user_model.User) (bool, error) {
 			return repo_model.IsOwnerMemberCollaborator(ctx, repository, user.ID)