package dehub

import (
	"dehub/accessctl"
	"dehub/sigcred"
	"testing"

	"gopkg.in/src-d/go-git.v4/plumbing"
)

// TestCredentialCommitVerify exercises branch-scoped credential access
// control. A second account ("toot") is added whose signature only satisfies
// the access-control condition attached to its own branch; every other branch
// requires a signature from "root". The same credential commit is then
// attempted twice with toot's signature: once on the branch the harness starts
// on, where it is expected to be rejected, and once on toot's branch, where it
// is expected to be accepted.
func TestCredentialCommitVerify(t *testing.T) {
	h := newHarness(t)

	// Register the "toot" account with a PGP signifier generated by
	// sigcred.SignifierPGPTmp; only the public key body goes into the config.
	sig, pubKey := sigcred.SignifierPGPTmp("toot", h.rand)
	toot := Account{
		ID: "toot",
		Signifiers: []sigcred.Signifier{{
			PGPPublicKey: &sigcred.SignifierPGP{Body: string(pubKey)},
		}},
	}
	h.cfg.Accounts = append(h.cfg.Accounts, toot)

	// oneSigFrom builds a condition with Count "1" over the given account IDs.
	oneSigFrom := func(ids ...string) accessctl.Condition {
		return accessctl.Condition{
			Signature: &accessctl.ConditionSignature{
				AccountIDs: ids,
				Count:      "1",
			},
		}
	}
	tootCond := oneSigFrom("root", "toot")
	rootCond := oneSigFrom("root")

	// aclFor applies one condition to both change commits (all file paths)
	// and credential commits on branches matching pattern.
	aclFor := func(pattern string, cond accessctl.Condition) accessctl.BranchAccessControl {
		return accessctl.BranchAccessControl{
			BranchPattern: pattern,
			ChangeAccessControls: []accessctl.ChangeAccessControl{
				{FilePathPattern: "**", Condition: cond},
			},
			CredentialAccessControl: &accessctl.CredentialAccessControl{
				Condition: cond,
			},
		}
	}

	tootBranch := plumbing.NewBranchReferenceName("toot_branch")

	// The branch-specific entry is listed ahead of the "**" catch-all.
	// NOTE(review): presumably the first matching BranchPattern wins, which
	// is what keeps toot's privilege confined to its own branch; confirm
	// against accessctl.
	h.cfg.AccessControls = []accessctl.BranchAccessControl{
		aclFor(tootBranch.Short(), tootCond),
		aclFor("**", rootCond),
	}
	h.stageCfg()

	// The initial commit is authored by the first configured account using
	// the harness's own signifier. The second return value is not needed here.
	rootCommit, _ := h.changeCommit("initial commit", h.cfg.Accounts[0].ID, h.sig)

	// toot wants to add a credential commit vouching for the root commit's
	// change hash.
	changeHash := rootCommit.Change.ChangeHash
	credCommit, err := h.repo.NewCommitCredential(changeHash)
	if err != nil {
		t.Fatalf("creating credential commit for hash %x: %v", changeHash, err)
	}

	// No checkout has happened yet, so this attempt is made outside toot's
	// branch, where only root's signature satisfies the condition: it should
	// be refused.
	h.tryCommit(false, credCommit, "toot", sig)

	// On toot's own branch the identical credential commit should be allowed.
	h.checkout(tootBranch)
	h.tryCommit(true, credCommit, "toot", sig)
}