authorIndeedNotJames <git@indeednotjames.com>2023-03-01 23:44:21 +0100
committerIndeedNotJames <git@indeednotjames.com>2023-03-01 23:44:21 +0100
commit249f6c4c1df410ee339a8136416092fdcc0b16c2 (patch)
treead6dad28f94ba92ddc926ebdf644b30c8284add2 /nixos/tests/gitea.nix
parent29211dc4b4b67d30a18f2e3f315d5a8f18129e62 (diff)
nixos/tests/gitea: test gpg commit signing key
`/api/v1/signing-key.gpg` spawns a `gpg` process,
which is great to test if `gpg` is available
and can be invoked from in the unit.

Which is somewhat relevant, since `gpg` was
missing from the unit's `$PATH` until recently.

And even after adding `gpg` to the unit's `$PATH`,
configuring commit signing for an instance
resulted in http/500s nonetheless.

That's due to `@memlock` being present in
`SystemCallFilter=~` and `gpg` trying to
use `mlock` (probably to prevent secrets
in the memory to swap), resulting in an
immediate `SIGKILL` of any spawned `gpg` processes.
Diffstat (limited to 'nixos/tests/gitea.nix')
-rw-r--r--nixos/tests/gitea.nix25
1 files changed, 24 insertions, 1 deletions
diff --git a/nixos/tests/gitea.nix b/nixos/tests/gitea.nix
index d856ecca9a132..da61abd84e89f 100644
--- a/nixos/tests/gitea.nix
+++ b/nixos/tests/gitea.nix
@@ -8,6 +8,21 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
 with pkgs.lib;
 
 let
+  ## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign
+  signingPrivateKey = ''
+    -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+    lFgEY/6jkBYJKwYBBAHaRw8BAQdADXiZRV8RJUyC9g0LH04wLMaJL9WTc+szbMi7
+    5fw4yP8AAQCl8EwGfzSLm/P6fCBfA3I9znFb3MEHGCCJhJ6VtKYyRw7ktAhzbmFr
+    ZW9pbIiUBBMWCgA8FiEE+wUM6VW/NLtAdSixTWQt6LZ4x50FAmP+o5ACGwMFCQPC
+    ZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEE1kLei2eMedFTgBAKQs1oGFZrCI
+    TZP42hmBTKxGAI1wg7VSdDEWTZxut/2JAQDGgo2sa4VHMfj0aqYGxrIwfP2B7JHO
+    GCqGCRf9O/hzBA==
+    =9Uy3
+    -----END PGP PRIVATE KEY BLOCK-----
+  '';
+  signingPrivateKeyId = "4D642DE8B678C79D";
+
   supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
   makeGiteaTest = type: nameValuePair type (makeTest {
     name = "${giteaPackage.pname}-${type}";
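Review bot: The generation command recorded in the comment above `signingPrivateKey` documents the faked creation date but not the key's expiry, so a reader cannot tell from the file when this fixture stops being a usable signing key. If the key was created with gpg's default `--quick-generate-key` expiry rather than `never`, the 2023-03-01 creation date gives it a fixed lifetime after which Gitea may decline to sign with it, even though `/api/v1/signing-key.gpg` would presumably still export the public part; worth confirming with `gpg --list-keys` on the imported key. I'd extend the comment to `## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign  (expires: <EXPIRY-DATE or never>; throwaway test-only key, committed to a public repo)` so the expiry and the key's scope are explicit next to the material itself.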
@@ -21,8 +36,9 @@ let
           database = { inherit type; };
           package = giteaPackage;
           settings.service.DISABLE_REGISTRATION = true;
+          settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
         };
-        environment.systemPackages = [ giteaPackage pkgs.jq ];
+        environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
         services.openssh.enable = true;
       };
       client1 = { config, pkgs, ... }: {
@@ -59,6 +75,13 @@ let
       server.succeed("curl --fail http://localhost:3000/")
 
       server.succeed(
+          "su -l gitea -c 'gpg --homedir /var/lib/gitea/data/home/.gnupg "
+          + "--import ${toString (pkgs.writeText "gitea.key" signingPrivateKey)}'"
+      )
+
+      assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
+
+      server.succeed(
           "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. "
           + "Please contact your site administrator.'"
       )
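Review bot: The `curl` on the signing-key line omits `--fail`, unlike the two other requests in this hunk, so an HTTP 500 — the exact failure mode the commit message describes for `@memlock` — surfaces as a substring assertion on the response body rather than as a failing command with curl's status line in the log. `assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl --fail http://localhost:3000/api/v1/signing-key.gpg")` keeps the content check and makes a status-code failure explicit. The import step also hard-codes `/var/lib/gitea/data/home/.gnupg` as the gpg homedir; presumably this matches the HOME the gitea unit runs with, but a short comment such as `# import into the gpg homedir under the gitea user's HOME, where the service looks up SIGNING_KEY` would make that dependency visible to the next person who changes the data path. The enclosing testScript starts outside this hunk.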