Add yarn to ensure auditability of 'as' use

2 files changed, 19 insertions, 0 deletions

diff --git a/testing/02-commands-as.yarn b/testing/02-commands-as.yarn
index a10d7a4..3e45781 100644
--- a/testing/02-commands-as.yarn
+++ b/testing/02-commands-as.yarn
@@ -74,3 +74,18 @@ manages to typo a username, they get a useful error message.
       AND stdout is empty
 
     FINALLY the instance is torn down
+
+As well as not leaking information, use of `as` must not thwart auditability,
+so a user with elevated permissions must not be able to frame another user.
+
+    SCENARIO Ensuring 'as' does not thwart auditability
+
+    GIVEN a standard instance
+      AND testinstance has keys called other
+      AND testinstance has keys called sneakybackdoor
+     WHEN testinstance, using adminkey, adds user other, using testinstance other
+      AND testinstance uses their ssh public key called sneakybackdoor as stdin
+      AND testinstance adminkey runs as other sshkey add sneakybackdoor
+      AND server-side gitano-admin reads git object HEAD^{commit}
+     THEN stdout contains Added sneakybackdoor for other
+      AND stdout contains committer Administrator
diff --git a/testing/library.yarn b/testing/library.yarn
index f678056..e25f6ac 100644
--- a/testing/library.yarn
+++ b/testing/library.yarn
@@ -106,6 +106,10 @@ Server-side repository checking for behind-the-scenes work
     cd "$($GTT serverlocation "$MATCH_1")".git
     git fsck
 
+    IMPLEMENTS WHEN server-side ([^ ]+) reads git object (.+)
+    cd "$($GTT serverlocation "$MATCH_1")".git
+    git cat-file -p "$MATCH_2" >"$DATADIR/stdout" 2>"$DATADIR/stderr"
+
 Clone manipulation
 ------------------