1f422511d5
--- type: change message: |- completely refactor accessctl (again) This time it's using an actual access control list system, rather than whatever it was doing before. The new system uses a Filter type, rather than Condition, to decide which acl element should have its action (allow or deny) applied. This makes testing way easier, since all the different matching conditions are now individual filters, and so are tested individually. change_hash: AFgN0hormIlO0VWkLKnAdSDZeVRbh0Wj8LLXOMVQEK+L credentials: - type: pgp_signature pub_key_id: 95C46FA6A41148AC body: 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 account: mediocregopher
package dehub
import (
"dehub/sigcred"
"testing"
"gopkg.in/src-d/go-git.v4/plumbing"
yaml "gopkg.in/yaml.v2"
)
// TestCredentialCommitVerify checks that access controls are enforced on
// credential commits: an account whose only allow rule is scoped to one
// branch must be rejected when it signs a credential on another branch and
// accepted when it signs the same credential on its own branch.
func TestCredentialCommitVerify(t *testing.T) {
	h := newHarness(t)

	// create a new account ("toot") with a throwaway PGP key and modify the
	// config so that that account is only allowed to add verifications to a
	// single branch
	tootSig, tootPubKeyBody := sigcred.SignifierPGPTmp("toot", h.rand)
	h.cfg.Accounts = append(h.cfg.Accounts, Account{
		ID: "toot",
		Signifiers: []sigcred.Signifier{{PGPPublicKey: &sigcred.SignifierPGP{
			Body: string(tootPubKeyBody),
		}}},
	})

	tootBranch := plumbing.NewBranchReferenceName("toot_branch")

	// Access control list under test, listed in the order it is written:
	//   1. branch "toot_branch" AND one signature from root or toot -> allow
	//   2. one signature from root (any branch)                      -> allow
	//   3. bare deny, no filters                                     -> deny
	// The trailing deny is the catch-all: any (branch, signer) combination
	// not named by an explicit allow above it is rejected.
	// NOTE(review): the test relies on the rules being evaluated in this
	// order with first match winning; the evaluation itself lives outside
	// this file — confirm against the accessctl implementation.
	// NOTE(review): `pattern` is given tootBranch.Short() ("toot_branch").
	// Whether the branch filter matches exactly or as a glob/prefix is not
	// exercised here; a negative case on a sibling name such as
	// "toot_branch2" would pin that down — TODO confirm.
	err := yaml.Unmarshal([]byte(`
- action: allow
  filters:
    - type: branch
      pattern: `+tootBranch.Short()+`
    - type: signature
      count: 1
      account_ids:
        - root
        - toot

- action: allow
  filters:
    - type: signature
      count: 1
      account_ids:
        - root

- action: deny
`), &h.cfg.AccessControls)
	if err != nil {
		t.Fatal(err)
	}
	// Stage the modified config and commit it as Accounts[0] (presumably the
	// "root" account named in the ACL) using the harness' own signifier, so
	// the ACL that restricts toot is itself authorized by a different,
	// more privileged account rather than by toot.
	h.stageCfg()
	rootGitCommit := h.changeCommit("initial commit", h.cfg.Accounts[0].ID, h.sig)

	// toot user wants to create a credential commit for the root commit, for
	// whatever reason.
	rootChangeHash := rootGitCommit.Commit.Change.ChangeHash
	credCommit, err := h.repo.NewCommitCredential(rootChangeHash)
	if err != nil {
		t.Fatalf("creating credential commit for hash %x: %v", rootChangeHash, err)
	}
	// On the branch that is currently checked out (not toot_branch) toot
	// matches neither allow rule and must fall through to the deny.
	// NOTE(review): the first argument to tryCommit appears to be the
	// expected outcome (false = must be rejected) — verify in the harness.
	h.tryCommit(false, credCommit, "toot", tootSig)

	// toot tries again in their own branch, and should be allowed (rule 1:
	// branch matches and toot is an accepted signer).
	h.checkout(tootBranch)
	h.tryCommit(true, credCommit, "toot", tootSig)
}