Merge pull request #150 from n8henrie/expand_tests

Expand tests
This commit is contained in:
Ryan Mulligan 2023-02-16 17:58:21 -08:00 committed by GitHub
commit de657061b1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 9 deletions

View file

@ -3,13 +3,17 @@
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
system.activationScripts.installSSHHostKeys.text = ''
mkdir -p /etc/ssh
(umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
mkdir -p /etc/ssh /home/user1/.ssh
(
umask u=rw,g=r,o=r
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
)
(
umask u=rw,g=,o=
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
touch /etc/ssh/ssh_host_rsa_key
)
'';
}

View file

@ -6,13 +6,12 @@
config = {};
},
system ? builtins.currentSystem,
} @ args:
import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
}:
pkgs.nixosTest {
name = "agenix-integration";
nodes.system1 = {
config,
lib,
pkgs,
options,
...
}: {
@ -29,6 +28,10 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
environment.systemPackages = [
(pkgs.callPackage ../pkgs/agenix.nix {})
];
users = {
mutableUsers = false;
@ -61,6 +64,19 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
system1.send_chars("whoami > /tmp/1\n")
system1.wait_for_file("/tmp/1")
assert "${user}" in system1.succeed("cat /tmp/1")
system1.succeed('cp -a "${../example}/." /tmp/secrets')
system1.succeed('chmod u+w /tmp/secrets/*.age')
before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
# Ensure we actually have hashes
for h in [before_hash, after_hash]:
assert len(h) == 2, "hash should be [hash, filename]"
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
assert len(h[0].strip()) == 64, "hash length is incorrect"
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
'';
})
args
}