Got Mirror

Blob

Date:: Thu Apr 25 14:57:36 2024 UTC
Message:: make it harder to leak notification credentials over plaintext HTTP ok op@
Actions:: History | Blame | Raw File
1 .include "../../got-version.mk"
2 
3 REGRESS_TARGETS=test_repo_read test_repo_read_group \
4 	test_repo_read_denied_user test_repo_read_denied_group \
5 	test_repo_read_bad_user test_repo_read_bad_group \
6 	test_repo_write test_repo_write_empty test_request_bad \
7 	test_repo_write_protected test_repo_write_readonly \
8 	test_email_notification test_http_notification
9 NOOBJ=Yes
10 CLEANFILES=gotd.conf
11 
12 .PHONY: ensure_root prepare_test_repo check_test_repo start_gotd
13 
14 GOTD_TEST_ROOT=/tmp
15 GOTD_DEVUSER?=gotdev
16 GOTD_DEVUSER_HOME!=userinfo $(GOTD_DEVUSER) | awk '/^dir/ {print $$2}'
17 GOTD_TEST_REPO!?=mktemp -d "$(GOTD_TEST_ROOT)/gotd-test-repo-XXXXXXXXXX"
18 GOTD_TEST_REPO_NAME=test-repo
19 GOTD_TEST_REPO_URL=ssh://${GOTD_DEVUSER}@127.0.0.1/$(GOTD_TEST_REPO_NAME)
20 GOTD_TEST_SMTP_PORT=2525
21 GOTD_TEST_HTTP_PORT=8000
22 
23 GOTD_TEST_USER?=${DOAS_USER}
24 .if empty(GOTD_TEST_USER)
25 GOTD_TEST_USER=${SUDO_USER}
26 .endif
27 .if empty(GOTD_TEST_USER)
28 GOTD_TEST_USER=${USER}
29 .endif
30 GOTD_TEST_USER_HOME!=userinfo $(GOTD_TEST_USER) | awk '/^dir/ {print $$2}'
31 
32 # gotd.conf parameters
33 GOTD_USER?=got
34 GOTD_SOCK=${GOTD_DEVUSER_HOME}/gotd.sock
35 
36 .if "${GOT_RELEASE}" == "Yes"
37 PREFIX ?= /usr/local
38 BINDIR ?= ${PREFIX}/bin
39 .else
40 PREFIX ?= ${GOTD_TEST_USER_HOME}
41 BINDIR ?= ${PREFIX}/bin
42 .endif
43 
44 GOTD_START_CMD?=env ${GOTD_ENV} $(BINDIR)/gotd -vv -f $(PWD)/gotd.conf
45 GOTD_STOP_CMD?=$(BINDIR)/gotctl -f $(GOTD_SOCK) stop
46 GOTD_TRAP=trap "$(GOTD_STOP_CMD)" HUP INT QUIT PIPE TERM
47 
48 GOTD_ENV=GOT_NOTIFY_EMAIL_TIMEOUT=1
49 
50 GOTD_TEST_ENV=GOTD_TEST_ROOT=$(GOTD_TEST_ROOT) \
51 	GOTD_TEST_REPO_URL=$(GOTD_TEST_REPO_URL) \
52 	GOTD_TEST_REPO_NAME=$(GOTD_TEST_REPO_NAME) \
53 	GOTD_TEST_REPO=$(GOTD_TEST_REPO) \
54 	GOTD_SOCK=$(GOTD_SOCK) \
55 	GOTD_DEVUSER=$(GOTD_DEVUSER) \
56 	GOTD_USER=$(GOTD_USER) \
57 	GOTD_TEST_SMTP_PORT=$(GOTD_TEST_SMTP_PORT) \
58 	GOTD_TEST_HTTP_PORT=$(GOTD_TEST_HTTP_PORT) \
59 	HOME=$(GOTD_TEST_USER_HOME) \
60 	PATH=$(GOTD_TEST_USER_HOME)/bin:$(PATH)
61 
62 ensure_root:
63 	@if [[ `id -u` -ne 0 ]]; then \
64 		echo gotd test suite must be started by root >&2; \
65 		false; \
66 	fi ; \
67 	if [[ "$(GOTD_TEST_USER)" = "root" ]]; then \
68 		echo GOTD_TEST_USER must be a non-root user >&2; \
69 		false; \
70 	fi
71 
72 start_gotd_ro: ensure_root
73 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
74 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
75 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
76 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
77 	@echo '    permit ro $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
78 	@echo "}" >> $(PWD)/gotd.conf
79 	@$(GOTD_TRAP); $(GOTD_START_CMD)
80 	@$(GOTD_TRAP); sleep .5
81 
82 start_gotd_implicit_ro: ensure_root
83 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
84 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
85 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
86 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
87 	@echo "}" >> $(PWD)/gotd.conf
88 	@$(GOTD_TRAP); $(GOTD_START_CMD)
89 	@$(GOTD_TRAP); sleep .5
90 
91 start_gotd_ro_group: ensure_root
92 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
93 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
94 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
95 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
96 	@echo '    permit ro :$(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
97 	@echo "}" >> $(PWD)/gotd.conf
98 	@$(GOTD_TRAP); $(GOTD_START_CMD)
99 	@$(GOTD_TRAP); sleep .5
100 
101 # try a permit rule followed by a deny rule; last matched rule wins
102 start_gotd_ro_denied_user: ensure_root
103 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
104 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
105 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
106 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
107 	@echo '    permit ro $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
108 	@echo '    deny $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
109 	@echo "}" >> $(PWD)/gotd.conf
110 	@$(GOTD_TRAP); $(GOTD_START_CMD)
111 	@$(GOTD_TRAP); sleep .5
112 
113 # try a permit rule followed by a deny rule; last matched rule wins
114 start_gotd_ro_denied_group: ensure_root
115 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
116 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
117 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
118 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
119 	@echo '    permit ro $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
120 	@echo '    deny :$(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
121 	@echo "}" >> $(PWD)/gotd.conf
122 	@$(GOTD_TRAP); $(GOTD_START_CMD)
123 	@$(GOTD_TRAP); sleep .5
124 
125 # $GOTD_DEVUSER should not equal $GOTD_USER
126 start_gotd_ro_bad_user: ensure_root
127 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
128 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
129 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
130 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
131 	@echo '    permit ro $(GOTD_USER)' >> $(PWD)/gotd.conf
132 	@echo "}" >> $(PWD)/gotd.conf
133 	@$(GOTD_TRAP); $(GOTD_START_CMD)
134 	@$(GOTD_TRAP); sleep .5
135 
136 # $GOTD_DEVUSER should not be in group wheel
137 start_gotd_ro_bad_group: ensure_root
138 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
139 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
140 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
141 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
142 	@echo '    permit ro :wheel' >> $(PWD)/gotd.conf
143 	@echo "}" >> $(PWD)/gotd.conf
144 	@$(GOTD_TRAP); $(GOTD_START_CMD)
145 	@$(GOTD_TRAP); sleep .5
146 
147 start_gotd_rw: ensure_root
148 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
149 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
150 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
151 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
152 	@echo '    permit rw $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
153 	@echo "}" >> $(PWD)/gotd.conf
154 	@$(GOTD_TRAP); $(GOTD_START_CMD)
155 	@$(GOTD_TRAP); sleep .5
156 
157 start_gotd_rw_protected: ensure_root
158 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
159 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
160 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
161 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
162 	@echo '    permit rw $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
163 	@echo '    protect branch "foo"' >> $(PWD)/gotd.conf
164 	@echo '    protect tag namespace "refs/tags/"' >> $(PWD)/gotd.conf
165 	@echo '    protect branch "refs/heads/main"' >> $(PWD)/gotd.conf
166 	@echo "}" >> $(PWD)/gotd.conf
167 	@$(GOTD_TRAP); $(GOTD_START_CMD)
168 	@$(GOTD_TRAP); sleep .5
169 
170 start_gotd_email_notification: ensure_root
171 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
172 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
173 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
174 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
175 	@echo '    permit rw $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
176 	@echo '    notify {' >> $(PWD)/gotd.conf
177 	@echo -n '      email to ${GOTD_DEVUSER}' >> $(PWD)/gotd.conf
178 	@echo ' relay 127.0.0.1 port ${GOTD_TEST_SMTP_PORT}' >> $(PWD)/gotd.conf
179 	@echo "    }" >> $(PWD)/gotd.conf
180 	@echo "}" >> $(PWD)/gotd.conf
181 	@$(GOTD_TRAP); $(GOTD_START_CMD)
182 	@$(GOTD_TRAP); sleep .5
183 
184 start_gotd_http_notification: ensure_root
185 	@echo 'listen on "$(GOTD_SOCK)"' > $(PWD)/gotd.conf
186 	@echo "user $(GOTD_USER)" >> $(PWD)/gotd.conf
187 	@echo 'repository "test-repo" {' >> $(PWD)/gotd.conf
188 	@echo '    path "$(GOTD_TEST_REPO)"' >> $(PWD)/gotd.conf
189 	@echo '    permit rw $(GOTD_DEVUSER)' >> $(PWD)/gotd.conf
190 	@echo '    notify {' >> $(PWD)/gotd.conf
191 	@echo '         url "http://localhost:${GOTD_TEST_HTTP_PORT}/" user flan password "password" insecure' >> $(PWD)/gotd.conf
192 	@echo "    }" >> $(PWD)/gotd.conf
193 	@echo "}" >> $(PWD)/gotd.conf
194 	@$(GOTD_TRAP); $(GOTD_START_CMD)
195 	@$(GOTD_TRAP); sleep .5
196 
197 prepare_test_repo: ensure_root
198 	@chown ${GOTD_USER} "${GOTD_TEST_REPO}"
199 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./prepare_test_repo.sh'
200 
201 prepare_test_repo_empty: ensure_root
202 	@chown ${GOTD_USER} "${GOTD_TEST_REPO}"
203 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./prepare_test_repo.sh 1'
204 
205 test_repo_read: prepare_test_repo start_gotd_ro
206 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
207 		'env $(GOTD_TEST_ENV) sh ./repo_read.sh'
208 	@$(GOTD_STOP_CMD) 2>/dev/null
209 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
210 
211 test_repo_read_group: prepare_test_repo start_gotd_ro_group
212 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
213 		'env $(GOTD_TEST_ENV) sh ./repo_read.sh'
214 	@$(GOTD_STOP_CMD) 2>/dev/null
215 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
216 
217 test_repo_read_denied_user: prepare_test_repo start_gotd_ro_denied_user
218 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
219 		'env $(GOTD_TEST_ENV) sh ./repo_read_access_denied.sh'
220 	@$(GOTD_STOP_CMD) 2>/dev/null
221 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
222 
223 test_repo_read_denied_group: prepare_test_repo start_gotd_ro_denied_group
224 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
225 		'env $(GOTD_TEST_ENV) sh ./repo_read_access_denied.sh'
226 	@$(GOTD_STOP_CMD) 2>/dev/null
227 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
228 
229 test_repo_read_bad_user: prepare_test_repo start_gotd_ro_bad_user
230 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
231 		'env $(GOTD_TEST_ENV) sh ./repo_read_access_denied.sh'
232 	@$(GOTD_STOP_CMD) 2>/dev/null
233 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
234 
235 test_repo_read_bad_group: prepare_test_repo start_gotd_ro_bad_group
236 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
237 		'env $(GOTD_TEST_ENV) sh ./repo_read_access_denied.sh'
238 	@$(GOTD_STOP_CMD) 2>/dev/null
239 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
240 
241 test_repo_write: prepare_test_repo start_gotd_rw
242 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
243 		'env $(GOTD_TEST_ENV) sh ./repo_write.sh'
244 	@$(GOTD_STOP_CMD) 2>/dev/null
245 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
246 
247 test_repo_write_empty: prepare_test_repo_empty start_gotd_rw
248 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
249 		'env $(GOTD_TEST_ENV) sh ./repo_write_empty.sh'
250 	@$(GOTD_STOP_CMD) 2>/dev/null
251 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
252 
253 test_repo_write_protected: prepare_test_repo start_gotd_rw_protected
254 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
255 		'env $(GOTD_TEST_ENV) sh ./repo_write_protected.sh'
256 	@$(GOTD_STOP_CMD) 2>/dev/null
257 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
258 	
259 test_repo_write_readonly: prepare_test_repo_empty start_gotd_implicit_ro
260 	@-$(GOTD_TRAP); su ${GOTD_TEST_USER} -c \
261 		'env $(GOTD_TEST_ENV) sh ./repo_write_readonly.sh'
262 	@$(GOTD_STOP_CMD) 2>/dev/null
263 	@su -m ${GOTD_USER} -c 'env $(GOTD_TEST_ENV) sh ./check_test_repo.sh'
264 
265 test_request_bad: prepare_test_repo_empty start_gotd_ro
266 	@-$(GOTD_TRAP); su -m ${GOTD_TEST_USER} -c \
267 		'env $(GOTD_TEST_ENV) sh ./request_bad.sh'
268 	@$(GOTD_STOP_CMD) 2>/dev/null
269 
270 test_email_notification: prepare_test_repo start_gotd_email_notification
271 	@-$(GOTD_TRAP); su -m ${GOTD_TEST_USER} -c \
272 		'env $(GOTD_TEST_ENV) sh ./email_notification.sh'
273 	@$(GOTD_STOP_CMD) 2>/dev/null
274 
275 test_http_notification: prepare_test_repo start_gotd_http_notification
276 	@-$(GOTD_TRAP); su -m ${GOTD_TEST_USER} -c \
277 		'env $(GOTD_TEST_ENV) sh ./http_notification.sh'
278 	@$(GOTD_STOP_CMD) 2>/dev/null
279 
280 .include <bsd.regress.mk>