mkit-cli 0.3.0

The mkit command-line tool: a content-addressed VCS with native attestation support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194

//! Git-compatibility `config` aliases (#250, Phase 2): `user.name` /
//! `user.email`. They round-trip like git, but are **non-authoritative** —
//! they must never feed mkit's cryptographic commit author (which is
//! `user.identity` / the signing key). These tests pin both the parity
//! (round-trip) and the security boundary (no author spoofing).

use std::fs;
use std::path::Path;
use std::process::Output;

fn mkit_bin() -> &'static str {
    env!("CARGO_BIN_EXE_mkit")
}

fn run_in(cwd: &Path, xdg: &Path, args: &[&str]) -> Output {
    std::process::Command::new(mkit_bin())
        .args(args)
        .current_dir(cwd)
        .env("XDG_CONFIG_HOME", xdg)
        .output()
        .expect("spawn mkit")
}

fn repo() -> (tempfile::TempDir, tempfile::TempDir) {
    let td = tempfile::tempdir().unwrap();
    let xdg = tempfile::tempdir().unwrap();
    let (root, x) = (td.path(), xdg.path());
    assert!(run_in(root, x, &["init"]).status.success());
    assert!(run_in(root, x, &["keygen"]).status.success());
    fs::write(root.join("a.txt"), b"hello\n").unwrap();
    assert!(run_in(root, x, &["add", "."]).status.success());
    assert!(run_in(root, x, &["commit", "-m", "init"]).status.success());
    (td, xdg)
}

fn config_get(root: &Path, x: &Path, key: &str) -> String {
    let out = run_in(root, x, &["config", key]);
    assert!(out.status.success(), "config {key} failed: {out:?}");
    String::from_utf8(out.stdout).unwrap().trim().to_string()
}

/// Extract the `"author":"..."` value from a `log --format=json` line.
fn author_of_head(root: &Path, x: &Path) -> String {
    let out = run_in(root, x, &["log", "--format=json", "-n", "1"]);
    assert!(out.status.success(), "log failed: {out:?}");
    let s = String::from_utf8(out.stdout).unwrap();
    let key = "\"author\":\"";
    let start = s.find(key).expect("author field") + key.len();
    let rest = &s[start..];
    let end = rest.find('"').expect("author end");
    rest[..end].to_string()
}

#[test]
fn user_name_and_email_round_trip_like_git() {
    let (td, xdg) = repo();
    let (root, x) = (td.path(), xdg.path());

    assert!(
        run_in(root, x, &["config", "user.name", "Alice Example"])
            .status
            .success()
    );
    assert!(
        run_in(root, x, &["config", "user.email", "alice@example.com"])
            .status
            .success()
    );

    assert_eq!(config_get(root, x, "user.name"), "Alice Example");
    assert_eq!(config_get(root, x, "user.email"), "alice@example.com");

    // Round-trips through the JSON view too.
    let json = run_in(root, x, &["config", "--format=json"]);
    let s = String::from_utf8(json.stdout).unwrap();
    assert!(s.contains("\"user.name\":\"Alice Example\""), "json: {s:?}");
    assert!(
        s.contains("\"user.email\":\"alice@example.com\""),
        "json: {s:?}"
    );
}

#[test]
fn user_name_is_repo_scoped_not_user_scoped() {
    let (td, xdg) = repo();
    let (root, x) = (td.path(), xdg.path());
    assert!(
        run_in(root, x, &["config", "user.name", "Repo Local"])
            .status
            .success()
    );

    // Unlike `user.identity` (a REPO_FORBIDDEN_KEY routed to user scope),
    // the non-authoritative alias is written to the repo config.
    let repo_cfg = fs::read_to_string(root.join(".mkit/config")).unwrap();
    assert!(
        repo_cfg.contains("user.name = Repo Local"),
        "user.name should persist in the repo config: {repo_cfg:?}"
    );
}

#[test]
fn unrelated_repo_write_does_not_leak_user_scoped_aliases() {
    let (td, xdg) = repo();
    let (root, x) = (td.path(), xdg.path());
    // A user-scoped (global) user.email, as a user might keep for all repos.
    fs::create_dir_all(x.join("mkit")).unwrap();
    fs::write(x.join("mkit/config"), b"user.email = private@example.com\n").unwrap();

    // Setting an unrelated repo key must NOT copy the user-scoped value
    // into the repo config (which travels with clones).
    assert!(
        run_in(root, x, &["config", "default_branch", "trunk"])
            .status
            .success()
    );
    let repo_cfg = fs::read_to_string(root.join(".mkit/config")).unwrap();
    assert!(
        !repo_cfg.contains("private@example.com"),
        "user-scoped user.email leaked into repo config: {repo_cfg:?}"
    );
    // The merged value is still readable (it lives in the user config).
    assert_eq!(config_get(root, x, "user.email"), "private@example.com");
}

#[test]
fn remote_add_does_not_leak_user_scoped_aliases() {
    let (td, xdg) = repo();
    let (root, x) = (td.path(), xdg.path());
    fs::create_dir_all(x.join("mkit")).unwrap();
    fs::write(x.join("mkit/config"), b"user.email = private@example.com\n").unwrap();

    // `remote add` is another repo-config writer; it must persist only the
    // repo layer, not the merged view, so the user-scoped email stays out
    // of the clone-traveling repo config.
    assert!(
        run_in(root, x, &["remote", "add", "origin", "mkit+file:///tmp/r"])
            .status
            .success()
    );
    let repo_cfg = fs::read_to_string(root.join(".mkit/config")).unwrap();
    assert!(
        !repo_cfg.contains("private@example.com"),
        "user-scoped user.email leaked into repo config via remote add: {repo_cfg:?}"
    );
    assert!(
        repo_cfg.contains("remote.origin.url"),
        "remote was not recorded: {repo_cfg:?}"
    );
}

#[test]
fn user_name_does_not_spoof_the_signed_author() {
    let (td, xdg) = repo();
    let (root, x) = (td.path(), xdg.path());

    // Baseline author (no user.name set) — derived from the signing key
    // since user.identity is unset.
    let baseline = author_of_head(root, x);
    assert!(!baseline.is_empty(), "expected a derived author identity");

    // A hostile-looking user.name / user.email must NOT change the signed
    // author: authorship is cryptographic (user.identity / key), and these
    // aliases are non-authoritative.
    assert!(
        run_in(root, x, &["config", "user.name", "Mallory Spoof"])
            .status
            .success()
    );
    assert!(
        run_in(root, x, &["config", "user.email", "mallory@evil.test"])
            .status
            .success()
    );
    fs::write(root.join("b.txt"), b"more\n").unwrap();
    assert!(run_in(root, x, &["add", "."]).status.success());
    assert!(
        run_in(root, x, &["commit", "-m", "second"])
            .status
            .success()
    );

    let after = author_of_head(root, x);
    assert_eq!(
        after, baseline,
        "user.name/user.email must not influence the signed commit author"
    );
    let log = run_in(root, x, &["log"]);
    let log_s = String::from_utf8(log.stdout).unwrap();
    assert!(
        !log_s.contains("Mallory") && !log_s.contains("mallory@evil"),
        "the non-authoritative alias must never appear as the commit author: {log_s:?}"
    );
}