Merge pull request 'script bugfixes' (#6) from script-fixes into main

Reviewed-on: infra/keys#6

autinerd/keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJIN3GrRR5suQHnWBL7b/W4gu2CoZZK+eXOsicnHct3 sidney

autinerd/meta.toml

@@ -0,0 +1,2 @@
+name = "autinerd"
+email = "autinerd@noreply.localhost"

autinerd/wireguard

@@ -0,0 +1 @@
+fugelNyT7VVriZgB6gwebHH/JfsZGQ8G34xjb6uVY0k=

denny/keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGo9RUJ7MiKAsWdBKaYqUFYZAFl6qsOlSv+GEN5Z5Bdu denny

denny/meta.toml

@@ -0,0 +1,3 @@
+name = "denny"
+email = "denny@dennybertus.de"
+

denny/wireguard

@@ -0,0 +1 @@
+oMTiAkSRrvqxLuy59YzjXPgy8R5CuGvwDW6/vorOHgk=

lilian/keys

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTt9fIKrXhfUYCKdpkI8etdvNgn8jubA2YxvdFj4Rn5 lilian@metis
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFc/fKL52XHMx2oM9YE9o20zQ/Y+JAwx+YSUPdT+Y7Vf lilian@cordelia

lilian/meta.toml

@@ -0,0 +1,2 @@
+name = "lilian"
+email = "lilian.no-reply@chaostreff-backnang.de"

lilian/wireguard

@@ -0,0 +1 @@
+PSnR3Z+O9ChkFsQSsFzYk23fnyeCaqzF2cH+4MnK5xI=

verify.py

@@ -28,14 +28,15 @@ def collect_user_dirs():
 
 def last_commit_for(dir: Path, ref: git.Reference):
     """Returns the Git commit signature for the last commit on this path."""
-    last_commit_hash = str(ref.repo.git.rev_list("--max-count=1", action_ref, dir))
+    last_commit_hash = str(ref.repo.git.rev_list("--max-count=1", ref, dir))
     return ref.repo.commit(last_commit_hash)
 
 
 def keylist_to_principals(keyfile_text: str, email: str) -> str:
+    # trailing newline, otherwise git may get confused and reject the key
     return "\n".join(
         f"{email} {public_key}" for public_key in keyfile_text.splitlines()
-    )
+    ) + "\n"
 
 
 def get_forgejo_keys(username: str) -> str:
@@ -53,7 +54,8 @@ def verify_dir(dir: Path, ref: git.Reference):
         raise Exception("Missing keyfile")
     commit = last_commit_for(dir, ref)
     log.debug(f"Found last commit: {commit.name_rev}")
-    if commit.author.name != username:
+    # ignore author casing
+    if commit.author.name.lower() != username.lower():
         raise Exception(
             f"Commit author {commit.author.name} is not the owner of this directory."
         )
@@ -80,9 +82,10 @@ def verify_dir(dir: Path, ref: git.Reference):
             config.set_value("gpg.ssh", "allowedSignersFile", temp_keyfile.name)
 
         temp_keyfile_contents = keylist_to_principals(remote_keys, email)
-        log.debug(f"temp keyfile:\n{temp_keyfile_contents}")
         temp_keyfile.write(temp_keyfile_contents)
         temp_keyfile.flush()
+
+        log.debug(f"temp keyfile:\n{Path(temp_keyfile.name).read_text()}")
         # Check whether one of the user keys signed this commit.
         # throws an exception automatically if verification fails, nothing else to do
         ref.repo.git.verify_commit("--raw", commit.hexsha)
@@ -98,7 +101,18 @@ def verify_dir(dir: Path, ref: git.Reference):
 
 
 def current_ref(repo: git.Repo) -> git.Reference:
-    for ref in repo.references:
+    log.debug(f"{repo.references}")
+    # some of this logic stolen from https://code.forgejo.org/actions/checkout/src/branch/main/src/ref-helper.ts - the ref names github provides are beyond fucked
+    global action_ref
+    if (action_ref.startswith('refs/heads/')):
+        branch = action_ref.removeprefix('refs/heads/')
+        action_ref = branch
+    # refs/pull/
+    elif (action_ref.startswith('refs/pull/')):
+        branch = action_ref.removeprefix('refs/pull/')
+        action_ref = f'refs/remotes/pull/{branch}'
+
+    for ref in repo.refs:
         if ref.name == action_ref or ref.path == action_ref:
             return ref
     raise Exception(f"No ref named {action_ref} found")