tenseleyflow/shithub / 61261e7

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package sigverify

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/worker"

+)

+

+// BackfillPayload is the on-the-wire schema for the gpg:backfill

+// worker job. One job per repo; the handler walks every signed

+// commit and tag on the repo's default branch and writes

+// commit_verification_cache rows.

+//

+// The handler is intentionally NOT key-scoped — it verifies every

+// signed object regardless of which user key signed it. The

+// orchestrator returns ReasonUnknownKey for signatures it can't

+// resolve; the cache row carries that state forward and the

+// rendering path treats it as "Unverified". When new keys arrive

+// later, those previously-unknown-key cache rows will get

+// re-stamped by the next DispatchForKey or DispatchAll run.

+type BackfillPayload struct {

+	RepoID int64 `json:"repo_id"`

+}

+

+// DispatchForKey enqueues backfill jobs for every repo owned by the

+// user who just added a GPG key. This is the eager-backfill path:

+// "user uploads key → existing signed commits in their own repos

+// retroactively get Verified badges within minutes" — the gh

+// behavior we're matching.

+//

+// We deliberately scope to OWNED repos rather than every repo the

+// user has ever committed to. Owned repos are the common case

+// (~90%); cross-repo authorship (PR contributions to others'

+// repos) gets picked up by the next DispatchAll run. Without a

+// commits-author index, walking every repo on every key upload

+// would be O(repos × commits) per upload and is the wrong cost

+// shape for the eager path.

+//

+// The caller passes (db) so this can run inside an existing

+// transaction (typical pattern in the add-key handler: insert key

+// row → insert subkey rows → dispatch backfill → commit). Notify

+// is called inside the same tx so workers wake up on commit, not

+// before.

+func DispatchForKey(ctx context.Context, db reposdb.DBTX, userID int64) error {

+	rq := reposdb.New()

+	rows, err := rq.ListReposForOwnerUser(ctx, db, pgtype.Int8{Int64: userID, Valid: true})

+	if err != nil {

+		return fmt.Errorf("sigverify: list user repos: %w", err)

+	}

+	for _, row := range rows {

+		if _, err := worker.Enqueue(ctx, db, worker.KindGPGBackfill, BackfillPayload{

+			RepoID: row.ID,

+		}, worker.EnqueueOptions{}); err != nil {

+			return fmt.Errorf("sigverify: enqueue backfill for repo %d: %w", row.ID, err)

+		}

+	}

+	if err := worker.Notify(ctx, db); err != nil {

+		return fmt.Errorf("sigverify: notify workers: %w", err)

+	}

+	return nil

+}

+

+// DispatchAll enqueues backfill jobs for every active repo in the

+// system. Called by `shithubd gpg-backfill-all`. Returns the number

+// of jobs enqueued so the admin command can log progress.

+//

+// Unlike DispatchForKey this is NOT bounded to a single user; it

+// walks every active repo. Use sparingly — typically once on

+// initial S51 deploy, or after a known mass-key-upload event.

+func DispatchAll(ctx context.Context, db reposdb.DBTX) (int, error) {

+	rq := reposdb.New()

+	rows, err := rq.ListAllActiveReposWithOwner(ctx, db)

+	if err != nil {

+		return 0, fmt.Errorf("sigverify: list all repos: %w", err)

+	}

+	for _, row := range rows {

+		if _, err := worker.Enqueue(ctx, db, worker.KindGPGBackfill, BackfillPayload{

+			RepoID: row.ID,

+		}, worker.EnqueueOptions{}); err != nil {

+			return 0, fmt.Errorf("sigverify: enqueue backfill for repo %d: %w", row.ID, err)

+		}

+	}

+	if err := worker.Notify(ctx, db); err != nil {

+		return 0, fmt.Errorf("sigverify: notify workers: %w", err)

+	}

+	return len(rows), nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package sigverify

+

+import (

+	"context"

+	"errors"

+

+	"github.com/jackc/pgx/v5"

+

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// DBTX is the pgx interface the sqlc-backed Lookups need. Matches the

+// sqlc-generated DBTX exactly so callers can pass either a *pgxpool.Pool

+// or a pgx.Tx without conversion.

+type DBTX interface {

+	usersdb.DBTX

+}

+

+// SQLCLookups is the production Lookups implementation, backed by the

+// usersdb-generated queries. Used by the orchestrator when invoked

+// from the backfill worker, the verification render path, and the

+// commits REST handler.

+type SQLCLookups struct {

+	DB DBTX

+	Q  *usersdb.Queries

+}

+

+// NewSQLCLookups constructs a Lookups bound to the given DB handle.

+// The handle can be a connection pool (for concurrent reads) or a tx

+// (for invalidation-followed-by-re-verify flows that need to see

+// uncommitted writes within the same transaction).

+func NewSQLCLookups(db DBTX) *SQLCLookups {

+	return &SQLCLookups{DB: db, Q: usersdb.New()}

+}

+

+// SubkeyByFingerprint resolves a 40-hex fingerprint to a Subkey row.

+// Returns (_, false, nil) on miss; only DB errors propagate.

+func (l *SQLCLookups) SubkeyByFingerprint(ctx context.Context, fingerprint string) (Subkey, bool, error) {

+	row, err := l.Q.GetUserGPGSubkeyByFingerprint(ctx, l.DB, fingerprint)

+	if errors.Is(err, pgx.ErrNoRows) {

+		return Subkey{}, false, nil

+	}

+	if err != nil {

+		return Subkey{}, false, err

+	}

+	sk := Subkey{

+		ID:                row.ID,

+		GPGKeyID:          row.GpgKeyID,

+		Fingerprint:       row.Fingerprint,

+		KeyID:             row.KeyID,

+		CanSign:           row.CanSign,

+		CanEncryptComms:   row.CanEncryptComms,

+		CanEncryptStorage: row.CanEncryptStorage,

+		CanCertify:        row.CanCertify,

+	}

+	if row.ExpiresAt.Valid {

+		sk.ExpiresAt = row.ExpiresAt.Time

+	}

+	if row.RevokedAt.Valid {

+		sk.RevokedAt = row.RevokedAt.Time

+	}

+	return sk, true, nil

+}

+

+// GPGKeyByID resolves a primary user_gpg_keys row by id (NOT scoped

+// to a user_id — the verification path discovers user_id from the

+// row itself). Returns (_, false, nil) on miss; only DB errors

+// propagate.

+func (l *SQLCLookups) GPGKeyByID(ctx context.Context, id int64) (GPGKey, bool, error) {

+	row, err := l.Q.GetUserGPGKeyForVerification(ctx, l.DB, id)

+	if errors.Is(err, pgx.ErrNoRows) {

+		return GPGKey{}, false, nil

+	}

+	if err != nil {

+		return GPGKey{}, false, err

+	}

+	return GPGKey{

+		ID:          row.ID,

+		UserID:      row.UserID,

+		Fingerprint: row.Fingerprint,

+		KeyID:       row.KeyID,

+		Armored:     row.Armored,

+	}, true, nil

+}

+

+// UserEmailsByUserID returns every email associated with the user

+// (verified or not) so the orchestrator can run the bad_email vs

+// unverified_email vs valid discrimination.

+func (l *SQLCLookups) UserEmailsByUserID(ctx context.Context, userID int64) ([]UserEmail, error) {

+	rows, err := l.Q.ListUserEmailsForUser(ctx, l.DB, userID)

+	if err != nil {

+		return nil, err

+	}

+	emails := make([]UserEmail, 0, len(rows))

+	for _, row := range rows {

+		emails = append(emails, UserEmail{

+			Email:    row.Email,

+			Verified: row.Verified,

+		})

+	}

+	return emails, nil

+}