--- type: change message: |- Fully implement credential commits The actual commit objects and related refactoring had already been done, this commit takes the next step of implementing the access control changes, tests for verification, and refactoring of the dehub command to support multiple commit message types (as well as a small fix to dcmd). change_hash: AJyuAR0koVoe+uPBisa5qXsbW8YhlgOKNhnvy9uv7hQ8 credentials: - type: pgp_signature pub_key_id: 95C46FA6A41148AC body: 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 account: mediocregophermain
parent
69e336ea5e
commit
326de2afc6
@ -0,0 +1,79 @@ |
||||
package dehub |
||||
|
||||
import ( |
||||
"dehub/accessctl" |
||||
"dehub/sigcred" |
||||
"testing" |
||||
|
||||
"gopkg.in/src-d/go-git.v4/plumbing" |
||||
) |
||||
|
||||
func TestCredentialCommitVerify(t *testing.T) { |
||||
h := newHarness(t) |
||||
|
||||
// create a new account and modify the config so that that account is only
|
||||
// allowed to add verifications to a single branch
|
||||
tootSig, tootPubKeyBody := sigcred.SignifierPGPTmp("toot", h.rand) |
||||
h.cfg.Accounts = append(h.cfg.Accounts, Account{ |
||||
ID: "toot", |
||||
Signifiers: []sigcred.Signifier{{PGPPublicKey: &sigcred.SignifierPGP{ |
||||
Body: string(tootPubKeyBody), |
||||
}}}, |
||||
}) |
||||
|
||||
tootBranch := plumbing.NewBranchReferenceName("toot_branch") |
||||
tootBranchCond := accessctl.Condition{ |
||||
Signature: &accessctl.ConditionSignature{ |
||||
AccountIDs: []string{"root", "toot"}, |
||||
Count: "1", |
||||
}, |
||||
} |
||||
allBranchCond := accessctl.Condition{ |
||||
Signature: &accessctl.ConditionSignature{ |
||||
AccountIDs: []string{"root"}, |
||||
Count: "1", |
||||
}, |
||||
} |
||||
h.cfg.AccessControls = []accessctl.BranchAccessControl{ |
||||
{ |
||||
BranchPattern: tootBranch.Short(), |
||||
ChangeAccessControls: []accessctl.ChangeAccessControl{ |
||||
{ |
||||
FilePathPattern: "**", |
||||
Condition: tootBranchCond, |
||||
}, |
||||
}, |
||||
CredentialAccessControl: &accessctl.CredentialAccessControl{ |
||||
Condition: tootBranchCond, |
||||
}, |
||||
}, |
||||
{ |
||||
BranchPattern: "**", |
||||
ChangeAccessControls: []accessctl.ChangeAccessControl{ |
||||
{ |
||||
FilePathPattern: "**", |
||||
Condition: allBranchCond, |
||||
}, |
||||
}, |
||||
CredentialAccessControl: &accessctl.CredentialAccessControl{ |
||||
Condition: allBranchCond, |
||||
}, |
||||
}, |
||||
} |
||||
h.stageCfg() |
||||
rootCommit, _ := h.changeCommit("initial commit", h.cfg.Accounts[0].ID, h.sig) |
||||
|
||||
// toot user wants to create a credential commit for the root commit, for
|
||||
// whatever reason.
|
||||
rootChangeHash := rootCommit.Change.ChangeHash |
||||
credCommit, err := h.repo.NewCommitCredential(rootChangeHash) |
||||
if err != nil { |
||||
t.Fatalf("creating credential commit for hash %x: %v", rootChangeHash, err) |
||||
|
||||
} |
||||
h.tryCommit(false, credCommit, "toot", tootSig) |
||||
|
||||
// toot tries again in their own branch, and should be allowed.
|
||||
h.checkout(tootBranch) |
||||
h.tryCommit(true, credCommit, "toot", tootSig) |
||||
} |
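Review bot: The test cannot tell whether a credential commit is checked against `CredentialAccessControl` or against `ChangeAccessControls`, because each entry in `h.cfg.AccessControls` gives both fields the same condition (`tootBranchCond` for `toot_branch`, `allBranchCond` for `**`). An implementation that wrongly applied the change rules to credential commits would still pass both `h.tryCommit` calls. In the `toot_branch` entry, set the change rule to `Condition: allBranchCond,` and keep `CredentialAccessControl` on `tootBranchCond`, so the final `h.tryCommit(true, ...)` can only succeed if the credential-specific rule is the one consulted. A further negative case where the account ID and signing key disagree, such as `h.tryCommit(false, credCommit, "root", tootSig)` after the checkout, would check that the signature is verified against the named account's key; this assumes the harness signs with whatever signifier it is handed, which is not visible here.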