commit c343b6811380169034b3341781bac5f3a347e7f6
from: Stefan Sperling <stsp@stsp.name>
date: Thu Jun 26 13:54:07 2025 UTC

add a test case for deny rules in gotsys.conf

Deny rules in gotsys.conf didn't actually work until recently and were
lacking test coverage.

commit - df9fee32dd219ae70b3e0c8d7a0bd95a8d063f68
commit + c343b6811380169034b3341781bac5f3a347e7f6
blob - da2ba9e791a56f80f6a789fb2fae102adc6501aa
blob + 7e60f16b3db43adbee999e9d75a456e2c5327ea1
--- regress/gotsysd/test_gotsysd.sh
+++ regress/gotsysd/test_gotsysd.sh
@@ -1431,7 +1431,109 @@ EOF
 
 	test_done "$testroot" "$ret"
 }
+
+test_deny_access() {
+	local testroot=`test_init deny_access 1`
+
+	got checkout -q $testroot/${GOTSYS_REPO} $testroot/wt >/dev/null
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		echo "got checkout failed unexpectedly" >&2
+		test_done "$testroot" 1
+		return 1
+	fi
 
+	crypted_vm_pw=`echo ${GOTSYSD_VM_PASSWORD} | encrypt | tr -d '\n'`
+	crypted_pw=`echo ${GOTSYSD_DEV_PASSWORD} | encrypt | tr -d '\n'`
+	sshkey=`cat ${GOTSYSD_SSH_PUBKEY}`
+	cat > ${testroot}/wt/gotsys.conf <<EOF
+group slackers
+
+user ${GOTSYSD_TEST_USER} {
+	password "${crypted_vm_pw}" 
+	authorized key ${sshkey}
+}
+user ${GOTSYSD_DEV_USER} {
+	password "${crypted_pw}" 
+	authorized key ${sshkey}
+}
+repository gotsys.git {
+	permit rw ${GOTSYSD_TEST_USER}
+	permit rw ${GOTSYSD_DEV_USER}
+}
+repository "foo" {
+	deny ${GOTSYSD_DEV_USER}
+	permit ro anonymous
+	head foo
+	protect branch foo
+	protect {
+		tag namespace "refs/tags"
+	}
+}
+EOF
+	(cd ${testroot}/wt && \
+		got commit -m "deny access to foo repository" >/dev/null)
+	local commit_id=`git_show_head $testroot/${GOTSYS_REPO}`
+
+	got send -q -i ${GOTSYSD_SSH_KEY} -r ${testroot}/${GOTSYS_REPO}
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		echo "got send failed unexpectedly" >&2
+		test_done "$testroot" 1
+		return 1
+	fi
+
+	# Wait for gotsysd to apply the new configuration.
+	echo "$commit_id" > $testroot/stdout.expected
+	for i in 1 2 3 4 5; do
+		sleep 1
+		ssh -i ${GOTSYSD_SSH_KEY} root@${VMIP} \
+			cat /var/db/gotsysd/commit > $testroot/stdout
+		if cmp -s $testroot/stdout.expected $testroot/stdout; then
+			break;
+		fi
+	done
+	cmp -s $testroot/stdout.expected $testroot/stdout
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		echo "gotsysd failed to apply configuration" >&2
+		diff -u $testroot/stdout.expected $testroot/stdout
+		test_done "$testroot" "$ret"
+		return 1
+	fi
+
+	# Try to clone repository foo. Should fail.
+	got clone -q -i ${GOTSYSD_SSH_KEY} -b foo \
+		${GOTSYSD_DEV_USER}@${VMIP}:foo.git $testroot/foo.git \
+		> $testroot/stdout 2> $testroot/stderr
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		echo "got clone succeeded unexpectedly" >&2
+		return 1
+	fi
+
+	echo -n "" > $testroot/stdout.expected
+	cmp -s $testroot/stdout.expected $testroot/stdout
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		diff -u $testroot/stdout.expected $testroot/stdout
+		test_done "$testroot" "$ret"
+		return 1
+	fi
+
+	echo "gotsh: foo: Permission denied" > $testroot/stderr.expected
+	grep '^gotsh:' $testroot/stderr > $testroot/stderr.filtered
+	cmp -s $testroot/stderr.expected $testroot/stderr.filtered
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		diff -u $testroot/stderr.expected $testroot/stderr.filtered
+		test_done "$testroot" "$ret"
+		return 1
+	fi
+
+	test_done "$testroot" "$ret"
+}
+
 test_parseargs "$@"
 run_test test_user_add
 run_test test_user_mod
@@ -1443,3 +1545,4 @@ run_test test_user_anonymous
 run_test test_bad_gotsysconf
 run_test test_set_head
 run_test test_protect_refs
+run_test test_deny_access