opendev/gerrit
Code Issues Proposed changes

Allow disabling GPG key editing while leaving signed push enabled

Browse Source 
Administrators may choose to populate GPG keys by hand, or to
temporarily restrict adding new keys, without disabling signed push
verification or verification of push certs stored in PatchSets.
Separate the UI and REST API for editing GPG keys from the protocol
machinery for verifying signed push.

Change-Id: I2c921cf92a3452d44ee8cb02efd77ab7f2bd02dd
This commit is contained in:
Dave Borowitz
2015-09-15 09:58:17 -04:00
parent e8ecb9b355
commit a17a9842cd
7 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
gerrit-gpg/src/main/java/com/google/gerrit/gpg/GpgModule.java
View File

@@ -35,6 +35,8 @@ public class GpgModule extends FactoryModule {
protected void configure() {
boolean configEnableSignedPush =
cfg.getBoolean("receive", null, "enableSignedPush", false);
boolean configEditGpgKeys =
cfg.getBoolean("gerrit", null, "editGpgKeys", true);
boolean havePgp = BouncyCastleUtil.havePGP();
boolean enableSignedPush = configEnableSignedPush && havePgp;
bindConstant().annotatedWith(EnableSignedPush.class).to(enableSignedPush);
@@ -47,6 +49,6 @@ public class GpgModule extends FactoryModule {
install(new SignedPushModule());
factory(GerritPushCertificateChecker.Factory.class);
}
install(new GpgApiModule(enableSignedPush));
install(new GpgApiModule(enableSignedPush && configEditGpgKeys));
}
}