
add contract test for secret contract

This commit is contained in:
ibizaman 2024-10-21 12:03:40 +02:00 committed by Pierre Penninckx
parent 9d81a72d51
commit a589a9fe00
6 changed files with 118 additions and 1 deletions


@ -135,6 +135,8 @@
// (vm_test "postgresql" ./test/blocks/postgresql.nix) // (vm_test "postgresql" ./test/blocks/postgresql.nix)
// (vm_test "restic" ./test/blocks/restic.nix) // (vm_test "restic" ./test/blocks/restic.nix)
// (vm_test "ssl" ./test/blocks/ssl.nix) // (vm_test "ssl" ./test/blocks/ssl.nix)
// (vm_test "contracts-secret" ./test/contracts/secret.nix)
)); ));
} }
) // { ) // {


@ -10,6 +10,19 @@ in
{ {
options.shb.hardcodedsecret = mkOption { options.shb.hardcodedsecret = mkOption {
default = {}; default = {};
description = ''
Hardcoded secrets. These should only be used in tests.
'';
example = lib.literalExpression ''
{
mySecret = {
user = "me";
mode = "0400";
restartUnits = [ "myservice.service" ];
content = "My Secrets";
};
}
'';
type = attrsOf (submodule ({ name, ... }: { type = attrsOf (submodule ({ name, ... }: {
options = { options = {
mode = mkOption { mode = mkOption {
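Review bot: The new `description` says hardcoded secrets "should only be used in tests" but gives no reason, so a reader choosing between this block and another secret provider has nothing to weigh; because `content` is a plain Nix string, the value becomes part of the evaluated system configuration and therefore lands in plain text in the world-readable Nix store. Suggest extending it to `Hardcoded secrets. These should only be used in tests: the secret content is part of the evaluated configuration and ends up in plain text in the Nix store.` The `example` is good as written; it would also help to state in the `mode` option's own description that the octal string format shown here (`"0400"`) is expected, since other callers on this page pass `"640"`. The enclosing `options.shb.hardcodedsecret` definition continues outside the hunk.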


@ -1,7 +1,10 @@
{ lib }: { pkgs, lib }:
{ {
backup = import ./backup.nix { inherit lib; }; backup = import ./backup.nix { inherit lib; };
mount = import ./mount.nix { inherit lib; }; mount = import ./mount.nix { inherit lib; };
secret = import ./secret.nix { inherit lib; }; secret = import ./secret.nix { inherit lib; };
ssl = import ./ssl.nix { inherit lib; }; ssl = import ./ssl.nix { inherit lib; };
test = {
secret = import ./secret/test.nix { inherit pkgs lib; };
};
} }
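Review bot: The argument set changes from `{ lib }` to `{ pkgs, lib }`, which breaks any existing `import ./contracts { inherit lib; }` caller that does not go through `callPackage`; the visible `test/contracts/secret.nix` uses `pkgs.callPackage`, but other import sites are not shown here. Declaring `{ pkgs ? null, lib }` would keep the old call form working, since `test.secret` is only evaluated when accessed. Exposing the helpers as `test` next to the contracts also makes `contracts.test` read like a contract named "test"; a comment such as `# Reusable NixOS tests that verify an implementation of each contract; not a contract itself.` above the `test = {` line would prevent that confusion.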


@ -0,0 +1,64 @@
{ pkgs, lib, ... }:
let
pkgs' = pkgs;
testLib = pkgs.callPackage ../../../test/common.nix {};
inherit (lib) getAttrFromPath setAttrByPath;
inherit (lib) mkIf;
in
{ name,
configRoot,
createContent, # config to create a secret with value "secretA".
modules ? [],
owner ? "root",
group ? "root",
mode ? "0400",
restartUnits ? [ "myunit.service" ],
}: pkgs.testers.runNixOSTest {
name = "secret_${name}_${owner}_${group}_${mode}";
nodes.machine = { config, ... }: {
imports = ( testLib.baseImports pkgs' ) ++ modules;
config = lib.mkMerge [
(setAttrByPath configRoot {
A = {
inherit owner group mode restartUnits;
} // createContent;
})
(mkIf (owner != "root") {
users.users.${owner}.isNormalUser = true;
})
(mkIf (group != "root") {
users.groups.${group} = {};
})
];
};
testScript = { nodes, ... }:
let
cfg = (getAttrFromPath configRoot nodes.machine)."A";
in
''
owner = machine.succeed("stat -c '%U' ${cfg.path}").strip()
print(f"Got owner {owner}")
if owner != "${owner}":
raise Exception(f"Owner should be '${owner}' but got '{owner}'")
group = machine.succeed("stat -c '%G' ${cfg.path}").strip()
print(f"Got group {group}")
if group != "${group}":
raise Exception(f"Group should be '${group}' but got '{group}'")
mode = str(int(machine.succeed("stat -c '%a' ${cfg.path}").strip()))
print(f"Got mode {mode}")
wantedMode = str(int("${mode}"))
if mode != wantedMode:
raise Exception(f"Mode should be '{wantedMode}' but got '{mode}'")
content = machine.succeed("cat ${cfg.path}").strip()
print(f"Got content {content}")
if content != "secretA":
raise Exception(f"Content should be 'secretA' but got '{content}'")
'';
}
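Review bot: The four `machine.succeed` calls (the three `stat` commands and the `cat`) interpolate `${cfg.path}` into the shell command unquoted, so a path containing whitespace or shell metacharacters would break or be misinterpreted; hoisting it once as `path = "${cfg.path}"` at the top of the script and quoting it at each use, e.g. `owner = machine.succeed(f"stat -c '%U' '{path}'").strip()`, also removes the repetition. The mode comparison relies on `int()` to strip a leading zero from the octal digits `stat -c '%a'` prints, which works but is non-obvious and deserves a comment such as `# %a prints octal digits; int() only drops a leading zero, both sides stay octal text`. The `configRoot` and `modules` parameters are undocumented next to `createContent`; one-line comments (attribute path under which the secret option is set; extra NixOS modules to import) would help implementers of the contract. This section's file header is not shown on the page; `./secret/test.nix` in the contracts `default.nix` suggests its path.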

35
test/contracts/secret.nix Normal file

@ -0,0 +1,35 @@
{ pkgs, ... }:
let
contracts = pkgs.callPackage ../../modules/contracts {};
in
{
hardcoded_root_root = contracts.test.secret {
name = "hardcoded";
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
configRoot = [ "shb" "hardcodedsecret" ];
createContent = {
content = "secretA";
};
};
hardcoded_user_group = contracts.test.secret {
name = "hardcoded";
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
configRoot = [ "shb" "hardcodedsecret" ];
createContent = {
content = "secretA";
};
owner = "user";
group = "group";
mode = "640";
};
# TODO: how to do this?
# sops = contracts.test.secret {
# name = "sops";
# configRoot = cfg: name: cfg.sops.secrets.${name};
# createContent = content: {
# sopsFile = ./secret/sops.yaml;
# };
# };
}
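Review bot: `mode = "640"` in `hardcoded_user_group` uses a different format from the option's documented `"0400"` default and example; it only passes because `test.nix` normalizes both sides through `int()`, so a consumer comparing the string directly would see a mismatch. Writing `mode = "0640";` keeps the fixtures in the format the option documents. The two fixtures also repeat `modules`, `configRoot` and `createContent` verbatim; a local `hardcoded = { ... };` attribute set merged into each call (`contracts.test.secret (hardcoded // { owner = "user"; ... })`) would keep them in sync as more cases are added.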
