diff options
Diffstat (limited to 'tests/rep-auth.test')
-rw-r--r-- | tests/rep-auth.test | 634 |
1 files changed, 0 insertions, 634 deletions
diff --git a/tests/rep-auth.test b/tests/rep-auth.test deleted file mode 100644 index 640f828..0000000 --- a/tests/rep-auth.test +++ /dev/null @@ -1,634 +0,0 @@ -# file : tests/rep-auth.test -# copyright : Copyright (c) 2014-2018 Code Synthesis Ltd -# license : MIT; see accompanying LICENSE file - -.include common.test auth.test config.test remote.test - -# There is no rep-auth command, and this testscript contains tests for various -# authentication scenarios throughout different stages of repositories -# preparation and consumption. Note that by that reason usage of $* is -# meaningless. -# - -# Source repository: -# -# rep-auth -# |-- expired -# | |-- foo-1.tar.gz -# | |-- packages.manifest -# | |-- repositories.manifest -# | `-- signature.manifest -# `-- unsigned -# |-- foo-1.tar.gz -# `-- repositories.manifest - -# Prepare repositories used by tests if running in the local mode. -# -+if ($remote != true) - rc = $rep_create 2>! - - # Create the 'unsigned1' repository. - # - cp -r $src/unsigned $out/unsigned1 - $rc $out/unsigned1 &$out/unsigned1/packages.manifest - - # Create the 'unsigned2' repository. This is a copy of the just created - # 'unsigned1' repository. - # - cp -r $out/unsigned1 $out/unsigned2 - - # Create the 'signed' repository. - # - cp -r $src/unsigned $out/signed - cat <<<$cert_manifest >+$out/signed/repositories.manifest - - $rc --key $key $out/signed &$out/signed/packages.manifest \ - &$out/signed/signature.manifest - - # Create the 'self-match' repository. Note that its certificate name is - # the '*build2.org' wildcard (matches build2.org and any single-level - # subdomain). - # - cp -r $src/unsigned $out/self-match - - echo 'certificate: \' >+$out/self-match/repositories.manifest - cat <<<$src_base/auth/self-cert.pem >+$out/self-match/repositories.manifest - echo '\' >+$out/self-match/repositories.manifest - - $rc --key $key $out/self-match &$out/self-match/packages.manifest \ - &$out/self-match/signature.manifest - - # Create the 'self-any-match' repository. Note that its certificate name is - # the '**build2.org' wildcard (matches build2.org and any subdomain). - # - cp -r $src/unsigned $out/self-any-match - - echo 'certificate: \' >+$out/self-any-match/repositories.manifest - cat <<<$src_base/auth/self-any-cert.pem >+$out/self-any-match/repositories.manifest - echo '\' >+$out/self-any-match/repositories.manifest - - $rc --key $key $out/self-any-match &$out/self-any-match/packages.manifest \ - &$out/self-any-match/signature.manifest - - # Create the 'subdomain-match' repository. Note that its certificate name is - # the '*.build2.org' wildcard (matches any single-level subdomain of - # build2.org). - # - cp -r $src/unsigned $out/subdomain-match - - echo 'certificate: \' >+$out/subdomain-match/repositories.manifest - cat <<<$src_base/auth/subdomain-cert.pem >+$out/subdomain-match/repositories.manifest - echo '\' >+$out/subdomain-match/repositories.manifest - - $rc --key $key $out/subdomain-match &$out/subdomain-match/packages.manifest \ - &$out/subdomain-match/signature.manifest - - # Create the 'name-mismatch' repository. Note that its certificate name - # mismatches the repository location. - # - cp -r $src/unsigned $out/name-mismatch - - echo 'certificate: \' >+$out/name-mismatch/repositories.manifest - cat <<<$src_base/auth/mismatch-cert.pem >+$out/name-mismatch/repositories.manifest - echo '\' >+$out/name-mismatch/repositories.manifest - - $rc --key $key $out/name-mismatch &$out/name-mismatch/packages.manifest \ - &$out/name-mismatch/signature.manifest - - # Create the 'expired' repository. This repository is "pre-created" and its - # certificate is expired by now. So we just copy it from the source - # directory. - # - cp -r $src/expired $out/expired - - # Create the 'sha256sum-mismatch' repository. This is a copy of the just - # created 'signed' repository that has the sha256sum manifest value tampered. - # - cp -r $out/signed $out/sha256sum-mismatch - - v = 'd374c59b36fdbdbd0d4468665061d94fda9c6c687863dfe72b0bcc34ff9d5fb4' - - sed -i -e "s/^\(sha256sum: \).*\$/\\1$v/" \ - $out/sha256sum-mismatch/signature.manifest - - # Create the 'signature-mismatch' repository. This is a copy of the just - # created 'signed' repository that has the signature manifest value tampered. - # - cp -r $out/signed $out/signature-mismatch - - # Here we tamper the last signature line (the one of 76 chars length, without - # spaces and terminated with '='). - # - v = 'mnBAsS529NUdNIQy8EB4si/UK26ICaMywbLeHDVvWOB+AsqZ5rj8VjGDamLbmUrDr3ru7BU1gJU=' - sed -i -e "s%^[^ ]{75}=\$%$v%" $out/signature-mismatch/signature.manifest -end - -pkg_status += -d cfg -rep_add += -d cfg 2>! -rep_fetch += -d cfg - -# Check if rep-fetch command was successfull or not. -# -fetched = $pkg_status foo >'foo available 1' -not_fetched = $pkg_status foo >'foo unknown' - -sc = " " # Space character to append to here-document line when required. - -: no-auth -: -: Test that local repositories do not require authentication by default. -: -{ - r = 1/signed - +mkdir 1/ - +cp -r $src/unsigned $r - +cat <<<$cert_manifest >+$r/repositories.manifest - +$rep_create --key $key $r &$r/packages.manifest &$r/signature.manifest 2>! - - : rep-fetch - : - { - $clone_root_cfg && $rep_add ../$r; - - $rep_fetch 2>>/~%EOE% - %fetching .+/no-auth/signed% - 1 package(s) in 1 repository(s) - EOE - } - - : rep-info - : - $clone_root_cfg; - $rep_info --cert-name ../$r >'name:build2.org' -} - -: signed -: -{ - : rep-fetch - : - { - +$clone_root_cfg && $rep_add $rep/signed - rep_fetch += --auth all &?cfg/.bpkg/certs/** - - : no-auth - : - { - $clone_cfg; - - $rep_fetch 2>>"EOE" != 0; - fetching pkg:build2.org/rep-auth/signed - warning: authenticity of the certificate for repository pkg:build2.org/rep-auth/signed cannot be established - certificate is for build2.org, "Code Synthesis" <info@build2.org> - certificate SHA256 fingerprint: - $cert_fp - trust this certificate? [y/n]$sc - error: unable to read y/n answer from stdin - EOE - - $not_fetched - } - - : trust-fp - : - { - $clone_cfg; - - $rep_fetch --trust $cert_fp 2>>EOE; - fetching pkg:build2.org/rep-auth/signed - 1 package(s) in 1 repository(s) - EOE - - $fetched - } - - : trust-fp-no - : - { - $clone_cfg; - - $rep_fetch --trust-no --trust $cert_fp 2>>EOE; - fetching pkg:build2.org/rep-auth/signed - 1 package(s) in 1 repository(s) - EOE - - $fetched - } - - : trust-yes - : - { - $clone_cfg; - - $rep_fetch --trust-yes 2>>EOE; - fetching pkg:build2.org/rep-auth/signed - 1 package(s) in 1 repository(s) - EOE - - $fetched - } - - : trust-no - : - { - $clone_cfg; - - $rep_fetch --trust-no 2>>EOE != 0; - fetching pkg:build2.org/rep-auth/signed - error: authenticity of the certificate for repository pkg:build2.org/rep-auth/signed cannot be established - EOE - - $not_fetched - } - - : trust-yes-no - : - { - $clone_cfg; - - $rep_fetch --trust-yes --trust-no 2>>EOE != 0; - fetching pkg:build2.org/rep-auth/signed - error: --trust-yes and --trust-no are mutually exclusive - EOE - - $not_fetched - } - - : already-trusted - : - { - $clone_cfg; - - $rep_fetch --trust-yes 2>>EOE; - fetching pkg:build2.org/rep-auth/signed - 1 package(s) in 1 repository(s) - EOE - - $rep_fetch 2>>EOE; - fetching pkg:build2.org/rep-auth/signed - 1 package(s) in 1 repository(s) - EOE - - $fetched; - - $rep_fetch --trust-no 2>>EOE; - fetching pkg:build2.org/rep-auth/signed - 1 package(s) in 1 repository(s) - EOE - - $fetched - } - } - - : rep-info - : - { - rep_info += --cert-name --auth all $rep/signed - - : no-auth - : - $rep_info 2>>"EOE" != 0 - warning: authenticity of the certificate for repository pkg:build2.org/rep-auth/signed cannot be established - certificate is for build2.org, "Code Synthesis" <info@build2.org> - certificate SHA256 fingerprint: - $cert_fp - trust this certificate? [y/n]$sc - error: unable to read y/n answer from stdin - EOE - - : trust-fp - : - $rep_info --trust $cert_fp >'name:build2.org' - - : trust-yes - : - $rep_info --trust-yes >'name:build2.org' - - : trust-no - : - $rep_info --trust-no 2>>EOE != 0 - error: authenticity of the certificate for repository pkg:build2.org/rep-auth/signed cannot be established - EOE - - : already-trusted - : - { - $clone_root_cfg; - rep_info += -d cfg; - - $rep_info --trust "$cert_fp" &cfg/.bpkg/certs/** >>EOO; - name:build2.org - EOO - - $rep_info >'name:build2.org' - } - } - - : subdomain-wildcard - : - { - rep_info += --auth all --trust-yes --cert-name - - : self - : - { - : exact - : - $rep_info $rep/self-match >'name:*build2.org' - - : subdomain - : - if ($remote != true) - { - : first-level - : - { - r = $canonicalize([dir_path] $~/pkg/1/a.build2.org/); - mkdir -p $r; - cp -r $rep/self-match $r; - - $rep_info $r/self-match >'name:*build2.org' - } - - : second-level - : - { - r = $canonicalize([dir_path] $~/pkg/1/b.a.build2.org/); - mkdir -p $r; - cp -r $rep/self-match $r; - - $rep_info $r/self-match 2>>EOE != 0 - error: certificate name mismatch for repository pkg:b.a.build2.org/self-match - info: certificate name is *build2.org - EOE - } - } - } - - : self-any - : - { - : exact - : - $rep_info $rep/self-any-match >'name:**build2.org' - - : subdomain - : - if ($remote != true) - { - : first-level - : - { - r = $canonicalize([dir_path] $~/pkg/1/a.build2.org/); - mkdir -p $r; - cp -r $rep/self-any-match $r; - - $rep_info $r/self-any-match >'name:**build2.org' - } - - : second-level - : - { - r = $canonicalize([dir_path] $~/pkg/1/b.a.build2.org/); - mkdir -p $r; - cp -r $rep/self-any-match $r; - - $rep_info $r/self-any-match >'name:**build2.org' - } - } - } - - : subdomain - : - { - : exact - : - $rep_info $rep/subdomain-match 2>>EOE != 0 - error: certificate name mismatch for repository pkg:build2.org/rep-auth/subdomain-match - info: certificate name is *.build2.org - EOE - - : subdomain - : - if ($remote != true) - { - : first-level - : - { - r = $canonicalize([dir_path] $~/pkg/1/a.build2.org/); - mkdir -p $r; - cp -r $rep/subdomain-match $r; - - $rep_info $r/subdomain-match >'name:*.build2.org' - } - - : second-level - : - { - r = $canonicalize([dir_path] $~/pkg/1/b.a.build2.org/); - mkdir -p $r; - cp -r $rep/subdomain-match $r; - - $rep_info $r/subdomain-match 2>>EOE != 0 - error: certificate name mismatch for repository pkg:b.a.build2.org/subdomain-match - info: certificate name is *.build2.org - EOE - } - } - } - } -} - -: unsigned -: -{ - : rep-fetch - : - { - +$clone_root_cfg && $rep_add $rep/unsigned1 - rep_fetch += --auth all - - : no-auth - : - { - $clone_cfg; - - $rep_fetch 2>>~%EOE% != 0; - fetching pkg:build2.org/rep-auth/unsigned1 - warning: repository pkg:build2.org/rep-auth/unsigned1 is unsigned - %continue without authenticating repositories at .+\? \[y/n\] % - error: unable to read y/n answer from stdin - EOE - - $not_fetched - } - - : trust-yes - : - { - $clone_cfg; - - $rep_fetch --trust-yes 2>>EOE; - fetching pkg:build2.org/rep-auth/unsigned1 - 1 package(s) in 1 repository(s) - EOE - - $fetched - } - - : trust-no - : - { - $clone_cfg; - - $rep_fetch --trust-no 2>>EOE != 0; - fetching pkg:build2.org/rep-auth/unsigned1 - error: repository pkg:build2.org/rep-auth/unsigned1 is unsigned - EOE - - $not_fetched - } - - : already-trusted - : - { - $clone_cfg; - - $rep_fetch --trust-yes 2>>EOE; - fetching pkg:build2.org/rep-auth/unsigned1 - 1 package(s) in 1 repository(s) - EOE - - $rep_fetch 2>>EOE; - fetching pkg:build2.org/rep-auth/unsigned1 - 1 package(s) in 1 repository(s) - EOE - - $fetched; - - $rep_fetch --trust-no 2>>EOE; - fetching pkg:build2.org/rep-auth/unsigned1 - 1 package(s) in 1 repository(s) - EOE - - $fetched; - - $rep_add $rep/unsigned2; - - $rep_fetch 2>>EOE; - fetching pkg:build2.org/rep-auth/unsigned1 - fetching pkg:build2.org/rep-auth/unsigned2 - 1 package(s) in 2 repository(s) - EOE - - $fetched - } - } - - : rep-info - : - { - rep_info += --name --auth all $rep/unsigned1 - - : no-auth - : - $rep_info 2>>~%EOE% != 0 - warning: repository pkg:build2.org/rep-auth/unsigned1 is unsigned - %continue without authenticating repositories at .+\? \[y/n\] % - error: unable to read y/n answer from stdin - EOE - - : trust-yes - : - $rep_info --trust-yes >>"EOO" - pkg:build2.org/rep-auth/unsigned1 ($rep/unsigned1) - EOO - - : trust-no - : - $rep_info --trust-no 2>>EOE != 0 - error: repository pkg:build2.org/rep-auth/unsigned1 is unsigned - EOE - - : already-trusted - : - { - $clone_root_cfg; - rep_info += -d cfg; - - $rep_info --trust-yes >>"EOO"; - pkg:build2.org/rep-auth/unsigned1 ($rep/unsigned1) - EOO - $rep_info >>"EOO" - pkg:build2.org/rep-auth/unsigned1 ($rep/unsigned1) - EOO - } - } -} - -: faulty -: -{ - rep_info += --auth all --trust-yes - - : name-mismatch - : - $rep_info $rep/name-mismatch 2>>EOE != 0 - error: certificate name mismatch for repository pkg:build2.org/rep-auth/name-mismatch - info: certificate name is build2.org/mismatched/name - EOE - - : expired - : - $rep_info $rep/expired 2>>EOE != 0 - error: certificate for repository pkg:build2.org/rep-auth/expired has expired - EOE - - : sha256sum-mismatch - : - $rep_info $rep/sha256sum-mismatch 2>>EOE != 0 - error: packages manifest file checksum mismatch for pkg:build2.org/rep-auth/sha256sum-mismatch - info: try again - EOE - - : signature-mismatch - : - $rep_info $rep/signature-mismatch 2>>~%EOE% != 0 - %.* - %error: unable to authenticate repository pkg:build2.org/rep-auth/signature-mismatch: .*% - EOE - - : create-rep - : - { - : no-email - : - { - cp -r $src/unsigned rep; - - echo 'certificate: \' >+rep/repositories.manifest; - cat <<<$src_base/auth/noemail-cert.pem >+rep/repositories.manifest; - echo '\' >+rep/repositories.manifest; - - $rep_create --key $key rep &rep/packages.manifest 2>>/EOE != 0 - added foo 1 - error: invalid certificate for rep/: no email - EOE - } - - : expired - : - { - cp -r $src/unsigned rep; - - echo 'certificate: \' >+rep/repositories.manifest; - cat <<<$src_base/auth/expired-cert.pem >+rep/repositories.manifest; - echo '\' >+rep/repositories.manifest; - - $rep_create --key $key rep &rep/packages.manifest 2>>/EOE != 0 - added foo 1 - error: certificate for repository rep/ has expired - EOE - } - } -} |