Test suite: Fully test replay attack prevention

1 files changed, 50 insertions, 2 deletions

diff --git a/tests/tests/trustingpolicy-replay b/tests/tests/trustingpolicy-replay
index 57ef286..4fc3c17 100755
--- a/tests/tests/trustingpolicy-replay
+++ b/tests/tests/trustingpolicy-replay
@@ -15,7 +15,7 @@ git tag start
 t-dgit build
 t-dgit push --new
 
-t-commit 'Prep v2 which will be rewound'
+t-commit 'Prep v1.1 which will be rewound'
 t-dgit build
 t-dgit push
 
@@ -31,5 +31,53 @@ git push "$remote" \
 	debian/1.1 \
 	debian/1.1~0:refs/dgit/sid
 
+git checkout master
+
+
+: "More subtle replay prevention checks"
+
+prepare-replay () {
+	delib=$1
+
+	# We have to stop the pushes succeeding because if they work they
+	# record the tag, which prevents the replays.  We are simulating
+	# abortive pushes (since we do want to avoid a situation where
+	# dangerous old signed tags can exist).
+	t-policy false
+
+	t-commit "request with $delib that we will replay"
+	t-dgit build
+	t-expect-fail "policy-hook.*No such file or directory" \
+	t-dgit push $delib
+
+	t-policy dgit-repos-policy-trusting
+
+	replayv=$v
+}
+
+attempt-replay () {
+	local mpat=$1
+	git show debian/$replayv | grep -e $delib
+	t-expect-fail "$mpat" \
+	git push "$remote" \
+		debian/$replayv \
+		+debian/$replayv~0:refs/dgit/sid
+}
+
+prepare-replay --deliberately-fresh-repo
+
+# simulate some other thing that we shouldn't delete
+git push $tmp/git/$p.git +master:refs/heads/for-testing
+
+attempt-replay 'does not declare previously heads/for-testing'
+
+prepare-replay --deliberately-not-fast-forward
+
+t-commit 'later version to stop not fast forward rewinding'
+t-dgit build
+t-dgit push
+
+attempt-replay "does not declare previously tags/debian/$v"
+
+
 echo ok.
-echo xxx want to check replay prevention insufficient proofs in tag