author | Daniel Silverstone <dsilvers@digital-scurf.org> | 2017-01-02 14:27:57 +0000 |
---|---|---|
committer | Daniel Silverstone <dsilvers@digital-scurf.org> | 2017-01-02 14:27:57 +0000 |
commit | e2d36d9ea5b0ff1b59b33300c2174b95b9d1b562 (patch) | |
tree | 466dbfaeefbb081ebf7c5588ecf203022b7712a3 /testing | |
parent | 2b35f1709bfafc56fc5f9c416da277ba63c61e43 (diff) | |
download | gitano-e2d36d9ea5b0ff1b59b33300c2174b95b9d1b562.tar.gz |
Complete cleanups that Richard started
Diffstat (limited to 'testing')
-rw-r--r-- | testing/02-commands-as.yarn | 62 | ||||
-rw-r--r-- | testing/02-commands-copy.yarn | 36 | ||||
-rw-r--r-- | testing/02-commands-count-objects.yarn | 23 | ||||
-rw-r--r-- | testing/02-commands-create.yarn | 27 | ||||
-rw-r--r-- | testing/02-commands-destroy.yarn | 56 | ||||
-rw-r--r-- | testing/02-commands-fsck.yarn | 50 | ||||
-rw-r--r-- | testing/02-commands-gc.yarn | 58 |
7 files changed, 158 insertions, 154 deletions
diff --git a/testing/02-commands-as.yarn b/testing/02-commands-as.yarn index 44d21da..7eb6b04 100644 --- a/testing/02-commands-as.yarn +++ b/testing/02-commands-as.yarn 
@@ -12,32 +12,32 @@ Verification of `as` in the simple case In the simple case, `as` is being called by someone who has permission to do so, on behalf of a user which exists and can be used. - SCENARIO Default case for as + SCENARIO Default case for as - GIVEN a standard instance - AND testinstance has keys called other - WHEN testinstance, using adminkey, adds user other, using testinstance other - AND testinstance adminkey runs as other whoami - THEN stdout contains other - AND stdout does not contain gitano-admin + GIVEN a standard instance + AND testinstance has keys called other + WHEN testinstance, using adminkey, adds user other, using testinstance other + AND testinstance adminkey runs as other whoami + THEN stdout contains other + AND stdout does not contain gitano-admin The other trivial case is that a user without permission tries to run `as`. - WHEN testinstance other, expecting failure, runs as other whoami - THEN stdout is empty - AND stderr contains Ruleset denied action + WHEN testinstance other, expecting failure, runs as other whoami + THEN stdout is empty + AND stderr contains Ruleset denied action AND stderr contains exit:1 The final trivial case is that a user which can run `as` cannot use it to run `as`. - WHEN testinstance adminkey, expecting failure, runs as other as other whoami - THEN stdout is empty - AND stderr contains Cannot use 'as' to run 'as' - AND stderr contains Validation of command line failed - AND stderr contains exit:1 + WHEN testinstance adminkey, expecting failure, runs as other as other whoami + THEN stdout is empty + AND stderr contains Cannot use 'as' to run 'as' + AND stderr contains Validation of command line failed + AND stderr contains exit:1 - FINALLY the instance is torn down + FINALLY the instance is torn down Security-related cases for `as` invocation ------------------------------------------ 
@@ -53,24 +53,24 @@ which does not exist. It is critical that this simply be reported as a lack of permission to run any command, and not leak that the target user does not exist in any way. - SCENARIO Ensuring 'as' does not leak user presence + SCENARIO Ensuring 'as' does not leak user presence - GIVEN a standard instance - AND testinstance has keys called other - WHEN testinstance, using adminkey, adds user other, using testinstance other - AND testinstance adminkey runs as other whoami - THEN stderr is empty - WHEN testinstance other, expecting failure, runs as badger whoami - THEN stdout is empty - AND stderr does not contain badger + GIVEN a standard instance + AND testinstance has keys called other + WHEN testinstance, using adminkey, adds user other, using testinstance other + AND testinstance adminkey runs as other whoami + THEN stderr is empty + WHEN testinstance other, expecting failure, runs as badger whoami + THEN stdout is empty + AND stderr does not contain badger Finally we ensure that when a user who may run `as` commands does so, but manages to typo a username, they get a useful error message. - WHEN testinstance adminkey, expecting failure, runs as badger whoami - THEN stderr contains badger - AND stderr contains does not exist - AND stderr contains exit:1 - AND stdout is empty + WHEN testinstance adminkey, expecting failure, runs as badger whoami + THEN stderr contains badger + AND stderr contains does not exist + AND stderr contains exit:1 + AND stdout is empty - FINALLY the instance is torn down + FINALLY the instance is torn down diff --git a/testing/02-commands-copy.yarn b/testing/02-commands-copy.yarn index 89a1d0a..b1a8b82 100644 --- a/testing/02-commands-copy.yarn +++ b/testing/02-commands-copy.yarn 
@@ -15,40 +15,40 @@ This requires many round trips and sending the entire repository's contents across the internet twice, so there's use for server-side clone operation. - SCENARIO server-side clone - GIVEN a standard instance + SCENARIO server-side clone + GIVEN a standard instance Users may copy repositories they can read to paths they can write to. - WHEN testinstance adminkey runs copy gitano-admin public/testrepo - THEN server-side public/testrepo has identical refs to gitano-admin - AND server-side public/testrepo has no missing objects + WHEN testinstance adminkey runs copy gitano-admin public/testrepo + THEN server-side public/testrepo has identical refs to gitano-admin + AND server-side public/testrepo has no missing objects Users may not copy repositories they can to read to paths they cannot write to. - GIVEN a unix user called alice - AND alice has keys called main - WHEN testinstance, using adminkey, adds user alice, using alice main + GIVEN a unix user called alice + AND alice has keys called main + WHEN testinstance, using adminkey, adds user alice, using alice main In the default instance only the admin user may create repositories, so all copies by other users will fail. - GIVEN testinstance adminkey has set the owner of public/testrepo to alice - WHEN alice main, expecting failure, runs copy public/testrepo personal/testinstance/ - THEN stderr contains FATAL: Not authorised + GIVEN testinstance adminkey has set the owner of public/testrepo to alice + WHEN alice main, expecting failure, runs copy public/testrepo personal/testinstance/ + THEN stderr contains FATAL: Not authorised Users may copy repositories where they may write to the destination path, but will be unable to do so if the repository already exists. 
- GIVEN testinstance using adminkey has patched gitano-admin with personal-repo-create.patch - WHEN alice main runs create personal/alice/testrepo - AND alice main, expecting failure, runs copy public/testrepo personal/alice/testrepo - THEN stderr contains ERROR: Repository personal/alice/testrepo already exists + GIVEN testinstance using adminkey has patched gitano-admin with personal-repo-create.patch + WHEN alice main runs create personal/alice/testrepo + AND alice main, expecting failure, runs copy public/testrepo personal/alice/testrepo + THEN stderr contains ERROR: Repository personal/alice/testrepo already exists Users may not copy to paths they may not write to and are not informed if the path already exists if they cannot read it. - WHEN alice main, expecting failure, runs copy user/alice/testrepo gitano-admin - THEN stderr does not contain ERROR: Repository gitano-admin already exists + WHEN alice main, expecting failure, runs copy user/alice/testrepo gitano-admin + THEN stderr does not contain ERROR: Repository gitano-admin already exists - FINALLY the instance is torn down + FINALLY the instance is torn down diff --git a/testing/02-commands-count-objects.yarn b/testing/02-commands-count-objects.yarn index eb7e74e..7d958d5 100644 --- a/testing/02-commands-count-objects.yarn +++ b/testing/02-commands-count-objects.yarn 
@@ -1,19 +1,20 @@ <!-- -*- markdown -*- --> - SCENARIO counting objects - GIVEN a standard instance - AND a unix user called alice - AND alice has keys called main - WHEN testinstance, using adminkey, adds user alice, using alice main + SCENARIO counting objects + + GIVEN a standard instance + AND a unix user called alice + AND alice has keys called main + WHEN testinstance, using adminkey, adds user alice, using alice main We can't count objects for a repository we can't read, since that would be an information leak that the repository exists. - WHEN alice main, expecting failure, runs count-objects gitano-admin - THEN stderr contains CRIT: Ruleset denied action. + WHEN alice main, expecting failure, runs count-objects gitano-admin + THEN stderr contains CRIT: Ruleset denied action. - WHEN testinstance adminkey runs count-objects gitano-admin - THEN stdout contains objects - AND stdout contains bytes + WHEN testinstance adminkey runs count-objects gitano-admin + THEN stdout contains objects + AND stdout contains bytes - FINALLY the instance is torn down + FINALLY the instance is torn down diff --git a/testing/02-commands-create.yarn b/testing/02-commands-create.yarn index d62bf18..2dec466 100644 --- a/testing/02-commands-create.yarn +++ b/testing/02-commands-create.yarn 
@@ -1,19 +1,20 @@ <!-- -*- markdown -*- --> - SCENARIO user-created repositories - GIVEN a standard instance - AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch - AND a unix user called alice - AND alice has keys called main - WHEN testinstance, using adminkey, adds user alice, using alice main - AND alice main runs create personal/alice/testrepo - AND alice main runs config personal/alice/testrepo show - THEN stderr is empty - AND stdout contains project.owner: alice + SCENARIO user-created repositories + + GIVEN a standard instance + AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch + AND a unix user called alice + AND alice has keys called main + WHEN testinstance, using adminkey, adds user alice, using alice main + AND alice main runs create personal/alice/testrepo + AND alice main runs config personal/alice/testrepo show + THEN stderr is empty + AND stdout contains project.owner: alice May not create repositories elsewhere. - WHEN alice main, expecting failure, runs create personal/testintance/testrepo - THEN stderr contains CRIT: Repository creation is not permitted. + WHEN alice main, expecting failure, runs create personal/testintance/testrepo + THEN stderr contains CRIT: Repository creation is not permitted. - FINALLY the instance is torn down + FINALLY the instance is torn down diff --git a/testing/02-commands-destroy.yarn b/testing/02-commands-destroy.yarn index 9ea9a44..da2d74f 100644 --- a/testing/02-commands-destroy.yarn +++ b/testing/02-commands-destroy.yarn 
@@ -1,16 +1,17 @@ <!-- -*- markdown -*- --> - SCENARIO repository destruction - GIVEN a standard instance - AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch - AND a unix user called alice - AND alice has keys called main - WHEN testinstance, using adminkey, adds user alice, using alice main + SCENARIO repository destruction + + GIVEN a standard instance + AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch + AND a unix user called alice + AND alice has keys called main + WHEN testinstance, using adminkey, adds user alice, using alice main We obviously can't destroy a repository that doesn't exist. - WHEN alice main, expecting failure, runs destroy personal/alice/testrepo --force - THEN stderr contains ERROR: Cannot destroy a repository which does not exist + WHEN alice main, expecting failure, runs destroy personal/alice/testrepo --force + THEN stderr contains ERROR: Cannot destroy a repository which does not exist But the error message must be helpful and not an information leak. So if the user is permitted to know that repository exists 
@@ -18,18 +19,18 @@ we can tell them that it failed because it does not exist, but if the user is not permitted to know the repository exists, then we must tell them it failed because they weren't permitted. - WHEN alice main, expecting failure, runs destroy gitano-admin --force - THEN stderr does not contain ERROR: Cannot destroy a repository which does not exist - AND stderr contains CRIT: You may not destroy repositories you do not own + WHEN alice main, expecting failure, runs destroy gitano-admin --force + THEN stderr does not contain ERROR: Cannot destroy a repository which does not exist + AND stderr contains CRIT: You may not destroy repositories you do not own Repositories writable by the user can be destroyed by the user. - WHEN alice main runs create personal/alice/testrepo - AND alice main runs ls - THEN stdout contains personal/alice/testrepo - WHEN alice main runs destroy personal/alice/testrepo --force - AND alice main runs ls - THEN stdout does not contain personal/alice/testrepo + WHEN alice main runs create personal/alice/testrepo + AND alice main runs ls + THEN stdout contains personal/alice/testrepo + WHEN alice main runs destroy personal/alice/testrepo --force + AND alice main runs ls + THEN stdout does not contain personal/alice/testrepo Use of `--force` is dangerous as the user has no way of knowing whether another user pushed to the repository since they last used it. 
@@ -37,17 +38,18 @@ whether another user pushed to the repository since they last used it. If not passed then the first time a destroy is attempted it provides a token, which will do the delete if the token is still valid when passed to destroy. - WHEN alice main runs create personal/alice/testrepo - AND alice main runs ls - THEN stdout contains personal/alice/testrepo - WHEN alice main runs destroy personal/alice/testrepo - THEN stdout contains re-run your command with the following confirmation token - GIVEN the token is saved as delete - WHEN testinstance adminkey runs config personal/alice/testrepo set project.description Foo - AND alice using main, expecting failure, destroys personal/alice/testrepo using the delete token - THEN stderr contains ERROR: Confirmation token does not match, refusing to destroy + WHEN alice main runs create personal/alice/testrepo + AND alice main runs ls + THEN stdout contains personal/alice/testrepo + WHEN alice main runs destroy personal/alice/testrepo + THEN stdout contains re-run your command with the following confirmation token + + GIVEN the token is saved as delete + WHEN testinstance adminkey runs config personal/alice/testrepo set project.description Foo + AND alice using main, expecting failure, destroys personal/alice/testrepo using the delete token + THEN stderr contains ERROR: Confirmation token does not match, refusing to destroy This is to prevent deleting a repository that someone has just pushed to and losing their changes. - FINALLY the instance is torn down + FINALLY the instance is torn down diff --git a/testing/02-commands-fsck.yarn b/testing/02-commands-fsck.yarn index a3585e5..fc4e166 100644 --- a/testing/02-commands-fsck.yarn +++ b/testing/02-commands-fsck.yarn 
@@ -13,21 +13,21 @@ Simple `fsck` usage In the simple case a `gitano-admin` runs `fsck` against a repository which definitely exists and as they are `gitano-admin` they have write access. - SCENARIO Simple `fsck` cases + SCENARIO Simple `fsck` cases - GIVEN a standard instance - WHEN testinstance adminkey runs fsck gitano-admin - THEN stdout is empty - AND stderr is empty + GIVEN a standard instance + WHEN testinstance adminkey runs fsck gitano-admin + THEN stdout is empty + AND stderr is empty No matter how powerful you are, you cannot `fsck` a repository which does not exist... - WHEN testinstance adminkey, expecting failure, runs fsck somethingelse - THEN stdout is empty - AND stderr contains repository does not exist + WHEN testinstance adminkey, expecting failure, runs fsck somethingelse + THEN stdout is empty + AND stderr contains repository does not exist - FINALLY the instance is torn down + FINALLY the instance is torn down Attempting to `fsck` when you have no write access -------------------------------------------------- 
@@ -36,16 +36,16 @@ Since any non-`gitano-admin` member cannot see `gitano-admin` we can use that as a test case for ensuring that you must have write access in order to `fsck` something. - SCENARIO lowly accolyte fails to fsck + SCENARIO lowly accolyte fails to fsck - GIVEN a standard instance - AND testinstance has keys called other - WHEN testinstance, using adminkey, adds user other, using testinstance other - AND testinstance other, expecting failure, runs fsck gitano-admin - THEN stdout is empty - AND stderr contains Ruleset denied action + GIVEN a standard instance + AND testinstance has keys called other + WHEN testinstance, using adminkey, adds user other, using testinstance other + AND testinstance other, expecting failure, runs fsck gitano-admin + THEN stdout is empty + AND stderr contains Ruleset denied action - FINALLY the instance is torn down + FINALLY the instance is torn down Passing commands through to `fsck` ---------------------------------- @@ -53,19 +53,19 @@ Passing commands through to `fsck` It is possible to pass arguments through to the `git fsck` subprocess. By passing through a bad option, we get to see this in action - SCENARIO passing arguments to `fsck` + SCENARIO passing arguments to `fsck` - GIVEN a standard instance - WHEN testinstance adminkey, expecting failure, runs fsck gitano-admin --bad-option - THEN stdout is empty + GIVEN a standard instance + WHEN testinstance adminkey, expecting failure, runs fsck gitano-admin --bad-option + THEN stdout is empty We check for `git fsck`'s usage message: - AND stderr contains error: unknown option - AND stderr contains usage: git fsck + AND stderr contains error: unknown option + AND stderr contains usage: git fsck And also we see that Gitano has caught the error - AND stderr contains Unable to continue + AND stderr contains Unable to continue - FINALLY the instance is torn down + FINALLY the instance is torn down 
diff --git a/testing/02-commands-gc.yarn b/testing/02-commands-gc.yarn index 499684d..4e6dd81 100644 --- a/testing/02-commands-gc.yarn +++ b/testing/02-commands-gc.yarn @@ -13,26 +13,26 @@ Using `gc` in the simple case So the simple case is that a `gitano-admin` runs `gc` on a repository which definitely exists which means they always have the rights to do so. - SCENARIO Simple case `gc` usage + SCENARIO Simple case `gc` usage - GIVEN a standard instance - WHEN testinstance adminkey runs gc gitano-admin - THEN stderr is empty - AND stdout is empty + GIVEN a standard instance + WHEN testinstance adminkey runs gc gitano-admin + THEN stderr is empty + AND stdout is empty - FINALLY the instance is torn down + FINALLY the instance is torn down We can then ensure that if the repository does not exist, we get a useful error message back: - SCENARIO Simple failure case `gc` usage + SCENARIO Simple failure case `gc` usage - GIVEN a standard instance - WHEN testinstance adminkey, expecting failure, runs gc something - THEN stdout is empty - AND stderr contains repository does not exist + GIVEN a standard instance + WHEN testinstance adminkey, expecting failure, runs gc something + THEN stdout is empty + AND stderr contains repository does not exist - FINALLY the instance is torn down + FINALLY the instance is torn down Write access checks ------------------- 
@@ -40,17 +40,17 @@ Write access checks A more complex case involves creating a repository to which a user has no write permissions and trying to get that user to run `gc` on it. - SCENARIO Write access checks for `gc` usage + SCENARIO Write access checks for `gc` usage - GIVEN a standard instance - AND testinstance has keys called other - WHEN testinstance, using adminkey, adds user other, using testinstance other - AND testinstance adminkey runs create testrepo - AND testinstance other, expecting failure, runs gc testrepo - THEN stdout is empty - AND stderr contains Ruleset denied action + GIVEN a standard instance + AND testinstance has keys called other + WHEN testinstance, using adminkey, adds user other, using testinstance other + AND testinstance adminkey runs create testrepo + AND testinstance other, expecting failure, runs gc testrepo + THEN stdout is empty + AND stderr contains Ruleset denied action - FINALLY the instance is torn down + FINALLY the instance is torn down Passing arguments to `git gc` ----------------------------- 
@@ -59,19 +59,19 @@ Any spare arguments given to `gc` are passed through to `git gc` untouched. We can verify that arguments are passed through by passing a bad argument through and seeing if we get an error message from the underlying `git gc` instance: - SCENARIO Passing arguments through to `git gc` + SCENARIO Passing arguments through to `git gc` - GIVEN a standard instance - WHEN testinstance adminkey, expecting failure, runs gc gitano-admin --not-valid - THEN stdout is empty + GIVEN a standard instance + WHEN testinstance adminkey, expecting failure, runs gc gitano-admin --not-valid + THEN stdout is empty These are the `git gc` errors - AND stderr contains error: unknown option - AND stderr contains usage: git gc + AND stderr contains error: unknown option + AND stderr contains usage: git gc And this demonstrates that Gitano detected the error properly - AND stderr contains Unable to continue + AND stderr contains Unable to continue - FINALLY the instance is torn down + FINALLY the instance is torn down |
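Review bot: In testing/02-commands-as.yarn, scenario "Ensuring 'as' does not leak user presence", the unprivileged `runs as badger whoami` step is checked only with `stdout is empty` and `stderr does not contain badger`, so it would also pass if stderr were empty or carried some unrelated error. The prose above it says the failure must be reported as a lack of permission. Consider adding `AND stderr contains Ruleset denied action` and `AND stderr contains exit:1`, matching the denied case in the first hunk, so that the output for a nonexistent target is pinned to the same output as for an existing one.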
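Review bot: In testing/02-commands-copy.yarn, the final step `runs copy user/alice/testrepo gitano-admin` uses a source path that nothing in the visible scenario creates (alice created `personal/alice/testrepo`), so the command may fail on the source before the destination is ever considered and `stderr does not contain ERROR: Repository gitano-admin already exists` would hold vacuously. Suggest copying from `personal/alice/testrepo` and adding a positive assertion on the error alice is expected to see. The context line "they can to read" also has a stray "to" that could be fixed while the file is being tidied.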
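Review bot: In testing/02-commands-count-objects.yarn, the denied case for alice asserts only `stderr contains CRIT: Ruleset denied action.` and never checks stdout, although the surrounding prose is about not leaking that the repository exists. The fsck and gc denied scenarios in this same commit assert `stdout is empty`; adding that line here would make the no-leak claim tested rather than assumed.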
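Review bot: In testing/02-commands-create.yarn, the "May not create repositories elsewhere" step still targets `personal/testintance/testrepo`, which looks like a typo for `testinstance` carried through the re-indent. The step is expected to fail either way, but with the misspelling it no longer exercises another existing user's namespace. Suggest correcting the path in this cleanup.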
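Review bot: In testing/02-commands-destroy.yarn, the confirmation-token hunk stops at `stderr contains ERROR: Confirmation token does not match, refusing to destroy` and never verifies that the repository survived. Suggest following it with `WHEN alice main runs ls` and `THEN stdout contains personal/alice/testrepo`. The visible scenario also has no step where an unchanged repository is destroyed with a still-valid token, and the invalidation is triggered by a `config ... set project.description` rather than the push the prose describes; either is worth a step or a sentence of documentation.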
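Review bot: In testing/02-commands-fsck.yarn, the scenario title `lowly accolyte fails to fsck` keeps the misspelling of "acolyte" on the re-indented line. Since the line is being touched anyway, this is a cheap place to fix it, provided nothing else refers to the scenario by name.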