e9bde1ace0
The store is world-readable, so secrets shouldn't end up there in the
first place. On top, `types.path` has the following behavior:
* `toString foo` returns the absolute path
* `${foo}` copies the path silently into the store and returns the
store-path.
This happens without any real feedback, so this can be caused by an
innocent looking change.
To address this problem, `pathsWith` was introduced into <nixpkgs/lib>
which allows absolute paths represented as string, but rejects things
pointing to the store and path literals which may be copied later on.
95 lines
3.4 KiB
Nix
95 lines
3.4 KiB
Nix
{
|
|
pkgs,
|
|
authentik-version,
|
|
nixosModules,
|
|
}:
|
|
pkgs.nixosTest {
|
|
name = "authentik";
|
|
nodes = {
|
|
authentik = {
|
|
virtualisation = {
|
|
cores = 3;
|
|
memorySize = 2048;
|
|
};
|
|
imports = [
|
|
nixosModules.default
|
|
"${pkgs.path}/nixos/tests/common/user-account.nix"
|
|
"${pkgs.path}/nixos/tests/common/x11.nix"
|
|
];
|
|
|
|
# Keep in mind that the secret still ends up in the store and is world-readable because the
|
|
# systemd-tmpfiles config lands in the store.
|
|
# This is just a trick to not pass a store-path (which is prohibited) to `environmentFile`
|
|
# without having to integrate secret managers like agenix or sops-nix into the test.
|
|
# Don't do this in production.
|
|
systemd.tmpfiles.rules = [
|
|
"f /etc/authentik.env 0700 root root - AUTHENTIK_SECRET_KEY=notastorepath"
|
|
];
|
|
|
|
services.authentik = {
|
|
enable = true;
|
|
environmentFile = "/etc/authentik.env";
|
|
nginx = {
|
|
enable = true;
|
|
host = "localhost";
|
|
};
|
|
};
|
|
|
|
services.xserver.enable = true;
|
|
test-support.displayManager.auto.user = "alice";
|
|
environment.systemPackages = with pkgs; [
|
|
firefox
|
|
xdotool
|
|
];
|
|
};
|
|
};
|
|
|
|
enableOCR = true;
|
|
|
|
# TODO maybe use bootstrap env vars instead of testing manual workflow?
|
|
testScript = ''
|
|
start_all()
|
|
|
|
authentik.wait_for_unit("postgresql.service")
|
|
authentik.wait_for_unit("redis-authentik.service")
|
|
authentik.wait_for_unit("authentik-migrate.service")
|
|
authentik.wait_for_unit("authentik-worker.service")
|
|
authentik.wait_for_unit("authentik.service")
|
|
authentik.wait_for_open_port(9000)
|
|
authentik.wait_until_succeeds("curl -fL http://localhost:9000/if/flow/initial-setup/ >&2")
|
|
|
|
with subtest("Frontend renders"):
|
|
machine.succeed("su - alice -c 'firefox http://localhost:9000/if/flow/initial-setup/' >&2 &")
|
|
machine.wait_for_text("Welcome to authentik")
|
|
machine.screenshot("1_rendered_frontend")
|
|
|
|
with subtest("admin account setup works"):
|
|
machine.send_key("tab")
|
|
machine.send_key("tab")
|
|
machine.send_chars("akadmin@localhost")
|
|
machine.send_key("tab")
|
|
machine.send_chars("foobar")
|
|
machine.send_key("tab")
|
|
machine.send_chars("foobar")
|
|
machine.send_key("ret")
|
|
machine.wait_for_text("My applications")
|
|
machine.send_key("esc")
|
|
machine.screenshot("2_initial_setup_successful")
|
|
|
|
with subtest("admin settings render and version as expected"):
|
|
machine.succeed("su - alice -c 'firefox http://localhost:9000/if/admin/' >&2 &")
|
|
machine.wait_for_text("General system status")
|
|
machine.screenshot("3_rendered_admin_interface")
|
|
machine.succeed("su - alice -c 'xdotool click 1' >&2")
|
|
machine.succeed("su - alice -c 'xdotool key --delay 100 Page_Down' >&2")
|
|
# sometimes the cursor covers the version string
|
|
machine.succeed("su - alice -c 'xdotool mousemove_relative 50 50' >&2")
|
|
machine.wait_for_text("${builtins.replaceStrings [ "." ] [ ".?" ] authentik-version}")
|
|
machine.screenshot("4_correct_version_in_admin_interface")
|
|
|
|
with subtest("nginx proxies to authentik"):
|
|
machine.succeed("su - alice -c 'firefox http://localhost/' >&2 &")
|
|
machine.wait_for_text("authentik")
|
|
machine.screenshot("5_nginx_proxies_requests")
|
|
'';
|
|
}
|