182 lines
6.0 KiB
Nix
182 lines
6.0 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
baseSiteConfig = import ../site-config.nix;
|
|
baseServiceConfigs = import ../hosts/muffin/service-configs.nix {
|
|
site_config = baseSiteConfig;
|
|
};
|
|
testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
|
|
zpool_ssds = "";
|
|
gitea = {
|
|
dir = "/var/lib/gitea";
|
|
# `:80` makes Caddy bind all hosts on HTTP port 80 with no Host-header
|
|
# matching — simplest path to a reachable vhost inside the test VM
|
|
# where there is no ACME / DNS and no TLS terminator.
|
|
domain = ":80";
|
|
};
|
|
ports.private.gitea = {
|
|
port = 3000;
|
|
proto = "tcp";
|
|
};
|
|
};
|
|
|
|
testLib = lib.extend (
|
|
final: prev: {
|
|
serviceMountWithZpool =
|
|
serviceName: zpool: dirs:
|
|
{ ... }:
|
|
{ };
|
|
serviceFilePerms = serviceName: tmpfilesRules: { ... }: { };
|
|
}
|
|
);
|
|
|
|
giteaModule =
|
|
{ config, pkgs, ... }:
|
|
{
|
|
imports = [
|
|
(import ../services/gitea/gitea.nix {
|
|
inherit config pkgs;
|
|
lib = testLib;
|
|
service_configs = testServiceConfigs;
|
|
})
|
|
];
|
|
};
|
|
in
|
|
pkgs.testers.runNixOSTest {
|
|
name = "gitea-hide-actions";
|
|
|
|
nodes = {
|
|
server =
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
../modules/server-security.nix
|
|
giteaModule
|
|
];
|
|
|
|
# The shared gitea.nix module derives DOMAIN/ROOT_URL from the
|
|
# `service_configs.gitea.domain` string, which here is the full URL
|
|
# `http://server`. Override to valid bare values so Gitea doesn't
|
|
# get a malformed ROOT_URL like `https://http://server`.
|
|
services.gitea.settings.server = {
|
|
DOMAIN = lib.mkForce "server";
|
|
ROOT_URL = lib.mkForce "http://server/";
|
|
};
|
|
services.caddy = {
|
|
enable = true;
|
|
# No DNS / ACME in the VM test network — serve plain HTTP.
|
|
globalConfig = ''
|
|
auto_https off
|
|
'';
|
|
};
|
|
|
|
services.postgresql.enable = true;
|
|
|
|
# Stub out zfs/mount ordering added by the real serviceMountWithZpool.
|
|
systemd.services."gitea-mounts".enable = lib.mkForce false;
|
|
systemd.services.gitea = {
|
|
wants = lib.mkForce [ ];
|
|
after = lib.mkForce [ "postgresql.service" ];
|
|
requires = lib.mkForce [ ];
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
3000
|
|
];
|
|
};
|
|
|
|
client =
|
|
{ pkgs, ... }:
|
|
{
|
|
environment.systemPackages = [ pkgs.curl ];
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
server.wait_for_unit("postgresql.service")
|
|
server.wait_for_unit("gitea.service")
|
|
server.wait_for_unit("caddy.service")
|
|
server.wait_for_open_port(3000)
|
|
server.wait_for_open_port(80)
|
|
|
|
# Admin user — used to exercise the authenticated path via Basic Auth.
|
|
server.succeed(
|
|
"su -l gitea -s /bin/sh -c '${pkgs.gitea}/bin/gitea admin user create "
|
|
"--username testuser --password testpassword "
|
|
"--email test@test.local --must-change-password=false "
|
|
"--work-path /var/lib/gitea'"
|
|
)
|
|
|
|
def curl(args):
|
|
cmd = (
|
|
"curl -4 -s -o /dev/null "
|
|
"-w '%{http_code}|%{redirect_url}' " + args
|
|
)
|
|
return client.succeed(cmd).strip()
|
|
|
|
with subtest("Anonymous /{user}/{repo}/actions redirects to login"):
|
|
result = curl("http://server/foo/bar/actions")
|
|
code, _, redir = result.partition("|")
|
|
print(f"anon /foo/bar/actions -> {result!r}")
|
|
assert code == "302", f"expected 302, got {code!r} (full: {result!r})"
|
|
assert "/user/login" in redir, f"expected login redirect, got {redir!r}"
|
|
assert "redirect_to=" in redir, f"expected redirect_to param, got {redir!r}"
|
|
|
|
with subtest("Anonymous deep /actions paths also redirect"):
|
|
for path in ["/foo/bar/actions/", "/foo/bar/actions/runs/1", "/foo/bar/actions/workflows/build.yaml"]:
|
|
result = curl(f"http://server{path}")
|
|
code, _, redir = result.partition("|")
|
|
print(f"anon {path} -> {result!r}")
|
|
assert code == "302", f"{path}: expected 302, got {code!r}"
|
|
assert "/user/login" in redir, f"{path}: expected login redirect, got {redir!r}"
|
|
|
|
with subtest("Anonymous workflow badge stays public"):
|
|
# Repo doesn't exist → Gitea answers 404, but Caddy does NOT intercept
|
|
# with a login redirect so README badges keep rendering.
|
|
result = curl("http://server/foo/bar/actions/workflows/ci.yaml/badge.svg")
|
|
code, _, redir = result.partition("|")
|
|
print(f"anon badge -> {result!r}")
|
|
assert code != "302" or "/user/login" not in redir, (
|
|
f"badge path should not redirect to login, got {result!r}"
|
|
)
|
|
|
|
with subtest("Authenticated /{user}/{repo}/actions does not redirect to login"):
|
|
result = curl(
|
|
"-u testuser:testpassword "
|
|
"http://server/testuser/nonexistent/actions"
|
|
)
|
|
code, _, redir = result.partition("|")
|
|
print(f"auth /testuser/nonexistent/actions -> {result!r}")
|
|
# Gitea will 404 the missing repo — the key assertion is that the
|
|
# Caddy gate let the request through instead of redirecting to login.
|
|
assert not (code == "302" and "/user/login" in redir), (
|
|
f"authenticated actions request was intercepted by login gate: {result!r}"
|
|
)
|
|
|
|
with subtest("Anonymous /explore/repos is served without gating"):
|
|
result = curl("http://server/explore/repos")
|
|
code, _, _ = result.partition("|")
|
|
print(f"anon /explore/repos -> {result!r}")
|
|
assert code == "200", f"expected 200 for public explore page, got {result!r}"
|
|
|
|
with subtest("Anonymous /{user}/{repo} (non-actions) is not login-gated"):
|
|
result = curl("http://server/foo/bar")
|
|
code, _, redir = result.partition("|")
|
|
print(f"anon /foo/bar -> {result!r}")
|
|
assert not (code == "302" and "/user/login" in redir), (
|
|
f"non-actions repo path should not redirect to login: {result!r}"
|
|
)
|
|
'';
|
|
}
|