Implement wasmer whoami #3316
Implement wasmer whoami #3316
Conversation
There was a problem hiding this comment.
Is there a different way to check whether the whoami command succeeds without requiring access to the ciuser token?
Developers shouldn't have access to the ciuser token because it means they can masquerade as a system process (which screws up the audit trail), and that token has admin rights on WAPM so we'd be screwed if the wrong people got their hands on it.
tests/integration/cli/tests/run.rs
Outdated
| #[test] | ||
| fn run_whoami_works() -> anyhow::Result<()> { | ||
| let ciuser_token = std::env::var("WAPM_DEV_TOKEN").expect("no CIUSER / WAPM_DEV_TOKEN token"); | ||
|
|
||
| let output = Command::new(get_wasmer_path()) | ||
| .arg("login") | ||
| .arg("--registry") | ||
| .arg("wapm.dev") | ||
| .arg(ciuser_token) | ||
| .output()?; | ||
|
|
||
| if !output.status.success() { | ||
| bail!( | ||
| "wasmer login failed with: stdout: {}\n\nstderr: {}", | ||
| std::str::from_utf8(&output.stdout) | ||
| .expect("stdout is not utf8! need to handle arbitrary bytes"), | ||
| std::str::from_utf8(&output.stderr) | ||
| .expect("stderr is not utf8! need to handle arbitrary bytes") | ||
| ); | ||
| } | ||
|
|
||
| let output = Command::new(get_wasmer_path()) | ||
| .arg("whoami") | ||
| .arg("--registry") | ||
| .arg("wapm.dev") | ||
| .output()?; | ||
|
|
||
| let stdout = std::str::from_utf8(&output.stdout) | ||
| .expect("stdout is not utf8! need to handle arbitrary bytes"); | ||
|
|
||
| if !output.status.success() { | ||
| bail!( | ||
| "linking failed with: stdout: {}\n\nstderr: {}", | ||
| stdout, | ||
| std::str::from_utf8(&output.stderr) | ||
| .expect("stderr is not utf8! need to handle arbitrary bytes") | ||
| ); | ||
| } | ||
|
|
||
| assert_eq!( | ||
| stdout, | ||
| "logged into registry \"https://registry.wapm.dev/graphql\" as user \"ciuser\"\n" | ||
| ); | ||
|
|
||
| Ok(()) | ||
| } |
There was a problem hiding this comment.
I don't think this test is a good idea.
It assumes the $WAPM_DEV_TOKEN variable is set and that user's name is ciuser, so the only way for integration tests to pass locally is if you have the ciuser token on your computer, which is a massive no-no (no human developers should have access to CI tokens).
We're also trying to contact wapm.dev, which makes the test slow and flaky (e.g. wapm.dev could be having a bad day and always error out).
There was a problem hiding this comment.
Yeah well with network requests, that's kind of a given, otherwise it wouldn't be an integration test. In the worst case the test fails because wapm.dev is down, then we just need to restart the tests on GitHub.
The other part, I think I can require WAPM_DEV_TOKEN if GITHUB_TOKEN is present (true for integration tests in the CI, false for running tests locally).
Co-authored-by: Michael Bryan <[email protected]>
Co-authored-by: Michael Bryan <[email protected]>
|
bors r+ |
|
Build succeeded: |
Note: has to be rebased on the
wasmer loginbranch, otherwise the integration test won't work