ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-11-14 15:36:47 +03:00
Code Issues Projects Releases Wiki Activity
0dfe118d22
nixpkgs/nixos/tests/kanidm.nix
Bjørn Forsman ed99bd0fb9
kanidm: 1.1.0-alpha.11 -> 1.1.0-alpha.12 
* Update Cargo.lock from upstream.
* Adapt expression to upstream source tree layout changes.
* Apply patch to restore x86_64 v1 support

Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>

Also updates the NixOS test:

* Stop kanidm to recover the idm_admin account
* Group all tests into subtest blocks
* Add TODO to wait for unix socket on unixd for the next release

Co-Authored-By: Raito Bezarius <masterancpp@gmail.com>
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
2023-06-01 15:28:11 +02:00

90 lines
3.2 KiB
Nix
Raw Blame History

import ./make-test-python.nix ({ pkgs, ... }:
let
certs = import ./common/acme/server/snakeoil-certs.nix;
serverDomain = certs.domain;
in
{
name = "kanidm";
meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi ];
nodes.server = { config, pkgs, lib, ... }: {
services.kanidm = {
enableServer = true;
serverSettings = {
origin = "https://${serverDomain}";
domain = serverDomain;
bindaddress = "[::]:443";
ldapbindaddress = "[::1]:636";
tls_chain = certs."${serverDomain}".cert;
tls_key = certs."${serverDomain}".key;
};
};
security.pki.certificateFiles = [ certs.ca.cert ];
networking.hosts."::1" = [ serverDomain ];
networking.firewall.allowedTCPPorts = [ 443 ];
users.users.kanidm.shell = pkgs.bashInteractive;
environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ];
};
nodes.client = { pkgs, nodes, ... }: {
services.kanidm = {
enableClient = true;
clientSettings = {
uri = "https://${serverDomain}";
verify_ca = true;
verify_hostnames = true;
};
enablePam = true;
unixSettings = {
pam_allowed_login_groups = [ "shell" ];
};
};
networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ];
security.pki.certificateFiles = [ certs.ca.cert ];
};
testScript = { nodes, ... }:
let
ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain));
# We need access to the config file in the test script.
filteredConfig = pkgs.lib.converge
(pkgs.lib.filterAttrsRecursive (_: v: v != null))
nodes.server.services.kanidm.serverSettings;
serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;
in
''
start_all()
server.wait_for_unit("kanidm.service")
with subtest("Test HTTP interface"):
server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
with subtest("Test LDAP interface"):
server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
with subtest("Test CLI login"):
client.succeed("kanidm login -D anonymous")
client.succeed("kanidm self whoami | grep anonymous@${serverDomain}")
with subtest("Recover idm_admin account"):
# Must stop the server for account recovery or else kanidmd fails with
# "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock".
server.succeed("systemctl stop kanidm")
server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '")
server.succeed("systemctl start kanidm")
with subtest("Test unixd connection"):
client.wait_for_unit("kanidm-unixd.service")
# TODO: client.wait_for_file("/run/kanidm-unixd/sock")
client.wait_until_succeeds("kanidm-unix status | grep working!")
'';
})
Reference in New Issue View Git Blame Copy Permalink