IdentityVerificationHook: reject pushes with unresolved committer emails

[coopernetes]

Summary

Add a pre-receive hook that resolves each commit's author/committer email against user_emails and rejects the push if the email is not linked to any proxy user. Spun out of #15 Phase 4.

Motivation

CheckUserPushPermissionHook already gates whether a user is allowed to push at all. This hook adds a second check: whether the committer identity in the commits matches the authenticated user's registered emails. Without this, an authenticated user can push commits attributed to someone else.

What to build

IdentityVerificationHook (in jgit-proxy-core)

• Implements GitProxyHook, order ~150 (authz range, after RepositoryWhitelistHook, before content filters)
• For each RevCommit in the push:
  • Resolve committer.emailAddress via UserEmailStore.resolveByEmail()
  • If unresolved → accumulate error, reject push with rp.sendMessage() + block
  • If resolved → verify the resolved ProxyUser.username matches the authenticated HTTP Basic principal from PushIdentityResolver
  • Mismatch → reject with a clear message: "committer email foo@example.com is registered to user X, but you authenticated as user Y"
• Honour a config flag commit.identity-verification: strict | warn | off (default warn to avoid breaking existing deployments)

Config

commit:
  identity-verification: strict  # strict | warn | off

Wiring

• IdentityVerificationHook registered in StoreAndForwardReceivePackFactory alongside existing hooks
• Equivalent IdentityVerificationFilter for the transparent proxy path (same logic, accumulates into ValidationSummaryFilter)

Depends on

• Identity & security foundation #15 — UserEmailStore, LinkedIdentityAuthorizationService, PushIdentityResolver (all already in place)

Acceptance criteria

• Push with a committer email not in user_emails → rejected in strict mode, warning sideband message in warn mode
• Push where committer email belongs to a different user → rejected in strict mode
• Push where committer email matches the authenticated user → passes
• off mode → hook is a no-op
• Unit tests for all three modes

[coopernetes]

Both IdentityVerificationHook (S&F) and IdentityVerificationFilter (transparent proxy) were already fully implemented, wired into their respective pipelines, and unit tested. Config key commit.identity-verification: warn|strict|off is in CommitConfig (default: warn). Closing.

[coopernetes]

Implemented in commit 5e828751.

Mode implemented: WARN (default) + STRICT + OFF, all three modes working. Config key is commit.identity-verification — defaults to warn when omitted.

What was built:

• IdentityVerificationHook (S&F mode, hook order 160) — resolves each commit's author/committer email against user_scm_identities via the SCM identity lookup (the actual trust anchor), falling back to user_emails. In WARN mode, violations accumulate as a PASS step with content (renders as amber ⚠ in the UI). In STRICT mode, blocks the push outright.
• IdentityVerificationFilter (transparent proxy mode) — same logic, integrates with ValidationSummaryFilter.
• resolved_user column added to push_records — non-null when identity was confirmed via SCM identity lookup, null in open mode or unregistered user.
• Identity badge on push list and detail: green (resolved + no warnings), amber (resolved + email warning), gray (push_user known, no SCM resolution).

Deviation from spec: The hook resolves identity primarily via user_scm_identities (SCM credential → proxy user) rather than purely by commit email, since SCM credentials are unforgeable while git author emails are not. Email matching is a secondary signal that triggers the amber warning.

Test scripts in test/push-identity-*.sh and test/proxy-identity-*.sh cover all three providers and both proxy modes.