nixos/tests/kanidm.nix at 23.11-beta · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / kanidm.nix
at 23.11-beta 5.3 kB view raw
  1import ./make-test-python.nix ({ pkgs, ... }:
  2  let
  3    certs = import ./common/acme/server/snakeoil-certs.nix;
  4    serverDomain = certs.domain;
  5
  6    testCredentials = {
  7      password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl";
  8    };
  9  in
 10  {
 11    name = "kanidm";
 12    meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi ];
 13
 14    nodes.server = { config, pkgs, lib, ... }: {
 15      services.kanidm = {
 16        enableServer = true;
 17        serverSettings = {
 18          origin = "https://${serverDomain}";
 19          domain = serverDomain;
 20          bindaddress = "[::]:443";
 21          ldapbindaddress = "[::1]:636";
 22          tls_chain = certs."${serverDomain}".cert;
 23          tls_key = certs."${serverDomain}".key;
 24        };
 25      };
 26
 27      security.pki.certificateFiles = [ certs.ca.cert ];
 28
 29      networking.hosts."::1" = [ serverDomain ];
 30      networking.firewall.allowedTCPPorts = [ 443 ];
 31
 32      users.users.kanidm.shell = pkgs.bashInteractive;
 33
 34      environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ];
 35    };
 36
 37    nodes.client = { pkgs, nodes, ... }: {
 38      services.kanidm = {
 39        enableClient = true;
 40        clientSettings = {
 41          uri = "https://${serverDomain}";
 42          verify_ca = true;
 43          verify_hostnames = true;
 44        };
 45        enablePam = true;
 46        unixSettings = {
 47          pam_allowed_login_groups = [ "shell" ];
 48        };
 49      };
 50
 51      networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ];
 52
 53      security.pki.certificateFiles = [ certs.ca.cert ];
 54    };
 55
 56    testScript = { nodes, ... }:
 57      let
 58        ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain));
 59
 60        # We need access to the config file in the test script.
 61        filteredConfig = pkgs.lib.converge
 62          (pkgs.lib.filterAttrsRecursive (_: v: v != null))
 63          nodes.server.services.kanidm.serverSettings;
 64        serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;
 65
 66      in
 67      ''
 68        start_all()
 69        server.wait_for_unit("kanidm.service")
 70        client.wait_for_unit("network-online.target")
 71
 72        with subtest("Test HTTP interface"):
 73            server.wait_until_succeeds("curl -Lsf https://${serverDomain} | grep Kanidm")
 74
 75        with subtest("Test LDAP interface"):
 76            server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
 77
 78        with subtest("Test CLI login"):
 79            client.succeed("kanidm login -D anonymous")
 80            client.succeed("kanidm self whoami | grep anonymous@${serverDomain}")
 81            client.succeed("kanidm logout")
 82
 83        with subtest("Recover idm_admin account"):
 84            idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'")
 85
 86        with subtest("Test unixd connection"):
 87            client.wait_for_unit("kanidm-unixd.service")
 88            client.wait_for_file("/run/kanidm-unixd/sock")
 89            client.wait_until_succeeds("kanidm-unix status | grep working!")
 90
 91        with subtest("Test user creation"):
 92            client.wait_for_unit("getty@tty1.service")
 93            client.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
 94            client.wait_until_tty_matches("1", "login: ")
 95            client.send_chars("root\n")
 96            client.send_chars("kanidm login -D idm_admin\n")
 97            client.wait_until_tty_matches("1", "Enter password: ")
 98            client.send_chars(f"{idm_admin_password}\n")
 99            client.wait_until_tty_matches("1", "Login Success for idm_admin")
100            client.succeed("kanidm person create testuser TestUser")
101            client.succeed("kanidm person posix set --shell \"$SHELL\" testuser")
102            client.send_chars("kanidm person posix set-password testuser\n")
103            client.wait_until_tty_matches("1", "Enter new")
104            client.send_chars("${testCredentials.password}\n")
105            client.wait_until_tty_matches("1", "Retype")
106            client.send_chars("${testCredentials.password}\n")
107            output = client.succeed("getent passwd testuser")
108            assert "TestUser" in output
109            client.succeed("kanidm group create shell")
110            client.succeed("kanidm group posix set shell")
111            client.succeed("kanidm group add-members shell testuser")
112
113        with subtest("Test user login"):
114            client.send_key("alt-f2")
115            client.wait_until_succeeds("[ $(fgconsole) = 2 ]")
116            client.wait_for_unit("getty@tty2.service")
117            client.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
118            client.wait_until_tty_matches("2", "login: ")
119            client.send_chars("testuser\n")
120            client.wait_until_tty_matches("2", "login: testuser")
121            client.wait_until_succeeds("pgrep login")
122            client.wait_until_tty_matches("2", "Password: ")
123            client.send_chars("${testCredentials.password}\n")
124            client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service")
125            client.send_chars("touch done\n")
126            client.wait_for_file("/home/testuser@${serverDomain}/done")
127      '';
128  })