Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/aesmd.nix | 106 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 3 | ||||
-rw-r--r-- | nixos/tests/bootspec.nix | 26 | ||||
-rw-r--r-- | nixos/tests/headscale.nix | 17 | ||||
-rw-r--r-- | nixos/tests/keymap.nix | 12 | ||||
-rw-r--r-- | nixos/tests/step-ca.nix | 8 | ||||
-rw-r--r-- | nixos/tests/vscodium.nix | 2 | ||||
-rw-r--r-- | nixos/tests/web-apps/peertube.nix | 7 |
8 files changed, 141 insertions, 40 deletions
diff --git a/nixos/tests/aesmd.nix b/nixos/tests/aesmd.nix index 5da661afd5480..848e1c5992014 100644 --- a/nixos/tests/aesmd.nix +++ b/nixos/tests/aesmd.nix @@ -1,7 +1,7 @@ { pkgs, lib, ... }: { name = "aesmd"; meta = { - maintainers = with lib.maintainers; [ veehaitch ]; + maintainers = with lib.maintainers; [ trundle veehaitch ]; }; nodes.machine = { lib, ... }: { 
@@ -25,38 +25,78 @@ # We don't have a real SGX machine in NixOS tests systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ]; + + specialisation = { + withQuoteProvider.configuration = { ... }: { + services.aesmd = { + quoteProviderLibrary = pkgs.sgx-azure-dcap-client; + environment = { + AZDCAP_DEBUG_LOG_LEVEL = "INFO"; + }; + }; + }; + }; }; - testScript = '' - with subtest("aesmd.service starts"): - machine.wait_for_unit("aesmd.service") - status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service") - assert status == 0, "Could not get MainPID of aesmd.service" - main_pid = main_pid.strip() - - with subtest("aesmd.service runtime directory permissions"): - runtime_dir = "/run/aesmd"; - res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip() - assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}" - - with subtest("aesm.socket available on host"): - socket_path = "/var/run/aesmd/aesm.socket" - machine.wait_until_succeeds(f"test -S {socket_path}") - machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})") - for op in [ "-r", "-w", "-x" ]: - machine.succeed(f"sudo -u sgxtest test {op} {socket_path}") - machine.fail(f"sudo -u nosgxtest test {op} {socket_path}") - - with subtest("Copies white_list_cert_to_be_verify.bin"): - whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin" - whitelist_perms = machine.succeed( - f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}" - ).strip() - assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}" - - with subtest("Writes and binds aesm.conf in service namespace"): - aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf") - - assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs" - ''; + testScript = { nodes, ... 
}: + let + specialisations = "${nodes.machine.system.build.toplevel}/specialisation"; + in + '' + def get_aesmd_pid(): + status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service") + assert status == 0, "Could not get MainPID of aesmd.service" + return main_pid.strip() + + with subtest("aesmd.service starts"): + machine.wait_for_unit("aesmd.service") + + main_pid = get_aesmd_pid() + + with subtest("aesmd.service runtime directory permissions"): + runtime_dir = "/run/aesmd"; + res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip() + assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}" + + with subtest("aesm.socket available on host"): + socket_path = "/var/run/aesmd/aesm.socket" + machine.wait_until_succeeds(f"test -S {socket_path}") + machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})") + for op in [ "-r", "-w", "-x" ]: + machine.succeed(f"sudo -u sgxtest test {op} {socket_path}") + machine.fail(f"sudo -u nosgxtest test {op} {socket_path}") + + with subtest("Copies white_list_cert_to_be_verify.bin"): + whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin" + whitelist_perms = machine.succeed( + f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}" + ).strip() + assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}" + + with subtest("Writes and binds aesm.conf in service namespace"): + aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf") + + assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs" + + with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"): + status, environment = machine.systemctl("show --property Environment --value aesmd.service") + assert status == 0, "Could not get Environment of aesmd.service" + env_by_name 
= dict(entry.split("=", 1) for entry in environment.split()) + assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty" + + with subtest("aesmd.service with quote provider library starts"): + machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test') + machine.wait_for_unit("aesmd.service") + + main_pid = get_aesmd_pid() + + with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"): + ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH") + assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \ + "LD_LIBRARY_PATH is not set to the configured quote provider library" + + with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"): + azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL") + assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO" + ''; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 446de6898ce00..e577001a3baf9 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -69,7 +69,7 @@ in { _3proxy = runTest ./3proxy.nix; acme = runTest ./acme.nix; adguardhome = runTest ./adguardhome.nix; - aesmd = runTest ./aesmd.nix; + aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix; agate = runTest ./web-servers/agate.nix; agda = handleTest ./agda.nix {}; airsonic = handleTest ./airsonic.nix {}; @@ -258,6 +258,7 @@ in { haste-server = handleTest ./haste-server.nix {}; haproxy = handleTest ./haproxy.nix {}; hardened = handleTest ./hardened.nix {}; + headscale = handleTest ./headscale.nix {}; healthchecks = handleTest ./web-apps/healthchecks.nix {}; hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; }; hbase_2_4 = handleTest ./hbase.nix { package=pkgs.hbase_2_4; }; 
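Review bot: In the aesmd testScript hunk (the one headed `@@ -25,38 +25,78 @@`), `grep LD_LIBRARY_PATH` over the /proc environ dump matches any variable whose name merely contains that substring, and the `grep AZDCAP_DEBUG_LOG_LEVEL` lookup below it has the same weakness; anchoring the patterns makes the assertions exact: `grep '^LD_LIBRARY_PATH='` and `grep '^AZDCAP_DEBUG_LOG_LEVEL='`. The `env_by_name = dict(entry.split("=", 1) for entry in environment.split())` parse of `systemctl show --property Environment` splits on whitespace, so it presumably breaks as soon as a value contains a space (systemctl quotes such values), and a missing LD_LIBRARY_PATH surfaces as a KeyError rather than the assertion message; `env_by_name.get("LD_LIBRARY_PATH", "")` plus a comment stating the no-spaces assumption would make the intent (unset or empty) explicit. The new helper `get_aesmd_pid` also lacks a docstring; `"""Return the stripped MainPID of aesmd.service as reported by systemctl show."""` would do.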
diff --git a/nixos/tests/bootspec.nix b/nixos/tests/bootspec.nix index 04fd8cd691d26..077dff918e0d2 100644 --- a/nixos/tests/bootspec.nix +++ b/nixos/tests/bootspec.nix @@ -90,6 +90,32 @@ in ''; }; + # Check that initrd create corresponding entries in bootspec. + initrd = makeTest { + name = "bootspec-with-initrd"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + imports = [ standard ]; + environment.systemPackages = [ pkgs.jq ]; + # It's probably the case, but we want to make it explicit here. + boot.initrd.enable = true; + }; + + testScript = '' + import json + + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/bootspec/boot.json") + + bootspec = json.loads(machine.succeed("jq -r '.v1' /run/current-system/bootspec/boot.json")) + + assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled" + ''; + }; + # Check that specialisations create corresponding entries in bootspec. specialisation = makeTest { name = "bootspec-with-specialisation"; diff --git a/nixos/tests/headscale.nix b/nixos/tests/headscale.nix new file mode 100644 index 0000000000000..48658b5dade42 --- /dev/null +++ b/nixos/tests/headscale.nix @@ -0,0 +1,17 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "headscale"; + meta.maintainers = with lib.maintainers; [ misterio77 ]; + + nodes.machine = { ... }: { + services.headscale.enable = true; + environment.systemPackages = [ pkgs.headscale ]; + }; + + testScript = '' + machine.wait_for_unit("headscale") + machine.wait_for_open_port(8080) + # Test basic funcionality + machine.succeed("headscale namespaces create test") + machine.succeed("headscale preauthkeys -n test create") + ''; +}) diff --git a/nixos/tests/keymap.nix b/nixos/tests/keymap.nix index 4306a9ae2cf94..0bde21093b0a2 100644 --- a/nixos/tests/keymap.nix +++ b/nixos/tests/keymap.nix 
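Review bot: The assertion `assert all(key in bootspec for key in ('initrd', 'initrdSecrets'))` in the new `bootspec-with-initrd` test requires both keys to be present, but its failure message says the bootspec "should contain initrd or initrdSecrets"; one side should change, either `any(...)` if either key is enough, or a message reading `"Bootspec should contain both initrd and initrdSecrets fields when initrd is enabled"`. The header comment also has a grammar slip: `# Check that initrd creates corresponding entries in bootspec.`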
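Review bot: The new headscale test runs `headscale preauthkeys -n test create` but checks only the exit status, so a command that succeeds with empty or malformed output still passes; capturing the output and asserting on it, e.g. `key = machine.succeed("headscale preauthkeys -n test create").strip()` followed by `assert key, "no pre-auth key returned"`, would make the "basic functionality" check meaningful. The comment above those lines has a typo: `# Test basic functionality`.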
@@ -64,7 +64,6 @@ let # wait for reader to be ready machine.wait_for_file("${readyFile}") - machine.sleep(1) # send all keys for key in inputs: @@ -78,9 +77,18 @@ let with open("${pkgs.writeText "tests.json" (builtins.toJSON tests)}") as json_file: tests = json.load(json_file) + # These environments used to run in the opposite order, causing the + # following error at openvt startup. + # + # openvt: Couldn't deallocate console 1 + # + # This error did not appear in successful runs. + # I don't know the exact cause, but I it seems that openvt and X are + # fighting over the virtual terminal. This does not appear to be a problem + # when the X test runs first. keymap_environments = { - "VT Keymap": "openvt -sw --", "Xorg Keymap": "DISPLAY=:0 xterm -title testterm -class testterm -fullscreen -e", + "VT Keymap": "openvt -sw --", } machine.wait_for_x() diff --git a/nixos/tests/step-ca.nix b/nixos/tests/step-ca.nix index a855b590232dd..d4e1c1ae01446 100644 --- a/nixos/tests/step-ca.nix +++ b/nixos/tests/step-ca.nix 
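Review bot: The new comment explaining why "Xorg Keymap" now precedes "VT Keymap" in `keymap_environments` relies on the dict's insertion order being the execution order, which holds for the Python the test driver runs but is never stated; adding `# The dict's insertion order is the order the environments are tested in.` would make the dependency explicit to the next person who reorders these entries. The same comment has a stray word: `# I don't know the exact cause, but it seems that openvt and X are`. The loop that consumes keymap_environments lies outside this hunk, so whether the order is also affected by the removed `machine.sleep(1)` in the first hunk cannot be judged from here.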
@@ -1,11 +1,13 @@ import ./make-test-python.nix ({ pkgs, ... }: let - test-certificates = pkgs.runCommandLocal "test-certificates" { } '' + test-certificates = pkgs.runCommandLocal "test-certificates" { + nativeBuildInputs = with pkgs; [ step-cli ]; + } '' mkdir -p $out echo insecure-root-password > $out/root-password-file echo insecure-intermediate-password > $out/intermediate-password-file - ${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca - ${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key + step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca + step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key ''; in { diff --git a/nixos/tests/vscodium.nix b/nixos/tests/vscodium.nix index ee884cc4295dd..37bb649889b45 100644 --- a/nixos/tests/vscodium.nix +++ b/nixos/tests/vscodium.nix @@ -49,8 +49,8 @@ let start_all() machine.wait_for_unit('graphical.target') - machine.wait_until_succeeds('pgrep -x codium') + codium_running.wait() with codium_running: # Wait until vscodium is visible. "File" is in the menu bar. machine.wait_for_text('Get Started') diff --git a/nixos/tests/web-apps/peertube.nix b/nixos/tests/web-apps/peertube.nix index ecc45bff2e2ca..0e5f39c08a023 100644 --- a/nixos/tests/web-apps/peertube.nix +++ b/nixos/tests/web-apps/peertube.nix 
@@ -41,6 +41,9 @@ import ../make-test-python.nix ({pkgs, ...}: server = { pkgs, ... }: { environment = { etc = { + "peertube/secrets-peertube".text = '' + 063d9c60d519597acef26003d5ecc32729083965d09181ef3949200cbe5f09ee + ''; "peertube/password-posgressql-db".text = '' 0gUN0C1mgST6czvjZ8T9 ''; @@ -67,6 +70,10 @@ import ../make-test-python.nix ({pkgs, ...}: localDomain = "peertube.local"; enableWebHttps = false; + secrets = { + secretsFile = "/etc/peertube/secrets-peertube"; + }; + database = { host = "192.168.2.10"; name = "peertube_local"; |
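Review bot: The new `"peertube/secrets-peertube".text` entry places a secret in `environment.etc`, which by default materialises as a symlink into the world-readable Nix store, and `secrets.secretsFile = "/etc/peertube/secrets-peertube"` in the second hunk then points PeerTube at it; that is acceptable for a throwaway test value, but a comment such as `# Test-only secret; environment.etc lives in the world-readable Nix store.` would keep the fixture from being copied into real configurations. The neighbouring `password-posgressql-db` entry follows the same pattern, so the comment belongs on both.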