--- /dev/null
+{ lib, gnused, nixos, nixosTest, trustix, trustixSrc, writeShellScript
+, writeText, }:
+let
+ inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;
+
+ trustixModule = trustixSrc + "/nixos";
+
+ trustixKeyConfig = writeText "trustixKeyConfig" ''
+ { pkgs, ... }: {
+ config = {
+ system.activationScripts.trustix-create-key = '''
+ if [[ ! -e /keys/trustix-priv ]];then
+ mkdir -p /keys
+ ''${pkgs.trustix}/bin/trustix generate-key --privkey /keys/trustix-priv --pubkey /keys/trustix-pub
+ fi
+ ''';
+ };
+ }
+ '';
+
+ publisherConfig = writeText "publisherConfig" ''
+ {
+ services.trustix = {
+ enable = true;
+ signers.aisha-snakeoil = {
+ type = "ed25519";
+ ed25519 = { private-key-path = "/keys/trustix-priv"; };
+ };
+ publishers = [{
+ signer = "aisha-snakeoil";
+ protocol = "nix";
+ publicKey = {
+ type = "ed25519";
+ pub = "@pubkey@";
+ };
+ }];
+ };
+ }
+ '';
+
+ mkConfig = writeShellScript "mkConfig" ''
+ set -euxo pipefail
+ mkdir -p /etc/nixos
+ ${gnused}/bin/sed "s,@pubkey@,$(< /keys/trustix-pub)," ${publisherConfig} > /etc/nixos/publisher.nix
+ cat > /etc/nixos/configuration.nix <<EOF
+ {
+ imports = [
+ ${../lib/nixosTest-rebuild-switch.nix}
+ ${trustixModule}
+ ${trustixKeyConfig}
+ ./publisher.nix
+ ];
+ }
+ EOF
+ '';
+
+in nixosTest {
+ name = "one-publisher";
+ nodes = {
+ alisha = { pkgs, ... }: {
+ imports = [
+ ../lib/nixosTest-rebuild-switch.nix
+ trustixModule
+ "${trustixKeyConfig}"
+ ];
+ system.extraDependencies = [
+ pkgs.hello.inputDerivation
+ pkgs.remarshal # For building trustix-config.toml
+ (nixos {
+ imports = [
+ ../lib/nixosTest-rebuild-switch.nix
+ trustixModule
+ "${trustixKeyConfig}"
+ "${publisherConfig}"
+ ];
+ }).toplevel
+ ];
+ virtualisation.diskSize = "1000";
+ virtualisation.memorySize = "1G";
+ };
+ };
+ testScript = ''
+ alisha.wait_for_file("/keys/trustix-pub")
+ alisha.succeed(
+ "${mkConfig}",
+ "nixos-rebuild switch --show-trace",
+ )
+ alisha.succeed("nix-build '<nixpkgs>' -A hello")
+ '';
+}
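Review bot: The activation script at the `mkdir -p /keys` line creates the signing-key directory with the default umask, so `/keys/trustix-priv` is only as protected as `trustix generate-key` happens to make it; creating it with `mkdir -m 0700 -p /keys` (and a `chmod 0600 /keys/trustix-priv` after generation if the tool does not already restrict it — confirm) keeps the private key from being readable by other users on the VM, and the same snippet is the likely template for non-test deployments. The `inherit (lib) filterAttrs hasPrefix mapAttrsToList optional;` line is unused in this file and can be dropped. The test script only asserts that `nix-build '<nixpkgs>' -A hello` succeeds and never checks that the publisher signed and submitted a log entry for it, so as written the check would presumably pass even with `services.trustix` misconfigured; a final `alisha.succeed(...)` that inspects the publisher's log output would make the test name honest.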
--- /dev/null
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1616174264,
+ "narHash": "sha256-88Pu2xh1p2tixNxdijfqoCqq9ymkEx0d6jc7ycWavLo=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "f5e8bdd07d1afaabf6b37afc5497b1e498b8046f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "f5e8bdd07d1afaabf6b37afc5497b1e498b8046f",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "trustix": "trustix"
+ }
+ },
+ "trustix": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1625664295,
+ "narHash": "sha256-oF9A6dcQbD0o3hPqidJYIDnKgZ5qcfUVaIvIu1eJ594=",
+ "owner": "tweag",
+ "repo": "trustix",
+ "rev": "299705170a49737624c3536283709c1af7322e34",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tweag",
+ "repo": "trustix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
--- /dev/null
+{
+ description = "Integration tests for trustix";
+
+ inputs = {
+ # nixpkgs.follows = "trustix/nixpkgs"; # When trustix becomes a flake
+ # Until then:
+ nixpkgs.url =
+ "github:nixos/nixpkgs/f5e8bdd07d1afaabf6b37afc5497b1e498b8046f";
+
+ trustix = {
+ url = "github:tweag/trustix";
+ flake = false;
+ };
+ };
+
+ outputs = { self, nixpkgs, trustix, }:
+ let
+ inherit (nixpkgs.lib) genAttrs;
+ supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+ forAllSystems = genAttrs supportedSystems;
+
+ in {
+
+ lib = { prefetchNiv = import ./lib/prefetchNiv.nix; };
+
+ checks = forAllSystems (system: {
+ one-publisher = nixpkgs.legacyPackages."${system}".callPackage
+ ./checks/one-publisher.nix {
+ trustixSrc = (nixpkgs.legacyPackages."${system}".callPackage
+ self.lib.prefetchNiv { }) trustix;
+ trustix = (import trustix).packages.trustix;
+ };
+ });
+
+ };
+}
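Review bot: The `checks` attribute at the `one-publisher =` line spells out `nixpkgs.legacyPackages."${system}"` three times inside one expression; binding it once with `let pkgs = nixpkgs.legacyPackages.${system}; in` at the top of the per-system function reads better and drops the unneeded `"${system}"` quoting. The `url = "github:tweag/trustix";` input carries no revision in flake.nix while nixpkgs is pinned by hash in its URL, which is fine with flake.lock in place, but since `(import trustix).packages.trustix` evaluates that checkout's own `default.nix` and niv pins, a lock update presumably changes the tested trustix and its dependencies together; a one-line comment next to the input saying that flake.lock is the only pin would make that explicit.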
--- /dev/null
+# NixOS configuration that allows a nixosTest virtual machine to "nixos-rebuild switch".
+# You'll also need to include the config's system.build.toplevel in system.extraDependencies.
+
+{ lib, pkgs, modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/installer/cd-dvd/channel.nix")
+ (modulesPath + "/profiles/base.nix")
+ (modulesPath + "/testing/test-instrumentation.nix")
+ (modulesPath + "/virtualisation/qemu-vm.nix")
+ ];
+
+ nix.binaryCaches = lib.mkForce [ ];
+ nix.extraOptions = ''
+ hashed-mirrors =
+ connect-timeout = 1
+ '';
+
+ system.extraDependencies = with pkgs; [
+ # List of packages from installer test
+ curl # To diagnose fetch requests
+ desktop-file-utils
+ docbook5
+ docbook_xsl_ns
+ grub
+ libxml2.bin
+ libxslt.bin
+ nixos-artwork.wallpapers.simple-dark-gray-bottom
+ ntp
+ perlPackages.ListCompare
+ perlPackages.XMLLibXML
+ shared-mime-info
+ stdenvNoCC
+ sudo
+ texinfo
+ unionfs-fuse
+ xorg.lndir
+ ];
+
+ # Don't try to install bootloaders in a VM
+ boot.loader.grub.devices = lib.mkForce [ "nodev" ];
+}
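Review bot: The `nix.binaryCaches = lib.mkForce [ ];` and `nix.extraOptions` block has no comment saying why substituters are cleared and `hashed-mirrors =` / `connect-timeout = 1` are set, so a reader cannot tell whether this is a hardening choice or a test workaround. I would add above it `# The test VM has no network: disable substituters and make any stray fetch fail fast instead of hanging.`, assuming that is the intent — confirm. A similar one-liner on the `imports` list noting that `channel.nix` and `base.nix` are what make `<nixpkgs>` and `nixos-rebuild` usable inside the VM would help too, since the header comment only mentions the `system.extraDependencies` requirement.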
--- /dev/null
+# Pre-fetch niv-controlled sources so that we can use a niv-using package
+# inside a nixosTest.
+
+{ lib, stdenvNoCC, niv, runCommand, system, }:
+src:
+let
+ inherit (lib) attrNames concatStringsSep filterAttrs hasPrefix mapAttrsToList;
+ nivSources = filterAttrs (name: _: !(hasPrefix "__" name))
+ (import (src + "/nix/sources.nix"));
+in stdenvNoCC.mkDerivation {
+ name = "niv-prefetched-source";
+ inherit src;
+ nativeBuildInputs = [ niv ];
+ buildPhase = ''
+ ${concatStringsSep "\n" (mapAttrsToList (name: info:
+ "niv modify ${name} --attribute url=file://${
+ if info.type == "tarball" then
+ # Because niv
+ # * fetches nixpkgs with builtin.fetchTarball, even with
+ # --attribute builtin=false (it has to, to get fetchzip), and
+ # * only keeps the hash of the unpacked archive,
+ # we have to let niv unpack it and verify the hash, then pack it back
+ # up. :( Unpacking nixpkgs ends up being most of the test's disk space
+ # and I/O. If/when trustix switches from niv to flakes, this can all go
+ # away--the test can just use the host's store paths directly.
+ runCommand "niv-src-tarball-${name}.tar.gz" { } ''
+ cd $(dirname ${info.outPath})
+ tar czf $out --hard-dereference --sort=name $(basename ${info.outPath})
+ ''
+ else
+ info.outPath
+ }") nivSources)}
+ '';
+ installPhase = ''
+ mkdir $out
+ cp -r * $out
+ '';
+}
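Review bot: At the `niv modify ${name} --attribute url=file://` line the niv source name and store path are interpolated into the shell command unquoted, and the `cp -r * $out` line in `installPhase` likewise relies on unquoted glob expansion; quoting them (`niv modify "${name}" --attribute "url=file://..."`) costs nothing and keeps an unusual key in `nix/sources.json` from being split by the shell. The names come from the pinned trustix checkout, so this is hygiene rather than an exploitable hole. Separately, `attrNames` in the `inherit (lib)` line and the `system` parameter in the function header are unused and can be dropped.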