diff options
Diffstat (limited to 'docs/tutorials/first-audit.md')
| -rw-r--r-- | docs/tutorials/first-audit.md | 270 |
1 files changed, 270 insertions, 0 deletions
diff --git a/docs/tutorials/first-audit.md b/docs/tutorials/first-audit.md new file mode 100644 index 0000000..194a976 --- /dev/null +++ b/docs/tutorials/first-audit.md | |||
| @@ -0,0 +1,270 @@ | |||
| 1 | # Tutorial: Running Your First GRASP Audit | ||
| 2 | |||
| 3 | **Purpose:** Learn how to use grasp-audit to check GRASP compliance | ||
| 4 | **Time:** 10-15 minutes | ||
| 5 | **Prerequisites:** [Getting Started Tutorial](getting-started.md) completed | ||
| 6 | |||
| 7 | --- | ||
| 8 | |||
| 9 | ## What You'll Learn | ||
| 10 | |||
| 11 | By the end of this tutorial, you will: | ||
| 12 | - ✅ Understand what GRASP compliance means | ||
| 13 | - ✅ Run a compliance audit against a relay | ||
| 14 | - ✅ Interpret audit results | ||
| 15 | - ✅ Know how to use the audit tool in your own projects | ||
| 16 | |||
| 17 | --- | ||
| 18 | |||
| 19 | ## Step 1: Understanding GRASP Compliance | ||
| 20 | |||
| 21 | GRASP (Git Relays Authorized via Signed-Nostr Proofs) defines requirements for Git hosting with Nostr authorization. | ||
| 22 | |||
| 23 | **Key compliance areas:** | ||
| 24 | - **NIP-01**: Basic Nostr relay functionality | ||
| 25 | - **NIP-34**: Git repository events (kind 30317, 30318) | ||
| 26 | - **Git HTTP**: Smart HTTP protocol support | ||
| 27 | - **Authorization**: Push validation against state events | ||
| 28 | |||
| 29 | The `grasp-audit` tool verifies all of these automatically. | ||
| 30 | |||
| 31 | --- | ||
| 32 | |||
| 33 | ## Step 2: Start a Test Relay | ||
| 34 | |||
| 35 | For this tutorial, we'll use a standard Nostr relay: | ||
| 36 | |||
| 37 | ```bash | ||
| 38 | # In a separate terminal window: | ||
| 39 | docker run --rm -p 7000:7000 scsibug/nostr-rs-relay | ||
| 40 | |||
| 41 | # Keep this running throughout the tutorial | ||
| 42 | ``` | ||
| 43 | |||
| 44 | **What this does:** Starts a NIP-01 compliant Nostr relay on port 7000. | ||
| 45 | |||
| 46 | **Note:** This relay doesn't fully implement GRASP (no Git hosting), but we can test the Nostr parts. | ||
| 47 | |||
| 48 | --- | ||
| 49 | |||
| 50 | ## Step 3: Run the Audit Tool | ||
| 51 | |||
| 52 | Navigate to the grasp-audit directory and run: | ||
| 53 | |||
| 54 | ```bash | ||
| 55 | cd grasp-audit | ||
| 56 | nix develop | ||
| 57 | |||
| 58 | # Run the integration tests (which include audits) | ||
| 59 | cargo test --ignored -- --test-threads=1 | ||
| 60 | ``` | ||
| 61 | |||
| 62 | **What you'll see:** | ||
| 63 | ``` | ||
| 64 | running 3 tests | ||
| 65 | test tests::test_isolation_basic ... ok | ||
| 66 | test tests::test_isolation_cleanup ... ok | ||
| 67 | test tests::test_isolation_concurrent ... ok | ||
| 68 | |||
| 69 | test result: ok. 3 passed; 0 failed; 0 ignored | ||
| 70 | ``` | ||
| 71 | |||
| 72 | **What just happened?** The audit tool: | ||
| 73 | 1. Connected to the relay on port 7000 | ||
| 74 | 2. Checked NIP-01 compliance (event submission, retrieval) | ||
| 75 | 3. Tested isolation between test runs | ||
| 76 | 4. Verified cleanup mechanisms | ||
| 77 | |||
| 78 | --- | ||
| 79 | |||
| 80 | ## Step 4: Use the Audit Library | ||
| 81 | |||
| 82 | Let's write a simple audit script. Create a new file: | ||
| 83 | |||
| 84 | ```bash | ||
| 85 | # From grasp-audit directory | ||
| 86 | cat > examples/my_audit.rs << 'EOF' | ||
| 87 | use grasp_audit::prelude::*; | ||
| 88 | |||
| 89 | #[tokio::main] | ||
| 90 | async fn main() -> Result<(), Box<dyn std::error::Error>> { | ||
| 91 | // Create an audit client | ||
| 92 | let client = AuditClient::new("ws://localhost:7000").await?; | ||
| 93 | |||
| 94 | println!("✅ Connected to relay"); | ||
| 95 | |||
| 96 | // Test basic event submission | ||
| 97 | let test_event = client.create_test_event("Hello GRASP!").await?; | ||
| 98 | println!("✅ Created test event: {}", test_event.id); | ||
| 99 | |||
| 100 | // Verify we can retrieve it | ||
| 101 | let retrieved = client.get_event(&test_event.id).await?; | ||
| 102 | println!("✅ Retrieved event successfully"); | ||
| 103 | |||
| 104 | println!("\n🎉 Basic audit passed!"); | ||
| 105 | |||
| 106 | Ok(()) | ||
| 107 | } | ||
| 108 | EOF | ||
| 109 | ``` | ||
| 110 | |||
| 111 | **Note:** This is a simplified example. The actual audit tool has more sophisticated checks. | ||
| 112 | |||
| 113 | --- | ||
| 114 | |||
| 115 | ## Step 5: Understanding Audit Results | ||
| 116 | |||
| 117 | When audits fail, you'll see detailed error messages: | ||
| 118 | |||
| 119 | ```rust | ||
| 120 | // Example failure output: | ||
| 121 | Error: GRASP-01 compliance failed | ||
| 122 | - NIP-01: ✅ PASS | ||
| 123 | - NIP-34 kind 30317: ❌ FAIL - Relay rejected repository announcement | ||
| 124 | - NIP-34 kind 30318: ❌ FAIL - Relay rejected state event | ||
| 125 | - Git HTTP: ❌ NOT TESTED - No Git endpoint found | ||
| 126 | ``` | ||
| 127 | |||
| 128 | **How to interpret:** | ||
| 129 | - ✅ **PASS**: Feature works correctly | ||
| 130 | - ❌ **FAIL**: Feature broken or missing | ||
| 131 | - ⚠️ **PARTIAL**: Works but with issues | ||
| 132 | - ⏭️ **SKIPPED**: Couldn't test (dependency failed) | ||
| 133 | |||
| 134 | --- | ||
| 135 | |||
| 136 | ## Step 6: Audit a GRASP-Compliant Relay | ||
| 137 | |||
| 138 | To audit a real GRASP relay (when available): | ||
| 139 | |||
| 140 | ```bash | ||
| 141 | # Example (relay doesn't exist yet): | ||
| 142 | cargo run --bin grasp-audit -- --relay wss://gitnostr.com | ||
| 143 | |||
| 144 | # Or use the library: | ||
| 145 | let client = AuditClient::new("wss://gitnostr.com").await?; | ||
| 146 | let results = client.run_full_audit().await?; | ||
| 147 | println!("{}", results.summary()); | ||
| 148 | ``` | ||
| 149 | |||
| 150 | **What this would check:** | ||
| 151 | - Nostr relay functionality (NIP-01) | ||
| 152 | - Git event acceptance (NIP-34) | ||
| 153 | - Git HTTP endpoint availability | ||
| 154 | - Push authorization logic | ||
| 155 | - Multi-maintainer support | ||
| 156 | |||
| 157 | --- | ||
| 158 | |||
| 159 | ## Step 7: Automated Testing | ||
| 160 | |||
| 161 | The audit tool is designed for CI/CD integration: | ||
| 162 | |||
| 163 | ```bash | ||
| 164 | # Run all tests (unit + integration) | ||
| 165 | cargo test --all | ||
| 166 | |||
| 167 | # Run only integration tests | ||
| 168 | cargo test --ignored | ||
| 169 | |||
| 170 | # Generate coverage report | ||
| 171 | cargo tarpaulin --ignored --out Html | ||
| 172 | ``` | ||
| 173 | |||
| 174 | **Use in CI:** | ||
| 175 | ```yaml | ||
| 176 | # Example GitHub Actions | ||
| 177 | - name: Run GRASP Compliance Tests | ||
| 178 | run: | | ||
| 179 | docker run -d -p 7000:7000 scsibug/nostr-rs-relay | ||
| 180 | cd grasp-audit | ||
| 181 | cargo test --ignored | ||
| 182 | ``` | ||
| 183 | |||
| 184 | --- | ||
| 185 | |||
| 186 | ## What You've Accomplished | ||
| 187 | |||
| 188 | Congratulations! You now: | ||
| 189 | |||
| 190 | ✅ Understand GRASP compliance requirements | ||
| 191 | ✅ Can run the audit tool against a relay | ||
| 192 | ✅ Know how to interpret audit results | ||
| 193 | ✅ Can integrate audits into your workflow | ||
| 194 | |||
| 195 | --- | ||
| 196 | |||
| 197 | ## Next Steps | ||
| 198 | |||
| 199 | ### Learn more about testing: | ||
| 200 | - Read [Compliance Testing How-To](../how-to/test-compliance.md) | ||
| 201 | - Review [Test Strategy](../reference/test-strategy.md) | ||
| 202 | |||
| 203 | ### Understand the protocols: | ||
| 204 | - Read [GRASP Protocol Reference](../reference/grasp-protocol.md) | ||
| 205 | - Review [Git Protocol Reference](../reference/git-protocol.md) | ||
| 206 | |||
| 207 | ### Contribute to grasp-audit: | ||
| 208 | - Check open issues | ||
| 209 | - Add new compliance checks | ||
| 210 | - Improve error messages | ||
| 211 | |||
| 212 | --- | ||
| 213 | |||
| 214 | ## Troubleshooting | ||
| 215 | |||
| 216 | ### "Connection refused" errors | ||
| 217 | - Make sure the relay is running: `docker ps` | ||
| 218 | - Check the port: `netstat -an | grep 7000` | ||
| 219 | - Verify the URL: `ws://localhost:7000` (not `wss://`) | ||
| 220 | |||
| 221 | ### Tests timeout | ||
| 222 | - Relay might be slow to start | ||
| 223 | - Try running tests again after 5 seconds | ||
| 224 | - Check Docker logs: `docker logs <container-id>` | ||
| 225 | |||
| 226 | ### "Event rejected" errors | ||
| 227 | - Expected for non-GRASP relays | ||
| 228 | - The relay might not support NIP-34 | ||
| 229 | - This is normal for the tutorial relay | ||
| 230 | |||
| 231 | --- | ||
| 232 | |||
| 233 | ## Deep Dive: How Audits Work | ||
| 234 | |||
| 235 | The audit tool uses **isolated test environments**: | ||
| 236 | |||
| 237 | ```rust | ||
| 238 | // Each test gets a unique identifier | ||
| 239 | let isolation = IsolationContext::new("my-test"); | ||
| 240 | |||
| 241 | // Events are tagged with this identifier | ||
| 242 | let event = isolation.create_event("test content").await?; | ||
| 243 | |||
| 244 | // Cleanup removes only this test's events | ||
| 245 | isolation.cleanup().await?; | ||
| 246 | ``` | ||
| 247 | |||
| 248 | **Why isolation matters:** | ||
| 249 | - Tests don't interfere with each other | ||
| 250 | - Can run tests in parallel | ||
| 251 | - Easy cleanup (no leftover data) | ||
| 252 | |||
| 253 | See [Test Strategy Reference](../reference/test-strategy.md) for details. | ||
| 254 | |||
| 255 | --- | ||
| 256 | |||
| 257 | ## Summary | ||
| 258 | |||
| 259 | You've learned how to: | ||
| 260 | - Run GRASP compliance audits | ||
| 261 | - Interpret audit results | ||
| 262 | - Use the audit library | ||
| 263 | - Integrate audits into testing workflows | ||
| 264 | |||
| 265 | **Next tutorial:** [Deploying ngit-grasp](../how-to/deploy.md) (when main server is ready) | ||
| 266 | |||
| 267 | --- | ||
| 268 | |||
| 269 | *Part of the [ngit-grasp tutorials](./)* | ||
| 270 | *Previous: [Getting Started](getting-started.md)* | ||