From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 27 21:07:59 2021 Received: (at 50814) by debbugs.gnu.org; 28 Sep 2021 01:07:59 +0000 Received: from localhost ([127.0.0.1]:43237 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mV1bD-0006Tv-23 for submit@debbugs.gnu.org; Mon, 27 Sep 2021 21:07:59 -0400 Received: from mail-ed1-f53.google.com ([209.85.208.53]:44660) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mV1b2-0006T6-Lc for 50814@debbugs.gnu.org; Mon, 27 Sep 2021 21:07:49 -0400 Received: by mail-ed1-f53.google.com with SMTP id v18so41281268edc.11 for <50814@debbugs.gnu.org>; Mon, 27 Sep 2021 18:07:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=+TV6SG8Rdqg0pRcyGxLHQ8Vfm+XO1c9ZH3Grd+sdLlY=; b=QQniLNoKAioxFwkN8hCUr5qQZ3PPCEERmJqmjH8dmqaP6YMaNUkcYeKOeGiebmQjJM +nO0fNmF2yjbqzWcRIz5CuhEsNmTrU8ndjKdOEU/zUMRVs+QNPIVG+kp11j7sG/EgTTN k0pPm/Z4Bbidlat03J0+JSYM7aWTp61LCJGlXjLknN6DMq7F/jLBcnpR5btUSCHFG0Yb yLDRkc5oU2gHKYUE7pEJKrmCfbQZW+TYuE1+K5I9U1NhvFMX5kLijQ3sYFFYFgqb7c8q pGlTT+fvIInS6wkvDsKVDfL8u+9NoJDxFLuJZ4yR6DepRStvDvdyz2OE/ELpRJV+7xqT i49g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=+TV6SG8Rdqg0pRcyGxLHQ8Vfm+XO1c9ZH3Grd+sdLlY=; b=MSq7NgrZr2dvy3DjlMYHAX8CxHGaspkqlCD0FmkJX1ipkHwN0ZmxPsnUzcSuySQRib yQYDjA7LwEOJ6w6BSkiWYnhlixQBYve1mANRwGuM5OouNxz4FmeJd4wVRvbuAl7edVy+ GV9+K0olmkCz0G14NDp50NiHIWhBfDDt5fCZRX1ck8dBg1aLd7McJNzibc10985PEKCt lhjh0ab9XPr+xQ4goimAHu6/cWtqptTuCAi0d13sjsPNsREbJ5Wirno3+OpFdGCoVFZP 9c8OdE7UlIuMpMOybqVQHwJGsAkL/8/m/zFjdR+ymUdfJKccFESMLBHEIRXFB550S8Ev sESw== X-Gm-Message-State: AOAM531QtBN1U/z7ABIFPA1Rj4fVoEI/+jyX7goAV+M5kRb6gCiVW8dz KLGAmJbdMWV6ys996EmqrpsKzld3SaY= X-Google-Smtp-Source: ABdhPJzVwBLZHAkfeRhdEnbeDLyLZKcOkTiHuwBm/j3QFg7kUorFXEPlg+VYPfTEFFiMLTIF3tut/A== X-Received: by 2002:a17:906:fc7:: with SMTP id c7mr3675665ejk.333.1632791262992; Mon, 27 Sep 2021 18:07:42 -0700 (PDT) Received: from lelap.lan (catv-213-222-131-28.catv.broadband.hu. [213.222.131.28]) by smtp.gmail.com with ESMTPSA id c5sm11989558edx.81.2021.09.27.18.07.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Sep 2021 18:07:42 -0700 (PDT) From: Attila Lendvai To: 50814@debbugs.gnu.org Subject: [PATCH 3/4] tests: Add failing test for .guix-authorizations and channel intro. Date: Tue, 28 Sep 2021 03:05:37 +0200 Message-Id: <20210928010537.4241-3-attila@lendvai.name> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210928010537.4241-1-attila@lendvai.name> References: <20210928010537.4241-1-attila@lendvai.name> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.5 (/) X-Debbugs-Envelope-To: 50814 Cc: Attila Lendvai X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.5 (/) Will be fixed in a subsequent commit. * tests/git-authenticate.scm: New test "signed commits, .guix-authorizations, channel-introduction". --- tests/git-authenticate.scm | 111 +++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm index f66ef191b0..672aff2177 100644 --- a/tests/git-authenticate.scm +++ b/tests/git-authenticate.scm @@ -226,6 +226,117 @@ #:keyring-reference "master") #f))))))) +(unless (gpg+git-available?) (test-skip 1)) +(test-assert "signed commits, .guix-authorizations, channel-introduction" + (let* ((result #true) + (key1 %ed25519-public-key-file) + (key2 %ed25519-2-public-key-file) + (key3 %ed25519-3-public-key-file)) + (with-fresh-gnupg-setup (list key1 %ed25519-secret-key-file + key2 %ed25519-2-secret-key-file + key3 %ed25519-3-secret-key-file) + (with-temporary-git-repository dir + `((checkout "keyring" orphan) + (add "signer1.key" ,(call-with-input-file key1 get-string-all)) + (add "signer2.key" ,(call-with-input-file key2 get-string-all)) + (add "signer3.key" ,(call-with-input-file key3 get-string-all)) + (commit "keyring commit") + + (checkout "main" orphan) + (add "noise0") + (add ".guix-authorizations" + ,(object->string + `(authorizations + (version 0) + ((,(key-fingerprint key1) (name "Alice")))))) + (commit "commit 0" (signer ,(key-fingerprint key3))) + (add "noise1") + (commit "commit 1" (signer ,(key-fingerprint key1))) + (add "noise2") + (commit "commit 2" (signer ,(key-fingerprint key1)))) + (with-repository dir repo + (let* ((commit-0 (find-commit repo "commit 0")) + (check-from + (lambda* (commit #:key (should-fail? #false) (key key1) + (historical-authorizations + ;; key3 is trusted to authorize commit 0 + (list (key-fingerprint-vector key3)))) + (guard (c ((unauthorized-commit-error? c) + (if should-fail? + c + (let ((port (current-output-port))) + (format port "FAILURE: Unexpected exception at commit '~s':~%" + commit) + (print-exception port (stack-ref (make-stack #t) 1) + c (exception-args c)) + (set! result #false) + '())))) + (format #true "~%~%Checking ~s, should-fail? ~s, repo commits:~%" + commit should-fail?) + ;; to be able to inspect in the logs + (invoke "git" "-C" dir "log" "--reverse" "--pretty=oneline" "main") + (set! commit (find-commit repo commit)) + (authenticate-repository + repo + (commit-id commit) + (key-fingerprint-vector key) + #:historical-authorizations historical-authorizations) + (when should-fail? + (format #t "FAILURE: Authenticating commit '~s' should have failed.~%" commit) + (set! result #false)) + '())))) + (check-from "commit 0" #:key key3) + (check-from "commit 1") + (check-from "commit 2") + (with-git-repository dir + `((add "noise 3") + ;; a commit with key2 + (commit "commit 3" (signer ,(key-fingerprint key2)))) + ;; Should fail because it is signed with key2, not key1 + (check-from "commit 3" #:should-fail? #true) + ;; Specify commit 3 as a channel-introduction signed with + ;; key2. This is valid, but it should warn the user, because + ;; .guix-authorizations is not updated to include key2, which + ;; means that any subsequent commits with the same key will be + ;; rejected. + ;; + ;; TODO we should check somehow that a warning is issued + (check-from "commit 3" #:key key2)) + (with-git-repository dir + `((reset ,(oid->string (commit-id (find-commit repo "commit 2")))) + (add "noise 4") + ;; set it up properly + (add ".guix-authorizations" + ,(object->string + `(authorizations + (version 0) + ((,(key-fingerprint key1) (name "Alice")) + (,(key-fingerprint key2) (name "Bob")))))) + (commit "commit 4" (signer ,(key-fingerprint key2)))) + ;; This should fail because even though commit 4 adds key2 to + ;; .guix-authorizations, the commit itself is not authorized. + (check-from "commit 1" #:should-fail? #true) + ;; This should pass, because it's a valid channel intro at commit 4 + (check-from "commit 4" #:key key2)) + (with-git-repository dir + `((add "noise 5") + (commit "commit 5" (signer ,(key-fingerprint key2)))) + ;; This is not very intuitive: because commit 4 has once been + ;; used as a channel intro, it got marked as trusted in the + ;; ~/.cache/, and because commit 1 is one of its parent, it is + ;; also trusted. + (check-from "commit 1") + (check-from "commit 2") + ;; Should still be fine, but only when starting from commit 4 + (check-from "commit 4" #:key key2)) + (with-git-repository dir + `((add "noise 6") + (commit "commit 6" (signer ,(key-fingerprint key1)))) + (check-from "commit 1") + (check-from "commit 2") + (check-from "commit 4" #:key key2)))))) + result)) + (unless (gpg+git-available?) (test-skip 1)) (test-assert "signed commits, .guix-authorizations, authorized merge" (with-fresh-gnupg-setup (list %ed25519-public-key-file -- 2.33.0