store: Test 'import-paths' with unauthorized and unsigned nar bundles.

* tests/store.scm ("import not signed")
("import signed by unauthorized key"): New tests.
This commit is contained in:
Ludovic Courtès 2020-09-08 14:47:41 +02:00
parent 58833aec3f
commit 6310283bae
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5

View file

@ -23,6 +23,8 @@ (define-module (test-store)
#:use-module (guix utils)
#:use-module (guix monads)
#:use-module ((gcrypt hash) #:prefix gcrypt:)
#:use-module ((gcrypt pk-crypto) #:prefix gcrypt:)
#:use-module (guix pki)
#:use-module (guix base32)
#:use-module (guix packages)
#:use-module (guix derivations)
@ -966,6 +968,76 @@ (define ref-hash
(list out1 out2))))
#:guile-for-build (%guile-for-build)))
(test-assert "import not signed"
(let* ((text (random-text))
(file (add-file-tree-to-store %store
`("tree" directory
("text" regular (data ,text))
("link" symlink "text"))))
(dump (call-with-bytevector-output-port
(lambda (port)
(write-int 1 port) ;start
(write-file file port) ;contents
(write-int #x4558494e port) ;%export-magic
(write-string file port) ;store item
(write-string-list '() port) ;references
(write-string "" port) ;deriver
(write-int 0 port) ;not signed
(write-int 0 port))))) ;done
;; Ensure 'import-paths' raises an exception.
(guard (c ((store-protocol-error? c)
(and (not (zero? (store-protocol-error-status (pk 'C c))))
(string-contains (store-protocol-error-message c)
"lacks a signature"))))
(let* ((source (open-bytevector-input-port dump))
(imported (import-paths %store source)))
(pk 'unsigned-imported imported)
#f))))
(test-assert "import signed by unauthorized key"
(let* ((text (random-text))
(file (add-file-tree-to-store %store
`("tree" directory
("text" regular (data ,text))
("link" symlink "text"))))
(key (gcrypt:generate-key
(gcrypt:string->canonical-sexp
"(genkey (ecdsa (curve Ed25519) (flags rfc6979)))")))
(dump (call-with-bytevector-output-port
(lambda (port)
(write-int 1 port) ;start
(write-file file port) ;contents
(write-int #x4558494e port) ;%export-magic
(write-string file port) ;store item
(write-string-list '() port) ;references
(write-string "" port) ;deriver
(write-int 1 port) ;signed
(write-string (gcrypt:canonical-sexp->string
(signature-sexp
(gcrypt:bytevector->hash-data
(gcrypt:sha256 #vu8(0 1 2))
#:key-type 'ecc)
(gcrypt:find-sexp-token key 'private-key)
(gcrypt:find-sexp-token key 'public-key)))
port)
(write-int 0 port))))) ;done
;; Ensure 'import-paths' raises an exception.
(guard (c ((store-protocol-error? c)
;; XXX: The daemon-provided error message currently doesn't
;; mention the reason of the failure.
(not (zero? (store-protocol-error-status c)))))
(let* ((source (open-bytevector-input-port dump))
(imported (import-paths %store source)))
(pk 'unauthorized-imported imported)
#f))))
(test-assert "import corrupt path"
(let* ((text (random-text))
(file (add-text-to-store %store "text" text))