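# NixOS VM test for services.passSecretService.
#
# It checks two things about the user unit dbus-org.freedesktop.secrets:
#   1. it is not running right after alice logs in, and
#   2. it is running after a client has talked to the D-Bus secrets API.
import ./make-test-python.nix (
  { pkgs, lib, ... }:
  {
    name = "pass-secret-service";
    meta.maintainers = [ lib.maintainers.aidalgol ];

    nodes.machine =
      { nodes, pkgs, ... }:
      {
        # Presumably provides the "alice" account used by the test script --
        # confirm in ./common/user-account.nix.
        imports = [ ./common/user-account.nix ];

        services.passSecretService.enable = true;

        environment.systemPackages = [
          # Create a script that tries to make a request to the D-Bus secrets API.
          # The script only opens a connection and asks for the default
          # collection; it stores and reads no secret.
          (pkgs.writers.writePython3Bin "secrets-dbus-init"
            {
              libraries = [ pkgs.python3Packages.secretstorage ];
            }
            ''
              import secretstorage
              print("Initializing dbus connection...")
              connection = secretstorage.dbus_init()
              print("Requesting default collection...")
              collection = secretstorage.get_default_collection(connection)
              print("Done! dbus-org.freedesktop.secrets should now be active.")
            ''
          )
          pkgs.pass
        ];

        programs.gnupg = {
          agent.enable = true;
          dirmngr.enable = true;
        };
      };

    # Some of the commands are run via a virtual console because they need to be
    # run under a real login session, with D-Bus running in the environment.
    testScript =
      { nodes, ... }:
      let
        user = nodes.machine.config.users.users.alice;
        gpg-uid = "alice@example.net";
        # Test-only credential. It is interpolated into the test script below,
        # which is built into the Nix store, and it is passed to gpg on the
        # command line, where the process list exposes it. Both are acceptable
        # only because this is a fixed throwaway value inside a disposable VM;
        # never reuse this pattern for a real key (gpg accepts --passphrase-fd
        # or --passphrase-file for that).
        gpg-pw = "foobar9000";
        # Marker file created once the client script has finished.
        ready-file = "/tmp/secrets-dbus-init.done";
      in
      ''
        # Initialise the pass(1) storage.
        # --pinentry-mode loopback with --batch lets gpg take the passphrase
        # non-interactively instead of asking through a pinentry program.
        machine.succeed("""
          sudo -u alice gpg --pinentry-mode loopback --batch --passphrase ${gpg-pw} \
          --quick-gen-key ${gpg-uid}
        """)
        machine.succeed("sudo -u alice pass init ${gpg-uid}")

        with subtest("Service is not running on login"):
            # Log in on tty1 by typing, so the commands sent later run in a
            # real login session.
            machine.wait_until_tty_matches("1", "login: ")
            machine.send_chars("alice\n")
            machine.wait_until_tty_matches("1", "login: alice")
            machine.wait_until_succeeds("pgrep login")
            machine.wait_until_tty_matches("1", "Password: ")
            machine.send_chars("${user.password}\n")
            machine.wait_until_succeeds("pgrep -u alice bash")

            # Query the unit as user alice. The exit status is ignored on
            # purpose: only the reported state matters here.
            _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice")
            # Attach the systemctl output so a failure shows the actual state.
            assert "Active: inactive (dead)" in output, output

        with subtest("Service starts after a client tries to talk to the D-Bus API"):
            # The marker is written whether or not the client succeeded; the
            # assertion below is what decides the outcome.
            machine.send_chars("secrets-dbus-init; touch ${ready-file}\n")
            machine.wait_for_file("${ready-file}")
            _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice")
            assert "Active: active (running)" in output, output
      '';
  }
)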