From 861431f2824867ccc3dd48dba670b771e6d15a45 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 4 Jan 2024 02:42:29 +0100 Subject: [PATCH] nixos/tests/bootspec: test `initrd` and `initrdSecrets` a bit stricter We will now ensure that no `initrdSecrets` leaks under no initrd secrets and that `initrdSecrets` are there if we do have initrd secrets. --- nixos/tests/bootspec.nix | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/nixos/tests/bootspec.nix b/nixos/tests/bootspec.nix index 9295500422a9..14928b220625 100644 --- a/nixos/tests/bootspec.nix +++ b/nixos/tests/bootspec.nix @@ -112,10 +112,39 @@ in bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json")) - assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled" + assert 'initrd' in bootspec, "Bootspec should contain initrd field when initrd is enabled" + assert 'initrdSecrets' not in bootspec, "Bootspec should not contain initrdSecrets when there's no initrdSecrets" ''; }; + # Check that initrd secrets create corresponding entries in bootspec. + initrd-secrets = makeTest { + name = "bootspec-with-initrd-secrets"; + meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + + nodes.machine = { + imports = [ standard ]; + environment.systemPackages = [ pkgs.jq ]; + # It's probably the case, but we want to make it explicit here. + boot.initrd.enable = true; + boot.initrd.secrets."/some/example" = pkgs.writeText "example-secret" "test"; + }; + + testScript = '' + import json + + machine.start() + machine.wait_for_unit("multi-user.target") + + machine.succeed("test -e /run/current-system/boot.json") + + bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json")) + + assert 'initrdSecrets' in bootspec, "Bootspec should contain an 'initrdSecrets' field given there's an initrd secret" + ''; + }; + + # Check that specialisations create corresponding entries in bootspec. specialisation = makeTest { name = "bootspec-with-specialisation";