summary refs log tree commit diff stats
path: root/tests/nixos/vhack
diff options
context:
space:
mode:
Diffstat (limited to 'tests/nixos/vhack')
-rw-r--r--tests/nixos/vhack/git-server/ssh_keys.nix49
-rw-r--r--tests/nixos/vhack/git-server/test.nix211
2 files changed, 260 insertions, 0 deletions
diff --git a/tests/nixos/vhack/git-server/ssh_keys.nix b/tests/nixos/vhack/git-server/ssh_keys.nix
new file mode 100644
index 0000000..07f0b88
--- /dev/null
+++ b/tests/nixos/vhack/git-server/ssh_keys.nix
@@ -0,0 +1,49 @@
+{pkgs}: {
+  admin = {
+    priv = pkgs.writeText "id_ed25519" ''
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+      QyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3gAAAJBJiYxDSYmM
+      QwAAAAtzc2gtZWQyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3g
+      AAAEDE1W6vMwSEUcF1r7Hyypm/+sCOoDmKZgPxi3WOa1mD2u7urFhAA90BTpGuEHeWWTY3
+      W/g9PBxXNxfWhfbrm4LeAAAACGJmb0BtaW5pAQIDBAU=
+      -----END OPENSSH PRIVATE KEY-----
+    '';
+
+    pub = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client
+    '';
+  };
+
+  alice = {
+    priv = pkgs.writeText "id_ed25519" ''
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+      QyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQAAAJAwVQ5VMFUO
+      VQAAAAtzc2gtZWQyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQ
+      AAAEB7lbfkkdkJoE+4TKHPdPQWBKLSx+J54Eg8DaTr+3KoSlt5a8eH8BYZYjoQhzXGVKKH
+      Je1pw1D0p7O2Vb9VTLzBAAAACGJmb0BtaW5pAQIDBAU=
+      -----END OPENSSH PRIVATE KEY-----
+    '';
+
+    pub = pkgs.writeText "id_ed25519.pub" ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt5a8eH8BYZYjoQhzXGVKKHJe1pw1D0p7O2Vb9VTLzB alice@client
+    '';
+  };
+
+  bob = {
+    priv = pkgs.writeText "id_ed25519" ''
+      -----BEGIN OPENSSH PRIVATE KEY-----
+      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+      QyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMAAAAJDQBmNV0AZj
+      VQAAAAtzc2gtZWQyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMA
+      AAAEDM1IYYFUwk/IVxauha9kuR6bbRtT3gZ6ZA0GLb9txb/pZNonUP1ePHLrvn0W9D2hdN
+      6zWWZYFyJc+QR6pOKQEwAAAACGJmb0BtaW5pAQIDBAU=
+      -----END OPENSSH PRIVATE KEY-----
+    '';
+
+    pub = pkgs.writeText "id_ed25519.pub" ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZNonUP1ePHLrvn0W9D2hdN6zWWZYFyJc+QR6pOKQEw bob@client
+    '';
+  };
+}
diff --git a/tests/nixos/vhack/git-server/test.nix b/tests/nixos/vhack/git-server/test.nix
new file mode 100644
index 0000000..0632483
--- /dev/null
+++ b/tests/nixos/vhack/git-server/test.nix
@@ -0,0 +1,211 @@
+{
+  nixos-lib,
+  pkgsUnstable,
+  nixpkgs-unstable,
+  pkgs,
+  extraModules,
+  ...
+}: let
+  sshKeys =
+    import ./ssh_keys.nix {inherit pkgs;};
+
+  gitServerDomain = "server";
+
+  gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
+    repo CREATOR/[a-zA-Z0-9].*
+      C     = @all
+      RW+   = CREATOR
+      RW    = WRITERS
+      R     = READERS
+  '';
+
+  expectedGitoliteConf = pkgs.writeText "expected-gitolite-conf" ''
+    repo gitolite-admin
+     RW+ = gitolite-admin
+
+    repo testing
+     RW+ = @all
+    repo CREATOR/[a-zA-Z0-9].*
+     C = @all
+     RW+ = CREATOR
+     RW = WRITERS
+     R = READERS
+  '';
+
+  expectedHtmlReadme = pkgs.writeText "expectedHtmlReadme" ''
+    <h1>Alice's Repo</h1>
+  '';
+in
+  nixos-lib.runTest {
+    hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
+
+    name = "git-server";
+
+    node = {
+      specialArgs = {inherit pkgsUnstable nixpkgs-unstable;};
+
+      # Use the nixpkgs as constructed by the `nixpkgs.*` options
+      pkgs = null;
+    };
+
+    nodes = {
+      server = {config, ...}: {
+        imports =
+          extraModules
+          ++ [
+            ../../../../modules/nixos
+          ];
+
+        system.activationScripts = {
+          gitolite = {
+            text = ''
+              if ! [ -d /srv/gitolite ]; then
+                mkdir --parents /srv/gitolite
+                chown -R git:git /srv/gitolite
+              fi
+            '';
+          };
+        };
+
+        vhack = {
+          openssh.enable = true;
+          nginx = {
+            enable = true;
+            selfsign = true;
+          };
+          git-server = {
+            enable = true;
+            domain = gitServerDomain;
+            gitolite.adminPubkey = sshKeys.admin.pub;
+          };
+        };
+      };
+      client = {...}: {
+        environment.systemPackages = [pkgs.git];
+        programs.ssh.extraConfig = ''
+          Host *
+            UserKnownHostsFile /dev/null
+            StrictHostKeyChecking no
+            # there's nobody around that can input password
+            PreferredAuthentications publickey
+        '';
+        users.users.alice = {isNormalUser = true;};
+        users.users.bob = {isNormalUser = true;};
+      };
+    };
+
+    testScript = {nodes, ...}:
+    /*
+    python
+    */
+    ''
+      start_all()
+
+      with subtest("can setup ssh keys on client"):
+        client.succeed(
+            "mkdir -p ~root/.ssh",
+            "cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519",
+            "chmod 600 ~root/.ssh/id_ed25519",
+        )
+        client.succeed(
+            "sudo -u alice mkdir -p ~alice/.ssh",
+            "sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519",
+            "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
+        )
+        client.succeed(
+            "sudo -u bob mkdir -p ~bob/.ssh",
+            "sudo -u bob cp ${sshKeys.bob.priv} ~bob/.ssh/id_ed25519",
+            "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519",
+        )
+
+      with subtest("gitolite server starts"):
+        server.wait_for_unit("gitolite-init.service")
+        server.wait_for_unit("sshd.service")
+        client.succeed("ssh -n git@server info")
+
+
+      with subtest("admin can clone and configure gitolite-admin.git"):
+        client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" ''
+        set -xe
+
+        git clone git@server:gitolite-admin.git
+        git config --global user.name 'System Administrator'
+        git config --global user.email root\@domain.example
+
+        cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub
+        cp ${sshKeys.bob.pub} gitolite-admin/keydir/bob.pub
+
+        (cd gitolite-admin && git switch -c master && git branch -D main)
+
+        (cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push -u origin master)
+        cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf
+        (cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push)
+        (cd gitolite-admin && git push -d origin main)
+      ''}")
+
+        server.succeed("${pkgs.writeShellScript "verify gitolite-admin.conf" ''
+        set -xe
+
+        testFile=~git/.gitolite/conf/gitolite.conf.test
+
+        cp ~git/.gitolite/conf/gitolite.conf "$testFile"
+
+        # Normalize the white space
+        sed -i 's/\t/ /g' "$testFile"
+        sed -i 's/\s\+/ /g' "$testFile"
+
+        diff "$testFile" ${expectedGitoliteConf}
+      ''}")
+
+
+      with subtest("non-admins cannot clone gitolite-admin.git"):
+        client.fail("sudo -i -u alice git clone git@server:gitolite-admin.git")
+        client.fail("sudo -i -u bob git clone git@server:gitolite-admin.git")
+
+      with subtest("non-admins can clone testing.git"):
+        client.succeed("sudo -i -u alice git clone git@server:testing.git")
+        client.succeed("sudo -i -u bob git clone git@server:testing.git")
+
+
+      with subtest("alice can create a repo"):
+        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" ''
+        set -xe
+
+        mkdir alice-repo && cd alice-repo;
+
+        git init --initial-branch main
+        echo "# Alice's Repo" > README.md
+        git add README.md
+        git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme'
+
+        git remote add origin git@server:alice/alice-project.git
+        git push --set-upstream origin main
+      ''}")
+
+      with subtest("alice can clone alice-project.git"):
+        client.succeed("sudo -i -u alice git clone git@server:alice/alice-project.git")
+
+      with subtest("bob cannot clone alice-project.git"):
+        client.fail("sudo -i -u bob git clone git@server:alice/alice-project.git")
+
+      with subtest("Alice can make her repo public"):
+        client.succeed(
+            "sudo -u alice ssh git@server perms alice/alice-project + READERS @all",
+            "sudo -u alice ssh git@server desc alice/alice-project 'My nice project.'"
+        )
+
+      with subtest("Bob can see alice config on cgit"):
+        client.succeed(
+            # Disable ssl verification, as the certs are self-signed
+            "sudo -u bob git -c http.sslVerify=false clone https://server/alice/alice-project.git"
+        )
+
+      client.succeed(
+          "curl --insecure --silent --fail --show-error 'https://server/alice/alice-project/about' | diff -u ${expectedHtmlReadme}  -"
+      )
+
+      # server.succeed(
+      #    "git clone http://localhost/%28c%29git/alice-project && diff -u reference/date.txt some-repo/date.txt"
+      # )
+    '';
+  }