nixpkgs/nixos/tests/kanidm.nix

import ./make-test-python.nix ({ pkgs, ... }:
  let
    certs = import ./common/acme/server/snakeoil-certs.nix;
    serverDomain = certs.domain;

    testCredentials = {
      password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl";
    };

    # copy certs to store to work around mount namespacing
    certsPath = pkgs.runCommandNoCC "snakeoil-certs" { } ''
      mkdir $out
      cp ${certs."${serverDomain}".cert} $out/snakeoil.crt
      cp ${certs."${serverDomain}".key} $out/snakeoil.key
    '';
  in
  {
    name = "kanidm";
    meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi oddlama ];

    nodes.server = { pkgs, ... }: {
      services.kanidm = {
        enableServer = true;
        serverSettings = {
          origin = "https://${serverDomain}";
          domain = serverDomain;
          bindaddress = "[::]:443";
          ldapbindaddress = "[::1]:636";
          tls_chain = "${certsPath}/snakeoil.crt";
          tls_key = "${certsPath}/snakeoil.key";
        };
      };

      security.pki.certificateFiles = [ certs.ca.cert ];

      networking.hosts."::1" = [ serverDomain ];
      networking.firewall.allowedTCPPorts = [ 443 ];

      users.users.kanidm.shell = pkgs.bashInteractive;

      environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ];
    };

    nodes.client = { nodes, ... }: {
      services.kanidm = {
        enableClient = true;
        clientSettings = {
          uri = "https://${serverDomain}";
          verify_ca = true;
          verify_hostnames = true;
        };
        enablePam = true;
        unixSettings = {
          pam_allowed_login_groups = [ "shell" ];
        };
      };

      networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ];

      security.pki.certificateFiles = [ certs.ca.cert ];
    };

    testScript = { nodes, ... }:
      let
        ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain));

        # We need access to the config file in the test script.
        filteredConfig = pkgs.lib.converge
          (pkgs.lib.filterAttrsRecursive (_: v: v != null))
          nodes.server.services.kanidm.serverSettings;
        serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;
      in
      ''
        server.start()
        client.start()
        server.wait_for_unit("kanidm.service")
        client.systemctl("start network-online.target")
        client.wait_for_unit("network-online.target")

        with subtest("Test HTTP interface"):
            server.wait_until_succeeds("curl -Lsf https://${serverDomain} | grep Kanidm")

        with subtest("Test LDAP interface"):
            server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")

        with subtest("Recover idm_admin account"):
            idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'")

        with subtest("Test CLI login"):
            client.wait_until_tty_matches("1", "login: ")
            client.send_chars("root\n")
            client.send_chars("kanidm login -D idm_admin\n")
            client.wait_until_tty_matches("1", "Enter password: ")
            client.send_chars(f"{idm_admin_password}\n")
            client.wait_until_tty_matches("1", "Login Success for idm_admin")

        with subtest("Test unixd connection"):
            client.wait_for_unit("kanidm-unixd.service")
            client.wait_for_file("/run/kanidm-unixd/sock")
            client.wait_until_succeeds("kanidm-unix status | grep working!")

        with subtest("Test user creation"):
            client.wait_for_unit("getty@tty1.service")
            client.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
            client.succeed("kanidm person create testuser TestUser")
            client.succeed("kanidm person posix set --shell \"$SHELL\" testuser")
            client.send_chars("kanidm person posix set-password testuser\n")
            client.wait_until_tty_matches("1", "Enter new")
            client.send_chars("${testCredentials.password}\n")
            client.wait_until_tty_matches("1", "Retype")
            client.send_chars("${testCredentials.password}\n")
            output = client.succeed("getent passwd testuser")
            assert "TestUser" in output
            client.succeed("kanidm group create shell")
            client.succeed("kanidm group posix set shell")
            client.succeed("kanidm group add-members shell testuser")

        with subtest("Test user login"):
            client.send_key("alt-f2")
            client.wait_until_succeeds("[ $(fgconsole) = 2 ]")
            client.wait_for_unit("getty@tty2.service")
            client.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
            client.wait_until_tty_matches("2", "login: ")
            client.send_chars("testuser\n")
            client.wait_until_tty_matches("2", "login: testuser")
            client.wait_until_succeeds("pgrep login")
            client.wait_until_tty_matches("2", "Password: ")
            client.send_chars("${testCredentials.password}\n")
            client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service")
            client.send_chars("touch done\n")
            client.wait_for_file("/home/testuser@${serverDomain}/done")

        server.shutdown()
        client.shutdown()
      '';
  })
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`import ./make-test-python.nix ({ pkgs, ... }:`
			`let`
			`certs = import ./common/acme/server/snakeoil-certs.nix;`
			`serverDomain = certs.domain;`
nixos/tests/kanidm: test posix user creation and login 2023-06-09 00:35:56 +02:00
			`testCredentials = {`
			`password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl";`
			`};`
nixos/tests/kanidm: bind certs path to fix ofborg tests provision # [ 8.223448] (kanidmd)[819]: kanidm.service: Failed to set up mount namespacing: /ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/ofborg-evaluator-1/nixos/tests/common/acme/server: No such file or directory 2024-08-22 16:08:17 +02:00
			`# copy certs to store to work around mount namespacing`
			`certsPath = pkgs.runCommandNoCC "snakeoil-certs" { } ''`
			`mkdir $out`
			`cp ${certs."${serverDomain}".cert} $out/snakeoil.crt`
			`cp ${certs."${serverDomain}".key} $out/snakeoil.key`
			`'';`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`in`
			`{`
			`name = "kanidm";`
nixos/kanidm: add provisioning of groups, persons and oauth2 systems 2024-03-10 21:32:24 +01:00			`meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi oddlama ];`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00
nixos/kanidm: add provisioning of groups, persons and oauth2 systems 2024-03-10 21:32:24 +01:00			`nodes.server = { pkgs, ... }: {`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`services.kanidm = {`
			`enableServer = true;`
			`serverSettings = {`
			`origin = "https://${serverDomain}";`
			`domain = serverDomain;`
nixos/kanidm: Add tls options Since 1.1.0-alpha.10 kanidm requires TLS to be set up or it won't start. 2022-11-20 18:10:15 +01:00			`bindaddress = "[::]:443";`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`ldapbindaddress = "[::1]:636";`
nixos/tests/kanidm: bind certs path to fix ofborg tests provision # [ 8.223448] (kanidmd)[819]: kanidm.service: Failed to set up mount namespacing: /ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/ofborg-evaluator-1/nixos/tests/common/acme/server: No such file or directory 2024-08-22 16:08:17 +02:00			`tls_chain = "${certsPath}/snakeoil.crt";`
			`tls_key = "${certsPath}/snakeoil.key";`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`};`
			`};`

			`security.pki.certificateFiles = [ certs.ca.cert ];`

			`networking.hosts."::1" = [ serverDomain ];`
nixos/kanidm: Add tls options Since 1.1.0-alpha.10 kanidm requires TLS to be set up or it won't start. 2022-11-20 18:10:15 +01:00			`networking.firewall.allowedTCPPorts = [ 443 ];`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00
			`users.users.kanidm.shell = pkgs.bashInteractive;`

			`environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ];`
			`};`

nixos/kanidm: add provisioning of groups, persons and oauth2 systems 2024-03-10 21:32:24 +01:00			`nodes.client = { nodes, ... }: {`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`services.kanidm = {`
			`enableClient = true;`
			`clientSettings = {`
			`uri = "https://${serverDomain}";`
nixos/kanidm: Add unixd test Test makes sure unixd is able to run and is able to query the server. 2022-09-06 15:11:53 +02:00			`verify_ca = true;`
			`verify_hostnames = true;`
			`};`
			`enablePam = true;`
			`unixSettings = {`
			`pam_allowed_login_groups = [ "shell" ];`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`};`
			`};`

kanidm: BindMount certificate paths Bind mount the base dirs of the tls key and chain into the service. Make sure to bind every directory just once. The test failed on ofborg when /nix/store and the certificate path in /nix/store/<some path> were bound. 2023-04-19 22:46:14 +02:00			`networking.hosts."${nodes.server.networking.primaryIPAddress}" = [ serverDomain ];`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00
			`security.pki.certificateFiles = [ certs.ca.cert ];`
			`};`

			`testScript = { nodes, ... }:`
			`let`
			`ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain));`

			`# We need access to the config file in the test script.`
			`filteredConfig = pkgs.lib.converge`
			`(pkgs.lib.filterAttrsRecursive (_: v: v != null))`
kanidm: BindMount certificate paths Bind mount the base dirs of the tls key and chain into the service. Make sure to bind every directory just once. The test failed on ofborg when /nix/store and the certificate path in /nix/store/<some path> were bound. 2023-04-19 22:46:14 +02:00			`nodes.server.services.kanidm.serverSettings;`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;`
			`in`
			`''`
nixos/kanidm: add provisioning of groups, persons and oauth2 systems 2024-03-10 21:32:24 +01:00			`server.start()`
			`client.start()`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`server.wait_for_unit("kanidm.service")`
nixos/tests: fix kanidm under network-online dep fix 2023-10-03 09:32:37 +02:00			`client.systemctl("start network-online.target")`
kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13 https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13 The kanidmd process now creates a unix socket, over which admin tasks can be done, without having to shut kanidm down first. The kanidm_unixd process now wants access to /etc/shadow and /etc/group, so it can rule out collisions with the host system. 2023-08-01 12:56:10 +02:00			`client.wait_for_unit("network-online.target")`
kanidm: 1.1.0-alpha.11 -> 1.1.0-alpha.12 * Update Cargo.lock from upstream. * Adapt expression to upstream source tree layout changes. * Apply patch to restore x86_64 v1 support Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> Also updates the NixOS test: * Stop kanidm to recover the idm_admin account * Group all tests into subtest blocks * Add TODO to wait for unix socket on unixd for the next release Co-Authored-By: Raito Bezarius <masterancpp@gmail.com> Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-05-01 12:39:28 +02:00
			`with subtest("Test HTTP interface"):`
kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13 https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13 The kanidmd process now creates a unix socket, over which admin tasks can be done, without having to shut kanidm down first. The kanidm_unixd process now wants access to /etc/shadow and /etc/group, so it can rule out collisions with the host system. 2023-08-01 12:56:10 +02:00			`server.wait_until_succeeds("curl -Lsf https://${serverDomain} \| grep Kanidm")`
kanidm: 1.1.0-alpha.11 -> 1.1.0-alpha.12 * Update Cargo.lock from upstream. * Adapt expression to upstream source tree layout changes. * Apply patch to restore x86_64 v1 support Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> Also updates the NixOS test: * Stop kanidm to recover the idm_admin account * Group all tests into subtest blocks * Add TODO to wait for unix socket on unixd for the next release Co-Authored-By: Raito Bezarius <masterancpp@gmail.com> Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-05-01 12:39:28 +02:00
			`with subtest("Test LDAP interface"):`
			`server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")`

			`with subtest("Recover idm_admin account"):`
nixos/tests/kanidm: test posix user creation and login 2023-06-09 00:35:56 +02:00			`idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 \| rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'")`
kanidm: 1.1.0-alpha.11 -> 1.1.0-alpha.12 * Update Cargo.lock from upstream. * Adapt expression to upstream source tree layout changes. * Apply patch to restore x86_64 v1 support Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> Also updates the NixOS test: * Stop kanidm to recover the idm_admin account * Group all tests into subtest blocks * Add TODO to wait for unix socket on unixd for the next release Co-Authored-By: Raito Bezarius <masterancpp@gmail.com> Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-05-01 12:39:28 +02:00
kanidm: 1.1.0-rc.16 -> 1.2.0 https://github.com/kanidm/kanidm/releases/tag/v1.2.0 Added updatescript, and removed Cargo.lock as no more git deps. New release process documented here: https://github.com/kanidm/kanidm/blob/a67d1f51607d92338dd17f62c2b29cabeed18953/book/src/support.md Re-ordered test and removed anonymous login as logout no longer works: [info]: Ignoring request to logout session - these sessions are not recorded 2024-05-01 14:51:11 +02:00			`with subtest("Test CLI login"):`
			`client.wait_until_tty_matches("1", "login: ")`
			`client.send_chars("root\n")`
			`client.send_chars("kanidm login -D idm_admin\n")`
			`client.wait_until_tty_matches("1", "Enter password: ")`
			`client.send_chars(f"{idm_admin_password}\n")`
			`client.wait_until_tty_matches("1", "Login Success for idm_admin")`

kanidm: 1.1.0-alpha.11 -> 1.1.0-alpha.12 * Update Cargo.lock from upstream. * Adapt expression to upstream source tree layout changes. * Apply patch to restore x86_64 v1 support Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> Also updates the NixOS test: * Stop kanidm to recover the idm_admin account * Group all tests into subtest blocks * Add TODO to wait for unix socket on unixd for the next release Co-Authored-By: Raito Bezarius <masterancpp@gmail.com> Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-05-01 12:39:28 +02:00			`with subtest("Test unixd connection"):`
			`client.wait_for_unit("kanidm-unixd.service")`
kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13 https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13 The kanidmd process now creates a unix socket, over which admin tasks can be done, without having to shut kanidm down first. The kanidm_unixd process now wants access to /etc/shadow and /etc/group, so it can rule out collisions with the host system. 2023-08-01 12:56:10 +02:00			`client.wait_for_file("/run/kanidm-unixd/sock")`
kanidm: 1.1.0-alpha.11 -> 1.1.0-alpha.12 * Update Cargo.lock from upstream. * Adapt expression to upstream source tree layout changes. * Apply patch to restore x86_64 v1 support Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> Also updates the NixOS test: * Stop kanidm to recover the idm_admin account * Group all tests into subtest blocks * Add TODO to wait for unix socket on unixd for the next release Co-Authored-By: Raito Bezarius <masterancpp@gmail.com> Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-05-01 12:39:28 +02:00			`client.wait_until_succeeds("kanidm-unix status \| grep working!")`
nixos/tests/kanidm: test posix user creation and login 2023-06-09 00:35:56 +02:00
			`with subtest("Test user creation"):`
			`client.wait_for_unit("getty@tty1.service")`
			`client.wait_until_succeeds("pgrep -f 'agetty.*tty1'")`
			`client.succeed("kanidm person create testuser TestUser")`
			`client.succeed("kanidm person posix set --shell \"$SHELL\" testuser")`
			`client.send_chars("kanidm person posix set-password testuser\n")`
			`client.wait_until_tty_matches("1", "Enter new")`
			`client.send_chars("${testCredentials.password}\n")`
			`client.wait_until_tty_matches("1", "Retype")`
			`client.send_chars("${testCredentials.password}\n")`
			`output = client.succeed("getent passwd testuser")`
			`assert "TestUser" in output`
			`client.succeed("kanidm group create shell")`
			`client.succeed("kanidm group posix set shell")`
			`client.succeed("kanidm group add-members shell testuser")`

			`with subtest("Test user login"):`
			`client.send_key("alt-f2")`
			`client.wait_until_succeeds("[ $(fgconsole) = 2 ]")`
			`client.wait_for_unit("getty@tty2.service")`
			`client.wait_until_succeeds("pgrep -f 'agetty.*tty2'")`
			`client.wait_until_tty_matches("2", "login: ")`
			`client.send_chars("testuser\n")`
			`client.wait_until_tty_matches("2", "login: testuser")`
			`client.wait_until_succeeds("pgrep login")`
			`client.wait_until_tty_matches("2", "Password: ")`
			`client.send_chars("${testCredentials.password}\n")`
			`client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service")`
			`client.send_chars("touch done\n")`
			`client.wait_for_file("/home/testuser@${serverDomain}/done")`
nixos/kanidm: add provisioning of groups, persons and oauth2 systems 2024-03-10 21:32:24 +01:00
			`server.shutdown()`
			`client.shutdown()`
nixos/kanidm: init Co-Authored-By: Martin Weinelt <mweinelt@users.noreply.github.com> Co-Authored-By: Flakebi <flakebi@t-online.de> 2022-05-05 12:09:42 +02:00			`'';`
			`})`