tamipes/authentik-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
authentik-nix/tests/minimal-vmtest.nix
Maximilian Bosch 6a080328a3
module: override metrics & http address for worker 
Closes #72

So, #72 is about a segfault in the LDAP outpost, but this is the actual
culprit[0]:

* Both server & worker share the same configuration in this setup.

* Since 2025.8 this means that both try to start a server for metrics at
  port 9300 and an HTTP server (in the worker case for healthchecks) at
  port 9000.

* On upgrades, migrations are performed. Only the server waited for the
  migrations to finish, hence the worker started up earlier. As a
  result, it was quicker in binding port 9000 in ONLY this case (and
  thus, this was never reproducible on a second attempt!). Now, on port
  9000 was NOT the authentik server, but something that returned an
  empty response for everything that's not the healthcheck.

* As a result, the LDAP outpost got a response from what it believed was
  authentik, but actually `nil, nil` because of the empty response.
  Trying to dereference values from that response[1] caused the
  segfault.

The fix is pretty easy, just override the listen ports via the
environment. Unfortunately, the docs[2] are apparently not entirely correct[3],
given the Python code it must be LISTEN__LISTEN_HTTP[4]. I added a
test-case to ensure that the config is properly applied.

[0] Reported as https://github.com/goauthentik/authentik/issues/16850
[1] 57e12cef06/internal/outpost/ak/api.go (L95)
[2] https://docs.goauthentik.io/install-config/configuration/#listen-settings
[3] Reported as https://github.com/goauthentik/authentik/issues/16851
[4] 57e12cef06/authentik/lib/config.py (L238)
2025-09-17 10:43:50 +02:00

102 lines
3.7 KiB
Nix
Raw Blame History

{
pkgs,
authentik-version,
nixosModules,
}:
pkgs.nixosTest {
name = "authentik";
nodes = {
authentik = {
virtualisation = {
cores = 3;
memorySize = 2048;
};
imports = [
nixosModules.default
"${pkgs.path}/nixos/tests/common/user-account.nix"
"${pkgs.path}/nixos/tests/common/x11.nix"
];
# Keep in mind that the secret still ends up in the store and is world-readable because the
# systemd-tmpfiles config lands in the store.
# This is just a trick to not pass a store-path (which is prohibited) to `environmentFile`
# without having to integrate secret managers like agenix or sops-nix into the test.
# Don't do this in production.
systemd.tmpfiles.rules = [
"f /etc/authentik.env 0700 root root - AUTHENTIK_SECRET_KEY=notastorepath"
];
services.authentik = {
enable = true;
environmentFile = "/etc/authentik.env";
nginx = {
enable = true;
host = "localhost";
};
};
services.xserver.enable = true;
test-support.displayManager.auto.user = "alice";
environment.systemPackages = with pkgs; [
firefox
xdotool
];
};
};
enableOCR = true;
# TODO maybe use bootstrap env vars instead of testing manual workflow?
testScript = ''
start_all()
authentik.wait_for_unit("postgresql.service")
authentik.wait_for_unit("redis-authentik.service")
authentik.wait_for_unit("authentik-migrate.service")
authentik.wait_for_unit("authentik-worker.service")
authentik.wait_for_unit("authentik.service")
authentik.wait_for_open_port(9000)
authentik.wait_until_succeeds("curl -fL http://localhost:9000/if/flow/initial-setup/ >&2")
with subtest("Frontend renders"):
machine.succeed("su - alice -c 'firefox http://localhost:9000/if/flow/initial-setup/' >&2 &")
machine.wait_for_text("Welcome to authentik")
machine.screenshot("1_rendered_frontend")
with subtest("admin account setup works"):
machine.send_key("tab")
machine.send_key("tab")
machine.send_chars("akadmin@localhost")
machine.send_key("tab")
machine.send_chars("foobar")
machine.send_key("tab")
machine.send_chars("foobar")
machine.send_key("ret")
machine.wait_for_text("My applications")
machine.send_key("esc")
machine.screenshot("2_initial_setup_successful")
with subtest("admin settings render and version as expected"):
machine.succeed("su - alice -c 'firefox http://localhost:9000/if/admin/' >&2 &")
machine.wait_for_text("General system status")
machine.screenshot("3_rendered_admin_interface")
machine.succeed("su - alice -c 'xdotool click 1' >&2")
machine.succeed("su - alice -c 'xdotool key --delay 100 Page_Down' >&2")
# sometimes the cursor covers the version string
machine.succeed("su - alice -c 'xdotool mousemove_relative 50 50' >&2")
machine.wait_for_text("${builtins.replaceStrings [ "." ] [ ".?" ] authentik-version}")
machine.screenshot("4_correct_version_in_admin_interface")
with subtest("nginx proxies to authentik"):
machine.succeed("su - alice -c 'firefox http://localhost/' >&2 &")
machine.wait_for_text("authentik")
machine.screenshot("5_nginx_proxies_requests")
with subtest("metrics & worker"):
machine.wait_for_open_port(9300)
machine.wait_for_open_port(9301)
print(machine.succeed("curl -L localhost:9300/metrics | grep authentik_outpost_connection | grep 'Embedded'"))
print(machine.succeed("curl -L localhost:9301/metrics | grep authentik_tasks_total"))
'';
}
Reference in a new issue View git blame Copy permalink