180 lines
7.5 KiB
Rust
180 lines
7.5 KiB
Rust
use assert_cmd::cargo::CommandCargoExt as _;
|
|
use std::path::{Path, PathBuf};
|
|
use std::process::{Command, Stdio};
|
|
use tempfile::TempDir;
|
|
|
|
/// A throwaway org vault with a device signing key wired via XDG_CONFIG_HOME.
|
|
struct OrgFixture {
|
|
_config: TempDir,
|
|
vault: TempDir,
|
|
xdg: PathBuf,
|
|
}
|
|
|
|
impl OrgFixture {
|
|
/// Generate an ed25519 signing key in OpenSSH format using ssh-keygen and
|
|
/// register it as the current device, then `org init`.
|
|
fn new() -> Self {
|
|
let config = TempDir::new().unwrap();
|
|
let xdg = config.path().to_path_buf();
|
|
let devices = xdg.join("relicario").join("devices").join("laptop");
|
|
std::fs::create_dir_all(&devices).unwrap();
|
|
|
|
// Generate an OpenSSH ed25519 keypair without a passphrase.
|
|
let keyfile = devices.join("signing.key");
|
|
let status = Command::new("ssh-keygen")
|
|
.args(["-t", "ed25519", "-N", "", "-C", "relicario-test", "-f"])
|
|
.arg(&keyfile)
|
|
.stdout(Stdio::null())
|
|
.stderr(Stdio::null())
|
|
.status()
|
|
.expect("ssh-keygen");
|
|
assert!(status.success(), "ssh-keygen failed");
|
|
// ssh-keygen writes signing.key + signing.key.pub; rename the .pub to signing.pub.
|
|
std::fs::rename(devices.join("signing.key.pub"), devices.join("signing.pub")).unwrap();
|
|
// Mark this device current.
|
|
std::fs::write(
|
|
xdg.join("relicario").join("devices").join("current"),
|
|
"laptop\n",
|
|
)
|
|
.unwrap();
|
|
|
|
let vault = TempDir::new().unwrap();
|
|
let f = OrgFixture { _config: config, vault, xdg };
|
|
|
|
let out = f.run(&["org", "init", "--dir", f.vault_str(), "--name", "Acme"]);
|
|
assert!(out.status.success(), "org init failed: {}", String::from_utf8_lossy(&out.stderr));
|
|
f
|
|
}
|
|
|
|
fn vault_path(&self) -> &Path { self.vault.path() }
|
|
fn vault_str(&self) -> &str { self.vault.path().to_str().unwrap() }
|
|
|
|
fn run(&self, args: &[&str]) -> std::process::Output {
|
|
let mut cmd = Command::cargo_bin("relicario").unwrap();
|
|
cmd.env("XDG_CONFIG_HOME", &self.xdg)
|
|
.env("RELICARIO_ORG_DIR", self.vault.path())
|
|
.args(args)
|
|
.stdin(Stdio::null())
|
|
.stdout(Stdio::piped())
|
|
.stderr(Stdio::piped());
|
|
cmd.output().unwrap()
|
|
}
|
|
|
|
/// Owner member id printed by `org init`/`org status`. We read it from
|
|
/// members.json directly to avoid parsing stdout.
|
|
fn owner_member_id(&self) -> String {
|
|
let s = std::fs::read_to_string(self.vault.path().join("members.json")).unwrap();
|
|
let v: serde_json::Value = serde_json::from_str(&s).unwrap();
|
|
v["members"][0]["member_id"].as_str().unwrap().to_string()
|
|
}
|
|
}
|
|
|
|
#[test]
|
|
fn org_add_get_list_round_trip() {
|
|
let f = OrgFixture::new();
|
|
let owner = f.owner_member_id();
|
|
|
|
// Create a collection and grant the owner access to it.
|
|
let out = f.run(&["org", "create-collection", "prod", "--name", "Production"]);
|
|
assert!(out.status.success(), "create-collection: {}", String::from_utf8_lossy(&out.stderr));
|
|
let out = f.run(&["org", "grant", &owner, "prod"]);
|
|
assert!(out.status.success(), "grant: {}", String::from_utf8_lossy(&out.stderr));
|
|
|
|
// Add a login into the prod collection.
|
|
let out = f.run(&[
|
|
"org", "add", "login", "--collection", "prod",
|
|
"--title", "GitHub", "--username", "alice",
|
|
"--url", "https://github.com", "--password", "hunter2",
|
|
]);
|
|
assert!(out.status.success(), "org add: {}", String::from_utf8_lossy(&out.stderr));
|
|
|
|
// The blob must live under items/prod/, NOT flat items/.
|
|
let prod_dir = f.vault_path().join("items").join("prod");
|
|
let blobs: Vec<_> = std::fs::read_dir(&prod_dir).unwrap().collect();
|
|
assert_eq!(blobs.len(), 1, "expected one blob under items/prod/");
|
|
|
|
// list shows it.
|
|
let out = f.run(&["org", "list"]);
|
|
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
|
|
assert!(stdout.contains("GitHub"), "list missing GitHub: {stdout}");
|
|
|
|
// get masks by default.
|
|
let out = f.run(&["org", "get", "GitHub"]);
|
|
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
|
|
assert!(stdout.contains("********"), "expected masked secret: {stdout}");
|
|
assert!(!stdout.contains("hunter2"), "leaked plaintext: {stdout}");
|
|
|
|
// get --show reveals.
|
|
let out = f.run(&["org", "get", "GitHub", "--show"]);
|
|
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
|
|
assert!(stdout.contains("hunter2"), "expected plaintext with --show: {stdout}");
|
|
|
|
// The commit trailer records the action + collection + item.
|
|
let log = Command::new("git")
|
|
.args(["-C", f.vault_str(), "log", "-1", "--format=%B"])
|
|
.output()
|
|
.unwrap();
|
|
let body = String::from_utf8_lossy(&log.stdout).to_string();
|
|
assert!(body.contains("Relicario-Action: item-create"), "missing action trailer: {body}");
|
|
assert!(body.contains("Relicario-Collection: prod"), "missing collection trailer: {body}");
|
|
assert!(body.contains("Relicario-Item: "), "missing item trailer: {body}");
|
|
}
|
|
|
|
#[test]
|
|
fn org_add_rejects_ungranted_collection() {
|
|
let f = OrgFixture::new();
|
|
// Create the collection but do NOT grant the owner.
|
|
let out = f.run(&["org", "create-collection", "secret", "--name", "Secret"]);
|
|
assert!(out.status.success(), "create-collection: {}", String::from_utf8_lossy(&out.stderr));
|
|
|
|
let out = f.run(&[
|
|
"org", "add", "login", "--collection", "secret",
|
|
"--title", "X", "--username", "u", "--password", "p",
|
|
]);
|
|
assert!(!out.status.success(), "add into ungranted collection must fail");
|
|
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
|
|
assert!(stderr.contains("access denied") || stderr.contains("grant"), "unexpected error: {stderr}");
|
|
}
|
|
|
|
#[test]
|
|
fn org_add_rejects_unknown_collection() {
|
|
let f = OrgFixture::new();
|
|
let out = f.run(&[
|
|
"org", "add", "login", "--collection", "ghost",
|
|
"--title", "X", "--username", "u", "--password", "p",
|
|
]);
|
|
assert!(!out.status.success(), "add into nonexistent collection must fail");
|
|
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
|
|
assert!(stderr.contains("does not exist") || stderr.contains("ghost"), "unexpected error: {stderr}");
|
|
}
|
|
|
|
#[test]
|
|
fn org_edit_updates_fields_and_commits_update_trailer() {
|
|
let f = OrgFixture::new();
|
|
let owner = f.owner_member_id();
|
|
assert!(f.run(&["org", "create-collection", "prod", "--name", "Production"]).status.success());
|
|
assert!(f.run(&["org", "grant", &owner, "prod"]).status.success());
|
|
assert!(f.run(&[
|
|
"org", "add", "login", "--collection", "prod",
|
|
"--title", "Mail", "--username", "old", "--password", "pw",
|
|
]).status.success());
|
|
|
|
// Edit the username.
|
|
let out = f.run(&[
|
|
"org", "edit", "Mail", "--username", "new-user",
|
|
]);
|
|
assert!(out.status.success(), "org edit: {}", String::from_utf8_lossy(&out.stderr));
|
|
|
|
// get --show reflects the new username.
|
|
let out = f.run(&["org", "get", "Mail", "--show"]);
|
|
let stdout = String::from_utf8_lossy(&out.stdout).to_string();
|
|
assert!(stdout.contains("new-user"), "edit did not take: {stdout}");
|
|
|
|
let log = Command::new("git")
|
|
.args(["-C", f.vault_str(), "log", "-1", "--format=%B"])
|
|
.output().unwrap();
|
|
let body = String::from_utf8_lossy(&log.stdout).to_string();
|
|
assert!(body.contains("Relicario-Action: item-update"), "missing update trailer: {body}");
|
|
assert!(body.contains("Relicario-Collection: prod"), "missing collection trailer: {body}");
|
|
}
|