From d4e409e3ceb7eadd9cf94b1d1f99ac04fec570ee Mon Sep 17 00:00:00 2001
From: Karen Arutyunov <karen@codesynthesis.com>
Date: Wed, 2 May 2018 20:02:09 +0300
Subject: Add support for dependent repository trust

---
 tests/common/git/state0/libbar.tar      | Bin 71680 -> 71680 bytes
 tests/common/git/state0/libfoo.tar      | Bin 307200 -> 317440 bytes
 tests/common/git/state0/libfox.tar      | Bin 133120 -> 133120 bytes
 tests/common/git/state0/style-basic.tar | Bin 71680 -> 71680 bytes
 tests/common/git/state0/style.tar       | Bin 133120 -> 133120 bytes
 tests/common/git/state1/libbaz.tar      | Bin 61440 -> 61440 bytes
 tests/common/git/state1/libfoo.tar      | Bin 389120 -> 389120 bytes
 tests/common/git/state1/libfox.tar      | Bin 133120 -> 133120 bytes
 tests/common/git/state1/style-basic.tar | Bin 71680 -> 71680 bytes
 tests/common/git/state1/style.tar       | Bin 133120 -> 133120 bytes
 tests/rep-fetch.test                    | 128 +++++++++++++++++++++++++++++++-
 11 files changed, 125 insertions(+), 3 deletions(-)

(limited to 'tests')

diff --git a/tests/common/git/state0/libbar.tar b/tests/common/git/state0/libbar.tar
index 1db19e5..791d8f2 100644
Binary files a/tests/common/git/state0/libbar.tar and b/tests/common/git/state0/libbar.tar differ
diff --git a/tests/common/git/state0/libfoo.tar b/tests/common/git/state0/libfoo.tar
index b2fa494..e6bb1c2 100644
Binary files a/tests/common/git/state0/libfoo.tar and b/tests/common/git/state0/libfoo.tar differ
diff --git a/tests/common/git/state0/libfox.tar b/tests/common/git/state0/libfox.tar
index fe226a3..31dda5a 100644
Binary files a/tests/common/git/state0/libfox.tar and b/tests/common/git/state0/libfox.tar differ
diff --git a/tests/common/git/state0/style-basic.tar b/tests/common/git/state0/style-basic.tar
index 63904e2..098e0ff 100644
Binary files a/tests/common/git/state0/style-basic.tar and b/tests/common/git/state0/style-basic.tar differ
diff --git a/tests/common/git/state0/style.tar b/tests/common/git/state0/style.tar
index 8c6c6ea..5ad84da 100644
Binary files a/tests/common/git/state0/style.tar and b/tests/common/git/state0/style.tar differ
diff --git a/tests/common/git/state1/libbaz.tar b/tests/common/git/state1/libbaz.tar
index 7ca795c..cd2d215 100644
Binary files a/tests/common/git/state1/libbaz.tar and b/tests/common/git/state1/libbaz.tar differ
diff --git a/tests/common/git/state1/libfoo.tar b/tests/common/git/state1/libfoo.tar
index af5212b..57befb1 100644
Binary files a/tests/common/git/state1/libfoo.tar and b/tests/common/git/state1/libfoo.tar differ
diff --git a/tests/common/git/state1/libfox.tar b/tests/common/git/state1/libfox.tar
index 6e108ba..648811f 100644
Binary files a/tests/common/git/state1/libfox.tar and b/tests/common/git/state1/libfox.tar differ
diff --git a/tests/common/git/state1/style-basic.tar b/tests/common/git/state1/style-basic.tar
index cd6416e..ab302de 100644
Binary files a/tests/common/git/state1/style-basic.tar and b/tests/common/git/state1/style-basic.tar differ
diff --git a/tests/common/git/state1/style.tar b/tests/common/git/state1/style.tar
index d2c2a70..7772b98 100644
Binary files a/tests/common/git/state1/style.tar and b/tests/common/git/state1/style.tar differ
diff --git a/tests/rep-fetch.test b/tests/rep-fetch.test
index 6f563d4..2264462 100644
--- a/tests/rep-fetch.test
+++ b/tests/rep-fetch.test
@@ -79,7 +79,21 @@
   # Create 'foo/*' repositories.
   #
   cp -r $src/foo $out/foo
-  $rep_create $out/foo/stable  &$out/foo/stable/packages.manifest
+
+  # Sign foo/stable repository.
+  #
+  cat <<<$cert_manifest >+$out/foo/stable/repositories.manifest
+  $rep_create --key $key $out/foo/stable &$out/foo/stable/packages.manifest \
+                                         &$out/foo/stable/signature.manifest
+
+  # Add dependent trust to foo complement repository into the foo/testing
+  # repository manifest.
+  #
+  tv = "trust: $cert_fp
+:"
+
+  sed -i -e "s/^\(:\)\$/$tv/" $out/foo/testing/repositories.manifest
+
   $rep_create $out/foo/testing &$out/foo/testing/packages.manifest
 
   # Create 'bar/*' repositories.
@@ -154,7 +168,7 @@ $* 2>>/EOE != 0
   {
     $clone_root_cfg && $rep_add $rep/bar/unstable;
 
-    $* --trust-yes 2>>EOE;
+    $* --trust-yes 2>>EOE &cfg/.bpkg/certs/**;
       fetching pkg:build2.org/rep-fetch/bar/unstable
       fetching pkg:build2.org/rep-fetch/bar/testing (complements pkg:build2.org/rep-fetch/bar/unstable)
       fetching pkg:build2.org/rep-fetch/bar/stable (complements pkg:build2.org/rep-fetch/bar/testing)
@@ -204,7 +218,7 @@ $* 2>>/EOE != 0
   {
     $clone_root_cfg;
 
-    $* --trust-yes $rep/bar/unstable 2>>EOE;
+    $* --trust-yes $rep/bar/unstable 2>>EOE &cfg/.bpkg/certs/**;
       added pkg:build2.org/rep-fetch/bar/unstable
       fetching pkg:build2.org/rep-fetch/bar/testing (complements pkg:build2.org/rep-fetch/bar/unstable)
       fetching pkg:build2.org/rep-fetch/bar/stable (complements pkg:build2.org/rep-fetch/bar/testing)
@@ -325,6 +339,114 @@ $* 2>>/EOE != 0
         EOO
     }
   }
+
+  : use-auth
+  :
+  {
+    : dependent-trust
+    :
+    : Test that the certificate of foo/stable complement repository is
+    : silently authenticated for use by the dependent foo/testing repository.
+    : In this case the certificate is not saved into the database (see the
+    : subsequent 'rep-fetch $rep/foo/stable' test) and certificate file is not
+    : persisted (otherwise cleanup of non-empty cfg/ directory would fail).
+    :
+    {
+      $clone_root_cfg;
+
+      $* --verbose 2 $rep/foo/testing <'y' 2>>~%EOE%;
+        added pkg:build2.org/rep-fetch/foo/testing
+        %.*
+        warning: repository pkg:build2.org/rep-fetch/foo/testing is unsigned
+        %continue without authenticating repositories at .+\? \[y/n\] .+%
+        %.+
+        info: certificate for repository pkg:build2.org/rep-fetch/foo/stable authenticated by dependent trust
+        %.+
+        2 package(s) in 2 repository(s)
+        EOE
+
+      $* $rep/foo/stable 2>>~%EOE% != 0
+        %.+
+        warning: authenticity of the certificate for repository pkg:build2.org/rep-fetch/foo/stable cannot be established
+        %.+
+        EOE
+    }
+
+    : dependent-command-line
+    :
+    : Test that the certificate of foo/stable complement repository is
+    : authenticated for use by the command line (persisted into the database
+    : and the filesystem) rather than dependent trust.
+    :
+    {
+      $clone_root_cfg;
+
+      $* --trust $cert_fp --verbose 2 $rep/foo/testing <'y' 2>>~%EOE% &cfg/.bpkg/certs/**
+        added pkg:build2.org/rep-fetch/foo/testing
+        %.*
+        warning: repository pkg:build2.org/rep-fetch/foo/testing is unsigned
+        %continue without authenticating repositories at .+\? \[y/n\] .+%
+        %.+
+        info: certificate for repository pkg:build2.org/rep-fetch/foo/stable authenticated by command line
+        %.+
+        2 package(s) in 2 repository(s)
+        EOE
+    }
+
+    : dependent-trust-prompt
+    :
+    : Test that the certificate of foo/stable repository is first authenticated
+    : for use by the dependent foo/test repository and then by the user (via
+    : the prompt) as a top-level repository during a single rep-fetch
+    : operation.
+    :
+    {
+      yy = 'y
+y'
+      $clone_root_cfg;
+
+      $* --verbose 2 $rep/foo/testing $rep/foo/stable <$yy 2>>~%EOE% &cfg/.bpkg/certs/**
+        added pkg:build2.org/rep-fetch/foo/testing
+        added pkg:build2.org/rep-fetch/foo/stable
+        fetching pkg:build2.org/rep-fetch/foo/testing
+        %.*
+        warning: repository pkg:build2.org/rep-fetch/foo/testing is unsigned
+        %continue without authenticating repositories at .+\? \[y/n\] .+%
+        %.+
+        info: certificate for repository pkg:build2.org/rep-fetch/foo/stable authenticated by dependent trust
+        %.+
+        warning: authenticity of the certificate for repository pkg:build2.org/rep-fetch/foo/stable cannot be established
+        certificate is for build2.org, "Code Synthesis" <info@build2.org>
+        %.+
+        %.+2 package\(s\) in 2 repository\(s\)%
+        EOE
+    }
+
+    : command-line-dependent-noop
+    :
+    : Test that the certificate of foo/stable repository is first authenticated
+    : by the user (via the command line) as a top-level repository and so
+    : authentication for use by the dependent foo/test is noop.
+    :
+    {
+      $clone_root_cfg;
+
+      $* --trust $cert_fp --verbose 2 $rep/foo/stable $rep/foo/testing <'y' 2>>~%EOE% &cfg/.bpkg/certs/**
+        added pkg:build2.org/rep-fetch/foo/stable
+        added pkg:build2.org/rep-fetch/foo/testing
+        fetching pkg:build2.org/rep-fetch/foo/stable
+        %.+
+        info: certificate for repository pkg:build2.org/rep-fetch/foo/stable authenticated by command line
+        %.+
+        fetching pkg:build2.org/rep-fetch/foo/testing
+        %.*
+        warning: repository pkg:build2.org/rep-fetch/foo/testing is unsigned
+        %continue without authenticating repositories at .+\? \[y/n\] .+%
+        %.*
+        2 package(s) in 2 repository(s)
+        EOE
+    }
+  }
 }
 
 : dir-rep
-- 
cgit v1.1