Add a mismatched signatures developer report

This finds odd signatures in our repositories, which includes signature times not matching with build dates, different signer and packager, etc. We enhance our user lookup helper class to look up users by PGP key. Signed-off-by: Dan McGee <dan@archlinux.org>
author: Dan McGee <dan@archlinux.org> 2012-03-23 17:33:55 -0500
committer: Dan McGee <dan@archlinux.org> 2012-04-07 14:53:08 -0500
commit: 1a2f117037fd8b01ec1e1e3cce5186d7bfac1a78 (patch)
tree: e47e83bc34af9ca22705f9d073f6cc36524edfa9
parent: 84f98e3e0b9ef319f501795099cc32bce1bf6a81 (diff)
download: archweb-1a2f117037fd8b01ec1e1e3cce5186d7bfac1a78.tar.gz
archweb-1a2f117037fd8b01ec1e1e3cce5186d7bfac1a78.zip
3 files changed, 44 insertions, 5 deletions
diff --git a/devel/utils.py b/devel/utils.py
index ec035d13..85b4e42f 100644
--- a/devel/utils.py
+++ b/devel/utils.py
@@ -49,6 +49,7 @@ class UserFinder(object):
         self.cache = {}
         self.username_cache = {}
         self.email_cache = {}
+        self.pgp_cache = {}
 
     @staticmethod
     def user_email(name, email):
@@ -146,9 +147,25 @@ class UserFinder(object):
         self.email_cache[email] = user
         return user
 
+    def find_by_pgp_key(self, pgp_key):
+        if not pgp_key:
+            return None
+        if pgp_key in self.pgp_cache:
+            return self.pgp_cache[pgp_key]
+
+        try:
+            user = User.objects.get(
+                    userprofile__pgp_key__endswith=pgp_key)
+        except User.DoesNotExist:
+            user = None
+
+        self.pgp_cache[pgp_key] = user
+        return user
+
     def clear_cache(self):
         self.cache = {}
         self.username_cache = {}
         self.email_cache = {}
+        self.pgp_cache = {}
 
 # vim: set ts=4 sw=4 et:
diff --git a/devel/views.py b/devel/views.py
index 3a9be757..3ede54ab 100644
--- a/devel/views.py
+++ b/devel/views.py
@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import date, datetime, timedelta
 import operator
 import pytz
 import random
@@ -28,7 +28,7 @@ from main.utils import utc_now
 from packages.models import PackageRelation
 from packages.utils import get_signoff_groups
 from todolists.utils import get_annotated_todolists
-from .utils import get_annotated_maintainers
+from .utils import get_annotated_maintainers, UserFinder
 
 
 @login_required
@@ -232,6 +232,25 @@ def report(request, report_name, username=None):
         # The two separate calls to exclude is required to do the right thing
         packages = packages.exclude(pkgbase__in=owned).exclude(
                 pkgname__in=required)
+    elif report_name == 'mismatched-signature':
+        title = 'Packages with mismatched signatures'
+        names = [ 'Signature Date', 'Signed By', 'Packager' ]
+        attrs = [ 'sig_date', 'sig_by', 'packager' ]
+        cutoff = timedelta(hours=24)
+        finder = UserFinder()
+        filtered = []
+        packages = packages.filter(pgp_signature__isnull=False)
+        for package in packages:
+            sig_date = package.signature.datetime.replace(tzinfo=pytz.utc)
+            package.sig_date = sig_date.date()
+            key_id = package.signature.key_id
+            signer = finder.find_by_pgp_key(key_id)
+            package.sig_by = signer or key_id
+            if signer is None or signer.id != package.packager_id:
+                filtered.append(package)
+            elif sig_date > package.build_date + cutoff:
+                filtered.append(package)
+        packages = filtered
     else:
         raise Http404
 
diff --git a/templates/devel/index.html b/templates/devel/index.html
index 63d18193..7c26aab7 100644
--- a/templates/devel/index.html
+++ b/templates/devel/index.html
@@ -147,9 +147,6 @@
 
     <h3>Developer Reports</h3>
     <ul>
-        <li><a href="reports/big/">Big</a>:
-        All packages with compressed size &gt; 50 MiB
-        (<a href="reports/big/{{ user.username }}/">yours only</a>)</li>
         <li><a href="reports/old/">Old</a>:
         Packages last built more than two years ago
         (<a href="reports/old/{{ user.username }}/">yours only</a>)</li>
@@ -162,6 +159,12 @@
         <li><a href="reports/uncompressed-info/">Uncompressed Info Pages</a>:
         Self-explanatory
         (<a href="reports/uncompressed-info/{{ user.username }}/">yours only</a>)</li>
+        <li><a href="reports/mismatched-signature/">Mismatched Signatures</a>:
+        Packages where 1) signing key is unknown, 2) signer != packager, or 3) signature timestamp more than 24 hours after build timestamp
+        (<a href="reports/mismatched-signature/{{ user.username }}/">yours only</a>)</li>
+        <li><a href="reports/big/">Big</a>:
+        All packages with compressed size &gt; 50 MiB
+        (<a href="reports/big/{{ user.username }}/">yours only</a>)</li>
         <li><a href="reports/badcompression/">Bad Compression</a>:
         Packages with a compression ratio of less than 10%
         (<a href="reports/badcompression/{{ user.username }}/">yours only</a>)</li>
author	Dan McGee <dan@archlinux.org>	2012-03-23 17:33:55 -0500
committer	Dan McGee <dan@archlinux.org>	2012-04-07 14:53:08 -0500
commit	1a2f117037fd8b01ec1e1e3cce5186d7bfac1a78 (patch)
tree	e47e83bc34af9ca22705f9d073f6cc36524edfa9
parent	84f98e3e0b9ef319f501795099cc32bce1bf6a81 (diff)
download	archweb-1a2f117037fd8b01ec1e1e3cce5186d7bfac1a78.tar.gz archweb-1a2f117037fd8b01ec1e1e3cce5186d7bfac1a78.zip