From 09025b8435f673779ce109e2fb72ce48a13bf28e Mon Sep 17 00:00:00 2001 From: DanConwayDev Date: Thu, 27 Nov 2025 15:23:59 +0000 Subject: fix(auth): accept state announcements from maintainers Updated get_maintainers_recursive() to properly handle maintainers listed in accepted repository announcements: 1. Separated 'visited' set (cycle prevention) from 'maintainers' set (result) 2. Maintainers listed in an announcement's 'maintainers' tag are now added to the maintainer set immediately, even without their own announcement 3. Recursively traverse maintainer chains to handle multi-level delegation Also fixed RecursiveMaintainerRepoAndState fixture to publish the maintainer's announcement (which lists the recursive maintainer) before publishing the recursive maintainer's announcement, establishing the proper trust chain: Owner -> Maintainer -> RecursiveMaintainer Test results: 7/7 push authorization tests passing --- grasp-audit/src/fixtures.rs | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'grasp-audit/src') diff --git a/grasp-audit/src/fixtures.rs b/grasp-audit/src/fixtures.rs index 3e21eae..45a413d 100644 --- a/grasp-audit/src/fixtures.rs +++ b/grasp-audit/src/fixtures.rs @@ -533,6 +533,12 @@ impl<'a> TestContext<'a> { .ok_or_else(|| anyhow::anyhow!("Missing d tag in owner repo announcement"))? .to_string(); + // Build and send the maintainer's repo announcement first + // This establishes the chain: Owner -> Maintainer -> RecursiveMaintainer + // The maintainer's announcement lists the recursive maintainer in its maintainers tag + let maintainer_announcement = self.build_maintainer_announcement(&repo_id).await?; + self.client.send_event(maintainer_announcement).await?; + // Build and send the recursive maintainer's repo announcement let recursive_maintainer_announcement = self.build_recursive_maintainer_announcement(&repo_id).await?; self.client.send_event(recursive_maintainer_announcement).await?; -- cgit v1.2.3
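Review bot: The added `self.client.send_event(maintainer_announcement).await?;` means this fixture now always builds the complete Owner -> Maintainer -> RecursiveMaintainer chain, so it only shows that a valid delegation is accepted; nothing visible here checks that the recursive maintainer is refused when the middle link is missing or not listed by the owner. The commit message says maintainers named in a `maintainers` tag are now added to the set even without their own announcement, so the broken-chain case is the one worth pinning in a test, though it may already exist outside this hunk. I would extend the new comment to state the dependency, e.g. `// Trust flows only through accepted announcements: without this event the recursive maintainer is expected to be rejected.` The bare `?` on the new send also loses which announcement the relay refused; if `anyhow::Context` is in scope, `.context("sending maintainer repo announcement")` would make that failure easier to diagnose. The enclosing method starts and ends outside the hunk.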