diff options
Diffstat (limited to 'object/signed/commit/integration_test.go')
| -rw-r--r-- | object/signed/commit/integration_test.go | 138 |
1 files changed, 0 insertions, 138 deletions
diff --git a/object/signed/commit/integration_test.go b/object/signed/commit/integration_test.go deleted file mode 100644 index 82b34b14..00000000 --- a/object/signed/commit/integration_test.go +++ /dev/null @@ -1,138 +0,0 @@ -package signedcommit_test - -import ( - "bytes" - "os" - "os/exec" - "path/filepath" - "testing" - - "codeberg.org/lindenii/furgit/internal/testgit" - objectid "codeberg.org/lindenii/furgit/object/id" - signedcommit "codeberg.org/lindenii/furgit/object/signed/commit" -) - -func setupSSHSignedCommit( - t *testing.T, - algo objectid.Algorithm, -) (payload []byte, allowedSignersPath string, signaturePath string) { - t.Helper() - - testRepo := testgit.NewRepo(t, testgit.RepoOptions{ObjectFormat: algo}) - - signDir := t.TempDir() - - signRoot, err := os.OpenRoot(signDir) - if err != nil { - t.Fatalf("os.OpenRoot(%q): %v", signDir, err) - } - - t.Cleanup(func() { _ = signRoot.Close() }) - - privateKeyPath := filepath.Join(signDir, "signing_key") - allowedSignersPath = filepath.Join(signDir, "allowed_signers") - signaturePath = filepath.Join(signDir, "commit.sig") - - cmd := exec.Command( //nolint:noctx - "ssh-keygen", - "-q", - "-t", "ed25519", - "-N", "", - "-C", "runxiyu@umich.edu", - "-f", privateKeyPath, - ) //#nosec G204 - - out, err := cmd.CombinedOutput() - if err != nil { - t.Fatalf("ssh-keygen generate failed: %v\n%s", err, out) - } - - publicKey, err := signRoot.ReadFile("signing_key.pub") - if err != nil { - t.Fatalf("ReadFile(signing_key.pub): %v", err) - } - - err = signRoot.WriteFile( - "allowed_signers", - append([]byte("runxiyu@umich.edu "), publicKey...), - 0o600, - ) - if err != nil { - t.Fatalf("WriteFile(allowed_signers): %v", err) - } - - testRepo.Run(t, "config", "gpg.format", "ssh") - testRepo.Run(t, "config", "user.signingkey", privateKeyPath) - - testRepo.WriteFile(t, "file.txt", []byte("signed\n"), 0o644) - testRepo.Run(t, "add", "file.txt") - testRepo.Run(t, "commit", "-S", "-m", "signed commit") - - commitID := testRepo.RevParse(t, "HEAD^{commit}") - body := testRepo.CatFile(t, "commit", commitID) - - commit, err := signedcommit.Parse(body) - if err != nil { - t.Fatalf("Parse: %v", err) - } - - signature, ok := commit.AppendSignature(nil, algo) - if !ok { - t.Fatalf("missing %s signature", algo) - } - - err = signRoot.WriteFile("commit.sig", signature, 0o600) - if err != nil { - t.Fatalf("WriteFile(commit.sig): %v", err) - } - - return commit.AppendPayload(nil), allowedSignersPath, signaturePath -} - -func TestSSHSignedCommitIntegration(t *testing.T) { - t.Parallel() - - testgit.ForEachAlgorithm(t, func(t *testing.T, algo objectid.Algorithm) { //nolint:thelper - payload, allowedSignersPath, signaturePath := setupSSHSignedCommit(t, algo) - - cmd := exec.Command( //nolint:noctx - "ssh-keygen", - "-Y", "verify", - "-n", "git", - "-f", allowedSignersPath, - "-I", "runxiyu@umich.edu", - "-s", signaturePath, - ) //#nosec G204 - cmd.Stdin = bytes.NewReader(payload) - - out, err := cmd.CombinedOutput() - if err != nil { - t.Fatalf("ssh-keygen verify failed: %v\n%s", err, out) - } - }) -} - -func TestSSHSignedCommitIntegrationRejectsTamperedPayload(t *testing.T) { - t.Parallel() - - testgit.ForEachAlgorithm(t, func(t *testing.T, algo objectid.Algorithm) { //nolint:thelper - payload, allowedSignersPath, signaturePath := setupSSHSignedCommit(t, algo) - payload = append([]byte(nil), payload...) - payload[len(payload)-2] ^= 1 - - cmd := exec.Command( //nolint:noctx - "ssh-keygen", - "-Y", "verify", - "-n", "git", - "-f", allowedSignersPath, - "-I", "runxiyu@umich.edu", - "-s", signaturePath, - ) //#nosec G204 - cmd.Stdin = bytes.NewReader(payload) - - out, err := cmd.CombinedOutput() - if err == nil { - t.Fatalf("ssh-keygen verify unexpectedly succeeded:\n%s", out) - } - }) -} |