357 lines
10 KiB
Nix
357 lines
10 KiB
Nix
{ shb, ... }:
|
|
let
|
|
password = "securepw";
|
|
oidcSecret = "oidcSecret";
|
|
|
|
commonTestScript = shb.test.accessScript {
|
|
hasSSL = { node, ... }: !(isNull node.config.shb.monitoring.ssl);
|
|
waitForServices =
|
|
{ ... }:
|
|
[
|
|
"grafana.service"
|
|
"fluent-bit.service"
|
|
"loki.service"
|
|
"netdata.service"
|
|
];
|
|
waitForPorts =
|
|
{ node, ... }:
|
|
[
|
|
node.config.shb.monitoring.grafanaPort
|
|
];
|
|
};
|
|
|
|
basic =
|
|
{ config, ... }:
|
|
{
|
|
imports = [
|
|
shb.test.baseModule
|
|
../../modules/blocks/monitoring.nix
|
|
];
|
|
|
|
test = {
|
|
subdomain = "g";
|
|
};
|
|
|
|
shb.monitoring = {
|
|
enable = true;
|
|
inherit (config.test) subdomain domain;
|
|
scrutiny.enable = false;
|
|
|
|
contactPoints = [ "me@example.com" ];
|
|
|
|
grafanaPort = 3000;
|
|
adminPassword.result = config.shb.hardcodedsecret."admin_password".result;
|
|
secretKey.result = config.shb.hardcodedsecret."secret_key".result;
|
|
};
|
|
|
|
shb.hardcodedsecret."admin_password" = {
|
|
request = config.shb.monitoring.adminPassword.request;
|
|
settings.content = password;
|
|
};
|
|
shb.hardcodedsecret."secret_key" = {
|
|
request = config.shb.monitoring.secretKey.request;
|
|
settings.content = "secret_key_pw";
|
|
};
|
|
};
|
|
|
|
https =
|
|
{ config, ... }:
|
|
{
|
|
shb.monitoring = {
|
|
ssl = config.shb.certs.certs.selfsigned.n;
|
|
};
|
|
};
|
|
|
|
ldap =
|
|
{ config, ... }:
|
|
{
|
|
shb.monitoring = {
|
|
ldap = {
|
|
userGroup = "user_group";
|
|
adminGroup = "admin_group";
|
|
};
|
|
};
|
|
};
|
|
|
|
clientLoginSso =
|
|
{ config, ... }:
|
|
{
|
|
imports = [
|
|
shb.test.baseModule
|
|
shb.test.clientLoginModule
|
|
];
|
|
test = {
|
|
subdomain = "g";
|
|
};
|
|
|
|
test.login = {
|
|
startUrl = "https://${config.test.fqdn}";
|
|
usernameFieldLabelRegex = "Username";
|
|
passwordFieldLabelRegex = "Password";
|
|
loginButtonNameRegex = "[sS]ign [iI]n";
|
|
testLoginWith = [
|
|
{
|
|
username = "alice";
|
|
password = "NotAlicePassword";
|
|
nextPageExpect = [
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
# TODO: fix this. I tried a lot of stuff but can't figure out why it broke recently.
|
|
# For those reading this, it seems the call to Authelias's /userinfo endpoint returned a json response
|
|
# with the value Editor in the field "grafana_groups". So I don't know what's wrong.
|
|
# {
|
|
# username = "alice";
|
|
# password = "AlicePassword";
|
|
# nextPageExpect = [
|
|
# "page.get_by_role('button', name=re.compile('Accept')).click()"
|
|
# "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).not_to_be_visible(timeout=10000)"
|
|
# "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
|
# "expect(page.get_by_text('Welcome to Grafana')).to_be_visible()"
|
|
# ];
|
|
# }
|
|
{
|
|
username = "bob";
|
|
password = "NotBobPassword";
|
|
nextPageExpect = [
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
# TODO: fix this. I tried a lot of stuff but can't figure out why it broke recently.
|
|
# Same error as above.
|
|
# {
|
|
# username = "bob";
|
|
# password = "BobPassword";
|
|
# nextPageExpect = [
|
|
# "page.get_by_role('button', name=re.compile('Accept')).click()"
|
|
# "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).not_to_be_visible(timeout=10000)"
|
|
# "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
|
# "expect(page.get_by_text('Welcome to Grafana')).to_be_visible()"
|
|
# ];
|
|
# }
|
|
{
|
|
username = "charlie";
|
|
password = "NotCharliePassword";
|
|
nextPageExpect = [
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
# TODO: fix this. This fails with:
|
|
# "If you're seeing this Grafana has failed to load its application files"
|
|
# {
|
|
# username = "charlie";
|
|
# password = "CharliePassword";
|
|
# nextPageExpect = [
|
|
# "page.get_by_role('button', name=re.compile('Accept')).click()" # I don't understand why this is not needed. Maybe it keeps somewhere the previous token?
|
|
# "expect(page.get_by_text(re.compile('[Ll]ogin failed'))).to_be_visible(timeout=10000)"
|
|
# ];
|
|
# }
|
|
];
|
|
};
|
|
};
|
|
|
|
scrutiny =
|
|
{ lib, ... }:
|
|
{
|
|
shb.monitoring = {
|
|
scrutiny.enable = lib.mkForce true;
|
|
};
|
|
};
|
|
|
|
clientScrutinyLoginSso =
|
|
{ config, ... }:
|
|
{
|
|
imports = [
|
|
shb.test.baseModule
|
|
shb.test.clientLoginModule
|
|
];
|
|
test = {
|
|
subdomain = "scrutiny";
|
|
};
|
|
|
|
test.login = {
|
|
startUrl = "https://${config.test.fqdn}";
|
|
usernameFieldLabelRegex = "Username";
|
|
passwordFieldLabelRegex = "Password";
|
|
loginButtonNameRegex = "[sS]ign [iI]n";
|
|
testLoginWith = [
|
|
{
|
|
username = "alice";
|
|
password = "NotAlicePassword";
|
|
nextPageExpect = [
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
{
|
|
username = "alice";
|
|
password = "AlicePassword";
|
|
nextPageExpect = [
|
|
''
|
|
if page.get_by_role('button', name=re.compile('Accept')).count() > 0:
|
|
page.get_by_role('button', name=re.compile('Accept')).click()
|
|
''
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).not_to_be_visible(timeout=10000)"
|
|
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
|
"expect(page.get_by_text('Temperature history for each device')).to_be_visible(timeout=20000)"
|
|
];
|
|
}
|
|
{
|
|
username = "bob";
|
|
password = "NotBobPassword";
|
|
nextPageExpect = [
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
{
|
|
username = "bob";
|
|
password = "BobPassword";
|
|
nextPageExpect = [
|
|
''
|
|
if page.get_by_role('button', name=re.compile('Accept')).count() > 0:
|
|
page.get_by_role('button', name=re.compile('Accept')).click()
|
|
''
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).not_to_be_visible(timeout=10000)"
|
|
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
|
"expect(page.get_by_text('Temperature history for each device')).to_be_visible(timeout=20000)"
|
|
];
|
|
}
|
|
{
|
|
username = "charlie";
|
|
password = "NotCharliePassword";
|
|
nextPageExpect = [
|
|
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
{
|
|
username = "charlie";
|
|
password = "CharliePassword";
|
|
nextPageExpect = [
|
|
"page.get_by_role('button', name=re.compile('Accept')).click()" # I don't understand why this is not needed. Maybe it keeps somewhere the previous token?
|
|
"expect(page.get_by_text(re.compile('[Ll]ogin failed'))).to_be_visible(timeout=10000)"
|
|
];
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
sso =
|
|
{ config, ... }:
|
|
{
|
|
shb.monitoring = {
|
|
sso = {
|
|
enable = true;
|
|
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
|
|
|
sharedSecret.result = config.shb.hardcodedsecret.oidcSecret.result;
|
|
sharedSecretForAuthelia.result = config.shb.hardcodedsecret.oidcAutheliaSecret.result;
|
|
};
|
|
};
|
|
|
|
shb.hardcodedsecret.oidcSecret = {
|
|
request = config.shb.monitoring.sso.sharedSecret.request;
|
|
settings.content = oidcSecret;
|
|
};
|
|
shb.hardcodedsecret.oidcAutheliaSecret = {
|
|
request = config.shb.monitoring.sso.sharedSecretForAuthelia.request;
|
|
settings.content = oidcSecret;
|
|
};
|
|
};
|
|
in
|
|
{
|
|
basic = shb.test.runNixOSTest {
|
|
name = "monitoring_basic";
|
|
|
|
node.pkgsReadOnly = false;
|
|
|
|
nodes.server = {
|
|
imports = [
|
|
basic
|
|
];
|
|
};
|
|
|
|
nodes.client = { };
|
|
|
|
testScript = commonTestScript;
|
|
};
|
|
|
|
https = shb.test.runNixOSTest {
|
|
name = "monitoring_https";
|
|
|
|
node.pkgsReadOnly = false;
|
|
|
|
nodes.server = {
|
|
imports = [
|
|
basic
|
|
shb.test.certs
|
|
https
|
|
];
|
|
};
|
|
|
|
nodes.client = { };
|
|
|
|
testScript = commonTestScript;
|
|
};
|
|
|
|
sso = shb.test.runNixOSTest {
|
|
name = "monitoring_sso";
|
|
|
|
node.pkgsReadOnly = false;
|
|
|
|
nodes.client = {
|
|
imports = [
|
|
clientLoginSso
|
|
];
|
|
|
|
virtualisation.memorySize = 4096;
|
|
};
|
|
nodes.server =
|
|
{ config, pkgs, ... }:
|
|
{
|
|
imports = [
|
|
basic
|
|
shb.test.certs
|
|
https
|
|
shb.test.ldap
|
|
ldap
|
|
(shb.test.sso config.shb.certs.certs.selfsigned.n)
|
|
sso
|
|
];
|
|
|
|
# virtualisation.memorySize = 4096;
|
|
};
|
|
|
|
testScript = commonTestScript;
|
|
};
|
|
|
|
scrutiny_sso = shb.test.runNixOSTest {
|
|
name = "monitoring_scrutiny_sso";
|
|
|
|
node.pkgsReadOnly = false;
|
|
|
|
nodes.client = {
|
|
imports = [
|
|
clientScrutinyLoginSso
|
|
];
|
|
|
|
virtualisation.memorySize = 4096;
|
|
};
|
|
nodes.server =
|
|
{ config, pkgs, ... }:
|
|
{
|
|
imports = [
|
|
basic
|
|
scrutiny
|
|
shb.test.certs
|
|
https
|
|
shb.test.ldap
|
|
ldap
|
|
(shb.test.sso config.shb.certs.certs.selfsigned.n)
|
|
sso
|
|
];
|
|
|
|
# virtualisation.memorySize = 4096;
|
|
};
|
|
|
|
testScript = commonTestScript;
|
|
};
|
|
}
|