]>
Commit | Line | Data |
---|---|---|
a85b377d JH |
1 | #!/bin/sh |
2 | ||
3 | test_description='signed push' | |
4 | ||
5 | . ./test-lib.sh | |
6 | . "$TEST_DIRECTORY"/lib-gpg.sh | |
7 | ||
8 | prepare_dst () { | |
9 | rm -fr dst && | |
10 | test_create_repo dst && | |
11 | ||
12 | git push dst master:noop master:ff master:noff | |
13 | } | |
14 | ||
15 | test_expect_success setup ' | |
16 | # master, ff and noff branches pointing at the same commit | |
17 | test_tick && | |
18 | git commit --allow-empty -m initial && | |
19 | ||
20 | git checkout -b noop && | |
21 | git checkout -b ff && | |
22 | git checkout -b noff && | |
23 | ||
24 | # noop stays the same, ff advances, noff rewrites | |
25 | test_tick && | |
26 | git commit --allow-empty --amend -m rewritten && | |
27 | git checkout ff && | |
28 | ||
29 | test_tick && | |
30 | git commit --allow-empty -m second | |
31 | ' | |
32 | ||
33 | test_expect_success 'unsigned push does not send push certificate' ' | |
34 | prepare_dst && | |
35 | mkdir -p dst/.git/hooks && | |
36 | write_script dst/.git/hooks/post-receive <<-\EOF && | |
37 | # discard the update list | |
38 | cat >/dev/null | |
39 | # record the push certificate | |
40 | if test -n "${GIT_PUSH_CERT-}" | |
41 | then | |
42 | git cat-file blob $GIT_PUSH_CERT >../push-cert | |
43 | fi | |
44 | EOF | |
45 | ||
46 | git push dst noop ff +noff && | |
47 | ! test -f dst/push-cert | |
48 | ' | |
49 | ||
50 | test_expect_success 'talking with a receiver without push certificate support' ' | |
51 | prepare_dst && | |
52 | mkdir -p dst/.git/hooks && | |
a85b377d JH |
53 | write_script dst/.git/hooks/post-receive <<-\EOF && |
54 | # discard the update list | |
55 | cat >/dev/null | |
56 | # record the push certificate | |
57 | if test -n "${GIT_PUSH_CERT-}" | |
58 | then | |
59 | git cat-file blob $GIT_PUSH_CERT >../push-cert | |
60 | fi | |
61 | EOF | |
62 | ||
63 | git push dst noop ff +noff && | |
64 | ! test -f dst/push-cert | |
65 | ' | |
66 | ||
67 | test_expect_success 'push --signed fails with a receiver without push certificate support' ' | |
68 | prepare_dst && | |
69 | mkdir -p dst/.git/hooks && | |
a85b377d JH |
70 | test_must_fail git push --signed dst noop ff +noff 2>err && |
71 | test_i18ngrep "the receiving end does not support" err | |
72 | ' | |
73 | ||
20a7558f JH |
74 | test_expect_success GPG 'no certificate for a signed push with no update' ' |
75 | prepare_dst && | |
76 | mkdir -p dst/.git/hooks && | |
77 | write_script dst/.git/hooks/post-receive <<-\EOF && | |
78 | if test -n "${GIT_PUSH_CERT-}" | |
79 | then | |
80 | git cat-file blob $GIT_PUSH_CERT >../push-cert | |
81 | fi | |
82 | EOF | |
83 | git push dst noop && | |
84 | ! test -f dst/push-cert | |
85 | ' | |
86 | ||
a85b377d JH |
87 | test_expect_success GPG 'signed push sends push certificate' ' |
88 | prepare_dst && | |
89 | mkdir -p dst/.git/hooks && | |
b89363e4 | 90 | git -C dst config receive.certnonceseed sekrit && |
a85b377d JH |
91 | write_script dst/.git/hooks/post-receive <<-\EOF && |
92 | # discard the update list | |
93 | cat >/dev/null | |
94 | # record the push certificate | |
95 | if test -n "${GIT_PUSH_CERT-}" | |
96 | then | |
97 | git cat-file blob $GIT_PUSH_CERT >../push-cert | |
d05b9618 JH |
98 | fi && |
99 | ||
100 | cat >../push-cert-status <<E_O_F | |
101 | SIGNER=${GIT_PUSH_CERT_SIGNER-nobody} | |
102 | KEY=${GIT_PUSH_CERT_KEY-nokey} | |
103 | STATUS=${GIT_PUSH_CERT_STATUS-nostatus} | |
b89363e4 JH |
104 | NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus} |
105 | NONCE=${GIT_PUSH_CERT_NONCE-nononce} | |
d05b9618 JH |
106 | E_O_F |
107 | ||
108 | EOF | |
109 | ||
a85b377d | 110 | git push --signed dst noop ff +noff && |
b89363e4 JH |
111 | |
112 | ( | |
113 | cat <<-\EOF && | |
114 | SIGNER=C O Mitter <committer@example.com> | |
115 | KEY=13B6F51ECDDE430D | |
116 | STATUS=G | |
117 | NONCE_STATUS=OK | |
118 | EOF | |
119 | sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" dst/push-cert | |
120 | ) >expect && | |
121 | ||
8722947e JS |
122 | noop=$(git rev-parse noop) && |
123 | ff=$(git rev-parse ff) && | |
124 | noff=$(git rev-parse noff) && | |
125 | grep "$noop $ff refs/heads/ff" dst/push-cert && | |
126 | grep "$noop $noff refs/heads/noff" dst/push-cert && | |
d05b9618 | 127 | test_cmp expect dst/push-cert-status |
a85b377d JH |
128 | ' |
129 | ||
cbaf82cc JT |
130 | test_expect_success GPG 'inconsistent push options in signed push not allowed' ' |
131 | # First, invoke receive-pack with dummy input to obtain its preamble. | |
132 | prepare_dst && | |
133 | git -C dst config receive.certnonceseed sekrit && | |
134 | git -C dst config receive.advertisepushoptions 1 && | |
135 | printf xxxx | test_might_fail git receive-pack dst >preamble && | |
136 | ||
137 | # Then, invoke push. Simulate a receive-pack that sends the preamble we | |
138 | # obtained, followed by a dummy packet. | |
139 | write_script myscript <<-\EOF && | |
140 | cat preamble && | |
141 | printf xxxx && | |
142 | cat >push | |
143 | EOF | |
144 | test_might_fail git push --push-option="foo" --push-option="bar" \ | |
145 | --receive-pack="\"$(pwd)/myscript\"" --signed dst --delete ff && | |
146 | ||
147 | # Replay the push output on a fresh dst, checking that ff is truly | |
148 | # deleted. | |
149 | prepare_dst && | |
150 | git -C dst config receive.certnonceseed sekrit && | |
151 | git -C dst config receive.advertisepushoptions 1 && | |
152 | git receive-pack dst <push && | |
153 | test_must_fail git -C dst rev-parse ff && | |
154 | ||
155 | # Tweak the push output to make the push option outside the cert | |
156 | # different, then replay it on a fresh dst, checking that ff is not | |
157 | # deleted. | |
158 | perl -pe "s/([^ ])bar/\$1baz/" push >push.tweak && | |
159 | prepare_dst && | |
160 | git -C dst config receive.certnonceseed sekrit && | |
161 | git -C dst config receive.advertisepushoptions 1 && | |
162 | git receive-pack dst <push.tweak >out && | |
163 | git -C dst rev-parse ff && | |
164 | grep "inconsistent push options" out | |
165 | ' | |
166 | ||
b9459019 MG |
167 | test_expect_success GPG 'fail without key and heed user.signingkey' ' |
168 | prepare_dst && | |
169 | mkdir -p dst/.git/hooks && | |
170 | git -C dst config receive.certnonceseed sekrit && | |
171 | write_script dst/.git/hooks/post-receive <<-\EOF && | |
172 | # discard the update list | |
173 | cat >/dev/null | |
174 | # record the push certificate | |
175 | if test -n "${GIT_PUSH_CERT-}" | |
176 | then | |
177 | git cat-file blob $GIT_PUSH_CERT >../push-cert | |
178 | fi && | |
179 | ||
180 | cat >../push-cert-status <<E_O_F | |
181 | SIGNER=${GIT_PUSH_CERT_SIGNER-nobody} | |
182 | KEY=${GIT_PUSH_CERT_KEY-nokey} | |
183 | STATUS=${GIT_PUSH_CERT_STATUS-nostatus} | |
184 | NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus} | |
185 | NONCE=${GIT_PUSH_CERT_NONCE-nononce} | |
186 | E_O_F | |
187 | ||
188 | EOF | |
189 | ||
190 | unset GIT_COMMITTER_EMAIL && | |
191 | git config user.email hasnokey@nowhere.com && | |
192 | test_must_fail git push --signed dst noop ff +noff && | |
193 | git config user.signingkey committer@example.com && | |
194 | git push --signed dst noop ff +noff && | |
195 | ||
196 | ( | |
197 | cat <<-\EOF && | |
198 | SIGNER=C O Mitter <committer@example.com> | |
199 | KEY=13B6F51ECDDE430D | |
200 | STATUS=G | |
201 | NONCE_STATUS=OK | |
202 | EOF | |
203 | sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" dst/push-cert | |
204 | ) >expect && | |
205 | ||
8722947e JS |
206 | noop=$(git rev-parse noop) && |
207 | ff=$(git rev-parse ff) && | |
208 | noff=$(git rev-parse noff) && | |
209 | grep "$noop $ff refs/heads/ff" dst/push-cert && | |
210 | grep "$noop $noff refs/heads/noff" dst/push-cert && | |
b9459019 MG |
211 | test_cmp expect dst/push-cert-status |
212 | ' | |
213 | ||
a85b377d | 214 | test_done |