summary refs log tree commit diff stats
path: root/tests/by-name/gi/git-server/test.nix
blob: 5cd8c334405f878234ad0a11e1cfb3582ea149bd (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
{
  nixos-lib,
  pkgsUnstable,
  nixpkgs-unstable,
  pkgs,
  extraModules,
  nixLib,
  ...
}: let
  sshKeys =
    import ./ssh_keys.nix {inherit pkgs;};

  gitServerDomain = "server";

  gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
    repo CREATOR/[a-zA-Z0-9].*
      C     = @all
      RW+   = CREATOR
      RW    = WRITERS
      R     = READERS
      option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
  '';

  expectedGitoliteConf = pkgs.writeText "expected-gitolite-conf" ''
    repo gitolite-admin
     RW+ = gitolite-admin

    repo testing
     RW+ = @all
    repo CREATOR/[a-zA-Z0-9].*
     C = @all
     RW+ = CREATOR
     RW = WRITERS
     R = READERS
     option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
  '';

  expectedHtmlReadme = pkgs.writeText "expectedHtmlReadme" ''
    <h1>Alice's Repo</h1>
  '';
  expectedMdReadme = pkgs.writeText "expectedMdReadme" ''
    # Alice's Repo
  '';
in
  nixos-lib.runTest {
    hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs

    name = "git-server";

    node = {
      specialArgs = {inherit pkgsUnstable nixpkgs-unstable nixLib;};

      # Use the nixpkgs as constructed by the `nixpkgs.*` options
      pkgs = null;
    };

    nodes = {
      server = {config, ...}: {
        imports =
          extraModules
          ++ [
            ../../../../modules
          ];

        vhack = {
          persist.enable = true;
          openssh.enable = true;
          nginx = {
            enable = true;
            selfsign = true;
          };
          git-server = {
            enable = true;
            domain = gitServerDomain;
            gitolite.adminPubkey = sshKeys.admin.pub;
          };
        };
      };

      client = {...}: {
        environment.systemPackages = [pkgs.git];
        programs.ssh.extraConfig = ''
          Host *
            UserKnownHostsFile /dev/null
            StrictHostKeyChecking no
            # there's nobody around that can input password
            PreferredAuthentications publickey
        '';
        users.users.alice = {isNormalUser = true;};
        users.users.bob = {isNormalUser = true;};
      };
    };

    testScript = {nodes, ...}:
    /*
    python
    */
    ''
      start_all()

      with subtest("can setup ssh keys on client"):
        client.succeed(
            "mkdir -p ~root/.ssh",
            "cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519",
            "chmod 600 ~root/.ssh/id_ed25519",
        )
        client.succeed(
            "sudo -u alice mkdir -p ~alice/.ssh",
            "sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519",
            "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
        )
        client.succeed(
            "sudo -u bob mkdir -p ~bob/.ssh",
            "sudo -u bob cp ${sshKeys.bob.priv} ~bob/.ssh/id_ed25519",
            "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519",
        )

      with subtest("gitolite server starts"):
        server.wait_for_unit("gitolite-init.service")
        server.wait_for_unit("sshd.service")
        client.succeed("ssh -n git@server info")


      with subtest("admin can clone and configure gitolite-admin.git"):
        client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" ''
        set -xe

        git clone git@server:gitolite-admin.git
        git config --global user.name 'System Administrator'
        git config --global user.email root\@domain.example

        cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub
        cp ${sshKeys.bob.pub} gitolite-admin/keydir/bob.pub

        (cd gitolite-admin && git switch -c master && git branch -D main)

        (cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push -u origin master)
        cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf
        (cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push)
        (cd gitolite-admin && git push -d origin main)
      ''}")

        server.succeed("${pkgs.writeShellScript "verify gitolite-admin.conf" ''
        set -xe

        testFile=~git/.gitolite/conf/gitolite.conf.test

        cp ~git/.gitolite/conf/gitolite.conf "$testFile"

        # Normalize the white space
        sed -i 's/\t/ /g' "$testFile"
        sed -i 's/\s\+/ /g' "$testFile"

        diff "$testFile" ${expectedGitoliteConf}
      ''}")


      with subtest("non-admins cannot clone gitolite-admin.git"):
        client.fail("sudo -i -u alice git clone git@server:gitolite-admin.git")
        client.fail("sudo -i -u bob git clone git@server:gitolite-admin.git")

      with subtest("non-admins can clone testing.git"):
        client.succeed("sudo -i -u alice git clone git@server:testing.git")
        client.succeed("sudo -i -u bob git clone git@server:testing.git")


      with subtest("alice can create a repo"):
        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" ''
        set -xe

        mkdir alice-repo && cd alice-repo;

        git init --initial-branch main
        echo "# Alice's Repo" > README.md
        git add README.md
        git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme'

        git remote add origin git@server:alice/alice-project.git
        git push --set-upstream origin main
      ''}")

      with subtest("alice can clone alice-project.git"):
        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-clone-repo" ''
        set -xe

        git clone git@server:alice/alice-project.git
        diff --side-by-side ${expectedMdReadme}  ./alice-project/README.md
      ''}")

      with subtest("bob cannot clone alice-project.git"):
        client.fail("sudo -i -u bob git clone git@server:alice/alice-project.git")

      with subtest("Alice can make her repo public"):
        client.succeed(
            "sudo -u alice ssh git@server perms alice/alice-project + READERS @all",
            "sudo -u alice ssh git@server desc alice/alice-project 'My nice project.'"
        )

      with subtest("Bob can see alice config on cgit"):
        client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-clone-repo" ''
        set -xe

        cd ~bob
        # Disable ssl verification, as the certs are self-signed
        git -c http.sslVerify=false clone https://server/alice/alice-project.git
      ''}")

      with subtest("Alice can change settings in her repo"):
        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-change-settings" ''
        set -xe

        echo 'Hi! You want to work with alice' | ssh git@server motd alice/alice-project set
        ssh git@server config alice/alice-project --add 'cgit.owner' 'alice'
        ssh git@server config alice/alice-project --add 'cgit.section' 'alice'
        ssh git@server config alice/alice-project --add 'cgit.homepage' 'alice'

        owner="$(ssh git@server config alice/alice-project --get-all 'cgit.owner')"
        [ "$owner" = "alice" ] || {
          echo "owner should be alice but is '$owner'!"
          exit 1
        }
      ''}")


      # He can't see the readme (FIXME:  find out why this does not work. <2024-08-13> )
      # with subtest("Bob can see alice's README"):
      #   client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-alice-readme" ''
        #   set -xe
        #
        #   curl --insecure --silent --fail --show-error 'https://server/alice/alice-project/about' > readme.html
        #   cat readme.html
        #   diff --side-by-side ${expectedHtmlReadme}  readme.html
        # ''}")
    '';
  }