2020-04-24 23:36:52 +00:00
|
|
|
import ./make-test-python.nix ({ pkgs, ...}:
|
|
|
|
|
|
|
|
let
|
|
|
|
adminPrivateKey = pkgs.writeText "id_ed25519" ''
|
|
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
|
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
|
|
|
QyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3gAAAJBJiYxDSYmM
|
|
|
|
QwAAAAtzc2gtZWQyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3g
|
|
|
|
AAAEDE1W6vMwSEUcF1r7Hyypm/+sCOoDmKZgPxi3WOa1mD2u7urFhAA90BTpGuEHeWWTY3
|
|
|
|
W/g9PBxXNxfWhfbrm4LeAAAACGJmb0BtaW5pAQIDBAU=
|
|
|
|
-----END OPENSSH PRIVATE KEY-----
|
|
|
|
'';
|
|
|
|
|
|
|
|
adminPublicKey = ''
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client
|
|
|
|
'';
|
|
|
|
|
|
|
|
alicePrivateKey = pkgs.writeText "id_ed25519" ''
|
|
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
|
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
|
|
|
QyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQAAAJAwVQ5VMFUO
|
|
|
|
VQAAAAtzc2gtZWQyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQ
|
|
|
|
AAAEB7lbfkkdkJoE+4TKHPdPQWBKLSx+J54Eg8DaTr+3KoSlt5a8eH8BYZYjoQhzXGVKKH
|
|
|
|
Je1pw1D0p7O2Vb9VTLzBAAAACGJmb0BtaW5pAQIDBAU=
|
|
|
|
-----END OPENSSH PRIVATE KEY-----
|
|
|
|
'';
|
|
|
|
|
|
|
|
alicePublicKey = pkgs.writeText "id_ed25519.pub" ''
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt5a8eH8BYZYjoQhzXGVKKHJe1pw1D0p7O2Vb9VTLzB alice@client
|
|
|
|
'';
|
|
|
|
|
|
|
|
bobPrivateKey = pkgs.writeText "id_ed25519" ''
|
|
|
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
|
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
|
|
|
QyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMAAAAJDQBmNV0AZj
|
|
|
|
VQAAAAtzc2gtZWQyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMA
|
|
|
|
AAAEDM1IYYFUwk/IVxauha9kuR6bbRtT3gZ6ZA0GLb9txb/pZNonUP1ePHLrvn0W9D2hdN
|
|
|
|
6zWWZYFyJc+QR6pOKQEwAAAACGJmb0BtaW5pAQIDBAU=
|
|
|
|
-----END OPENSSH PRIVATE KEY-----
|
|
|
|
'';
|
|
|
|
|
|
|
|
bobPublicKey = pkgs.writeText "id_ed25519.pub" ''
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZNonUP1ePHLrvn0W9D2hdN6zWWZYFyJc+QR6pOKQEw bob@client
|
|
|
|
'';
|
|
|
|
|
|
|
|
gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
|
|
|
|
repo alice-project
|
|
|
|
RW+ = alice
|
|
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
name = "gitolite";
|
|
|
|
|
2021-01-15 22:18:51 +00:00
|
|
|
meta = with pkgs.lib.maintainers; {
|
2020-04-24 23:36:52 +00:00
|
|
|
maintainers = [ bjornfor ];
|
|
|
|
};
|
|
|
|
|
|
|
|
nodes = {
|
|
|
|
|
|
|
|
server =
|
|
|
|
{ ... }:
|
|
|
|
{
|
|
|
|
services.gitolite = {
|
|
|
|
enable = true;
|
|
|
|
adminPubkey = adminPublicKey;
|
|
|
|
};
|
|
|
|
services.openssh.enable = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
client =
|
|
|
|
{ pkgs, ... }:
|
|
|
|
{
|
|
|
|
environment.systemPackages = [ pkgs.git ];
|
|
|
|
programs.ssh.extraConfig = ''
|
|
|
|
Host *
|
|
|
|
UserKnownHostsFile /dev/null
|
|
|
|
StrictHostKeyChecking no
|
|
|
|
# there's nobody around that can input password
|
|
|
|
PreferredAuthentications publickey
|
|
|
|
'';
|
|
|
|
users.users.alice = { isNormalUser = true; };
|
|
|
|
users.users.bob = { isNormalUser = true; };
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
testScript = ''
|
|
|
|
start_all()
|
|
|
|
|
|
|
|
with subtest("can setup ssh keys on system"):
|
|
|
|
client.succeed(
|
|
|
|
"mkdir -p ~root/.ssh",
|
|
|
|
"cp ${adminPrivateKey} ~root/.ssh/id_ed25519",
|
|
|
|
"chmod 600 ~root/.ssh/id_ed25519",
|
|
|
|
)
|
|
|
|
client.succeed(
|
|
|
|
"sudo -u alice mkdir -p ~alice/.ssh",
|
|
|
|
"sudo -u alice cp ${alicePrivateKey} ~alice/.ssh/id_ed25519",
|
|
|
|
"sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
|
|
|
|
)
|
|
|
|
client.succeed(
|
|
|
|
"sudo -u bob mkdir -p ~bob/.ssh",
|
|
|
|
"sudo -u bob cp ${bobPrivateKey} ~bob/.ssh/id_ed25519",
|
|
|
|
"sudo -u bob chmod 600 ~bob/.ssh/id_ed25519",
|
|
|
|
)
|
|
|
|
|
|
|
|
with subtest("gitolite server starts"):
|
|
|
|
server.wait_for_unit("gitolite-init.service")
|
|
|
|
server.wait_for_unit("sshd.service")
|
|
|
|
client.succeed("ssh gitolite@server info")
|
|
|
|
|
|
|
|
with subtest("admin can clone and configure gitolite-admin.git"):
|
|
|
|
client.succeed(
|
|
|
|
"git clone gitolite@server:gitolite-admin.git",
|
|
|
|
"git config --global user.name 'System Administrator'",
|
|
|
|
"git config --global user.email root\@domain.example",
|
|
|
|
"cp ${alicePublicKey} gitolite-admin/keydir/alice.pub",
|
|
|
|
"cp ${bobPublicKey} gitolite-admin/keydir/bob.pub",
|
|
|
|
"(cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push)",
|
|
|
|
"cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf",
|
|
|
|
"(cd gitolite-admin && git add . && git commit -m 'Add repo for alice' && git push)",
|
|
|
|
)
|
|
|
|
|
|
|
|
with subtest("non-admins cannot clone gitolite-admin.git"):
|
|
|
|
client.fail("sudo -i -u alice git clone gitolite@server:gitolite-admin.git")
|
|
|
|
client.fail("sudo -i -u bob git clone gitolite@server:gitolite-admin.git")
|
|
|
|
|
|
|
|
with subtest("non-admins can clone testing.git"):
|
|
|
|
client.succeed("sudo -i -u alice git clone gitolite@server:testing.git")
|
|
|
|
client.succeed("sudo -i -u bob git clone gitolite@server:testing.git")
|
|
|
|
|
|
|
|
with subtest("alice can clone alice-project.git"):
|
|
|
|
client.succeed("sudo -i -u alice git clone gitolite@server:alice-project.git")
|
|
|
|
|
|
|
|
with subtest("bob cannot clone alice-project.git"):
|
|
|
|
client.fail("sudo -i -u bob git clone gitolite@server:alice-project.git")
|
|
|
|
'';
|
|
|
|
})
|