guix/tests/git-authenticate.scm
Ludovic Courtès e782756080
git-authenticate: Prevent removal of '.guix-authorizations'.
* guix/git-authenticate.scm (commit-authorized-keys)
[parents-have-authorizations-file?, assert-parents-lack-authorizations]:
New procedures.
Use the latter before returning DEFAULT-AUTHORIZATIONS.
* guix/git.scm (false-if-git-not-found): Export.
* guix/tests/git.scm (populate-git-repository): Add 'remove' clause.
* tests/git-authenticate.scm ("signed commits, .guix-authorizations removed"):
New test.
2020-06-07 23:10:46 +02:00

327 lines
15 KiB
Scheme
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2020 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (test-git-authenticate)
#:use-module (git)
#:use-module (guix git)
#:use-module (guix git-authenticate)
#:use-module (guix openpgp)
#:use-module (guix tests git)
#:use-module (guix tests gnupg)
#:use-module (guix build utils)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-64)
#:use-module (rnrs bytevectors)
#:use-module (rnrs io ports))
;; Test the (guix git-authenticate) tools.
(define %ed25519-public-key-file
(search-path %load-path "tests/ed25519.key"))
(define %ed25519-secret-key-file
(search-path %load-path "tests/ed25519.sec"))
(define %ed25519bis-public-key-file
(search-path %load-path "tests/ed25519bis.key"))
(define %ed25519bis-secret-key-file
(search-path %load-path "tests/ed25519bis.sec"))
(define (read-openpgp-packet file)
(get-openpgp-packet
(open-bytevector-input-port
(call-with-input-file file read-radix-64))))
(define key-fingerprint
(compose openpgp-format-fingerprint
openpgp-public-key-fingerprint
read-openpgp-packet))
(define (key-id file)
(define id
(openpgp-public-key-id (read-openpgp-packet)))
(string-pad (number->string id 16) 16 #\0))
(define (gpg+git-available?)
(and (which (git-command))
(which (gpg-command)) (which (gpgconf-command))))
(test-begin "git-authenticate")
(unless (which (git-command)) (test-skip 1))
(test-assert "unsigned commits"
(with-temporary-git-repository directory
'((add "a.txt" "A")
(commit "first commit")
(add "b.txt" "B")
(commit "second commit"))
(with-repository directory repository
(let ((commit1 (find-commit repository "first"))
(commit2 (find-commit repository "second")))
(guard (c ((unsigned-commit-error? c)
(oid=? (git-authentication-error-commit c)
(commit-id commit1))))
(authenticate-commits repository (list commit1 commit2)
#:keyring-reference "master")
'failed)))))
(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, default authorizations"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file)
(with-temporary-git-repository directory
`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
get-string-all))
(commit "zeroth commit")
(add "a.txt" "A")
(commit "first commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add "b.txt" "B")
(commit "second commit"
(signer ,(key-fingerprint %ed25519-public-key-file))))
(with-repository directory repository
(let ((commit1 (find-commit repository "first"))
(commit2 (find-commit repository "second")))
(authenticate-commits repository (list commit1 commit2)
#:default-authorizations
(list (openpgp-public-key-fingerprint
(read-openpgp-packet
%ed25519-public-key-file)))
#:keyring-reference "master"))))))
(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file)
(with-temporary-git-repository directory
`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add ".guix-authorizations"
,(object->string
`(authorizations (version 0)
((,(key-fingerprint
%ed25519-public-key-file)
(name "Charlie"))))))
(commit "zeroth commit")
(add "a.txt" "A")
(commit "first commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add ".guix-authorizations"
,(object->string `(authorizations (version 0) ()))) ;empty
(commit "second commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add "b.txt" "B")
(commit "third commit"
(signer ,(key-fingerprint %ed25519-public-key-file))))
(with-repository directory repository
(let ((commit1 (find-commit repository "first"))
(commit2 (find-commit repository "second"))
(commit3 (find-commit repository "third")))
;; COMMIT1 and COMMIT2 are fine.
(and (authenticate-commits repository (list commit1 commit2)
#:keyring-reference "master")
;; COMMIT3 is signed by an unauthorized key according to its
;; parent's '.guix-authorizations' file.
(guard (c ((unauthorized-commit-error? c)
(and (oid=? (git-authentication-error-commit c)
(commit-id commit3))
(bytevector=?
(openpgp-public-key-fingerprint
(unauthorized-commit-error-signing-key c))
(openpgp-public-key-fingerprint
(read-openpgp-packet
%ed25519-public-key-file))))))
(authenticate-commits repository
(list commit1 commit2 commit3)
#:keyring-reference "master")
'failed)))))))
(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations, unauthorized merge"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file)
(with-temporary-git-repository directory
`((add "signer1.key"
,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add "signer2.key"
,(call-with-input-file %ed25519bis-public-key-file
get-string-all))
(add ".guix-authorizations"
,(object->string
`(authorizations (version 0)
((,(key-fingerprint
%ed25519-public-key-file)
(name "Alice"))))))
(commit "zeroth commit")
(add "a.txt" "A")
(commit "first commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(branch "devel")
(checkout "devel")
(add "devel/1.txt" "1")
(commit "first devel commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
(checkout "master")
(add "b.txt" "B")
(commit "second commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(merge "devel" "merge"
(signer ,(key-fingerprint %ed25519-public-key-file))))
(with-repository directory repository
(let ((master1 (find-commit repository "first commit"))
(master2 (find-commit repository "second commit"))
(devel1 (find-commit repository "first devel commit"))
(merge (find-commit repository "merge")))
(define (correct? c commit)
(and (oid=? (git-authentication-error-commit c)
(commit-id commit))
(bytevector=?
(openpgp-public-key-fingerprint
(unauthorized-commit-error-signing-key c))
(openpgp-public-key-fingerprint
(read-openpgp-packet %ed25519bis-public-key-file)))))
(and (authenticate-commits repository (list master1 master2)
#:keyring-reference "master")
;; DEVEL1 is signed by an unauthorized key according to its
;; parent's '.guix-authorizations' file.
(guard (c ((unauthorized-commit-error? c)
(correct? c devel1)))
(authenticate-commits repository
(list master1 devel1)
#:keyring-reference "master")
#f)
;; MERGE is authorized but one of its ancestors is not.
(guard (c ((unauthorized-commit-error? c)
(correct? c devel1)))
(authenticate-commits repository
(list master1 master2
devel1 merge)
#:keyring-reference "master")
#f)))))))
(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations, authorized merge"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file
%ed25519bis-public-key-file
%ed25519bis-secret-key-file)
(with-temporary-git-repository directory
`((add "signer1.key"
,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add "signer2.key"
,(call-with-input-file %ed25519bis-public-key-file
get-string-all))
(add ".guix-authorizations"
,(object->string
`(authorizations (version 0)
((,(key-fingerprint
%ed25519-public-key-file)
(name "Alice"))))))
(commit "zeroth commit")
(add "a.txt" "A")
(commit "first commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(branch "devel")
(checkout "devel")
(add ".guix-authorizations"
,(object->string ;add the second signer
`(authorizations (version 0)
((,(key-fingerprint
%ed25519-public-key-file)
(name "Alice"))
(,(key-fingerprint
%ed25519bis-public-key-file))))))
(commit "first devel commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add "devel/2.txt" "2")
(commit "second devel commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file)))
(checkout "master")
(add "b.txt" "B")
(commit "second commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(merge "devel" "merge"
(signer ,(key-fingerprint %ed25519-public-key-file)))
;; After the merge, the second signer is authorized.
(add "c.txt" "C")
(commit "third commit"
(signer ,(key-fingerprint %ed25519bis-public-key-file))))
(with-repository directory repository
(let ((master1 (find-commit repository "first commit"))
(master2 (find-commit repository "second commit"))
(devel1 (find-commit repository "first devel commit"))
(devel2 (find-commit repository "second devel commit"))
(merge (find-commit repository "merge"))
(master3 (find-commit repository "third commit")))
(authenticate-commits repository
(list master1 master2 devel1 devel2
merge master3)
#:keyring-reference "master"))))))
(unless (gpg+git-available?) (test-skip 1))
(test-assert "signed commits, .guix-authorizations removed"
(with-fresh-gnupg-setup (list %ed25519-public-key-file
%ed25519-secret-key-file)
(with-temporary-git-repository directory
`((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
get-string-all))
(add ".guix-authorizations"
,(object->string
`(authorizations (version 0)
((,(key-fingerprint
%ed25519-public-key-file)
(name "Charlie"))))))
(commit "zeroth commit")
(add "a.txt" "A")
(commit "first commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(remove ".guix-authorizations")
(commit "second commit"
(signer ,(key-fingerprint %ed25519-public-key-file)))
(add "b.txt" "B")
(commit "third commit"
(signer ,(key-fingerprint %ed25519-public-key-file))))
(with-repository directory repository
(let ((commit1 (find-commit repository "first"))
(commit2 (find-commit repository "second"))
(commit3 (find-commit repository "third")))
;; COMMIT1 and COMMIT2 are fine.
(and (authenticate-commits repository (list commit1 commit2)
#:keyring-reference "master")
;; COMMIT3 is rejected because COMMIT2 removes
;; '.guix-authorizations'.
(guard (c ((unauthorized-commit-error? c)
(oid=? (git-authentication-error-commit c)
(commit-id commit2))))
(authenticate-commits repository
(list commit1 commit2 commit3)
#:keyring-reference "master")
'failed)))))))
(test-end "git-authenticate")