From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id sKEwN+uabWEEEAAAgWs5BA (envelope-from ) for ; Mon, 18 Oct 2021 18:03:55 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id MLbSMuuabWF4dQAA1q6Kng (envelope-from ) for ; Mon, 18 Oct 2021 16:03:55 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 56DF6CFA2 for ; Mon, 18 Oct 2021 18:03:55 +0200 (CEST) Received: from localhost ([::1]:54420 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mcV7C-0004Ma-Ab for larch@yhetil.org; Mon, 18 Oct 2021 12:03:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56088) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mcV2V-00084N-UT for guix-patches@gnu.org; Mon, 18 Oct 2021 11:59:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:36781) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mcV2V-00036y-1E for guix-patches@gnu.org; Mon, 18 Oct 2021 11:59:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1mcV2V-00072L-1A for guix-patches@gnu.org; Mon, 18 Oct 2021 11:59:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#50814] [PATCH 5/5] tests: Add test for .guix-authorizations and channel intro. Resent-From: Attila Lendvai Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Mon, 18 Oct 2021 15:59:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 50814 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 50814@debbugs.gnu.org Cc: Attila Lendvai Received: via spool by 50814-submit@debbugs.gnu.org id=B50814.163457269326961 (code B ref 50814); Mon, 18 Oct 2021 15:59:02 +0000 Received: (at 50814) by debbugs.gnu.org; 18 Oct 2021 15:58:13 +0000 Received: from localhost ([127.0.0.1]:48325 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mcV1g-00070i-QF for submit@debbugs.gnu.org; Mon, 18 Oct 2021 11:58:13 -0400 Received: from mail-ed1-f48.google.com ([209.85.208.48]:41485) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mcV1X-0006zJ-G6 for 50814@debbugs.gnu.org; Mon, 18 Oct 2021 11:58:04 -0400 Received: by mail-ed1-f48.google.com with SMTP id a25so948013edx.8 for <50814@debbugs.gnu.org>; Mon, 18 Oct 2021 08:58:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=+zDupLbRlsQC/k/BphcMTVNlMjLMZIWW6s00wMbOpVA=; b=DF8XD6MmUFjYkB53jjSkm/Shub2nI9o5NooSxdnVgKMzoatGnyH4RyPGU7gKCOv0Kg QSiOUcI85sIkWTz+3Woi+w7fU0yyVU7k7kRrOm/Q1yKyPhgN7njRRu95bNHQ0vJ2ZKFL xIkVA5TELvFsWsdNFyfGFECg8P6EVxglufIBCQCaDdpVNYhEm+cE+XRejiotzT9hewQ6 OfmlYEdO0UG1onQBK4KXH4sY8Quz4QRrYtF5pCDBgjaINaWStzCTg1OXvYgDfW3HkpQE XTZ8DO0UgRzPz3hHnAdTCnTLhtMEYIVI/umzEKRqhENRYh0Vg6supOL+fyqd+yTjOLJJ G9Tw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=+zDupLbRlsQC/k/BphcMTVNlMjLMZIWW6s00wMbOpVA=; b=C5vIF+kQ8Z1poBeKGYWMGC8kZ125DwJ5TLZZ0PmNDIOaaagnSuWzV0cfto4eDlb9XH FEetKNY+Yo4Xy1erak5RSEC5BoiUfr56T/Ad3qEwjU3YsXHnk+922ZiUHAhYkkaVGz1L 8bQLpRWiK3MAFg8BTbt+2yACKWLmqdUzkSnPhw1e6Xe3X6wNlzfCoCjzgwb+1bFxvzx+ 0aRKgjhSjvX9pFGAdOcakSb087q13wG36XoxWCDrEy/SHLul4fCCFObxEQGC9QT4FNRC Py0iPAo6Tfgg++4sMgHsOJhkU3rhC/y/xAsqT8TlWroRK3uz5koPGbB9z0U2fWBuXHgo Kugw== X-Gm-Message-State: AOAM5332Zor/Okm/e9V1BMJHC2TxDmLWuAniaGeTPBia0W1XKXEmAGs7 75hBd68zNSp2bXZFqINzdvDLlAWEmG8= X-Google-Smtp-Source: ABdhPJxQqGcRAAm0Gd4G5NgAWhhpM7kw59klMMtwivFMIvOe9MCjNkphnTwhxo3Ptmhj7yYP5hCtzg== X-Received: by 2002:a17:906:e85:: with SMTP id p5mr30802289ejf.159.1634572672170; Mon, 18 Oct 2021 08:57:52 -0700 (PDT) Received: from localhost.localdomain ([2a02:ab88:3710:6480:8fb4:66e9:57c0:8a0a]) by smtp.gmail.com with ESMTPSA id n22sm8762059eja.120.2021.10.18.08.57.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Oct 2021 08:57:51 -0700 (PDT) From: Attila Lendvai Date: Mon, 18 Oct 2021 17:57:34 +0200 Message-Id: <20211018155734.5175-5-attila@lendvai.name> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211018155734.5175-1-attila@lendvai.name> References: <20211018155734.5175-1-attila@lendvai.name> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1634573035; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=+zDupLbRlsQC/k/BphcMTVNlMjLMZIWW6s00wMbOpVA=; b=VZGsvm7fv/BqUU3qMID2gx5WsNOM0m+X1JKu2PXHDFoJZVE5NHScz5FDzYS3t2/xjmhcGB YcWpRYtr5nMJJqHY8kOuWwzLl3/nJylYbKC4Si6CEo/TUffzA3FKuyqJClLz+OqEErrSEu e3hOqbgGcWquvWDpS1JioLxgg+rslh2jKOABLjNQF50jE9SjZM8Zh5FzurG28QuNDcLZH8 OyS/1dw8wGAlpwsB2RTe4tLYQzmqS8a5JSOx0N0E13Md8Sf/lG7ciy3BYZ8Sqx7fPS8aht TXXFfDK13tSK8T9WHZamYEjsBlMzQAW7qacFKQKhdkB7OnMGRIyfP4NoUPqu9w== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634573035; a=rsa-sha256; cv=none; b=fZszUE+elj8uTbEWfYV+FhL3Q+s+NE40zcvnL7ioJulVeGob+oKHjNfK8IKIa1MRfB7iBT GW25CnAFdKHB95eJeiDmE6vaCi2ZNA7XGdRAobuFKXIlQbxP2VRrBdcmfAqAmSGzFISg9t G6rBPD9XBmMaS/+sUFFJ/Xaw+zc8bOubB+xbjZKck1m52EYnEzYDRq5Pt8QKrQJVkOAPAH E5MCBUPySWoD6FisKbva9fGwSCay+azhb1EuzgHzYK2i3PKdo4diFkOTAaB4hmr4hmQDPM xx5chxL93YifO/3Qkjv7NfnVbapd39AZ+eUHkmI5pRsbfDzXqARGSyqhHh4cQA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=DF8XD6Mm; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: 3.58 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=DF8XD6Mm; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: 56DF6CFA2 X-Spam-Score: 3.58 X-Migadu-Scanner: scn0.migadu.com X-TUID: akWGvy+gHB+O This test used to fail before a recent fix to authenticate-repository. * tests/git-authenticate.scm: New test "signed commits, .guix-authorizations, channel-introduction". --- tests/git-authenticate.scm | 150 +++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm index f66ef191b0..25b4962ea4 100644 --- a/tests/git-authenticate.scm +++ b/tests/git-authenticate.scm @@ -18,6 +18,7 @@ (define-module (test-git-authenticate) #:use-module (git) + #:use-module (guix diagnostics) #:use-module (guix git) #:use-module (guix git-authenticate) #:use-module (guix openpgp) @@ -28,6 +29,10 @@ (define-module (test-git-authenticate) #:use-module (srfi srfi-34) #:use-module (srfi srfi-64) #:use-module (rnrs bytevectors) + #:use-module ((rnrs conditions) + #:select (warning?)) + #:use-module ((rnrs exceptions) + #:select (with-exception-handler)) #:use-module (rnrs io ports)) ;; Test the (guix git-authenticate) tools. @@ -226,6 +231,151 @@ (define (correct? c commit) #:keyring-reference "master") #f))))))) +(unless (gpg+git-available?) (test-skip 1)) +(test-assert "signed commits, .guix-authorizations, channel-introduction" + (let* ((result #true) + (key1 %ed25519-public-key-file) + (key2 %ed25519-2-public-key-file) + (key3 %ed25519-3-public-key-file)) + (with-fresh-gnupg-setup (list key1 %ed25519-secret-key-file + key2 %ed25519-2-secret-key-file + key3 %ed25519-3-secret-key-file) + (with-temporary-git-repository dir + `((checkout "keyring" orphan) + (add "signer1.key" ,(call-with-input-file key1 get-string-all)) + (add "signer2.key" ,(call-with-input-file key2 get-string-all)) + (add "signer3.key" ,(call-with-input-file key3 get-string-all)) + (commit "keyring commit") + + (checkout "main" orphan) + (add "noise0") + (add ".guix-authorizations" + ,(object->string + `(authorizations + (version 0) + ((,(key-fingerprint key1) (name "Alice")) + ;; Notice that key2 is not authorized at this point. + (,(key-fingerprint key3) (name "Charlie")))))) + (commit "commit 0" (signer ,(key-fingerprint key3))) + (add "noise1") + (commit "commit 1" (signer ,(key-fingerprint key1))) + (add "noise2") + (commit "commit 2" (signer ,(key-fingerprint key1)))) + (with-repository dir repo + (let* ((commit-0 (find-commit repo "commit 0")) + (check-from + (lambda* (commit #:key (should-fail? #false) (key key1) + (historical-authorizations + ;; Let's mark key3 to be trusted + ;; unconditionally, so that it authorizes + ;; commit 0. + (list (key-fingerprint-vector key3)))) + (guard (c ((unauthorized-commit-error? c) + (if should-fail? + c + (let ((port (current-output-port))) + (format port "FAILURE: Unexpected exception at commit '~s':~%" + commit) + (print-exception port (stack-ref (make-stack #t) 1) + c (exception-args c)) + (set! result #false) + '())))) + (format #true "~%~%Checking ~s, should-fail? ~s, repo commits:~%" + commit should-fail?) + ;; To be able to inspect git's state in the logs. + (invoke "git" "-C" dir "log" "--reverse" "--pretty=oneline" "main") + (set! commit (find-commit repo commit)) + (authenticate-repository repo + (commit-id commit) + (key-fingerprint-vector key) + #:historical-authorizations + historical-authorizations) + (when should-fail? + (format #t "FAILURE: Authenticating commit '~s' should have failed.~%" commit) + (set! result #false)) + '())))) + (check-from "commit 0" #:key key3) + (check-from "commit 1") + (check-from "commit 2") + (with-git-repository dir + `((add "noise 3") + (commit "commit 3" (signer ,(key-fingerprint key2)))) + ;; This should fail because it is signed by key2, i.e. an + ;; unauthorized key. + (check-from "commit 3" #:should-fail? #true) + ;; Specify commit 3 as a channel-introduction signed with + ;; key2. This is valid, but it should warn the user, because + ;; .guix-authorizations is not updated to include key2, which + ;; means that any subsequent commits with the same key will be + ;; rejected. + (set! result + (and (let ((signalled? #false)) + (with-exception-handler + (lambda (c) + (cond + ((not (warning? c)) + (raise c)) + ((formatted-message? c) + (format #true "warning (expected): ~a~%" + (apply format #false + (formatted-message-string c) + (formatted-message-arguments c))) + (set! signalled? #true))) + '()) + (lambda () + (check-from "commit 3" #:key key2) + (unless signalled? + (format #t "FAILURE: No warning signalled for commit 3~%")) + signalled?))) + result))) + (with-git-repository dir + ;; Drop the faulty commit 3 + `((reset ,(oid->string (commit-id (find-commit repo "commit 2")))) + (add "noise 4") + (add ".guix-authorizations" + ,(object->string + ;; Remove key3, add key2. + `(authorizations + (version 0) + ((,(key-fingerprint key1) (name "Alice")) + (,(key-fingerprint key2) (name "Bob")))))) + (commit "commit 4" (signer ,(key-fingerprint key2)))) + ;; This should fail because even though commit 4 adds key2 to + ;; .guix-authorizations, but commit 1 was created prior to that, + ;; therefore it is not authorized. + (check-from "commit 1" #:should-fail? #true) + ;; This should pass, because it's a valid channel intro at commit 4 + (check-from "commit 4" #:key key2)) + (with-git-repository dir + `((add "noise 5") + (commit "commit 5" (signer ,(key-fingerprint key2)))) + ;; It is not very intuitive why commit 1 and 2 should be trusted + ;; at this point: commit 4 has previously been used as a channel + ;; intro, thus it got marked as trusted in the ~/.cache/. + ;; Because commit 1 and 2 are among its parents, it should also + ;; be trusted at this point because of the cache. Note that + ;; it's debatable whether this semantics is a good idea, but + ;; this is how git-authenticate is and has been implemented for + ;; a while (modulo failing to update the cache in the past when + ;; taking certain code paths). + (check-from "commit 1") + (check-from "commit 2") + ;; Should still be fine, but only when starting from commit 4 + (check-from "commit 4" #:key key2)) + (with-git-repository dir + `((add "noise 6") + (commit "commit 6" (signer ,(key-fingerprint key1)))) + (check-from "commit 1") + (check-from "commit 2") + (check-from "commit 4" #:key key2)) + (with-git-repository dir + `((add "noise 7") + (commit "commit 7" (signer ,(key-fingerprint key3)))) + ;; This should fail because key3 is not among the authorized + ;; keys anymore, and commit 7 is signed by it. + (check-from "commit 6" #:should-fail? #true)))))) + result)) + (unless (gpg+git-available?) (test-skip 1)) (test-assert "signed commits, .guix-authorizations, authorized merge" (with-fresh-gnupg-setup (list %ed25519-public-key-file -- 2.33.0