diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-20 13:58:21 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-20 13:58:21 +0100 |
commit | 33639143ea50404a04bc4c454435aff1bd79dd4b (patch) | |
tree | ede4b6832bb86ac30281fc22700ae1fe40658f37 /tests/by-name/gi/git-server | |
parent | fix(treewide): Update to nixos release 24.11 (diff) | |
download | nixos-server-33639143ea50404a04bc4c454435aff1bd79dd4b.zip |
refactor({modules,test}): Migrate to a `by-name` structure
Diffstat (limited to 'tests/by-name/gi/git-server')
-rw-r--r-- | tests/by-name/gi/git-server/ssh_keys.nix | 49 | ||||
-rw-r--r-- | tests/by-name/gi/git-server/test.nix | 245 |
2 files changed, 294 insertions, 0 deletions
diff --git a/tests/by-name/gi/git-server/ssh_keys.nix b/tests/by-name/gi/git-server/ssh_keys.nix new file mode 100644 index 0000000..07f0b88 --- /dev/null +++ b/tests/by-name/gi/git-server/ssh_keys.nix @@ -0,0 +1,49 @@ +{pkgs}: { + admin = { + priv = pkgs.writeText "id_ed25519" '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3gAAAJBJiYxDSYmM + QwAAAAtzc2gtZWQyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3g + AAAEDE1W6vMwSEUcF1r7Hyypm/+sCOoDmKZgPxi3WOa1mD2u7urFhAA90BTpGuEHeWWTY3 + W/g9PBxXNxfWhfbrm4LeAAAACGJmb0BtaW5pAQIDBAU= + -----END OPENSSH PRIVATE KEY----- + ''; + + pub = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client + ''; + }; + + alice = { + priv = pkgs.writeText "id_ed25519" '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQAAAJAwVQ5VMFUO + VQAAAAtzc2gtZWQyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQ + AAAEB7lbfkkdkJoE+4TKHPdPQWBKLSx+J54Eg8DaTr+3KoSlt5a8eH8BYZYjoQhzXGVKKH + Je1pw1D0p7O2Vb9VTLzBAAAACGJmb0BtaW5pAQIDBAU= + -----END OPENSSH PRIVATE KEY----- + ''; + + pub = pkgs.writeText "id_ed25519.pub" '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt5a8eH8BYZYjoQhzXGVKKHJe1pw1D0p7O2Vb9VTLzB alice@client + ''; + }; + + bob = { + priv = pkgs.writeText "id_ed25519" '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMAAAAJDQBmNV0AZj + VQAAAAtzc2gtZWQyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMA + AAAEDM1IYYFUwk/IVxauha9kuR6bbRtT3gZ6ZA0GLb9txb/pZNonUP1ePHLrvn0W9D2hdN + 6zWWZYFyJc+QR6pOKQEwAAAACGJmb0BtaW5pAQIDBAU= + -----END OPENSSH PRIVATE KEY----- + ''; + + pub = pkgs.writeText "id_ed25519.pub" '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZNonUP1ePHLrvn0W9D2hdN6zWWZYFyJc+QR6pOKQEw bob@client + ''; + }; +} diff --git a/tests/by-name/gi/git-server/test.nix b/tests/by-name/gi/git-server/test.nix new file mode 100644 index 0000000..0cf3ee8 --- /dev/null +++ b/tests/by-name/gi/git-server/test.nix @@ -0,0 +1,245 @@ +{ + nixos-lib, + pkgsUnstable, + nixpkgs-unstable, + pkgs, + extraModules, + nixLib, + ... +}: let + sshKeys = + import ./ssh_keys.nix {inherit pkgs;}; + + gitServerDomain = "server"; + + gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" '' + repo CREATOR/[a-zA-Z0-9].* + C = @all + RW+ = CREATOR + RW = WRITERS + R = READERS + option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage + ''; + + expectedGitoliteConf = pkgs.writeText "expected-gitolite-conf" '' + repo gitolite-admin + RW+ = gitolite-admin + + repo testing + RW+ = @all + repo CREATOR/[a-zA-Z0-9].* + C = @all + RW+ = CREATOR + RW = WRITERS + R = READERS + option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage + ''; + + expectedHtmlReadme = pkgs.writeText "expectedHtmlReadme" '' + <h1>Alice's Repo</h1> + ''; + expectedMdReadme = pkgs.writeText "expectedMdReadme" '' + # Alice's Repo + ''; +in + nixos-lib.runTest { + hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs + + name = "git-server"; + + node = { + specialArgs = {inherit pkgsUnstable nixpkgs-unstable nixLib;}; + + # Use the nixpkgs as constructed by the `nixpkgs.*` options + pkgs = null; + }; + + nodes = { + server = {config, ...}: { + imports = + extraModules + ++ [ + ../../../../modules + ]; + + system.activationScripts = { + gitolite = { + text = '' + if ! [ -d /srv/gitolite ]; then + mkdir --parents /srv/gitolite + chown -R git:git /srv/gitolite + fi + ''; + }; + }; + + vhack = { + openssh.enable = true; + nginx = { + enable = true; + selfsign = true; + }; + git-server = { + enable = true; + domain = gitServerDomain; + gitolite.adminPubkey = sshKeys.admin.pub; + }; + }; + }; + + client = {...}: { + environment.systemPackages = [pkgs.git]; + programs.ssh.extraConfig = '' + Host * + UserKnownHostsFile /dev/null + StrictHostKeyChecking no + # there's nobody around that can input password + PreferredAuthentications publickey + ''; + users.users.alice = {isNormalUser = true;}; + users.users.bob = {isNormalUser = true;}; + }; + }; + + testScript = {nodes, ...}: + /* + python + */ + '' + start_all() + + with subtest("can setup ssh keys on client"): + client.succeed( + "mkdir -p ~root/.ssh", + "cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519", + "chmod 600 ~root/.ssh/id_ed25519", + ) + client.succeed( + "sudo -u alice mkdir -p ~alice/.ssh", + "sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519", + "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519", + ) + client.succeed( + "sudo -u bob mkdir -p ~bob/.ssh", + "sudo -u bob cp ${sshKeys.bob.priv} ~bob/.ssh/id_ed25519", + "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519", + ) + + with subtest("gitolite server starts"): + server.wait_for_unit("gitolite-init.service") + server.wait_for_unit("sshd.service") + client.succeed("ssh -n git@server info") + + + with subtest("admin can clone and configure gitolite-admin.git"): + client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" '' + set -xe + + git clone git@server:gitolite-admin.git + git config --global user.name 'System Administrator' + git config --global user.email root\@domain.example + + cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub + cp ${sshKeys.bob.pub} gitolite-admin/keydir/bob.pub + + (cd gitolite-admin && git switch -c master && git branch -D main) + + (cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push -u origin master) + cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf + (cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push) + (cd gitolite-admin && git push -d origin main) + ''}") + + server.succeed("${pkgs.writeShellScript "verify gitolite-admin.conf" '' + set -xe + + testFile=~git/.gitolite/conf/gitolite.conf.test + + cp ~git/.gitolite/conf/gitolite.conf "$testFile" + + # Normalize the white space + sed -i 's/\t/ /g' "$testFile" + sed -i 's/\s\+/ /g' "$testFile" + + diff "$testFile" ${expectedGitoliteConf} + ''}") + + + with subtest("non-admins cannot clone gitolite-admin.git"): + client.fail("sudo -i -u alice git clone git@server:gitolite-admin.git") + client.fail("sudo -i -u bob git clone git@server:gitolite-admin.git") + + with subtest("non-admins can clone testing.git"): + client.succeed("sudo -i -u alice git clone git@server:testing.git") + client.succeed("sudo -i -u bob git clone git@server:testing.git") + + + with subtest("alice can create a repo"): + client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" '' + set -xe + + mkdir alice-repo && cd alice-repo; + + git init --initial-branch main + echo "# Alice's Repo" > README.md + git add README.md + git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme' + + git remote add origin git@server:alice/alice-project.git + git push --set-upstream origin main + ''}") + + with subtest("alice can clone alice-project.git"): + client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-clone-repo" '' + set -xe + + git clone git@server:alice/alice-project.git + diff --side-by-side ${expectedMdReadme} ./alice-project/README.md + ''}") + + with subtest("bob cannot clone alice-project.git"): + client.fail("sudo -i -u bob git clone git@server:alice/alice-project.git") + + with subtest("Alice can make her repo public"): + client.succeed( + "sudo -u alice ssh git@server perms alice/alice-project + READERS @all", + "sudo -u alice ssh git@server desc alice/alice-project 'My nice project.'" + ) + + with subtest("Bob can see alice config on cgit"): + client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-clone-repo" '' + set -xe + + cd ~bob + # Disable ssl verification, as the certs are self-signed + git -c http.sslVerify=false clone https://server/alice/alice-project.git + ''}") + + with subtest("Alice can change settings in her repo"): + client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-change-settings" '' + set -xe + + echo 'Hi! You want to work with alice' | ssh git@server motd alice/alice-project set + ssh git@server config alice/alice-project --add 'cgit.owner' 'alice' + ssh git@server config alice/alice-project --add 'cgit.section' 'alice' + ssh git@server config alice/alice-project --add 'cgit.homepage' 'alice' + + owner="$(ssh git@server config alice/alice-project --get-all 'cgit.owner')" + [ "$owner" = "alice" ] || { + echo "owner should be alice but is '$owner'!" + exit 1 + } + ''}") + + + # He can't see the readme (FIXME: find out why this does not work. <2024-08-13> ) + # with subtest("Bob can see alice's README"): + # client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-alice-readme" '' + # set -xe + # + # curl --insecure --silent --fail --show-error 'https://server/alice/alice-project/about' > readme.html + # cat readme.html + # diff --side-by-side ${expectedHtmlReadme} readme.html + # ''}") + ''; + } |