nixos/tests/systemd-journal-gateway.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / systemd-journal-gateway.nix
at master 3.0 kB view raw
 1{ lib, pkgs, ... }:
 2{
 3  name = "systemd-journal-gateway";
 4  meta = with pkgs.lib.maintainers; {
 5    maintainers = [
 6      minijackson
 7      raitobezarius
 8    ];
 9  };
10
11  # Named client for coherence with the systemd-journal-upload test, and for
12  # certificate validation
13  nodes.client = {
14    services.journald.gateway = {
15      enable = true;
16      cert = "/run/secrets/client/cert.pem";
17      key = "/run/secrets/client/key.pem";
18      trust = "/run/secrets/ca.cert.pem";
19    };
20  };
21
22  testScript = ''
23    import json
24    import subprocess
25    import tempfile
26
27    tmpdir_o = tempfile.TemporaryDirectory()
28    tmpdir = tmpdir_o.name
29
30    def generate_pems(domain: str):
31      subprocess.run(
32        [
33          "${pkgs.minica}/bin/minica",
34          "--ca-key=ca.key.pem",
35          "--ca-cert=ca.cert.pem",
36          f"--domains={domain}",
37        ],
38        cwd=str(tmpdir),
39      )
40
41    with subtest("Creating keys and certificates"):
42      generate_pems("server")
43      generate_pems("client")
44
45    client.wait_for_unit("multi-user.target")
46
47    def copy_pem(file: str):
48      machine.copy_from_host(source=f"{tmpdir}/{file}", target=f"/run/secrets/{file}")
49      machine.succeed(f"chmod 600 /run/secrets/{file} && chown systemd-journal-gateway /run/secrets/{file}")
50
51    with subtest("Copying keys and certificates"):
52      machine.succeed("mkdir -p /run/secrets/{client,server}")
53      copy_pem("server/cert.pem")
54      copy_pem("server/key.pem")
55      copy_pem("client/cert.pem")
56      copy_pem("client/key.pem")
57      copy_pem("ca.cert.pem")
58
59    client.wait_for_unit("multi-user.target")
60
61    curl = '${pkgs.curl}/bin/curl'
62    accept_json = '--header "Accept: application/json"'
63    cacert = '--cacert /run/secrets/ca.cert.pem'
64    cert = '--cert /run/secrets/server/cert.pem'
65    key = '--key /run/secrets/server/key.pem'
66    base_url = 'https://client:19531'
67
68    curl_cli = f"{curl} {accept_json} {cacert} {cert} {key} --fail"
69
70    machine_info = client.succeed(f"{curl_cli} {base_url}/machine")
71    assert json.loads(machine_info)["hostname"] == "client", "wrong machine name"
72
73    # The HTTP request should have started the gateway service, triggered by
74    # the .socket unit
75    client.wait_for_unit("systemd-journal-gatewayd.service")
76
77    identifier = "nixos-test"
78    message = "Hello from NixOS test infrastructure"
79
80    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
81
82    # max-time is a workaround against a bug in systemd-journal-gatewayd where
83    # if TLS is enabled, the connection is never closed. Since it will timeout,
84    # we ignore the return code.
85    entries = client.succeed(
86        f"{curl_cli} --max-time 5 {base_url}/entries?SYSLOG_IDENTIFIER={identifier} || true"
87    )
88
89    # Number of entries should be only 1
90    added_entry = json.loads(entries)
91    assert added_entry["SYSLOG_IDENTIFIER"] == identifier and added_entry["MESSAGE"] == message, "journal entry does not correspond"
92  '';
93}