From 7eb833a59e7987bc73d303a1a261a0a664c791cc Mon Sep 17 00:00:00 2001 From: southerntofu Date: Sat, 19 Feb 2022 00:03:02 +0100 Subject: [PATCH] WIP: Include tests for CLI whck Web tests for endpoints.php are probably broken at this point. Will be fixed in a later commit. --- README.md | 8 +++++++- test_cli.sh | 15 ++++++++++++++ test.sh => test_web.sh | 2 +- tests/cli/gitea.bats | 40 +++++++++++++++++++++++++++++++++++++ tests/cli/github.bats | 40 +++++++++++++++++++++++++++++++++++++ tests/cli/gitlab.bats | 38 +++++++++++++++++++++++++++++++++++ tests/helper.bash | 16 ++++++++++----- tests/{ => web}/gitea.bats | 2 +- tests/{ => web}/github.bats | 2 +- tests/{ => web}/gitlab.bats | 2 +- 10 files changed, 155 insertions(+), 10 deletions(-) create mode 100755 test_cli.sh rename test.sh => test_web.sh (97%) create mode 100644 tests/cli/gitea.bats create mode 100644 tests/cli/github.bats create mode 100644 tests/cli/gitlab.bats rename tests/{ => web}/gitea.bats (98%) rename tests/{ => web}/github.bats (98%) rename tests/{ => web}/gitlab.bats (98%) diff --git a/README.md b/README.md index 6590171..9530494 100644 --- a/README.md +++ b/README.md @@ -12,5 +12,11 @@ This repository contains the specification and tests for the forge webhook endpo Running tests requires the bats framework (`apt install bats`). You can run the `test.sh` script to start the tests. If you are not running from the implementation's folder, you may pass it as first argument the path to the program starting the local server (for tests). ``` -$ ./test.sh ~/endpoints.php/server +$ ./test_web.sh ~/endpoints.php/server +``` + +If you're running test for a CLI program to check credentials (like [whck](https://tildegit.org/forge/whck)), use test_cli.sh instead: + +``` +$ ./test_cli.sh ~/whck/target/debug/whck ``` diff --git a/test_cli.sh b/test_cli.sh new file mode 100755 index 0000000..bf441d0 --- /dev/null +++ b/test_cli.sh 
@@ -0,0 +1,15 @@ +#! /bin/bash + +# Test me with: ./test_cli.sh PATH/TO/PROGRAM + +SCRIPTDIR="$(dirname "$0")" + +ORIGDIR="$(pwd)" +cd "$SCRIPTDIR" + +export FORGEHOOK="$(pwd)/tests/mock-forgehook.sh" +export WHCK="$ORIGDIR"/"$1" + +bats tests/cli/*.bats + +cd "$ORIGDIR" diff --git a/test.sh b/test_web.sh similarity index 97% rename from test.sh rename to test_web.sh index 32f2a51..3c2846e 100755 --- a/test.sh +++ b/test_web.sh @@ -25,6 +25,6 @@ cd "$SCRIPTDIR" export FORGEHOOK="$(pwd)/tests/mock-forgehook.sh" export FORGEHOOKNOTIFY=/bin/true -bats tests/*.bats +bats tests/web/*.bats cd "$ORIGDIR" diff --git a/tests/cli/gitea.bats b/tests/cli/gitea.bats new file mode 100644 index 0000000..8be658d --- /dev/null +++ b/tests/cli/gitea.bats @@ -0,0 +1,40 @@ +#! /bin/bash + +function setup { + # Load helper functions + load ../helper + # Which forgehook implementation to use? + if [ -z "$FORGEHOOK" ]; then FORGEHOOK="forgehook"; fi + + # Which CLI validator to use? + if [ -z "$WHCK" ]; then WHCK="whck"; fi + + export WHCK_DIR="$(mktemp -d)" +} + +function teardown { + if [ -d $WHCK_DIR ]; then rm -r $WHCK_DIR; fi +} + +@test "correct signature works" { + repo="https://tildegit.org/forge/hook.sh" + webhook="$(gen_webhook ../gitea.json "$repo")" + secret="$($FORGEHOOK secret $repo)" + echo -n "$secret" > $WHCK_DIR/identifier + sig="$(hash_hmac sha256 "$webhook" "$secret")" + # Can't echo "$webhook" | $WHCK because of bats bug which eats STDIN + # Can't $WHCK <<< "$webhook" because bash appends a trailing newline?! + run $WHCK hmac-sha256 identifier "$sig" < <(echo -n "$webhook") + echo "$output" + [ $status -eq 0 ] +} + +@test "incorrect signature fails" { + repo="https://tildegit.org/forge/hook.sh" + webhook="$(gen_webhook ../gitea.json "$repo")" + secret="$($FORGEHOOK secret $repo)" + echo -n "FAIL$secret" > $WHCK_DIR/identifier + sig="$(hash_hmac sha256 "$webhook" "$secret")" + run $WHCK hmac-sha256 identifier "$sig" < <(echo -n "$webhook") + [ ! $status -eq 0 ] +} 
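Review bot: `export WHCK="$ORIGDIR"/"$1"` prepends the caller's directory even when `$1` is already absolute, so the README invocation `./test_cli.sh ~/whck/target/debug/whck` (tilde-expanded by the shell) produces a path under `$ORIGDIR` that presumably does not exist. The script also ends with `cd "$ORIGDIR"`, so its exit status is that of `cd` rather than of `bats`, and a CI job would report success when the signature tests fail. Because the negative tests only assert a non-zero status, a missing binary makes them pass silently. A replacement for the tail of the script is below; it also rejects a missing argument.

```shell
# … unchanged: SCRIPTDIR, ORIGDIR, cd "$SCRIPTDIR", export FORGEHOOK …
case "${1:?usage: $0 PATH/TO/PROGRAM}" in
  /*) WHCK="$1" ;;
  *) WHCK="$ORIGDIR/$1" ;;
esac
export WHCK

bats tests/cli/*.bats
rc=$?
cd "$ORIGDIR"
exit "$rc"
```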
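Review bot: The "incorrect signature fails" test asserts only `[ ! $status -eq 0 ]`, which is also satisfied when `$WHCK` cannot be executed at all (status 126/127), so the verifier's rejection path can go untested without anyone noticing. Add an existence check to `setup`, e.g. `command -v "$WHCK" >/dev/null || { echo "validator not found: $WHCK" >&2; return 1; }`, or assert the validator's documented rejection code instead of any non-zero value. The negative case also alters only the stored secret; a case with the right secret and an altered body or signature would cover the comparison itself. The same applies to tests/cli/github.bats and tests/cli/gitlab.bats.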
diff --git a/tests/cli/github.bats b/tests/cli/github.bats
new file mode 100644
index 0000000..55d2bdd
--- /dev/null
+++ b/tests/cli/github.bats
@@ -0,0 +1,40 @@
+#! /bin/bash
+
+function setup {
+ # Load helper functions
+ load ../helper
+ # Which forgehook implementation to use?
+ if [ -z "$FORGEHOOK" ]; then FORGEHOOK="forgehook"; fi
+
+ # Which CLI validator to use?
+ if [ -z "$WHCK" ]; then WHCK="whck"; fi
+
+ export WHCK_DIR="$(mktemp -d)"
+}
+
+function teardown {
+ if [ -d $WHCK_DIR ]; then rm -r $WHCK_DIR; fi
+}
+
+@test "correct signature works" {
+ repo="https://tildegit.org/forge/hook.sh"
+ webhook="$(gen_webhook ../github.json "$repo")"
+ secret="$($FORGEHOOK secret $repo)"
+ echo -n "$secret" > $WHCK_DIR/identifier
+ sig="$(hash_hmac sha256 "$webhook" "$secret")"
+ # Can't echo "$webhook" | $WHCK because of bats bug which eats STDIN
+ # Can't $WHCK <<< "$webhook" because bash appends a trailing newline?!
+ run $WHCK hmac-sha256 identifier "$sig" < <(echo -n "$webhook")
+ echo "$output"
+ [ $status -eq 0 ]
+}
+
+@test "incorrect signature fails" {
+ repo="https://tildegit.org/forge/hook.sh"
+ webhook="$(gen_webhook ../gitea.json "$repo")"
+ secret="$($FORGEHOOK secret $repo)"
+ echo -n "FAIL$secret" > $WHCK_DIR/identifier
+ sig="$(hash_hmac sha256 "$webhook" "$secret")"
+ run $WHCK hmac-sha256 identifier "$sig" < <(echo -n "$webhook")
+ [ ! $status -eq 0 ]
+}
diff --git a/tests/cli/gitlab.bats b/tests/cli/gitlab.bats
new file mode 100644
index 0000000..8b678f4
--- /dev/null
+++ b/tests/cli/gitlab.bats
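Review bot: The "incorrect signature fails" test builds its payload from `../gitea.json`, while the positive test in the same file uses `../github.json`, so the GitHub fixture never goes through the rejection path. This looks like a copy-paste leftover; the line should read `webhook="$(gen_webhook ../github.json "$repo")"`. Separately, `$WHCK_DIR` and `$repo` are expanded unquoted in `teardown` and in the `secret=` lines; quoting them (`rm -r -- "$WHCK_DIR"`) keeps the cleanup safe if the temporary path ever contains whitespace.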
@@ -0,0 +1,38 @@ +#! /bin/bash + +function setup { + # Load helper functions + load ../helper + # Which forgehook implementation to use? + if [ -z "$FORGEHOOK" ]; then FORGEHOOK="forgehook"; fi + + # Which CLI validator to use? + if [ -z "$WHCK" ]; then WHCK="whck"; fi + + export WHCK_DIR="$(mktemp -d)" +} + +function teardown { + if [ -f $WHCK_DIR ]; then rm $WHCK_DIR; fi +} + +@test "correct signature works" { + repo="https://tildegit.org/forge/hook.sh" + webhook="$(gen_webhook ../gitea.json "$repo")" + secret="$($FORGEHOOK secret $repo)" + echo -n "$secret" > $WHCK_DIR/identifier + # Can't echo "$webhook" | $WHCK because of bats bug which eats STDIN + # Can't $WHCK <<< "$webhook" because bash appends a trailing newline?! + run $WHCK token identifier "$secret" < <(echo -n "$webhook") + echo "$output" + [ $status -eq 0 ] +} + +@test "incorrect signature fails" { + repo="https://tildegit.org/forge/hook.sh" + webhook="$(gen_webhook ../gitea.json "$repo")" + secret="$($FORGEHOOK secret $repo)" + echo -n "FAIL$secret" > $WHCK_DIR/identifier + run $WHCK token identifier "$secret" < <(echo -n "$webhook") + [ ! $status -eq 0 ] +} diff --git a/tests/helper.bash b/tests/helper.bash index 5ce966f..6ad8a17 100755 --- a/tests/helper.bash +++ b/tests/helper.bash @@ -21,10 +21,12 @@ function gen_webhook() { # SECRET: the secret for this transaction # HEADER: where to store the secret function send_webhook { - echo "$2" > $TMPFILE + TMPFILE="$(mktemp)" + echo -n "$2" > $TMPFILE # We can make a few attempts, just in case the webserver hasn't started yet n=0 + status="" while [[ "$status" != "0" ]]; do if [ $n -eq 3 ]; then # Failed to reach server after 3 attempts 
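Review bot: `teardown` tests `[ -f $WHCK_DIR ]` and then runs `rm $WHCK_DIR`, but `setup` creates that path with `mktemp -d`, so the check is never true and every run leaves behind a temporary directory holding a copy of the secret in `identifier`. Use the form from the other two CLI files, quoted: `if [ -d "$WHCK_DIR" ]; then rm -r -- "$WHCK_DIR"; fi`. Both tests also load `../gitea.json`; if a GitLab fixture exists alongside the others it should be used here. The test names still say "signature" although this mode compares a token.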
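Review bot: `TMPFILE="$(mktemp)"` is created once before the retry loop, but the `rm $TMPFILE` added in the next hunk sits inside the loop, so from the second attempt onward `--data-binary @$TMPFILE` points at a deleted file and the retry can no longer send the original body. Remove the file only on the paths that leave the function: make the `rm` the first statement of the `if [ $status -eq 0 ]` branch and add `rm -f -- "$TMPFILE"` before the give-up return, which lies between the two hunks and is not visible here. Declaring `local TMPFILE` would also keep the name out of the test's global scope. send_webhook continues past the end of this hunk.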
@@ -32,16 +34,20 @@ function send_webhook { fi # --data-binary so that newlines aren't broken # (otherwise, signature won't match) - run curl --header "Content-Type: application/json" \ + output="$(curl --header "Content-Type: application/json" \ --header ""$4": "$3"" \ --request POST \ --data-binary @$TMPFILE \ -s -w "%{http_code}" \ - "$1" + "$1")" + status=$? + rm $TMPFILE # Requested succeeded, break out of loop if [ $status -eq 0 ]; then - echo "$output" - if [[ ! "$output" = 200 ]]; then return 2; fi + if [[ ! "$output" = 200 ]]; then + echo "|$output|" + return 2 + fi return 0; fi ((n++)) diff --git a/tests/gitea.bats b/tests/web/gitea.bats similarity index 98% rename from tests/gitea.bats rename to tests/web/gitea.bats index fc0303c..78556ab 100644 --- a/tests/gitea.bats +++ b/tests/web/gitea.bats @@ -2,7 +2,7 @@ function setup { # Load helper functions - load helper + load ../helper # Which forgehook implementation to use? if [ -z "$FORGEHOOK" ]; then FORGEHOOK="forgehook"; fi port=$(find_free_port) diff --git a/tests/github.bats b/tests/web/github.bats similarity index 98% rename from tests/github.bats rename to tests/web/github.bats index 40fe841..2b1f440 100644 --- a/tests/github.bats +++ b/tests/web/github.bats @@ -2,7 +2,7 @@ function setup { # Load helper functions - load helper + load ../helper # Which forgehook implementation to use? if [ -z "$FORGEHOOK" ]; then FORGEHOOK="forgehook"; fi port=$(find_free_port) diff --git a/tests/gitlab.bats b/tests/web/gitlab.bats similarity index 98% rename from tests/gitlab.bats rename to tests/web/gitlab.bats index 1d159db..ba6b225 100644 --- a/tests/gitlab.bats +++ b/tests/web/gitlab.bats @@ -2,7 +2,7 @@ function setup { # Load helper functions - load helper + load ../helper # Which forgehook implementation to use? if [ -z "$FORGEHOOK" ]; then FORGEHOOK="forgehook"; fi port=$(find_free_port)
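Review bot: Replacing `run curl …` with `output="$(curl …)"` followed by `status=$?` makes the retry depend on how send_webhook is called. bats runs test code with errexit, so if a test calls the helper without `run`, a refused connection would abort at the assignment and the loop would never retry; the callers are not visible in this diff, so this needs checking. Capturing the status in the same statement avoids the question: set `status=0` before the call and end it with `"$1")" || status=$?`. `$TMPFILE` is also unquoted in `--data-binary @$TMPFILE` and `rm $TMPFILE`. The loop and the function both extend beyond this hunk.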