Prevent overwrite read only gpg keys (#1713)

It was possible to download the default SCM-Manager gpg keys and overwrite them with the same raw key. This made the new key deletable. This behaviour is not longer possible.
2026-02-01 20:29:12 +01:00 · 2021-06-28 11:27:13 +02:00
parent 7a3db7ee3f
commit 2cd46ce8a0
3 changed files with 32 additions and 1 deletions
--- a/scm-webapp/src/test/java/sonia/scm/security/gpg/PublicKeyStoreTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/gpg/PublicKeyStoreTest.java
@@ -169,6 +169,19 @@ class PublicKeyStoreTest {
    verify(eventBus, never()).post(any(PublicKeyDeletedEvent.class));
  }

+  @Test()
+  void shouldThrowOnOverwriteReadonlyKey() throws IOException {
+    String rawKey = GPGTestHelper.readResourceAsString("single.asc");
+    keyStore.add("SCM Package Key", "trillian", rawKey, true);
+    Optional<RawGpgKey> key = keyStore.findById("0x975922F193B07D6E");
+
+    assertThat(key).isPresent();
+
+    assertThrows(DeletingReadonlyKeyNotAllowedException.class, () -> keyStore.add("Some other entry with same raw key", "trillian", rawKey, false));
+
+    verify(eventBus, never()).post(any(PublicKeyDeletedEvent.class));
+  }
+
  @Test
  void shouldReturnEmptyListIfNoKeysAvailable() {
    List<RawGpgKey> keys = keyStore.findByUsername("zaphod");