source common.sh

requireGit
[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen

enableFeatures "verified-fetches"

clearStore

repo="$TEST_ROOT/git"

# generate signing keys
keysDir=$TEST_ROOT/.ssh
mkdir -p "$keysDir"
ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
key1File="$keysDir/testkey1.pub"
publicKey1=$(awk '{print $2}' "$key1File")
ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
key2File="$keysDir/testkey2.pub"
publicKey2=$(awk '{print $2}' "$key2File")

git init $repo
git -C $repo config user.email "foobar@example.com"
git -C $repo config user.name "Foobar"
git -C $repo config gpg.format ssh

echo 'hello' > $repo/text
git -C $repo add text
git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'

out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'No principal matched.' ]]
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]

echo 'hello world' > $repo/text

# Verification on a dirty repo should fail.
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'dirty' ]]

git -C $repo add text
git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'

[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]

# Flake input test
flakeDir="$TEST_ROOT/flake"
mkdir -p "$flakeDir"
cat > "$flakeDir/flake.nix" <<EOF
{
  inputs.test = {
    type = "git";
    url = "file://$repo";
    flake = false;
    publicKeys = [
      { type = "ssh-rsa"; key = "$publicKey2"; }
    ];
  };

  outputs = { test, ... }: { test = test.outPath; };
}
EOF
nix build --out-link "$flakeDir/result" "$flakeDir#test"
[[ $(cat "$flakeDir/result/text") = 'hello world' ]]

cat > "$flakeDir/flake.nix" <<EOF
{
  inputs.test = {
    type = "git";
    url = "file://$repo";
    flake = false;
    publicKey= "$publicKey1";
  };

  outputs = { test, ... }: { test = test.outPath; };
}
EOF
out=$(nix build "$flakeDir#test" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'No principal matched.' ]]