GNU bug report logs

#50814 [PATCH] guix: git-authenticate: Also authenticate the channel intro commit.


Message #84 received at 50814@debbugs.gnu.org:

From: Attila Lendvai <attila@lendvai.name>
To: 50814@debbugs.gnu.org
Subject: [PATCH] tests: Add test for .guix-authorizations and channel intro.
Date: Sun, 10 Oct 2021 16:15:03 +0200
Message-Id: <20211010141502.15716-1-attila@lendvai.name>
X-Mailer: git-send-email 2.33.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: Attila Lendvai <attila@lendvai.name>
This test used to fail before a recent fix to authenticate-repository.

* tests/git-authenticate.scm: New test "signed commits, .guix-authorizations,
channel-introduction".
---

resending the patch that adds the test (i have extended the comments where the
test fails, and also fixed the check for the warning).

> i'll investigate again later by running the test without the fix, and write
> up my results here, or better yet, in a better commit message.

i ran the test without my fix commit, and indeed it fails at two points:

1)

;; Should fail because it is signed with key2, not key1
(check-from "commit 3" #:should-fail? #true)

2)

;; It is not very intuitive why commit 1 and 2 should be trusted
;; at this point: commit 4 has previously been used as a channel
;; intro, thus it got marked as trusted in the ~/.cache/.
;; Because commit 1 and 2 are among its parents, it should also
;; be trusted at this point because of the cache.  Note that
;; it's debatable whether this semantics is a good idea, but
;; this is how git-authenticate is and has been implemented for
;; a while (modulo failing to update the cache in the past when
;; taking certain code paths).
(check-from "commit 1")

please take a look at the test, and let me know if any of the
assumptions encoded into the test are wrong, or if anything
else needs clarification.

- attila


 tests/git-authenticate.scm | 139 +++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)

diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm
index f66ef191b0..7989f46924 100644
--- a/tests/git-authenticate.scm
+++ b/tests/git-authenticate.scm
@@ -18,6 +18,7 @@
 
 (define-module (test-git-authenticate)
   #:use-module (git)
+  #:use-module (guix diagnostics)
   #:use-module (guix git)
   #:use-module (guix git-authenticate)
   #:use-module (guix openpgp)
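Review bot: `(guix diagnostics)` is imported whole here while the two R6RS modules added in the next hunk are imported with `#:select`; only `formatted-message?`, `formatted-message-string` and `formatted-message-arguments` are used in the new test, so `#:use-module ((guix diagnostics) #:select (formatted-message? formatted-message-string formatted-message-arguments))` would keep the style consistent and the test module's namespace minimal.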
@@ -28,6 +29,10 @@
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-64)
   #:use-module (rnrs bytevectors)
+  #:use-module ((rnrs conditions)
+                #:select (warning?))
+  #:use-module ((rnrs exceptions)
+                #:select (with-exception-handler))
   #:use-module (rnrs io ports))
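Review bot: the selective imports of `warning?` from `(rnrs conditions)` and `with-exception-handler` from `(rnrs exceptions)` are undocumented; since Guile's default environment also provides a `with-exception-handler`, a one-line comment saying why the R6RS binding is chosen here, and that the handler in the new test relies on being able to return normally after a `warning?` condition, would spare the next reader a detour.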
 
 ;; Test the (guix git-authenticate) tools.
@@ -226,6 +231,140 @@
                                        #:keyring-reference "master")
                  #f)))))))
 
+(unless (gpg+git-available?) (test-skip 1))
+(test-assert "signed commits, .guix-authorizations, channel-introduction"
+  (let* ((result   #true)
+         (key1     %ed25519-public-key-file)
+         (key2     %ed25519-2-public-key-file)
+         (key3     %ed25519-3-public-key-file))
+    (with-fresh-gnupg-setup (list key1 %ed25519-secret-key-file
+                                  key2 %ed25519-2-secret-key-file
+                                  key3 %ed25519-3-secret-key-file)
+      (with-temporary-git-repository dir
+          `((checkout "keyring" orphan)
+            (add "signer1.key" ,(call-with-input-file key1 get-string-all))
+            (add "signer2.key" ,(call-with-input-file key2 get-string-all))
+            (add "signer3.key" ,(call-with-input-file key3 get-string-all))
+            (commit "keyring commit")
+
+            (checkout "main" orphan)
+            (add "noise0")
+            (add ".guix-authorizations"
+                 ,(object->string
+                   `(authorizations
+                     (version 0)
+                     ((,(key-fingerprint key1) (name "Alice"))
+                      (,(key-fingerprint key3) (name "Charlie"))))))
+            (commit "commit 0" (signer ,(key-fingerprint key3)))
+            (add "noise1")
+            (commit "commit 1" (signer ,(key-fingerprint key1)))
+            (add "noise2")
+            (commit "commit 2" (signer ,(key-fingerprint key1))))
+        (with-repository dir repo
+          (let* ((commit-0 (find-commit repo "commit 0"))
+                 (check-from
+                  (lambda* (commit #:key (should-fail? #false) (key key1)
+                                   (historical-authorizations
+                                    ;; key3 is trusted to authorize commit 0
+                                    (list (key-fingerprint-vector key3))))
+                    (guard (c ((unauthorized-commit-error? c)
+                               (if should-fail?
+                                   c
+                                   (let ((port (current-output-port)))
+                                     (format port "FAILURE: Unexpected exception at commit '~s':~%"
+                                             commit)
+                                     (print-exception port (stack-ref (make-stack #t) 1)
+                                                      c (exception-args c))
+                                     (set! result #false)
+                                     '()))))
+                      (format #true "~%~%Checking ~s, should-fail? ~s, repo commits:~%"
+                              commit should-fail?)
+                      ;; to be able to inspect in the logs
+                      (invoke "git" "-C" dir "log" "--reverse" "--pretty=oneline" "main")
+                      (set! commit (find-commit repo commit))
+                      (authenticate-repository
+                       repo
+                       (commit-id commit)
+                       (key-fingerprint-vector key)
+                       #:historical-authorizations historical-authorizations)
+                      (when should-fail?
+                        (format #t "FAILURE: Authenticating commit '~s' should have failed.~%" commit)
+                        (set! result #false))
+                      '()))))
+            (check-from "commit 0" #:key key3)
+            (check-from "commit 1")
+            (check-from "commit 2")
+            (with-git-repository dir
+                `((add "noise 3")
+                  ;; a commit with key2
+                  (commit "commit 3" (signer ,(key-fingerprint key2))))
+              ;; Should fail because it is signed with key2, not key1
+              (check-from "commit 3" #:should-fail? #true)
+              ;; Specify commit 3 as a channel-introduction signed with
+              ;; key2. This is valid, but it should warn the user, because
+              ;; .guix-authorizations is not updated to include key2, which
+              ;; means that any subsequent commits with the same key will be
+              ;; rejected.
+              (set! result
+                    (and (let ((signalled? #false))
+                           (with-exception-handler
+                               (lambda (c)
+                                 (cond
+                                  ((not (warning? c))
+                                   (raise c))
+                                  ((formatted-message? c)
+                                   (format #true "warning (expected): ~a~%"
+                                           (apply format #false
+                                                  (formatted-message-string c)
+                                                  (formatted-message-arguments c)))
+                                   (set! signalled? #true)))
+                                 '())
+                             (lambda ()
+                               (check-from "commit 3" #:key key2)
+                               (unless signalled?
+                                 (format #t "FAILURE: No warning signalled for commit 3~%"))
+                               signalled?)))
+                         result)))
+            (with-git-repository dir
+                `((reset ,(oid->string (commit-id (find-commit repo "commit 2"))))
+                  (add "noise 4")
+                  ;; set it up properly
+                  (add ".guix-authorizations"
+                       ,(object->string
+                         `(authorizations
+                           (version 0)
+                           ((,(key-fingerprint key1) (name "Alice"))
+                            (,(key-fingerprint key2) (name "Bob"))))))
+                  (commit "commit 4" (signer ,(key-fingerprint key2))))
+              ;; This should fail because even though commit 4 adds key2 to
+              ;; .guix-authorizations, the commit itself is not authorized.
+              (check-from "commit 1" #:should-fail? #true)
+              ;; This should pass, because it's a valid channel intro at commit 4
+              (check-from "commit 4" #:key key2))
+            (with-git-repository dir
+                `((add "noise 5")
+                  (commit "commit 5" (signer ,(key-fingerprint key2))))
+              ;; It is not very intuitive why commit 1 and 2 should be trusted
+              ;; at this point: commit 4 has previously been used as a channel
+              ;; intro, thus it got marked as trusted in the ~/.cache/.
+              ;; Because commit 1 and 2 are among its parents, it should also
+              ;; be trusted at this point because of the cache.  Note that
+              ;; it's debatable whether this semantics is a good idea, but
+              ;; this is how git-authenticate is and has been implemented for
+              ;; a while (modulo failing to update the cache in the past when
+              ;; taking certain code paths).
+              (check-from "commit 1")
+              (check-from "commit 2")
+              ;; Should still be fine, but only when starting from commit 4
+              (check-from "commit 4" #:key key2))
+            (with-git-repository dir
+                `((add "noise 6")
+                  (commit "commit 6" (signer ,(key-fingerprint key1))))
+              (check-from "commit 1")
+              (check-from "commit 2")
+              (check-from "commit 4" #:key key2))))))
+    result))
+
 (unless (gpg+git-available?) (test-skip 1))
 (test-assert "signed commits, .guix-authorizations, authorized merge"
   (with-fresh-gnupg-setup (list %ed25519-public-key-file
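Review bot: the `cond` in the exception handler around `(check-from "commit 3" #:key key2)` has no `else` clause, so a condition that satisfies `warning?` but not `formatted-message?` is neither re-raised nor counted: the handler returns `'()`, `signalled?` stays `#false`, and the test prints "No warning signalled for commit 3" even though a warning was delivered. Add an `else` branch that sets `signalled?` (or re-raises with an explanatory message) so that shape is handled explicitly. Returning from the handler is also only valid when the warning is raised continuably; a short comment stating that assumption about `authenticate-repository` next to the handler would help.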
-- 
2.33.0
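As an added illustration (not code from the patch or from Guix), the following Python model replays the commit graph of the new test under the three rules its comments describe, including the cache behaviour discussed above for "commit 1" once "commit 4" has served as a channel intro; key and commit names are constructed stand-ins for fingerprints and object ids, and merges and `#:historical-authorizations` are left out.

```python
# Toy model (added example, not Guix's code) of the rules the test above relies on:
# a regular commit is authorized only if its signer is listed in its *parent's*
# .guix-authorizations; the intro commit is checked only against the expected
# signer (with a warning when that key is absent from the intro's own file); and
# commits reachable from the last authenticated commit (the cache) are skipped.
KEY1, KEY2, KEY3 = "key1", "key2", "key3"  # stand-ins for fingerprints (constructed)

class Commit:
    def __init__(self, name, signer, parent=None, authorizations=None):
        self.name, self.signer, self.parent = name, signer, parent
        # .guix-authorizations is inherited unless this commit rewrites it
        self.auth = authorizations if authorizations is not None else parent.auth

def ancestry(commit):
    return set() if commit is None else {commit.name} | ancestry(commit.parent)

def authenticate(head, intro, expected_signer, cache):
    """Return (ok, warned); on success record HEAD in cache (like ~/.cache/)."""
    if intro.signer != expected_signer:
        return False, False                        # wrong intro signer: reject
    warned = expected_signer not in intro.auth     # later commits by this key will fail
    trusted = ancestry(cache[0]) if cache else set()   # cache marks its ancestry trusted
    path, c = [], head
    while c is not intro:                          # HEAD..intro, newest first
        if c is None:
            return False, warned                   # intro is not an ancestor of HEAD
        path.append(c)
        c = c.parent
    for c in reversed(path):                       # oldest first
        if c.name not in trusted and c.signer not in c.parent.auth:
            return False, warned
    cache[:] = [head]
    return True, warned

def run_scenario():
    """Replays the test's commit graph; maps each check to its (ok, warned)."""
    cache, r = [], {}
    c0 = Commit("commit 0", KEY3, None, frozenset({KEY1, KEY3}))
    c1 = Commit("commit 1", KEY1, c0)
    c2 = Commit("commit 2", KEY1, c1)
    c3 = Commit("commit 3", KEY2, c2)              # key2 is not authorized yet
    r["3 as intro, key1"] = authenticate(c3, c3, KEY1, cache)   # signer mismatch
    r["3 as intro, key2"] = authenticate(c3, c3, KEY2, cache)   # valid, but warns
    c4 = Commit("commit 4", KEY2, c2, frozenset({KEY1, KEY2}))  # after reset to commit 2
    r["1, head 4"] = authenticate(c4, c1, KEY1, cache)          # commit 4 itself unauthorized
    r["4 as intro, key2"] = authenticate(c4, c4, KEY2, cache)   # cache now holds commit 4
    c5 = Commit("commit 5", KEY2, c4)
    r["1, head 5"] = authenticate(c5, c1, KEY1, cache)          # passes thanks to the cache
    r["1, head 5, no cache"] = authenticate(c5, c1, KEY1, [])   # same walk, empty cache
    return r
```

The last two entries show the "debatable" semantics from the comment: the identical walk from "commit 1" passes only because "commit 4" was cached when it served as an intro.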







debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Sep 8 11:23:34 2025; Machine Name: wallace-server
