z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi 99c549702e2bcfe02b0e68d4a2224fb7a1524529

z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk e9f48ef90fe8592e1b1c95f96c21a59ca1495300

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi 99c549702e2bcfe02b0e68d4a2224fb7a1524529

        ├── root

        ├── root

        ├── root

        ├── root

        ├── root

        ├── root

        ├── root

        ├── root

$ rad watch --repo rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji --node z6Mkux1aUQD2voWWukVb5nNUR7thrHveQG4pDQua8nVhib7Z -r 'refs/rad/sigrefs' -t c9a828fc2fb01f893d6e6e9e17b9092dea2b3aba -i 500 --timeout 5000

        ├── root

        ├── root

        ├── root

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi ae3c6b77dc1ed51c1c1e6a2772339c2779fa9ba8

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi ae3c6b77dc1ed51c1c1e6a2772339c2779fa9ba8

z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk dace6fe948548168a2bb687718949d9b5d9076ee

        ├── root

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi 99c549702e2bcfe02b0e68d4a2224fb7a1524529

        ├── root

        ├── root

│ ●   alice   (you)             alice.radicle.example:8776   unannounced   056b1db   [  ...  ] │

│ ●   bob     z6Mkt67…v4N1tRk   bob.radicle.example:8776     out-of-sync   99c5497   [  ...  ] │

│ ●   eve     z6Mkux1…nVhib7Z   eve.radicle.example:8776     out-of-sync   99c5497   [  ...  ] │

│ ●   alice   (you)             alice.radicle.example:8776            056b1db   [  ...  ] │

│ ●   bob     z6Mkt67…v4N1tRk   bob.radicle.example:8776     synced   056b1db   [  ...  ] │

│ ●   eve     z6Mkux1…nVhib7Z   eve.radicle.example:8776     synced   056b1db   [  ...  ] │

use radicle::storage::refs::{RefsAt, SignedRefsAt, IDENTITY_ROOT};

    pub fn signed_refs_at<R: ReadRepository>(

        &self,

        mut refs: Refs,

        at: radicle::git::Oid,

        repo: &R,

    ) -> SignedRefsAt {

        refs.insert(IDENTITY_ROOT.to_ref_string(), repo.identity_root().unwrap());

            sigrefs: refs.signed(self.signer()).unwrap().verified(repo).unwrap(),

    let repo = alice.storage_mut().repo_mut(&rid);

    repo.remotes.insert(

        bob.signed_refs_at(arbitrary::gen::<Refs>(8), arbitrary::oid(), repo),

    let sigrefs = bob.signed_refs_at(arbitrary::gen::<Refs>(8), arbitrary::oid(), repo);

    let repo = alice.storage_mut().repo_mut(&rid);

    repo.remotes.insert(

        carol.signed_refs_at(arbitrary::gen::<Refs>(1), oid, repo),

            if r == *git::refs::storage::IDENTITY_ROOT {

                // Don't notify about the peers's identity root pointer. This is only used

                // for sigref verification.

                continue;

            }

    /// For example, this can occur if an operation references another operation

    ) -> Result<(), storage::RepositoryError> {

    SignRefs(Box<storage::RepositoryError>),

        self.repo

            .sign_refs(signer)

            .map_err(|e| Error::SignRefs(Box::new(e)))?;

        // Nb. We can't sign our refs before the identity refs exist, which are created after

        // the identity COB is created. Therefore we manually sign refs when creating identity

        // COBs.

        if T::type_name() != &*crate::cob::identity::TYPENAME {

            self.repo

                .sign_refs(signer)

                .map_err(|e| Error::SignRefs(Box::new(e)))?;

        }

                self.repo

                    .sign_refs(signer)

                    .map_err(|e| Error::SignRefs(Box::new(e)))?;

        /// Where the repo's identity document is stored.

        /// Where the repo's identity root document is stored.

        ///

        /// `refs/rad/root`

        ///

        pub static IDENTITY_ROOT: Lazy<Qualified> = Lazy::new(|| {

            Qualified::from_components(name::component!("rad"), name::component!("root"), None)

        });

        /// Get the root of the branch where the project's identity document is stored.

        ///

        /// `refs/namespaces/<remote>/refs/rad/root`

        ///

        pub fn id_root(remote: &RemoteId) -> Namespaced {

            IDENTITY_ROOT.with_namespace(remote.into())

        }

/// Create an empty commit on top of the parent.

pub fn empty_commit<'a>(

    repo: &'a git2::Repository,

    parent: &'a git2::Commit,

    target: &RefStr,

    message: &str,

    sig: &git2::Signature,

) -> Result<git2::Commit<'a>, git2::Error> {

    let tree = parent.tree()?;

    let oid = repo.commit(Some(target.as_str()), sig, sig, message, &tree, &[parent])?;

    let commit = repo.find_commit(oid)?;

    Ok(commit)

}

#![warn(clippy::unwrap_used)]

    let delegate: identity::Did = signer.public_key().into();

    let (project, identity) = Repository::init(&doc, &storage, signer)?;

    match init_configure(repo, &project, &default_branch, &url, identity, signer) {

    stored: &Repository,

    identity: git::Oid,

    let pk = signer.public_key();

    stored.set_remote_identity_root_to(pk, identity)?;

    stored.set_identity_head_to(identity)?;

    stored.set_head()?;

    let signed = stored.sign_refs(signer)?;

    pub fn verified<R: ReadRepository>(self, repo: &R) -> Result<Remote<Verified>, Error> {

        let refs = self.refs.verified(repo)?;

        let head = self.canonical_identity_head().unwrap();

    /// Set the identity root reference to the canonical identity root commit.

    fn set_remote_identity_root(&self, remote: &RemoteId) -> Result<Oid, RepositoryError> {

        let root = self.identity_root()?;

        self.set_remote_identity_root_to(remote, root)?;

        Ok(root)

    }

    /// Set the identity root reference to the given commit.

    fn set_remote_identity_root_to(

        &self,

        remote: &RemoteId,

        root: Oid,

    ) -> Result<(), RepositoryError>;

    fn sign_refs<G: Signer>(&self, signer: &G) -> Result<SignedRefs<Verified>, RepositoryError>;

    ReadRepository, ReadStorage, Remote, Remotes, RepositoryInfo, SetHead, SignRepository,

    WriteRepository, WriteStorage,

pub use crate::storage::{Error, RepositoryError};

        let root = self

            .revwalk(oid.into())?

        self.reference_oid(remote, &git::refs::storage::IDENTITY_ROOT)

            .map_err(RepositoryError::from)

    fn set_remote_identity_root_to(

        &self,

        remote: &RemoteId,

        root: Oid,

    ) -> Result<(), RepositoryError> {

        let refname = git::refs::storage::id_root(remote);

        self.raw()

            .reference(refname.as_str(), *root, true, "set-id-root (radicle)")?;

        Ok(())

    }

    fn sign_refs<G: Signer>(&self, signer: &G) -> Result<SignedRefs<Verified>, RepositoryError> {

        // Ensure the root reference is set, which is checked during sigref verification.

        if self.identity_root_of(remote).is_err() {

            self.set_remote_identity_root(remote)?;

        }

        let signed = refs.signed(signer)?.verified(self)?;

            vec![

                &cob,

                "refs/heads/master",

                "refs/rad/id",

                "refs/rad/root",

                "refs/rad/sigrefs"

            ]

        let (rid, _, working, _) =

            fixtures::project(tmp.path().join("project"), &storage, &signer).unwrap();

        let stored = storage.repository(rid).unwrap();

        let head = working.head().unwrap().peel_to_commit().unwrap();

            &working,

            &head.tree().unwrap(),

        let signed = stored.sign_refs(&signer).unwrap();

        let remote = stored.remote(&alice).unwrap();

        let mut unsigned = stored.references_of(&alice).unwrap();

pub use crate::cob::{store, ObjectId, Store};

    ) -> Result<storage::refs::SignedRefs<Verified>, RepositoryError> {

use crate::storage::{ReadRepository, RemoteId, RepoId, WriteRepository};

    #[error("missing identity root reference '{0}'")]

    MissingIdentityRoot(git::RefString),

    #[error("missing identity object '{0}'")]

    MissingIdentity(Oid),

    #[error("mismatched identity: local {local}, remote {remote}")]

    MismatchedIdentity { local: RepoId, remote: RepoId },

    pub fn verified<R: ReadRepository>(

        repo: &R,

        SignedRefs::new(self, signer, signature).verified(repo)

    pub fn signed<G>(self, signer: &G) -> Result<SignedRefs<Unverified>, Error>

        Ok(SignedRefs::new(refs, *signer.public_key(), signature))

    pub fn new(refs: Refs, author: PublicKey, signature: Signature) -> Self {

            id: author,

    pub fn verified<R: ReadRepository>(self, repo: &R) -> Result<SignedRefs<Verified>, Error> {

        match self.verify(repo) {

    pub fn verify<R: ReadRepository>(&self, repo: &R) -> Result<(), Error> {

        let local = repo.id();

        // Verify signature.

        if let Err(e) = self.id.verify(canonical, &self.signature) {

            return Err(e.into());

        // If the identity root was signed, verify it points to the right place.

        if let Some(id_root) = self.refs.get(&IDENTITY_ROOT) {

            // Get the identity at the given oid.

            let Ok(doc) = repo.identity_doc_at(id_root) else {

                return Err(Error::MissingIdentity(id_root));

            };

            let remote = RepoId::from(doc.blob);

            // Make sure the signed identity points to the local repo identity.

            if remote != local {

                return Err(Error::MismatchedIdentity { local, remote });

            }

        } else {

            // TODO(cloudhead): Make this into a hard error (`Error::MissingIdentityRoot`) for

            // repos that have migrated to the new identity document schema.

            log::debug!(

                target: "storage",

                "Signed ref verification for {} in {local}: {} is not provided",

                self.id, *IDENTITY_ROOT

            );

        }

        Ok(())

        let refs = Refs::from_canonical(refs.content())?;

        SignedRefs::new(refs, remote, signature).verified(repo)

                return Ok(Updated::Unchanged { oid: at });

    use crypto::test::signer::MockSigner;

    use storage::{git::transport, RemoteRepository, SignRepository, WriteStorage};

    use super::*;

    use crate::assert_matches;

    use crate::{cob::identity::Identity, rad, test::fixtures, Storage};

    #[test]

    // Test that a user's signed refs are tied to a specific RID, and they can't simply be

    // used in a different repository.

    //

    // We create two repos, `paris` and `london`, and we copy over Bob's signed refs from `paris`

    // to `london`. We expect that this does not cause the canonical head of the `london` repo

    // to change, despite Bob being a delegate of both repos, because the refs were signed for the

    // `paris` repo. We also don't expected the signed refs to validate without error.

    fn test_rid_verification() {

        let tmp = tempfile::tempdir().unwrap();

        let alice = MockSigner::default();

        let bob = MockSigner::default();

        let storage = &Storage::open(tmp.path().join("storage"), fixtures::user()).unwrap();

        transport::local::register(storage.clone());

        // Alice creates "paris" repo.

        let (paris_repo, paris_head) = fixtures::repository(tmp.path().join("paris"));

        let (paris_rid, mut paris_doc, _) = rad::init(

            &paris_repo,

            "paris".try_into().unwrap(),

            "Paris repository",

            git::refname!("master"),

            Default::default(),

            &alice,

            storage,

        )

        .unwrap();

        // Alice creates "london" repo.

        let (london_repo, _london_head) = fixtures::repository(tmp.path().join("london"));

        let (london_rid, mut london_doc, _) = rad::init(

            &london_repo,

            "london".try_into().unwrap(),

            "London repository",

            git::refname!("master"),

            Default::default(),

            &alice,

            storage,

        )

        .unwrap();

        assert_ne!(london_rid, paris_rid);

        log::debug!(target: "test", "London RID: {london_rid}");

        log::debug!(target: "test", "Paris RID: {paris_rid}");

        let paris = storage.repository_mut(paris_rid).unwrap();

        let london = storage.repository_mut(london_rid).unwrap();

        // Bob is added to both repos as a delegate, by Alice.

        {

            paris_doc.delegates.push(bob.public_key().into());

            london_doc.delegates.push(bob.public_key().into());

            let mut paris_ident = Identity::load_mut(&paris).unwrap();

            let mut london_ident = Identity::load_mut(&london).unwrap();

            paris_ident

                .update("Add Bob", "", &paris_doc, &alice)

                .unwrap();

            london_ident

                .update("Add Bob", "", &london_doc, &alice)

                .unwrap();

        }

        // Now Bob checks out a copy of the `paris` repository and pushes a commit to the

        // default branch (master). We store the OID of that commti in `bob_head`, as this

        // is the commit we will try to get the `london` repo to point to.

        let (bob_paris_sigrefs, bob_head) = {

            let bob_working = rad::checkout(

                paris.id,

                bob.public_key(),

                tmp.path().join("working"),

                &storage,

            )

            .unwrap();

            let paris_head = bob_working.find_commit(paris_head).unwrap();

            let bob_sig = git2::Signature::now("bob", "bob@example.com").unwrap();

            let bob_head = git::empty_commit(

                &bob_working,

                &paris_head,

                git::refname!("refs/heads/master").as_refstr(),

                "Bob's commit",

                &bob_sig,

            )

            .unwrap();

            let mut bob_master_ref = bob_working.find_reference("refs/heads/master").unwrap();

            bob_master_ref.set_target(bob_head.id(), "").unwrap();

            bob_working

                .find_remote("rad")

                .unwrap()

                .push(&["refs/heads/master"], None)

                .unwrap();

            let sigrefs = paris.sign_refs(&bob).unwrap();

            assert_eq!(

                sigrefs

                    .get(&git_ext::ref_format::qualified!("refs/heads/master"))

                    .unwrap(),

                bob_head.id().into()

            );

            (sigrefs, bob_head.id())

        };

        {

            // Sanity check: make sure the default branches don't already match between Alice and Bob.

            let alice_paris_sigrefs = SignedRefsAt::load(*alice.public_key(), &paris)

                .unwrap()

                .unwrap();

            assert_ne!(

                alice_paris_sigrefs

                    .get(&git_ext::ref_format::qualified!("refs/heads/master"))

                    .unwrap(),

                bob_paris_sigrefs

                    .get(&git_ext::ref_format::qualified!("refs/heads/master"))

                    .unwrap()

            );

        }

        {

            // For the graft to work, we also have to copy over the objects that Bob created in

            // `paris`, so that the grafted signed refs point to valid objects.

            let paris_odb = paris.raw().odb().unwrap();

            let london_odb = london.raw().odb().unwrap();

            paris_odb

                .foreach(|oid| {

                    let obj = paris_odb.read(*oid).unwrap();

                    london_odb.write(obj.kind(), obj.data()).unwrap();

                    true

                })

                .unwrap();

        }

        // Now we're going to "graft" Bob's signed refs from `paris` to `london`.

        // We save Bob's `paris` signed refs in the `london` repo, performing the graft, and update

        // Bob's `master` branch reference to point to his commit, created in the `paris` repo. This

        // only modifies his own namespace. Note that anyone (eg. Eve) could create a reference

        // under her copy of Bob's namespace, and this would only be rejected during signed ref

        // validation.

        let result = bob_paris_sigrefs.save(&london).unwrap();

        assert_matches!(result, Updated::Updated { .. });

        london

            .raw()

            .reference(

                git::refs::storage::branch_of(bob.public_key(), &git::refname!("master")).as_str(),

                bob_head,

                false,

                "",

            )

            .unwrap();

        // Due to the verification, we get a validation error when trying to load Bob's remote.

        // The graft is not allowed.

        assert_matches!(

            london.remote(bob.public_key()),

            Err(Error::MismatchedIdentity {

                local,

                remote,

            })

            if local == london_rid && remote == paris_rid

        );

    }

        let doc = gen::<DocAt>(1);

        let id = RepoId::from(doc.blob);

                doc,

impl Arbitrary for storage::Remotes<crypto::Unverified> {

        let remotes: RandomMap<storage::RemoteId, storage::Remote<crypto::Unverified>> =

        let author = PublicKey::arbitrary(g);

        Self::new(refs, author, signature)

impl Arbitrary for storage::Remote<crypto::Unverified> {

        storage::Remote::<crypto::Unverified>::new(signed)

        Ok(self.doc.commit)

        Ok(self.doc.commit)

        Ok(self.doc.commit)

        Ok(self.doc.commit)

    fn set_remote_identity_root_to(

        &self,

        _remote: &RemoteId,

        _root: Oid,

    ) -> Result<(), RepositoryError> {

        todo!()

    }

    ) -> Result<crate::storage::refs::SignedRefs<Verified>, RepositoryError> {