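import ./make-test-python.nix ({ lib, pkgs, ... }: {
  name = "systemd-journal-gateway";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ minijackson raitobezarius ];
  };

  # Named client for coherence with the systemd-journal-upload test, and for
  # certificate validation: the certificate the gateway presents is issued for
  # the name "client" below, and curl connects to https://client, so hostname
  # verification is exercised rather than bypassed.
  nodes.client = {
    services.journald.gateway = {
      enable = true;
      cert = "/run/secrets/client/cert.pem";
      key = "/run/secrets/client/key.pem";
      # With `trust` set the gateway verifies client certificates against this
      # CA (mutual TLS); the negative test below checks that enforcement.
      trust = "/run/secrets/ca.cert.pem";
    };
  };

  testScript = ''
    import json
    import subprocess
    import tempfile

    # Host-side scratch directory for the CA and leaf key material. Only the
    # certificates and the two leaf keys are copied into the VM; ca.key.pem
    # never leaves the host.
    tmpdir_o = tempfile.TemporaryDirectory()
    tmpdir = tmpdir_o.name

    def generate_pems(domain: str) -> None:
        """Issue a leaf key+certificate for `domain` into `tmpdir`/`domain`/.

        minica creates ca.key.pem / ca.cert.pem on the first call and reuses
        them afterwards, so every leaf chains to the same CA.
        """
        subprocess.run(
            [
                "${pkgs.minica}/bin/minica",
                "--ca-key=ca.key.pem",
                "--ca-cert=ca.cert.pem",
                f"--domains={domain}",
            ],
            cwd=str(tmpdir),
            # Abort with minica's own error rather than failing later with an
            # unrelated copy or TLS error if certificate generation failed.
            check=True,
        )

    with subtest("Creating keys and certificates"):
        generate_pems("server")
        generate_pems("client")

    client.wait_for_unit("multi-user.target")

    def copy_pem(file: str, mode: str = "644") -> None:
        """Copy `tmpdir`/`file` to /run/secrets/`file` in the VM, chmod to `mode`."""
        client.copy_from_host(source=f"{tmpdir}/{file}", target=f"/run/secrets/{file}")
        client.succeed(f"chmod {mode} /run/secrets/{file}")

    with subtest("Copying keys and certificates"):
        client.succeed("mkdir -p /run/secrets/{client,server}")
        # The gateway's key is left world-readable so the (non-root) gatewayd
        # service can open it. That is acceptable for a throwaway test VM
        # only; a real deployment should make it readable by the service
        # user alone. NOTE(review): confirm the service user is the only
        # intended reader before tightening this.
        copy_pem("client/cert.pem")
        copy_pem("client/key.pem")
        # The curl client key is read only by root (test commands run as
        # root), so it does not need to be world-readable.
        copy_pem("server/cert.pem")
        copy_pem("server/key.pem", mode="600")
        copy_pem("ca.cert.pem")

    curl = '${pkgs.curl}/bin/curl'
    accept_json = '--header "Accept: application/json"'
    # Pin the test CA so the gateway certificate is actually verified.
    cacert = '--cacert /run/secrets/ca.cert.pem'
    # curl authenticates with the "server" leaf; the gateway presents "client".
    cert = '--cert /run/secrets/server/cert.pem'
    key = '--key /run/secrets/server/key.pem'
    base_url = 'https://client:19531'

    # --fail turns HTTP error statuses into non-zero exits, so succeed()/fail()
    # below observe both TLS-level and HTTP-level rejections.
    curl_cli = f"{curl} {accept_json} {cacert} {cert} {key} --fail"

    machine_info = client.succeed(f"{curl_cli} {base_url}/machine")
    assert json.loads(machine_info)["hostname"] == "client", "wrong machine name"

    # The HTTP request should have started the gateway service, triggered by
    # the .socket unit
    client.wait_for_unit("systemd-journal-gatewayd.service")

    with subtest("Requests without a trusted client certificate are rejected"):
        # Same request, same CA pin, but no client certificate: with `trust`
        # configured the gateway must not serve it. --max-time keeps this
        # from hanging if the connection is neither served nor closed.
        client.fail(f"{curl} {accept_json} {cacert} --fail --max-time 5 {base_url}/machine")

    identifier = "nixos-test"
    message = "Hello from NixOS test infrastructure"

    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")

    # max-time is a workaround against a bug in systemd-journal-gatewayd where
    # if TLS is enabled, the connection is never closed. Only the resulting
    # timeout (curl exit 28) is tolerated; a TLS, authentication or HTTP
    # failure still fails the test instead of being masked.
    entries = client.succeed(
        f"{curl_cli} --max-time 5 {base_url}/entries?SYSLOG_IDENTIFIER={identifier} || [ $? -eq 28 ]"
    )

    # Exactly one entry is expected: the gateway emits one JSON object per
    # line, so json.loads would raise on a second one.
    added_entry = json.loads(entries)
    assert added_entry["SYSLOG_IDENTIFIER"] == identifier and added_entry["MESSAGE"] == message, "journal entry does not correspond"
  '';
})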