1 files changed, 280 insertions, 0 deletions
diff --git a/tests/state_authorization.rs b/tests/state_authorization.rs
new file mode 100644
index 0000000..a5dfa2d
--- /dev/null
+++ b/tests/state_authorization.rs
@@ -0,0 +1,280 @@
+//! Tests for state event authorization
+//!
+//! Verifies that state events are properly rejected when:
+//! 1. No announcement exists for the repository
+//! 2. Author is not in the maintainer set
+mod common;
+use common::relay::TestRelay;
+use nostr_sdk::prelude::*;
+#[tokio::test]
+async fn test_reject_state_without_announcement() {
+    // Start test relay
+    let relay = TestRelay::start().await;
+    
+    // Create test keypair
+    let keys = Keys::generate();
+    
+    // Create a state event without any announcement
+    let state_event = EventBuilder::new(
+        Kind::RepoState,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
+    ])
+    .sign_with_keys(&keys)
+    .unwrap();
+    
+    // Connect to relay
+    let client = Client::default();
+    client.add_relay(relay.url()).await.unwrap();
+    client.connect().await;
+    
+    // Try to send state event
+    let result = client.send_event(&state_event).await;
+    
+    // Should be rejected
+    match result {
+        Ok(output) => {
+            assert!(
+                !output.success.is_empty() || !output.failed.is_empty(),
+                "Event should be processed"
+            );
+            // Check if any relay rejected it
+            let rejected = output.failed.values().any(|err| {
+                err.to_string().contains("no announcement exists")
+            });
+            assert!(rejected, "Event should be rejected due to missing announcement");
+        }
+        Err(e) => {
+            // Also acceptable - relay rejected the event
+            assert!(
+                e.to_string().contains("no announcement exists") ||
+                e.to_string().contains("rejected"),
+                "Error should indicate missing announcement: {}",
+                e
+            );
+        }
+    }
+    
+    relay.stop().await;
+}
+#[tokio::test]
+async fn test_reject_state_from_unauthorized_author() {
+    // Start test relay
+    let relay = TestRelay::start().await;
+    
+    // Create two keypairs: one for announcement, one for unauthorized state
+    let announcement_keys = Keys::generate();
+    let unauthorized_keys = Keys::generate();
+    
+    // Create announcement
+    let announcement = EventBuilder::new(
+        Kind::GitRepoAnnouncement,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("clone"), [format!("https://{}/test.git", relay.domain())]),
+        Tag::custom(TagKind::custom("relays"), [relay.url()]),
+    ])
+    .sign_with_keys(&announcement_keys)
+    .unwrap();
+    
+    // Connect to relay
+    let client = Client::default();
+    client.add_relay(relay.url()).await.unwrap();
+    client.connect().await;
+    
+    // Send announcement
+    client.send_event(&announcement).await.unwrap();
+    
+    // Wait for announcement to be processed
+    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
+    
+    // Try to send state event from unauthorized author
+    let state_event = EventBuilder::new(
+        Kind::RepoState,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
+    ])
+    .sign_with_keys(&unauthorized_keys)
+    .unwrap();
+    
+    let result = client.send_event(&state_event).await;
+    
+    // Should be rejected
+    match result {
+        Ok(output) => {
+            let rejected = output.failed.values().any(|err| {
+                err.to_string().contains("not authorized")
+            });
+            assert!(rejected, "Event should be rejected due to unauthorized author");
+        }
+        Err(e) => {
+            assert!(
+                e.to_string().contains("not authorized") ||
+                e.to_string().contains("rejected"),
+                "Error should indicate unauthorized author: {}",
+                e
+            );
+        }
+    }
+    
+    relay.stop().await;
+}
+#[tokio::test]
+async fn test_accept_state_from_announcement_author() {
+    // Start test relay
+    let relay = TestRelay::start().await;
+    
+    // Create keypair
+    let keys = Keys::generate();
+    
+    // Create announcement
+    let announcement = EventBuilder::new(
+        Kind::GitRepoAnnouncement,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("clone"), [format!("https://{}/test.git", relay.domain())]),
+        Tag::custom(TagKind::custom("relays"), [relay.url()]),
+    ])
+    .sign_with_keys(&keys)
+    .unwrap();
+    
+    // Connect to relay
+    let client = Client::default();
+    client.add_relay(relay.url()).await.unwrap();
+    client.connect().await;
+    
+    // Send announcement
+    client.send_event(&announcement).await.unwrap();
+    
+    // Wait for announcement to be processed
+    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
+    
+    // Send state event from same author (should be accepted or go to purgatory)
+    let state_event = EventBuilder::new(
+        Kind::RepoState,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
+    ])
+    .sign_with_keys(&keys)
+    .unwrap();
+    
+    let result = client.send_event(&state_event).await;
+    
+    // Should be accepted or go to purgatory (not permanently rejected)
+    match result {
+        Ok(output) => {
+            // Check that it wasn't permanently rejected
+            let permanently_rejected = output.failed.values().any(|err| {
+                let err_str = err.to_string();
+                err_str.contains("not authorized") || err_str.contains("no announcement exists")
+            });
+            assert!(
+                !permanently_rejected,
+                "Event should not be permanently rejected when author is authorized"
+            );
+        }
+        Err(e) => {
+            // Purgatory is acceptable
+            assert!(
+                e.to_string().contains("purgatory") ||
+                e.to_string().contains("waiting for git"),
+                "Error should be about purgatory, not authorization: {}",
+                e
+            );
+        }
+    }
+    
+    relay.stop().await;
+}
+#[tokio::test]
+async fn test_accept_state_from_maintainer() {
+    // Start test relay
+    let relay = TestRelay::start().await;
+    
+    // Create two keypairs: owner and maintainer
+    let owner_keys = Keys::generate();
+    let maintainer_keys = Keys::generate();
+    
+    // Create announcement with maintainer
+    let announcement = EventBuilder::new(
+        Kind::GitRepoAnnouncement,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("clone"), [format!("https://{}/test.git", relay.domain())]),
+        Tag::custom(TagKind::custom("relays"), [relay.url()]),
+        Tag::custom(TagKind::custom("maintainers"), [maintainer_keys.public_key().to_hex()]),
+    ])
+    .sign_with_keys(&owner_keys)
+    .unwrap();
+    
+    // Connect to relay
+    let client = Client::default();
+    client.add_relay(relay.url()).await.unwrap();
+    client.connect().await;
+    
+    // Send announcement
+    client.send_event(&announcement).await.unwrap();
+    
+    // Wait for announcement to be processed
+    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
+    
+    // Send state event from maintainer
+    let state_event = EventBuilder::new(
+        Kind::RepoState,
+        "",
+    )
+    .tags([
+        Tag::custom(TagKind::custom("d"), ["test-repo"]),
+        Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
+    ])
+    .sign_with_keys(&maintainer_keys)
+    .unwrap();
+    
+    let result = client.send_event(&state_event).await;
+    
+    // Should be accepted or go to purgatory (not permanently rejected)
+    match result {
+        Ok(output) => {
+            let permanently_rejected = output.failed.values().any(|err| {
+                let err_str = err.to_string();
+                err_str.contains("not authorized") || err_str.contains("no announcement exists")
+            });
+            assert!(
+                !permanently_rejected,
+                "Event should not be permanently rejected when maintainer is authorized"
+            );
+        }
+        Err(e) => {
+            // Purgatory is acceptable
+            assert!(
+                e.to_string().contains("purgatory") ||
+                e.to_string().contains("waiting for git"),
+                "Error should be about purgatory, not authorization: {}",
+                e
+            );
+        }
+    }
+    
+    relay.stop().await;
+}

diff --git a/tests/state_authorization.rs b/tests/state_authorization.rs new file mode 100644 index 0000000..a5dfa2d --- /dev/null +++ b/tests/state_authorization.rs
@@ -0,0 +1,280 @@
	1	//! Tests for state event authorization
	2	//!
	3	//! Verifies that state events are properly rejected when:
	4	//! 1. No announcement exists for the repository
	5	//! 2. Author is not in the maintainer set
	6
	7	mod common;
	8
	9	use common::relay::TestRelay;
	10	use nostr_sdk::prelude::*;
	11
	12	#[tokio::test]
	13	async fn test_reject_state_without_announcement() {
	14	// Start test relay
	15	let relay = TestRelay::start().await;
	16
	17	// Create test keypair
	18	let keys = Keys::generate();
	19
	20	// Create a state event without any announcement
	21	let state_event = EventBuilder::new(
	22	Kind::RepoState,
	23	"",
	24	)
	25	.tags([
	26	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	27	Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
	28	])
	29	.sign_with_keys(&keys)
	30	.unwrap();
	31
	32	// Connect to relay
	33	let client = Client::default();
	34	client.add_relay(relay.url()).await.unwrap();
	35	client.connect().await;
	36
	37	// Try to send state event
	38	let result = client.send_event(&state_event).await;
	39
	40	// Should be rejected
	41	match result {
	42	Ok(output) => {
	43	assert!(
	44	!output.success.is_empty() \|\| !output.failed.is_empty(),
	45	"Event should be processed"
	46	);
	47	// Check if any relay rejected it
	48	let rejected = output.failed.values().any(\|err\| {
	49	err.to_string().contains("no announcement exists")
	50	});
	51	assert!(rejected, "Event should be rejected due to missing announcement");
	52	}
	53	Err(e) => {
	54	// Also acceptable - relay rejected the event
	55	assert!(
	56	e.to_string().contains("no announcement exists") \|\|
	57	e.to_string().contains("rejected"),
	58	"Error should indicate missing announcement: {}",
	59	e
	60	);
	61	}
	62	}
	63
	64	relay.stop().await;
	65	}
	66
	67	#[tokio::test]
	68	async fn test_reject_state_from_unauthorized_author() {
	69	// Start test relay
	70	let relay = TestRelay::start().await;
	71
	72	// Create two keypairs: one for announcement, one for unauthorized state
	73	let announcement_keys = Keys::generate();
	74	let unauthorized_keys = Keys::generate();
	75
	76	// Create announcement
	77	let announcement = EventBuilder::new(
	78	Kind::GitRepoAnnouncement,
	79	"",
	80	)
	81	.tags([
	82	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	83	Tag::custom(TagKind::custom("clone"), [format!("https://{}/test.git", relay.domain())]),
	84	Tag::custom(TagKind::custom("relays"), [relay.url()]),
	85	])
	86	.sign_with_keys(&announcement_keys)
	87	.unwrap();
	88
	89	// Connect to relay
	90	let client = Client::default();
	91	client.add_relay(relay.url()).await.unwrap();
	92	client.connect().await;
	93
	94	// Send announcement
	95	client.send_event(&announcement).await.unwrap();
	96
	97	// Wait for announcement to be processed
	98	tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
	99
	100	// Try to send state event from unauthorized author
	101	let state_event = EventBuilder::new(
	102	Kind::RepoState,
	103	"",
	104	)
	105	.tags([
	106	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	107	Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
	108	])
	109	.sign_with_keys(&unauthorized_keys)
	110	.unwrap();
	111
	112	let result = client.send_event(&state_event).await;
	113
	114	// Should be rejected
	115	match result {
	116	Ok(output) => {
	117	let rejected = output.failed.values().any(\|err\| {
	118	err.to_string().contains("not authorized")
	119	});
	120	assert!(rejected, "Event should be rejected due to unauthorized author");
	121	}
	122	Err(e) => {
	123	assert!(
	124	e.to_string().contains("not authorized") \|\|
	125	e.to_string().contains("rejected"),
	126	"Error should indicate unauthorized author: {}",
	127	e
	128	);
	129	}
	130	}
	131
	132	relay.stop().await;
	133	}
	134
	135	#[tokio::test]
	136	async fn test_accept_state_from_announcement_author() {
	137	// Start test relay
	138	let relay = TestRelay::start().await;
	139
	140	// Create keypair
	141	let keys = Keys::generate();
	142
	143	// Create announcement
	144	let announcement = EventBuilder::new(
	145	Kind::GitRepoAnnouncement,
	146	"",
	147	)
	148	.tags([
	149	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	150	Tag::custom(TagKind::custom("clone"), [format!("https://{}/test.git", relay.domain())]),
	151	Tag::custom(TagKind::custom("relays"), [relay.url()]),
	152	])
	153	.sign_with_keys(&keys)
	154	.unwrap();
	155
	156	// Connect to relay
	157	let client = Client::default();
	158	client.add_relay(relay.url()).await.unwrap();
	159	client.connect().await;
	160
	161	// Send announcement
	162	client.send_event(&announcement).await.unwrap();
	163
	164	// Wait for announcement to be processed
	165	tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
	166
	167	// Send state event from same author (should be accepted or go to purgatory)
	168	let state_event = EventBuilder::new(
	169	Kind::RepoState,
	170	"",
	171	)
	172	.tags([
	173	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	174	Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
	175	])
	176	.sign_with_keys(&keys)
	177	.unwrap();
	178
	179	let result = client.send_event(&state_event).await;
	180
	181	// Should be accepted or go to purgatory (not permanently rejected)
	182	match result {
	183	Ok(output) => {
	184	// Check that it wasn't permanently rejected
	185	let permanently_rejected = output.failed.values().any(\|err\| {
	186	let err_str = err.to_string();
	187	err_str.contains("not authorized") \|\| err_str.contains("no announcement exists")
	188	});
	189	assert!(
	190	!permanently_rejected,
	191	"Event should not be permanently rejected when author is authorized"
	192	);
	193	}
	194	Err(e) => {
	195	// Purgatory is acceptable
	196	assert!(
	197	e.to_string().contains("purgatory") \|\|
	198	e.to_string().contains("waiting for git"),
	199	"Error should be about purgatory, not authorization: {}",
	200	e
	201	);
	202	}
	203	}
	204
	205	relay.stop().await;
	206	}
	207
	208	#[tokio::test]
	209	async fn test_accept_state_from_maintainer() {
	210	// Start test relay
	211	let relay = TestRelay::start().await;
	212
	213	// Create two keypairs: owner and maintainer
	214	let owner_keys = Keys::generate();
	215	let maintainer_keys = Keys::generate();
	216
	217	// Create announcement with maintainer
	218	let announcement = EventBuilder::new(
	219	Kind::GitRepoAnnouncement,
	220	"",
	221	)
	222	.tags([
	223	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	224	Tag::custom(TagKind::custom("clone"), [format!("https://{}/test.git", relay.domain())]),
	225	Tag::custom(TagKind::custom("relays"), [relay.url()]),
	226	Tag::custom(TagKind::custom("maintainers"), [maintainer_keys.public_key().to_hex()]),
	227	])
	228	.sign_with_keys(&owner_keys)
	229	.unwrap();
	230
	231	// Connect to relay
	232	let client = Client::default();
	233	client.add_relay(relay.url()).await.unwrap();
	234	client.connect().await;
	235
	236	// Send announcement
	237	client.send_event(&announcement).await.unwrap();
	238
	239	// Wait for announcement to be processed
	240	tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
	241
	242	// Send state event from maintainer
	243	let state_event = EventBuilder::new(
	244	Kind::RepoState,
	245	"",
	246	)
	247	.tags([
	248	Tag::custom(TagKind::custom("d"), ["test-repo"]),
	249	Tag::custom(TagKind::custom("refs/heads/main"), ["abc123"]),
	250	])
	251	.sign_with_keys(&maintainer_keys)
	252	.unwrap();
	253
	254	let result = client.send_event(&state_event).await;
	255
	256	// Should be accepted or go to purgatory (not permanently rejected)
	257	match result {
	258	Ok(output) => {
	259	let permanently_rejected = output.failed.values().any(\|err\| {
	260	let err_str = err.to_string();
	261	err_str.contains("not authorized") \|\| err_str.contains("no announcement exists")
	262	});
	263	assert!(
	264	!permanently_rejected,
	265	"Event should not be permanently rejected when maintainer is authorized"
	266	);
	267	}
	268	Err(e) => {
	269	// Purgatory is acceptable
	270	assert!(
	271	e.to_string().contains("purgatory") \|\|
	272	e.to_string().contains("waiting for git"),
	273	"Error should be about purgatory, not authorization: {}",
	274	e
	275	);
	276	}
	277	}
	278
	279	relay.stop().await;
	280	}