1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
|
{
nixos-lib,
pkgsUnstable,
nixpkgs-unstable,
pkgs,
extraModules,
nixLib,
...
}: let
sshKeys =
import ./ssh_keys.nix {inherit pkgs;};
gitServerDomain = "server";
gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
repo CREATOR/[a-zA-Z0-9].*
C = @all
RW+ = CREATOR
RW = WRITERS
R = READERS
option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
'';
expectedGitoliteConf = pkgs.writeText "expected-gitolite-conf" ''
repo gitolite-admin
RW+ = gitolite-admin
repo testing
RW+ = @all
repo CREATOR/[a-zA-Z0-9].*
C = @all
RW+ = CREATOR
RW = WRITERS
R = READERS
option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
'';
expectedHtmlReadme = pkgs.writeText "expectedHtmlReadme" ''
<h1>Alice's Repo</h1>
'';
expectedMdReadme = pkgs.writeText "expectedMdReadme" ''
# Alice's Repo
'';
in
nixos-lib.runTest {
hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
name = "git-server";
node = {
specialArgs = {inherit pkgsUnstable nixpkgs-unstable nixLib;};
# Use the nixpkgs as constructed by the `nixpkgs.*` options
pkgs = null;
};
nodes = {
server = {config, ...}: {
imports =
extraModules
++ [
../../../../modules
];
system.activationScripts = {
gitolite = {
text = ''
if ! [ -d /srv/gitolite ]; then
mkdir --parents /srv/gitolite
chown -R git:git /srv/gitolite
fi
'';
};
};
vhack = {
openssh.enable = true;
nginx = {
enable = true;
selfsign = true;
};
git-server = {
enable = true;
domain = gitServerDomain;
gitolite.adminPubkey = sshKeys.admin.pub;
};
};
};
client = {...}: {
environment.systemPackages = [pkgs.git];
programs.ssh.extraConfig = ''
Host *
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
# there's nobody around that can input password
PreferredAuthentications publickey
'';
users.users.alice = {isNormalUser = true;};
users.users.bob = {isNormalUser = true;};
};
};
testScript = {nodes, ...}:
/*
python
*/
''
start_all()
with subtest("can setup ssh keys on client"):
client.succeed(
"mkdir -p ~root/.ssh",
"cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519",
"chmod 600 ~root/.ssh/id_ed25519",
)
client.succeed(
"sudo -u alice mkdir -p ~alice/.ssh",
"sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519",
"sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
)
client.succeed(
"sudo -u bob mkdir -p ~bob/.ssh",
"sudo -u bob cp ${sshKeys.bob.priv} ~bob/.ssh/id_ed25519",
"sudo -u bob chmod 600 ~bob/.ssh/id_ed25519",
)
with subtest("gitolite server starts"):
server.wait_for_unit("gitolite-init.service")
server.wait_for_unit("sshd.service")
client.succeed("ssh -n git@server info")
with subtest("admin can clone and configure gitolite-admin.git"):
client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" ''
set -xe
git clone git@server:gitolite-admin.git
git config --global user.name 'System Administrator'
git config --global user.email root\@domain.example
cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub
cp ${sshKeys.bob.pub} gitolite-admin/keydir/bob.pub
(cd gitolite-admin && git switch -c master && git branch -D main)
(cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push -u origin master)
cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf
(cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push)
(cd gitolite-admin && git push -d origin main)
''}")
server.succeed("${pkgs.writeShellScript "verify gitolite-admin.conf" ''
set -xe
testFile=~git/.gitolite/conf/gitolite.conf.test
cp ~git/.gitolite/conf/gitolite.conf "$testFile"
# Normalize the white space
sed -i 's/\t/ /g' "$testFile"
sed -i 's/\s\+/ /g' "$testFile"
diff "$testFile" ${expectedGitoliteConf}
''}")
with subtest("non-admins cannot clone gitolite-admin.git"):
client.fail("sudo -i -u alice git clone git@server:gitolite-admin.git")
client.fail("sudo -i -u bob git clone git@server:gitolite-admin.git")
with subtest("non-admins can clone testing.git"):
client.succeed("sudo -i -u alice git clone git@server:testing.git")
client.succeed("sudo -i -u bob git clone git@server:testing.git")
with subtest("alice can create a repo"):
client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" ''
set -xe
mkdir alice-repo && cd alice-repo;
git init --initial-branch main
echo "# Alice's Repo" > README.md
git add README.md
git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme'
git remote add origin git@server:alice/alice-project.git
git push --set-upstream origin main
''}")
with subtest("alice can clone alice-project.git"):
client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-clone-repo" ''
set -xe
git clone git@server:alice/alice-project.git
diff --side-by-side ${expectedMdReadme} ./alice-project/README.md
''}")
with subtest("bob cannot clone alice-project.git"):
client.fail("sudo -i -u bob git clone git@server:alice/alice-project.git")
with subtest("Alice can make her repo public"):
client.succeed(
"sudo -u alice ssh git@server perms alice/alice-project + READERS @all",
"sudo -u alice ssh git@server desc alice/alice-project 'My nice project.'"
)
with subtest("Bob can see alice config on cgit"):
client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-clone-repo" ''
set -xe
cd ~bob
# Disable ssl verification, as the certs are self-signed
git -c http.sslVerify=false clone https://server/alice/alice-project.git
''}")
with subtest("Alice can change settings in her repo"):
client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-change-settings" ''
set -xe
echo 'Hi! You want to work with alice' | ssh git@server motd alice/alice-project set
ssh git@server config alice/alice-project --add 'cgit.owner' 'alice'
ssh git@server config alice/alice-project --add 'cgit.section' 'alice'
ssh git@server config alice/alice-project --add 'cgit.homepage' 'alice'
owner="$(ssh git@server config alice/alice-project --get-all 'cgit.owner')"
[ "$owner" = "alice" ] || {
echo "owner should be alice but is '$owner'!"
exit 1
}
''}")
# He can't see the readme (FIXME: find out why this does not work. <2024-08-13> )
# with subtest("Bob can see alice's README"):
# client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-alice-readme" ''
# set -xe
#
# curl --insecure --silent --fail --show-error 'https://server/alice/alice-project/about' > readme.html
# cat readme.html
# diff --side-by-side ${expectedHtmlReadme} readme.html
# ''}")
'';
}
|