More test improvements (#19)

kolide · Jan 25, 2024 · bd702cf · bd702cf
1 parent ebf4b90
commit bd702cf
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 25 deletions.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -24,11 +24,6 @@ jobs:
     - name: build
       run: NIXPKGS_ALLOW_UNFREE=1 nix build --impure
 
-    - name: set up test secret
-      run: |
-        mv ./tests/test-secret ./tests/test-secret.bak
-        echo -n "${{ secrets.NABALU_ENROLL_SECRET }}" | tee ./tests/test-secret
-
     - name: check flake (runs tests)
       run: NIXPKGS_ALLOW_UNFREE=1 nix flake check --impure --log-format internal-json
       timeout-minutes: 15
@@ -69,7 +64,3 @@ jobs:
 
     - name: osqueryd version
       run: ./result/bin/osqueryd --version
-
-    - name: clean up after tests
-      if: always()
-      run: mv ./tests/test-secret.bak ./tests/test-secret
diff --git a/README.md b/README.md
@@ -68,21 +68,32 @@ Update your `/etc/nixos/flake.nix` file to include `kolide-launcher` in its inpu
 
 Then rebuild: `sudo NIXPKGS_ALLOW_UNFREE=1 nixos-rebuild switch --flake /etc/nixos#my-hostname --impure`.
 
-For now, you'll want to manually create your secret file:
+### Setting up your enrollment secret
+
+You can manually create your secret file:
 
 ```
 echo -n 'your-enroll-secret-goes-here' | sudo tee /etc/kolide-k2/secret
 ```
 
 Then start the `kolide-launcher.service` service.
 
+You can also configure the secret in `/etc/nixos/configuration.nix`.
+
+```
+environment.etc."kolide-k2/secret" = {
+  mode = "0600";
+  text = "<enrollment secret goes here>";
+};
+```
+
 ### Running tests
 
 [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests)
 live in the [./tests](./tests) directory and are included via flake checks.
 They are currently intended to run in CI only.
 
-#### Running the mock K2 server
+#### Running the mock agent server
 
-To run the mock K2 server locally for testing purposes, you can run
-`python3 -m flask --app k2server run` from the `tests` directory.
+To run the mock agent server locally for testing purposes, you can run
+`python3 -m flask --app agentserver run` from the `tests` directory.
diff --git a/tests/k2server.py → tests/agentserver.py b/tests/k2server.py → tests/agentserver.py
diff --git a/tests/kolide-launcher.nix b/tests/kolide-launcher.nix
@@ -37,29 +37,36 @@ pkgs.nixosTest {
     # This just quiets some log spam we don't care about
     hardware.pulseaudio.enable = true;
 
+    system.stateVersion = "23.11";
+
+    # Launcher setup
     services.kolide-launcher.enable = true;
     services.kolide-launcher.kolideHostname = "app.kolide.test:80";
     services.kolide-launcher.insecureTransport = true;
     services.kolide-launcher.insecureTLS = true;
 
-    system.stateVersion = "23.11";
+    # Add a (test) secret
+    environment.etc."kolide-k2/secret" = {
+      mode = "0600";
+      text = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAwIiwibmFtZSI6ImFsaWNlIiwiaWF0IjoxNzA2MTkzNzYxLCJvcmdhbml6YXRpb24iOiJ0ZXN0LXRlbmFudCJ9.KaZlRr0_XYhopgFvfRqxlEl71cCbqW16pG9sdyFNZrs";
+    };
 
-    # Set up mock k2 server locally
+    # Set up mock agent server locally
     networking.extraHosts = "127.0.0.1 app.kolide.test";
     services.uwsgi = {
       enable = true;
       plugins = [ "python3" ];
       capabilities = [ "CAP_NET_BIND_SERVICE" ];
       instance.type = "emperor";
 
-      instance.vassals.k2server = {
+      instance.vassals.agentserver = {
         type = "normal";
         module = "wsgi:application";
         http = ":80";
         http-timeout = 30;
         cap = "net_bind_service";
         pythonPackages = self: [ self.flask ];
-        chdir = pkgs.writeTextDir "wsgi.py" (builtins.readFile ./k2server.py);
+        chdir = pkgs.writeTextDir "wsgi.py" (builtins.readFile ./agentserver.py);
       };
     };
   };
@@ -77,7 +84,7 @@ pkgs.nixosTest {
       if "${ci}":
         machine.start()
 
-        with subtest("mock K2 server starts up"):
+        with subtest("mock agent server starts up"):
           machine.wait_for_unit("network-online.target")
           machine.wait_for_unit("uwsgi.service")
           machine.wait_until_succeeds("curl --fail http://app.kolide.test/version", timeout=60)
@@ -96,12 +103,11 @@ pkgs.nixosTest {
           machine.sleep(20)
           machine.screenshot("test-screen1.png")
 
-        with subtest("set up secret file"):
-          machine.copy_from_host("${./test-secret}", "/etc/kolide-k2/secret")
-
         with subtest("launcher service runs and is set up correctly"):
-          machine.systemctl("stop kolide-launcher.service")
-          machine.systemctl("start kolide-launcher.service")
+          # Wait a little bit to be sure and then perform a restart now that we're logged in,
+          # so that launcher can register with systray correctly
+          machine.sleep(20)
+          machine.systemctl("restart kolide-launcher.service")
           machine.wait_for_unit("kolide-launcher.service", timeout=60)
           machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/debug.json")
           machine.sleep(30)
@@ -111,11 +117,11 @@ pkgs.nixosTest {
           machine.wait_until_succeeds("pgrep osqueryd", timeout=30)
           machine.screenshot("test-screen3.png")
 
-        with subtest("launcher desktop runs (test incomplete for now)"):
+        with subtest("launcher desktop runs"):
           machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/kolide.png")
           machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/menu.json")
           machine.screenshot("test-screen4.png")
-
+          # Confirm that a launcher desktop process is spawned for the user
           machine.wait_until_succeeds("pgrep -U ${uid} launcher", timeout=120)
           machine.screenshot("test-screen5.png")