authorDanConwayDev <DanConwayDev@protonmail.com>2025-11-28 11:39:26 +0000
committerDanConwayDev <DanConwayDev@protonmail.com>2025-11-28 11:39:26 +0000
commitbf51a082ad54815f108bb255cf258fcae4a9bb4f (patch)
treed929f4bb9e113f0754533aa60eca26181ddb8d9d
parente5b8854d5065cda8601546fc888e2ef1e00cc166 (diff)
audit: fix push from maintainer tests when in production mode
-rw-r--r--grasp-audit/src/specs/grasp01/push_authorization.rs177
1 files changed, 51 insertions, 126 deletions
diff --git a/grasp-audit/src/specs/grasp01/push_authorization.rs b/grasp-audit/src/specs/grasp01/push_authorization.rs
index 0e30238..0a5b1ec 100644
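--- a/grasp-audit/src/specs/grasp01/push_authorization.rs
+++ b/grasp-audit/src/specs/grasp01/push_authorization.rs
@@ -40,6 +40,7 @@ impl PushAuthorizationTests {
 results.add(Self::test_push_authorized_by_owner_state(client, relay_domain).await);
 results.add(Self::test_push_rejected_wrong_commit(client, relay_domain).await);
 results.add(Self::test_push_authorized_by_maintainer_state_only(client, relay_domain).await);
+results.add(Self::test_push_authorized_by_recursive_maintainer_state(client, relay_domain).await);
 
 results
 }
@@ -488,7 +489,20 @@ impl PushAuthorizationTests {
 let _ = fs::remove_dir_all(&clone_path);
 };
 
-// Create maintainer deterministic commit
+// Reset to orphan state and create deterministic root commit
+// Step 1: Create orphan branch (removes all history)
+let _ = Command::new("git")
+.args(["checkout", "--orphan", "main-new"])
+.current_dir(&clone_path)
+.output();
+
+// Step 2: Clear staged files (orphan keeps files staged from previous branch)
+let _ = Command::new("git")
+.args(["rm", "-rf", "--cached", "."])
+.current_dir(&clone_path)
+.output();
+
+// Step 3: Create deterministic commit using existing function
 let commit_hash =
 match create_deterministic_commit_with_variant(&clone_path, CommitVariant::Maintainer) {
 Ok(h) => h,
@@ -503,6 +517,17 @@ impl PushAuthorizationTests {
 }
 };
 
+// Step 4: Replace main branch with our new orphan branch
+let _ = Command::new("git")
+.args(["branch", "-D", "main"])
+.current_dir(&clone_path)
+.output();
+
+let _ = Command::new("git")
+.args(["branch", "-m", "main"])
+.current_dir(&clone_path)
+.output();
+
 // Verify commit hash matches expected
 if commit_hash != MAINTAINER_DETERMINISTIC_COMMIT_HASH {
 cleanup();
@@ -517,68 +542,6 @@ impl PushAuthorizationTests {
 ));
 }
 
-// Create main branch
-let branch_output = Command::new("git")
-.args(["branch", "main"])
-.current_dir(&clone_path)
-.output();
-
-match branch_output {
-Err(e) => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by maintainer state event only (no announcement)",
-)
-.fail(&format!("Failed to create main branch: {}", e));
-}
-Ok(output) if !output.status.success() => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by maintainer state event only (no announcement)",
-)
-.fail(&format!(
-"Failed to create main branch: {}",
-String::from_utf8_lossy(&output.stderr)
-));
-}
-_ => {}
-}
-
-// Checkout main branch
-let checkout_output = Command::new("git")
-.args(["checkout", "main"])
-.current_dir(&clone_path)
-.output();
-
-match checkout_output {
-Err(e) => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by maintainer state event only (no announcement)",
-)
-.fail(&format!("Failed to checkout main branch: {}", e));
-}
-Ok(output) if !output.status.success() => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by maintainer state event only (no announcement)",
-)
-.fail(&format!(
-"Failed to checkout main branch: {}",
-String::from_utf8_lossy(&output.stderr)
-));
-}
-_ => {}
-}
-
 // ============================================================
 // Step 3: VERIFY - Push should succeed because maintainer's
 // state event authorizes this commit
@@ -747,7 +710,20 @@ impl PushAuthorizationTests {
 let _ = fs::remove_dir_all(&clone_path);
 };
 
-// Create recursive maintainer deterministic commit
+// Reset to orphan state and create deterministic root commit
+// Step 1: Create orphan branch (removes all history)
+let _ = Command::new("git")
+.args(["checkout", "--orphan", "main-new"])
+.current_dir(&clone_path)
+.output();
+
+// Step 2: Clear staged files (orphan keeps files staged from previous branch)
+let _ = Command::new("git")
+.args(["rm", "-rf", "--cached", "."])
+.current_dir(&clone_path)
+.output();
+
+// Step 3: Create recursive maintainer deterministic commit
 let commit_hash =
 match create_deterministic_commit_with_variant(&clone_path, CommitVariant::RecursiveMaintainer) {
 Ok(h) => h,
@@ -762,6 +738,17 @@ impl PushAuthorizationTests {
 }
 };
 
+// Step 4: Replace main branch with our new orphan branch
+let _ = Command::new("git")
+.args(["branch", "-D", "main"])
+.current_dir(&clone_path)
+.output();
+
+let _ = Command::new("git")
+.args(["branch", "-m", "main"])
+.current_dir(&clone_path)
+.output();
+
 // Verify commit hash matches expected
 if commit_hash != RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH {
 cleanup();
@@ -776,68 +763,6 @@ impl PushAuthorizationTests {
 ));
 }
 
-// Create main branch
-let branch_output = Command::new("git")
-.args(["branch", "main"])
-.current_dir(&clone_path)
-.output();
-
-match branch_output {
-Err(e) => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by recursive maintainer state event",
-)
-.fail(&format!("Failed to create main branch: {}", e));
-}
-Ok(output) if !output.status.success() => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by recursive maintainer state event",
-)
-.fail(&format!(
-"Failed to create main branch: {}",
-String::from_utf8_lossy(&output.stderr)
-));
-}
-_ => {}
-}
-
-// Checkout main branch
-let checkout_output = Command::new("git")
-.args(["checkout", "main"])
-.current_dir(&clone_path)
-.output();
-
-match checkout_output {
-Err(e) => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by recursive maintainer state event",
-)
-.fail(&format!("Failed to checkout main branch: {}", e));
-}
-Ok(output) if !output.status.success() => {
-cleanup();
-return TestResult::new(
-test_name,
-"GRASP-01",
-"Push authorized by recursive maintainer state event",
-)
-.fail(&format!(
-"Failed to checkout main branch: {}",
-String::from_utf8_lossy(&output.stderr)
-));
-}
-_ => {}
-}
-
 // ============================================================
 // Step 3: VERIFY - Push should succeed because recursive
 // maintainer's state event authorizes this commit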
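Review bot: The four new `let _ = Command::new("git")…output();` calls (new lines 494-503 and 521-529, repeated verbatim at 715-724 and 742-750) discard both the spawn error and the exit status, whereas the code this commit removes reported such failures through `TestResult::fail`. A failed `checkout --orphan` or `rm --cached` is at least caught indirectly by the hash comparison, but a failed `branch -m main` after the commit is not: the hash still matches while `main` may still point at the cloned history, so the later push step would presumably exercise a different ref than the one the state event authorizes, and the GRASP-01 verdict would be attributed to the relay rather than to local setup. I would check the status of the rename (and ideally of steps 1 and 2) and leave only `branch -D main` best-effort, assuming `main` can be absent in a fresh clone. Because the block is duplicated in the recursive-maintainer test, a small private helper would keep the two copies from drifting. The enclosing test functions start and end outside these hunks.

```rust
// … unchanged: best-effort `git branch -D main` …

// Rename the orphan branch to main and report a failed setup as such.
let rename = Command::new("git")
    .args(["branch", "-m", "main"])
    .current_dir(&clone_path)
    .output();
let rename_err = match rename {
    Ok(out) if out.status.success() => None,
    Ok(out) => Some(String::from_utf8_lossy(&out.stderr).into_owned()),
    Err(e) => Some(e.to_string()),
};
if let Some(err) = rename_err {
    cleanup();
    return TestResult::new(
        test_name,
        "GRASP-01",
        "Push authorized by maintainer state event only (no announcement)",
    )
    .fail(&format!("Failed to rename orphan branch to main: {}", err));
}
```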