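# NixOS VM tests for sops-install-secrets.
#
# Every test boots a machine with ../../modules/sops, decrypts
# ./test-assets/secrets.yaml with one kind of key material (RSA SSH host key,
# age key file, age key next to an ed25519 host key, or a GnuPG home) and
# checks that the plaintext appears under /run/secrets with the expected
# content. The last test additionally checks that changing a secret restarts
# or reloads the units listed in `restartUnits`.
{ makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>, pkgs ? (import <nixpkgs> {}) }:
{
  # Decryption using the machine's RSA SSH host key taken from the test assets.
  ssh-keys = makeTest {
    name = "sops-ssh-keys";
    nodes.server = { ... }: {
      imports = [ ../../modules/sops ];
      services.openssh.enable = true;
      # Fixed host key from the test assets (not generated at boot).
      services.openssh.hostKeys = [{
        type = "rsa";
        bits = 4096;
        path = ./test-assets/ssh-key;
      }];
      sops = {
        defaultSopsFile = ./test-assets/secrets.yaml;
        secrets.test_key = {};
      };
    };
    testScript = ''
      start_all()
      server.succeed("cat /run/secrets/test_key | grep -q test_value")
    '';
  } {
    inherit pkgs;
    inherit (pkgs) system;
  };

  # Decryption using an age key file from the test assets.
  age-keys = makeTest {
    name = "sops-age-keys";
    machine = {
      imports = [ ../../modules/sops ];
      sops = {
        age.keyFile = ./test-assets/age-keys.txt;
        defaultSopsFile = ./test-assets/secrets.yaml;
        secrets.test_key = {};
      };
    };
    testScript = ''
      start_all()
      machine.succeed("cat /run/secrets/test_key | grep -q test_value")
    '';
  } {
    inherit pkgs;
    inherit (pkgs) system;
  };

  # Decryption with an ed25519 SSH host key present while a fresh age key is
  # generated and appended to the key file.
  age-ssh-keys = makeTest {
    name = "sops-age-ssh-keys";
    machine = {
      imports = [ ../../modules/sops ];
      services.openssh.enable = true;
      services.openssh.hostKeys = [{
        type = "ed25519";
        path = ./test-assets/ssh-ed25519-key;
      }];
      sops = {
        defaultSopsFile = ./test-assets/secrets.yaml;
        secrets.test_key = {};
        # Generate a key and append it to make sure that appending doesn't break anything.
        # /tmp is acceptable only because this is a throwaway test VM; a real
        # deployment should keep the age key on a private, persistent path.
        age = {
          keyFile = "/tmp/testkey";
          generateKey = true;
        };
      };
    };
    testScript = ''
      start_all()
      machine.succeed("cat /run/secrets/test_key | grep -q test_value")
    '';
  } {
    inherit pkgs;
    inherit (pkgs) system;
  };

  # Decryption with a GnuPG home, plus checks of secret ownership, nested
  # secret paths and a secret installed at a custom `path`.
  pgp-keys = makeTest {
    name = "sops-pgp-keys";
    nodes.server = { pkgs, lib, config, ... }: {
      imports = [
        ../../modules/sops
      ];
      # Unprivileged owner used to verify that `owner` grants read access.
      users.users.someuser = {
        isSystemUser = true;
        group = "nogroup";
      };
      sops = {
        gnupg.home = "/run/gpghome";
        defaultSopsFile = ./test-assets/secrets.yaml;
        secrets.test_key.owner = config.users.users.someuser.name;
        secrets."nested/test/file".owner = config.users.users.someuser.name;
        # Same key material as test_key, but installed at a fixed path.
        secrets.existing-file = {
          key = "test_key";
          path = "/run/existing-file";
        };
      };
      # must run before sops
      system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
        cp -r ${./test-assets/gnupghome} /run/gpghome
        # The store copy is read-only; make the GnuPG home private and writable.
        chmod -R 700 /run/gpghome
        # Pre-existing file at the custom path; sops must replace it.
        touch /run/existing-file
      '';
      # Useful for debugging
      #environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
      #environment.variables = {
      #  GNUPGHOME = "/run/gpghome";
      #  SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
      #  SOPSFILE = "${./test-assets/secrets.yaml}";
      #};
    };
    testScript = ''
      def assertEqual(exp: str, act: str) -> None:
          if exp != act:
              raise Exception(f"'{exp}' != '{act}'")

      start_all()

      value = server.succeed("cat /run/secrets/test_key")
      assertEqual("test_value", value)
      # The configured owner must be able to read the secret.
      server.succeed("runuser -u someuser -- cat /run/secrets/test_key >&2")

      value = server.succeed("cat /run/secrets/nested/test/file")
      # (expected, actual) order, consistent with the assertion above
      assertEqual("another value", value)

      # The custom path is a symlink into the first secrets generation.
      target = server.succeed("readlink -f /run/existing-file")
      assertEqual("/run/secrets.d/1/existing-file", target.strip())
    '';
  } {
    inherit pkgs;
    inherit (pkgs) system;
  };
} // pkgs.lib.optionalAttrs (pkgs.lib.versionAtLeast (pkgs.lib.versions.majorMinor pkgs.lib.version) "21.11") {
  # Changing a secret must restart/reload the units named in `restartUnits`;
  # unchanged secrets and dry activation must not. Only available on NixOS
  # releases from 21.11 on.
  restart-and-reload = makeTest {
    name = "sops-restart-and-reload";
    machine = { pkgs, lib, config, ... }: {
      imports = [
        ../../modules/sops
      ];
      sops = {
        age.keyFile = ./test-assets/age-keys.txt;
        defaultSopsFile = ./test-assets/secrets.yaml;
        secrets.test_key = {
          restartUnits = [ "restart-unit.service" "reload-unit.service" ];
        };
      };
      # Marker file /restarted is written each time this unit is (re)started.
      systemd.services."restart-unit" = {
        description = "Restart unit";
        # not started on boot
        serviceConfig = {
          ExecStart = "/bin/sh -c 'echo ok > /restarted'";
        };
      };
      # Marker file /reloaded is written only on reload, never on start.
      systemd.services."reload-unit" = {
        description = "Reload unit";
        wantedBy = [ "multi-user.target" ];
        reloadIfChanged = true;
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStart = "/bin/sh -c true";
          ExecReload = "/bin/sh -c 'echo ok > /reloaded'";
        };
      };
    };
    testScript = ''
      machine.wait_for_unit("multi-user.target")
      machine.fail("test -f /restarted")
      machine.fail("test -f /reloaded")
      # Nothing is to be restarted after boot
      machine.fail("ls /run/nixos/*-list")

      # Nothing happens when the secret is not changed
      machine.succeed("/run/current-system/bin/switch-to-configuration test")
      machine.fail("test -f /restarted")
      machine.fail("test -f /reloaded")

      # Ensure the secret is changed
      machine.succeed(": > /run/secrets/test_key")

      # The secret is changed, now something should happen
      machine.succeed("/run/current-system/bin/switch-to-configuration test")

      # Ensure something happened
      machine.succeed("test -f /restarted")
      machine.succeed("test -f /reloaded")

      with subtest("change detection"):
          machine.succeed("rm /run/secrets/test_key")
          out = machine.succeed("/run/current-system/bin/switch-to-configuration test")
          if "adding secret" not in out:
              raise Exception("Addition detection does not work")

          machine.succeed(": > /run/secrets/test_key")
          out = machine.succeed("/run/current-system/bin/switch-to-configuration test")
          if "modifying secret" not in out:
              raise Exception("Modification detection does not work")

          machine.succeed(": > /run/secrets/another_key")
          out = machine.succeed("/run/current-system/bin/switch-to-configuration test")
          if "removing secret" not in out:
              raise Exception("Removal detection does not work")

      with subtest("dry activation"):
          machine.succeed("rm /run/secrets/test_key")
          machine.succeed(": > /run/secrets/another_key")
          out = machine.succeed("/run/current-system/bin/switch-to-configuration dry-activate")
          if "would add secret" not in out:
              raise Exception("Dry addition detection does not work")
          if "would remove secret" not in out:
              raise Exception("Dry removal detection does not work")
          # dry-activate must leave the secrets directory untouched
          machine.fail("test -f /run/secrets/test_key")
          machine.succeed("test -f /run/secrets/another_key")

          machine.succeed("/run/current-system/bin/switch-to-configuration test")
          machine.succeed("test -f /run/secrets/test_key")
          machine.succeed("rm /restarted /reloaded")
          machine.fail("test -f /run/secrets/another_key")

          machine.succeed(": > /run/secrets/test_key")
          out = machine.succeed("/run/current-system/bin/switch-to-configuration dry-activate")
          if "would modify secret" not in out:
              raise Exception("Dry modification detection does not work")
          machine.succeed("[ $(cat /run/secrets/test_key | wc -c) = 0 ]")
          machine.fail("test -f /restarted") # not done in dry mode
          machine.fail("test -f /reloaded") # not done in dry mode
    '';
  } {
    inherit pkgs;
    inherit (pkgs) system;
  };
}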