<!-- -*- markdown -*- -->
Destroying repositories
=======================

Git, and Gitano for that matter, works hard to preserve information. However,
sometimes you need to destroy a repository. Perhaps it has been moved to
another server, or you never wanted the repository in the first place. Gitano
has a pair of commands for this; the first is the 'destroy' command.

Failure pathways
----------------

    SCENARIO repository destruction failure modes

    GIVEN a standard instance
    AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch
    AND testinstance, using adminkey, adds a new user alice, with a key called main

We obviously can't destroy a repository that doesn't exist.

    WHEN alice main, expecting failure, runs destroy personal/alice/testrepo --force
    THEN stderr contains ERROR: Cannot destroy a repository which does not exist

But the error message must be helpful without being an information leak.
So if the user is permitted to know that the repository exists,
we can tell them that it failed because it does not exist,
but if the user is not permitted to know the repository exists,
then we must tell them it failed because they weren't permitted.

    WHEN alice main, expecting failure, runs destroy gitano-admin --force
    THEN stderr does not contain ERROR: Cannot destroy a repository which does not exist
    AND stderr contains CRIT: You may not destroy repositories you do not own

    FINALLY the instance is torn down

Destroying repositories successfully
------------------------------------

Repositories can, however, be destroyed if the calling user has write
access to them. Since the owner of a repository has write access in the
default ruleset, owners can remove their own repositories.

    SCENARIO repository destruction

    GIVEN a standard instance
    AND testinstance using adminkey has patched gitano-admin with personal-repo-create.patch
    AND testinstance, using adminkey, adds a new user alice, with a key called main

Repositories writable by the user can be destroyed by the user.

    WHEN alice main runs create personal/alice/testrepo
    AND alice main runs ls
    THEN stdout contains personal/alice/testrepo

    WHEN alice main runs destroy personal/alice/testrepo --force
    AND alice main runs ls
    THEN stdout does not contain personal/alice/testrepo

Use of `--force` is dangerous, as the user has no way of knowing
whether another user pushed to the repository since they last used it.
If `--force` is not passed, the first destroy attempt provides a confirmation
token; re-running destroy with that token performs the deletion only if the
token is still valid.

    WHEN alice main runs create personal/alice/testrepo
    AND alice main runs ls
    THEN stdout contains personal/alice/testrepo

    WHEN alice main runs destroy personal/alice/testrepo
    THEN stdout contains re-run your command with the following confirmation token

Any change made to a repository affects the token, so
if metadata or any content refs are updated, the token will no longer match...

    GIVEN the token is saved as delete
    WHEN testinstance adminkey runs config personal/alice/testrepo set project.description Foo
    AND alice using main, expecting failure, destroys personal/alice/testrepo using the delete token
    THEN stderr contains ERROR: Confirmation token does not match, refusing to destroy

This is to prevent deleting a repository that someone has just pushed to
and losing their changes.

    FINALLY the instance is torn down
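
A small model of the two checks exercised above (the non-leaking refusal and the state-bound confirmation token), added here as an illustration and not taken from Gitano's own code. The HMAC-over-refs-and-config token derivation, `SECRET`, the `Repo` class, the status strings and the `personal/<user>/` ownership rule are all assumptions; only the error messages come from the scenarios.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


class Repo:
    def __init__(self):
        self.refs = {}    # ref name -> commit id
        self.config = {}  # metadata, e.g. project.description


def state_token(name, repo):
    """MAC over the refs and metadata, so any push or config change alters it."""
    state = json.dumps([name, sorted(repo.refs.items()), sorted(repo.config.items())])
    return hmac.new(SECRET, state.encode(), hashlib.sha256).hexdigest()


def destroy(repos, user, name, token=None, force=False):
    """Return (status, message) for a destroy request against the `repos` dict."""
    # Assumed ownership rule: a user owns only names under personal/<user>/.
    if not name.startswith(f"personal/{user}/"):
        # Decided from the name alone, before any lookup, so the reply is the
        # same for existing and missing repositories: no existence oracle.
        return "denied", "CRIT: You may not destroy repositories you do not own"
    repo = repos.get(name)
    if repo is None:
        return "missing", "ERROR: Cannot destroy a repository which does not exist"
    expected = state_token(name, repo)
    if not force:
        if token is None:
            return "confirm", expected  # caller re-runs destroy with this token
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return "mismatch", "ERROR: Confirmation token does not match, refusing to destroy"
    del repos[name]
    return "destroyed", name
```

Because the token is recomputed from current state on every call, nothing needs to be stored between the two invocations, and a stale token fails closed.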