1 { system ? builtins.currentSystem,
2   config ? {},
3   giteaPackage ? pkgs.gitea,
4   pkgs ? import ../.. { inherit system config; }
5 }:
7 with import ../lib/testing-python.nix { inherit system pkgs; };
8 with pkgs.lib;
10 let
  ## Throwaway PGP key used as Gitea's repository signing key in this test.
  ## It is committed on purpose: it only ever lives inside the ephemeral test
  ## VM, so it must never be reused anywhere else. Generated with:
  ##   gpg --faked-system-time='20230301T010000!' --quick-generate-key snakeoil ed25519 sign
  signingPrivateKey = ''
    -----BEGIN PGP PRIVATE KEY BLOCK-----
    lFgEY/6jkBYJKwYBBAHaRw8BAQdADXiZRV8RJUyC9g0LH04wLMaJL9WTc+szbMi7
    5fw4yP8AAQCl8EwGfzSLm/P6fCBfA3I9znFb3MEHGCCJhJ6VtKYyRw7ktAhzbmFr
    ZW9pbIiUBBMWCgA8FiEE+wUM6VW/NLtAdSixTWQt6LZ4x50FAmP+o5ACGwMFCQPC
    ZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEE1kLei2eMedFTgBAKQs1oGFZrCI
    TZP42hmBTKxGAI1wg7VSdDEWTZxut/2JAQDGgo2sa4VHMfj0aqYGxrIwfP2B7JHO
    GCqGCRf9O/hzBA==
    =9Uy3
    -----END PGP PRIVATE KEY BLOCK-----
  '';
  # Long key ID of the key above; the server config passes it as
  # repository.signing.SIGNING_KEY and the test script later checks that the
  # public half is served at /api/v1/signing-key.gpg.
  signingPrivateKeyId = "4D642DE8B678C79D";
  # One VM test is generated per database backend (see makeGiteaTest below).
  supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
27   makeGiteaTest = type: nameValuePair type (makeTest {
28     name = "${giteaPackage.pname}-${type}";
29     meta.maintainers = with maintainers; [ aanderse kolaente ma27 ];
31     nodes = {
32       server = { config, pkgs, ... }: {
33         virtualisation.memorySize = 2047;
34         services.gitea = {
35           enable = true;
36           database = { inherit type; };
37           package = giteaPackage;
38           metricsTokenFile = (pkgs.writeText "metrics_secret" "fakesecret").outPath;
39           settings.service.DISABLE_REGISTRATION = true;
40           settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
41           settings.actions.ENABLED = true;
42           settings.metrics.ENABLED = true;
43         };
44         environment.systemPackages = [ giteaPackage pkgs.gnupg pkgs.jq ];
45         services.openssh.enable = true;
47         specialisation.runner = {
48           inheritParentConfig = true;
50           configuration.services.gitea-actions-runner.instances."test" = {
51             enable = true;
52             name = "ci";
53             url = "http://localhost:3000";
54             labels = [
55               # don't require docker/podman
56               "native:host"
57             ];
58             tokenFile = "/var/lib/gitea/runner_token";
59           };
60         };
61       };
62       client1 = { config, pkgs, ... }: {
63         environment.systemPackages = [ pkgs.git ];
64       };
65       client2 = { config, pkgs, ... }: {
66         environment.systemPackages = [ pkgs.git ];
67       };
68     };
70     testScript = { nodes, ... }: let
71       inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
72       serverSystem = nodes.server.system.build.toplevel;
73     in ''
74       GIT_SSH_COMMAND = "ssh -i $HOME/.ssh/privk -o StrictHostKeyChecking=no"
75       REPO = "gitea@server:test/repo"
76       PRIVK = "${snakeOilPrivateKey}"
78       start_all()
80       client1.succeed("mkdir /tmp/repo")
81       client1.succeed("mkdir -p $HOME/.ssh")
82       client1.succeed(f"cat {PRIVK} > $HOME/.ssh/privk")
83       client1.succeed("chmod 0400 $HOME/.ssh/privk")
84       client1.succeed("git -C /tmp/repo init")
85       client1.succeed("echo hello world > /tmp/repo/testfile")
86       client1.succeed("git -C /tmp/repo add .")
87       client1.succeed("git config --global user.email test@localhost")
88       client1.succeed("git config --global user.name test")
89       client1.succeed("git -C /tmp/repo commit -m 'Initial import'")
90       client1.succeed(f"git -C /tmp/repo remote add origin {REPO}")
92       server.wait_for_unit("gitea.service")
93       server.wait_for_open_port(3000)
94       server.wait_for_open_port(22)
95       server.succeed("curl --fail http://localhost:3000/")
97       server.succeed(
98           "su -l gitea -c 'gpg --homedir /var/lib/gitea/data/home/.gnupg "
99           + "--import ${toString (pkgs.writeText "gitea.key" signingPrivateKey)}'"
100       )
102       assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
104       server.succeed(
105           "curl --fail http://localhost:3000/user/sign_up | grep 'Registration is disabled. "
106           + "Please contact your site administrator.'"
107       )
108       server.succeed(
109           "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea admin user create "
110           + "--username test --password totallysafe --email test@localhost'"
111       )
113       api_token = server.succeed(
114           "curl --fail -X POST http://test:totallysafe@localhost:3000/api/v1/users/test/tokens "
115           + "-H 'Accept: application/json' -H 'Content-Type: application/json' -d "
116           + "'{\"name\":\"token\",\"scopes\":[\"all\"]}' | jq '.sha1' | xargs echo -n"
117       )
119       server.succeed(
120           "curl --fail -X POST http://localhost:3000/api/v1/user/repos "
121           + "-H 'Accept: application/json' -H 'Content-Type: application/json' "
122           + f"-H 'Authorization: token {api_token}'"
123           + ' -d \'{"auto_init":false, "description":"string", "license":"mit", "name":"repo", "private":false}\'''
124       )
126       server.succeed(
127           "curl --fail -X POST http://localhost:3000/api/v1/user/keys "
128           + "-H 'Accept: application/json' -H 'Content-Type: application/json' "
129           + f"-H 'Authorization: token {api_token}'"
130           + ' -d \'{"key":"${snakeOilPublicKey}","read_only":true,"title":"SSH"}\'''
131       )
133       client1.succeed(
134           f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git -C /tmp/repo push origin master"
135       )
137       client2.succeed("mkdir -p $HOME/.ssh")
138       client2.succeed(f"cat {PRIVK} > $HOME/.ssh/privk")
139       client2.succeed("chmod 0400 $HOME/.ssh/privk")
140       client2.succeed(f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git clone {REPO}")
141       client2.succeed('test "$(cat repo/testfile | xargs echo -n)" = "hello world"')
143       server.wait_until_succeeds(
144           'test "$(curl http://localhost:3000/api/v1/repos/test/repo/commits '
145           + '-H "Accept: application/json" | jq length)" = "1"'
146       )
148       with subtest("Testing metrics endpoint"):
149           server.succeed('curl '
150                          + '-H "Authorization: Bearer fakesecret" '
151                          + 'http://localhost:3000/metrics '
152                          + '| grep gitea_accesses')
154       with subtest("Testing runner registration"):
155           server.succeed(
156               "su -l gitea -c 'GITEA_WORK_DIR=/var/lib/gitea gitea actions generate-runner-token' | sed 's/^/TOKEN=/' | tee /var/lib/gitea/runner_token"
157           )
158           server.succeed("${serverSystem}/specialisation/runner/bin/switch-to-configuration test")
159           server.wait_for_unit("gitea-runner-test.service")
160           server.succeed("journalctl -o cat -u gitea-runner-test.service | grep -q 'Runner registered successfully'")
161     '';
162   });
165 listToAttrs (map makeGiteaTest supportedDbTypes)