nixpkgs/nixos/tests/gitea.nix
IndeedNotJames 249f6c4c1d
nixos/tests/gitea: test gpg commit signing key
`/api/v1/signing-key.gpg` spawns a `gpg` process,
which is great to test if `gpg` is available
and can be invoked from in the unit.

Which is somewhat relevant, since `gpg` was
missing from the unit's `$PATH` until recently.

And even after adding `gpg` to the unit's `$PATH`,
configuring commit signing for a instance
resulted in http/500s nonetheless.

That's due to `@memlock` being present in
`SystemCallFilter=~` and `gpg` trying to
use `mlock` (probably to prevent secrets
in the memory to swap), resulting in an
immediate `SIGKILL` of any spawned `gpg` processes.
2023-03-01 23:44:21 +01:00

136 lines
5.1 KiB
Nix

{ system ? builtins.currentSystem,
config ? {},
giteaPackage,
pkgs ? import ../.. { inherit system config; }
}:
with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let
## gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign
signingPrivateKey = ''
-----BEGIN PGP PRIVATE KEY BLOCK-----
lFgEY/6jkBYJKwYBBAHaRw8BAQdADXiZRV8RJUyC9g0LH04wLMaJL9WTc+szbMi7
5fw4yP8AAQCl8EwGfzSLm/P6fCBfA3I9znFb3MEHGCCJhJ6VtKYyRw7ktAhzbmFr
ZW9pbIiUBBMWCgA8FiEE+wUM6VW/NLtAdSixTWQt6LZ4x50FAmP+o5ACGwMFCQPC
ZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEE1kLei2eMedFTgBAKQs1oGFZrCI
TZP42hmBTKxGAI1wg7VSdDEWTZxut/2JAQDGgo2sa4VHMfj0aqYGxrIwfP2B7JHO
GCqGCRf9O/hzBA==
=9Uy3
-----END PGP PRIVATE KEY BLOCK-----
'';
signingPrivateKeyId = "4D642DE8B678C79D";
supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
makeGiteaTest = type: nameValuePair type (makeTest {
name = "${giteaPackage.pname}-${type}";
meta.maintainers = with maintainers; [ aanderse indeednotjames kolaente ma27 ];
nodes = {
server = { config, pkgs, ... }: {
virtualisation.memorySize = 2048;
services.gitea = {
enable = true;
database = { inherit type; };
package = giteaPackage;
settings.service.DISABLE_REGISTRATION = true;
settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
};
environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
services.openssh.enable = true;
};
client1 = { config, pkgs, ... }: {
environment.systemPackages = [ pkgs.git ];
};
client2 = { config, pkgs, ... }: {
environment.systemPackages = [ pkgs.git ];
};
};
testScript = let
inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
in ''
GIT_SSH_COMMAND = "ssh -i $HOME/.ssh/privk -o StrictHostKeyChecking=no"
REPO = "gitea@server:test/repo"
PRIVK = "${snakeOilPrivateKey}"
start_all()
client1.succeed("mkdir /tmp/repo")
client1.succeed("mkdir -p $HOME/.ssh")
client1.succeed(f"cat {PRIVK} > $HOME/.ssh/privk")
client1.succeed("chmod 0400 $HOME/.ssh/privk")
client1.succeed("git -C /tmp/repo init")
client1.succeed("echo hello world > /tmp/repo/testfile")
client1.succeed("git -C /tmp/repo add .")
client1.succeed("git config --global user.email test@localhost")
client1.succeed("git config --global user.name test")
client1.succeed("git -C /tmp/repo commit -m 'Initial import'")
client1.succeed(f"git -C /tmp/repo remote add origin {REPO}")
server.wait_for_unit("gitea.service")
server.wait_for_open_port(3000)
server.succeed("curl --fail http://localhost:3000/")
server.succeed(
"su -l gitea -c 'gpg --homedir /var/lib/gitea/data/home/.gnupg "
+ "--import ${toString (pkgs.writeText "gitea.key" signingPrivateKey)}'"
)
assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
server.succeed(
"curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. "
+ "Please contact your site administrator.'"
)
server.succeed(
"su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea admin user create "
+ "--username test --password totallysafe --email test@localhost'"
)
api_token = server.succeed(
"curl --fail -X POST http://test:totallysafe@localhost:3000/api/v1/users/test/tokens "
+ "-H 'Accept: application/json' -H 'Content-Type: application/json' -d "
+ "'{\"name\":\"token\"}' | jq '.sha1' | xargs echo -n"
)
server.succeed(
"curl --fail -X POST http://localhost:3000/api/v1/user/repos "
+ "-H 'Accept: application/json' -H 'Content-Type: application/json' "
+ f"-H 'Authorization: token {api_token}'"
+ ' -d \'{"auto_init":false, "description":"string", "license":"mit", "name":"repo", "private":false}\'''
)
server.succeed(
"curl --fail -X POST http://localhost:3000/api/v1/user/keys "
+ "-H 'Accept: application/json' -H 'Content-Type: application/json' "
+ f"-H 'Authorization: token {api_token}'"
+ ' -d \'{"key":"${snakeOilPublicKey}","read_only":true,"title":"SSH"}\'''
)
client1.succeed(
f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git -C /tmp/repo push origin master"
)
client2.succeed("mkdir -p $HOME/.ssh")
client2.succeed(f"cat {PRIVK} > $HOME/.ssh/privk")
client2.succeed("chmod 0400 $HOME/.ssh/privk")
client2.succeed(f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git clone {REPO}")
client2.succeed('test "$(cat repo/testfile | xargs echo -n)" = "hello world"')
server.succeed(
'test "$(curl http://localhost:3000/api/v1/repos/test/repo/commits '
+ '-H "Accept: application/json" | jq length)" = "1"'
)
client1.shutdown()
client2.shutdown()
server.shutdown()
'';
});
in
listToAttrs (map makeGiteaTest supportedDbTypes)