add contract test for secret contract
This commit is contained in:
parent
9d81a72d51
commit
a589a9fe00
6 changed files with 118 additions and 1 deletions
|
@ -135,6 +135,8 @@
|
||||||
// (vm_test "postgresql" ./test/blocks/postgresql.nix)
|
// (vm_test "postgresql" ./test/blocks/postgresql.nix)
|
||||||
// (vm_test "restic" ./test/blocks/restic.nix)
|
// (vm_test "restic" ./test/blocks/restic.nix)
|
||||||
// (vm_test "ssl" ./test/blocks/ssl.nix)
|
// (vm_test "ssl" ./test/blocks/ssl.nix)
|
||||||
|
|
||||||
|
// (vm_test "contracts-secret" ./test/contracts/secret.nix)
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
) // {
|
) // {
|
||||||
|
|
|
@ -10,6 +10,19 @@ in
|
||||||
{
|
{
|
||||||
options.shb.hardcodedsecret = mkOption {
|
options.shb.hardcodedsecret = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
|
description = ''
|
||||||
|
Hardcoded secrets. These should only be used in tests.
|
||||||
|
'';
|
||||||
|
example = lib.literalExpression ''
|
||||||
|
{
|
||||||
|
mySecret = {
|
||||||
|
user = "me";
|
||||||
|
mode = "0400";
|
||||||
|
restartUnits = [ "myservice.service" ];
|
||||||
|
content = "My Secrets";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
'';
|
||||||
type = attrsOf (submodule ({ name, ... }: {
|
type = attrsOf (submodule ({ name, ... }: {
|
||||||
options = {
|
options = {
|
||||||
mode = mkOption {
|
mode = mkOption {
|
||||||
|
|
|
@ -1,7 +1,10 @@
|
||||||
{ lib }:
|
{ pkgs, lib }:
|
||||||
{
|
{
|
||||||
backup = import ./backup.nix { inherit lib; };
|
backup = import ./backup.nix { inherit lib; };
|
||||||
mount = import ./mount.nix { inherit lib; };
|
mount = import ./mount.nix { inherit lib; };
|
||||||
secret = import ./secret.nix { inherit lib; };
|
secret = import ./secret.nix { inherit lib; };
|
||||||
ssl = import ./ssl.nix { inherit lib; };
|
ssl = import ./ssl.nix { inherit lib; };
|
||||||
|
test = {
|
||||||
|
secret = import ./secret/test.nix { inherit pkgs lib; };
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
64
modules/contracts/secret/test.nix
Normal file
64
modules/contracts/secret/test.nix
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
{ pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
pkgs' = pkgs;
|
||||||
|
|
||||||
|
testLib = pkgs.callPackage ../../../test/common.nix {};
|
||||||
|
|
||||||
|
inherit (lib) getAttrFromPath setAttrByPath;
|
||||||
|
inherit (lib) mkIf;
|
||||||
|
in
|
||||||
|
{ name,
|
||||||
|
configRoot,
|
||||||
|
createContent, # config to create a secret with value "secretA".
|
||||||
|
modules ? [],
|
||||||
|
owner ? "root",
|
||||||
|
group ? "root",
|
||||||
|
mode ? "0400",
|
||||||
|
restartUnits ? [ "myunit.service" ],
|
||||||
|
}: pkgs.testers.runNixOSTest {
|
||||||
|
name = "secret_${name}_${owner}_${group}_${mode}";
|
||||||
|
|
||||||
|
nodes.machine = { config, ... }: {
|
||||||
|
imports = ( testLib.baseImports pkgs' ) ++ modules;
|
||||||
|
config = lib.mkMerge [
|
||||||
|
(setAttrByPath configRoot {
|
||||||
|
A = {
|
||||||
|
inherit owner group mode restartUnits;
|
||||||
|
} // createContent;
|
||||||
|
})
|
||||||
|
(mkIf (owner != "root") {
|
||||||
|
users.users.${owner}.isNormalUser = true;
|
||||||
|
})
|
||||||
|
(mkIf (group != "root") {
|
||||||
|
users.groups.${group} = {};
|
||||||
|
})
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = { nodes, ... }:
|
||||||
|
let
|
||||||
|
cfg = (getAttrFromPath configRoot nodes.machine)."A";
|
||||||
|
in
|
||||||
|
''
|
||||||
|
owner = machine.succeed("stat -c '%U' ${cfg.path}").strip()
|
||||||
|
print(f"Got owner {owner}")
|
||||||
|
if owner != "${owner}":
|
||||||
|
raise Exception(f"Owner should be '${owner}' but got '{owner}'")
|
||||||
|
|
||||||
|
group = machine.succeed("stat -c '%G' ${cfg.path}").strip()
|
||||||
|
print(f"Got group {group}")
|
||||||
|
if group != "${group}":
|
||||||
|
raise Exception(f"Group should be '${group}' but got '{group}'")
|
||||||
|
|
||||||
|
mode = str(int(machine.succeed("stat -c '%a' ${cfg.path}").strip()))
|
||||||
|
print(f"Got mode {mode}")
|
||||||
|
wantedMode = str(int("${mode}"))
|
||||||
|
if mode != wantedMode:
|
||||||
|
raise Exception(f"Mode should be '{wantedMode}' but got '{mode}'")
|
||||||
|
|
||||||
|
content = machine.succeed("cat ${cfg.path}").strip()
|
||||||
|
print(f"Got content {content}")
|
||||||
|
if content != "secretA":
|
||||||
|
raise Exception(f"Content should be 'secretA' but got '{content}'")
|
||||||
|
'';
|
||||||
|
}
|
35
test/contracts/secret.nix
Normal file
35
test/contracts/secret.nix
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
let
|
||||||
|
contracts = pkgs.callPackage ../../modules/contracts {};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
hardcoded_root_root = contracts.test.secret {
|
||||||
|
name = "hardcoded";
|
||||||
|
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
|
||||||
|
configRoot = [ "shb" "hardcodedsecret" ];
|
||||||
|
createContent = {
|
||||||
|
content = "secretA";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
hardcoded_user_group = contracts.test.secret {
|
||||||
|
name = "hardcoded";
|
||||||
|
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
|
||||||
|
configRoot = [ "shb" "hardcodedsecret" ];
|
||||||
|
createContent = {
|
||||||
|
content = "secretA";
|
||||||
|
};
|
||||||
|
owner = "user";
|
||||||
|
group = "group";
|
||||||
|
mode = "640";
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: how to do this?
|
||||||
|
# sops = contracts.test.secret {
|
||||||
|
# name = "sops";
|
||||||
|
# configRoot = cfg: name: cfg.sops.secrets.${name};
|
||||||
|
# createContent = content: {
|
||||||
|
# sopsFile = ./secret/sops.yaml;
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
}
|
0
test/contracts/secret/sops.yaml
Normal file
0
test/contracts/secret/sops.yaml
Normal file
Loading…
Reference in a new issue