b503aa6 radicle: validations — heartwood

modified radicle-cli/src/commands/publish.rs

@@ -106,7 +106,14 @@ pub fn run(options: Options, ctx: impl term::Context) -> anyhow::Result<()> {

     identity.update("Publish repository", "", &doc, &signer)?;
     repo.sign_refs(&signer)?;
     repo.set_identity_head()?;
     repo.validate()?;
     let validations = repo.validate()?;
     if !validations.is_empty() {
         for err in validations {
             term::error(format!("Error: validation error {err}"));
         }
         anyhow::bail!("fatal error: repository storage is corrupt");
     }
     term::success!(
         "Repository is now {}",

modified radicle-node/src/tests/e2e.rs

@@ -196,10 +196,15 @@ fn test_replication() {

     assert_eq!(inventory.first(), Some(&acme));
     assert_eq!(alice_refs, bob_refs);
     assert_matches!(alice.storage.repository(acme).unwrap().validate(), Ok(()));
     assert_matches!(
         alice.storage.repository(acme).unwrap().validate(),
         Ok(validations) if validations.is_empty()
     );
 }
 // TODO: ignoring as this is being fixed in incoming fetch changes
 #[test]
 #[ignore]
 fn test_replication_no_delegates() {
     logger::init(log::Level::Debug);

@@ -282,7 +287,7 @@ fn test_replication_invalid() {

     assert_eq!(remotes.next().unwrap().unwrap(), bob.id);
     assert!(remotes.next().is_none());
     repo.validate().unwrap();
     assert!(repo.validate().unwrap().is_empty());
 }
 #[test]

@@ -332,7 +337,10 @@ fn test_migrated_clone() {

         .unwrap();
     assert_eq!(alice_refs, bob_refs);
     assert_matches!(alice.storage.repository(acme).unwrap().validate(), Ok(()));
     assert_matches!(
         alice.storage.repository(acme).unwrap().validate(),
         Ok(validations) if validations.is_empty()
     );
 }
 #[test]

modified radicle-node/src/worker/fetch.rs

@@ -12,7 +12,7 @@ use radicle::git::{url, Namespaced};

 use radicle::prelude::{Doc, Id, NodeId};
 use radicle::storage::git::Repository;
 use radicle::storage::refs::IDENTITY_BRANCH;
 use radicle::storage::{Namespaces, RefUpdate, Remote, RemoteId};
 use radicle::storage::{Namespaces, RefUpdate, Remote, RemoteId, Validation, Validations};
 use radicle::storage::{ReadRepository, ReadStorage, WriteRepository, WriteStorage};
 use radicle::{git, Storage};

@@ -119,8 +119,8 @@ enum VerifiedRemote {

         // Nb. unused but we want to ensure that we verify the identity
         _doc: Doc<Verified>,
         remote: Remote<Verified>,
         /// Unsigned refs.
         unsigned: Vec<git::RefString>,
         /// Validation errors
         validations: Validations,
     },
     UpToDate,
 }

@@ -332,12 +332,20 @@ impl<'a> StagingPhaseFinal<'a> {

                         vec![]
                     }
                     VerifiedRemote::Success {
                         remote, unsigned, ..
                         remote,
                         validations,
                         ..
                     } => {
                         let ns = remote.id.to_namespace();
                         let mut refspecs = vec![];
                         let mut unsigned = Vec::new();
                         // Unsigned refs should be deleted.
                         for validation in validations {
                             if let Validation::UnsignedRef(name) = validation {
                                 unsigned.push(name);
                             }
                         }
                         delete.insert((remote.id, unsigned));
                         //  First add the standard git refs.

@@ -438,7 +446,7 @@ impl<'a> StagingPhaseFinal<'a> {

         // foot with storage inconsistencies.
         radicle::debug_assert_matches!(
             production.validate(),
             Ok(()),
             Ok(validations) if validations.is_empty(),
             "repository {} is not valid",
             production.id,
         );

@@ -522,10 +530,10 @@ impl<'a> StagingPhaseFinal<'a> {

                 // Nb. We aren't verifying this specific remote's identity branch.
                 let verification = match self.repo.identity_doc() {
                     Ok(doc) => match self.repo.validate_remote(&remote) {
                         Ok(unsigned) => VerifiedRemote::Success {
                         Ok(validations) => VerifiedRemote::Success {
                             _doc: doc.into(),
                             remote,
                             unsigned,
                             validations,
                         },
                         Err(e) => VerifiedRemote::Failed {
                             reason: e.to_string(),

modified radicle/src/storage.rs

@@ -11,7 +11,7 @@ use serde::{Deserialize, Serialize};

 use thiserror::Error;
 use crypto::{PublicKey, Signer, Unverified, Verified};
 pub use git::VerifyError;
 pub use git::{Validation, Validations};
 pub use radicle_git_ext::Oid;
 use crate::cob;

@@ -131,10 +131,10 @@ pub enum FetchError {

     Io(#[from] io::Error),
     #[error(transparent)]
     Refs(#[from] refs::Error),
     #[error("verify: {0}")]
     Verify(#[from] git::VerifyError),
     #[error(transparent)]
     Storage(#[from] Error),
     #[error("failed to validate remote layouts in storage")]
     Validation { validations: Validations },
     #[error("repository head: {0}")]
     SetHead(#[from] DocError),
     #[error("repository: {0}")]

@@ -362,18 +362,19 @@ pub trait ReadRepository: Sized {

     fn blob(&self, oid: Oid) -> Result<git2::Blob, git_ext::Error>;
     /// Validate all remotes with [`ReadRepository::validate_remote`].
     fn validate(&self) -> Result<(), VerifyError> {
     fn validate(&self) -> Result<Validations, Error> {
         let mut failures = Validations::default();
         for (_, remote) in self.remotes()? {
             self.validate_remote(&remote)?;
             failures.append(&mut self.validate_remote(&remote)?);
         }
         Ok(())
         Ok(failures)
     }
     /// Validates a remote's signed refs and identity.
     ///
     /// Returns any ref found under that remote that isn't signed.
     /// If a signed ref is missing from the repository, an error is returned.
     fn validate_remote(&self, remote: &Remote<Verified>) -> Result<Vec<RefString>, VerifyError>;
     fn validate_remote(&self, remote: &Remote<Verified>) -> Result<Validations, Error>;
     /// Get the head of this repository.
     ///

modified radicle/src/storage/git.rs

@@ -3,6 +3,7 @@ pub mod cob;

 pub mod transport;
 use std::collections::{BTreeMap, HashMap, HashSet};
 use std::ops::{Deref, DerefMut};
 use std::path::{Path, PathBuf};
 use std::{fs, io};

@@ -216,16 +217,60 @@ pub struct Repository {

     pub backend: git2::Repository,
 }
 /// A set of [`Validation`] errors that a caller **must use**.
 #[must_use]
 #[derive(Debug, Default)]
 pub struct Validations(pub Vec<Validation>);
 impl Validations {
     pub fn append(&mut self, vs: &mut Self) {
         self.0.append(&mut vs.0)
     }
 }
 impl IntoIterator for Validations {
     type Item = Validation;
     type IntoIter = std::vec::IntoIter<Self::Item>;
     fn into_iter(self) -> Self::IntoIter {
         self.0.into_iter()
     }
 }
 impl Deref for Validations {
     type Target = Vec<Validation>;
     fn deref(&self) -> &Self::Target {
         &self.0
     }
 }
 impl DerefMut for Validations {
     fn deref_mut(&mut self) -> &mut Self::Target {
         &mut self.0
     }
 }
 /// Validation errors that can occur when verifying the layout of the
 /// storage. These errors include checking the validity of the
 /// `rad/sigrefs` contents and the identity of the repository.
 #[derive(Debug, Error)]
 pub enum VerifyError {
     #[error("invalid target `{2}` for reference `{1}` of remote `{0}`")]
     InvalidRefTarget(RemoteId, RefString, git2::Oid),
     #[error("refs error: {0}")]
     Refs(#[from] refs::Error),
     #[error("missing reference `{1}` in remote `{0}`")]
     MissingRef(RemoteId, git::RefString),
     #[error(transparent)]
     Storage(#[from] Error),
 pub enum Validation {
     #[error("found unsigned ref `{0}`")]
     UnsignedRef(RefString),
     #[error("{refname}: expected {expected}, but found {actual}")]
     MismatchedRef {
         expected: Oid,
         actual: Oid,
         refname: RefString,
     },
     #[error("missing `refs/namespaces/{remote}/{refname}`")]
     MissingRef {
         remote: RemoteId,
         refname: RefString,
     },
     #[error("missing `refs/namespaces/{0}/refs/rad/sigrefs`")]
     MissingRadSigRefs(RemoteId),
 }
 impl Repository {

@@ -380,35 +425,49 @@ impl ReadRepository for Repository {

         self.backend.find_blob(oid.into()).map_err(git::Error::from)
     }
     fn validate_remote(&self, remote: &Remote<Verified>) -> Result<Vec<RefString>, VerifyError> {
     fn validate_remote(&self, remote: &Remote<Verified>) -> Result<Validations, Error> {
         // Contains a copy of the signed refs of this remote.
         let mut signed = BTreeMap::from((*remote.refs).clone());
         let mut unsigned = Vec::new();
         let mut failures = Validations::default();
         let mut has_sigrefs = false;
         // Check all repository references, making sure they are present in the signed refs map.
         for (refname, oid) in self.references_of(&remote.id)? {
             // Skip validation of the signed refs branch, as it is not part of `Remote`.
             if refname == refs::SIGREFS_BRANCH.to_ref_string() {
                 has_sigrefs = true;
                 continue;
             }
             if let Some(signed_oid) = signed.remove(&refname) {
                 if oid != signed_oid {
                     return Err(VerifyError::InvalidRefTarget(remote.id, refname, *oid));
                     failures.push(Validation::MismatchedRef {
                         refname,
                         expected: signed_oid,
                         actual: oid,
                     });
                 }
             } else {
                 unsigned.push(refname);
                 failures.push(Validation::UnsignedRef(refname));
             }
         }
         if !has_sigrefs {
             failures.push(Validation::MissingRadSigRefs(remote.id));
         }
         // The refs that are left in the map, are ones that were signed, but are not
         // in the repository. If any are left, bail.
         if let Some((name, _)) = signed.into_iter().next() {
             return Err(VerifyError::MissingRef(remote.id, name));
             failures.push(Validation::MissingRef {
                 refname: name,
                 remote: remote.id,
             });
         }
         // Nb. As it stands, it doesn't make sense to verify a single remote's identity branch,
         // since it is a COB.
         Ok(unsigned)
         Ok(failures)
     }
     fn reference(

modified radicle/src/storage/git/cob.rs

@@ -12,7 +12,7 @@ use crate::git::*;

 use crate::storage;
 use crate::storage::Error;
 use crate::storage::{
     git::{Remote, Remotes, VerifyError},
     git::{Remote, Remotes, Validations},
     ReadRepository, Verified,
 };
 use crate::{

@@ -248,10 +248,7 @@ impl<'a, R: storage::ReadRepository> ReadRepository for DraftStore<'a, R> {

         self.repo.canonical_head()
     }
     fn validate_remote(
         &self,
         remote: &Remote<Verified>,
     ) -> Result<Vec<fmt::RefString>, VerifyError> {
     fn validate_remote(&self, remote: &Remote<Verified>) -> Result<Validations, Error> {
         self.repo.validate_remote(remote)
     }

modified radicle/src/test.rs

@@ -59,7 +59,10 @@ pub fn fetch<W: WriteRepository>(

     repo.set_identity_head()?;
     repo.set_head()?;
     repo.validate()?;
     let validations = repo.validate()?;
     if !validations.is_empty() {
         return Err(crate::storage::FetchError::Validation { validations });
     }
     Ok(updates)
 }

modified radicle/src/test/storage.rs

@@ -141,11 +141,8 @@ impl ReadRepository for MockRepository {

         todo!()
     }
     fn validate_remote(
         &self,
         _remote: &Remote<Verified>,
     ) -> Result<Vec<fmt::RefString>, VerifyError> {
         Ok(vec![])
     fn validate_remote(&self, _remote: &Remote<Verified>) -> Result<Validations, Error> {
         Ok(Validations::default())
     }
     fn path(&self) -> &std::path::Path {