tests: init kratos

Author: philocalyst

nixos/tests/all-tests.nix

@@ -807,6 +807,8 @@ in
   jitsi-meet = runTest ./jitsi-meet.nix;
   jool = import ./jool.nix { inherit pkgs runTest; };
   jotta-cli = runTest ./jotta-cli.nix;
+  kratos = runTest ./kratos.nix;
+  kratos-abstractions = runTest ./kratos-abstractions.nix;
   k3s = import ./rancher {
     inherit pkgs runTest;
     inherit (pkgs) lib;

nixos/tests/kratos-abstractions.nix

@@ -0,0 +1,104 @@
+{ lib, pkgs, ... }:
+
+{
+  name = "kratos-abstractions";
+  meta.maintainers = with lib.maintainers; [ philocalyst ];
+
+  nodes.machine =
+    { ... }:
+    let
+      identitySchema = pkgs.writeText "kratos-identity.schema.json" ''
+        {
+          "$id": "https://example.com/schemas/identity.schema.json",
+          "$schema": "http://json-schema.org/draft-07/schema#",
+          "title": "Identity",
+          "type": "object",
+          "properties": {
+            "traits": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string",
+                  "format": "email",
+                  "ory.sh/kratos": {
+                    "credentials": {
+                      "password": {
+                        "identifier": true
+                      }
+                    }
+                  }
+                }
+              },
+              "required": [ "email" ],
+              "additionalProperties": false
+            }
+          }
+        }
+      '';
+
+      defaultSecret = pkgs.writeText "kratos-default-secret" "abcdefghijklmnopqrstuvwxyz123456";
+      cookieSecret = pkgs.writeText "kratos-cookie-secret" "bcdefghijklmnopqrstuvwxyz1234567";
+      cipherSecret = pkgs.writeText "kratos-cipher-secret" "0123456789abcdef0123456789abcdef";
+      smtpConnectionURI = pkgs.writeText "kratos-smtp-connection-uri" "smtps://test:test@localhost:1025/?skip_ssl_verify=true";
+    in
+    {
+      services.kratos = {
+        enable = true;
+        database.createLocally = true;
+        identitySchemas = [
+          {
+            id = "default";
+            path = identitySchema;
+          }
+        ];
+        urls = {
+          public = "https://id.example.test/";
+          admin = "http://kratos.internal.test:4434/";
+          selfService = "https://auth.example.test";
+          defaultReturnTo = "https://app.example.test/";
+          allowedReturnUrls = [
+            "https://app.example.test/"
+            "https://auth.example.test/"
+          ];
+        };
+        secretFiles = {
+          default = [ defaultSecret ];
+          cookie = [ cookieSecret ];
+          cipher = [ cipherSecret ];
+          courierSmtpConnectionURI = smtpConnectionURI;
+        };
+        settings = {
+          selfservice.methods.password.enabled = true;
+        };
+      };
+    };
+
+  testScript =
+    { nodes, ... }:
+    let
+      settings = nodes.machine.services.kratos.settings;
+    in
+    ''
+      machine.wait_for_unit("postgresql.service")
+      machine.wait_for_unit("kratos-postgresql-init.service")
+      machine.wait_for_unit("kratos-migrate.service")
+      machine.wait_for_unit("kratos.service")
+      machine.wait_for_open_port(4433)
+      machine.wait_for_open_port(4434)
+
+      machine.succeed("curl --fail http://127.0.0.1:4433/health/ready")
+      machine.succeed("curl --fail http://127.0.0.1:4434/health/ready")
+      machine.succeed("su - postgres -c \"psql -tAc \\\"SELECT 1 FROM pg_database WHERE datname = 'kratos'\\\"\" | grep 1")
+
+      assert "${settings.serve.public.base_url}" == "https://id.example.test/"
+      assert "${settings.serve.admin.base_url}" == "http://kratos.internal.test:4434/"
+      assert "${settings.selfservice.default_browser_return_url}" == "https://app.example.test/"
+      assert "${settings.selfservice.flows.login.ui_url}" == "https://auth.example.test/login"
+      assert "${settings.selfservice.flows.registration.ui_url}" == "https://auth.example.test/registration"
+      assert "${settings.selfservice.flows.settings.ui_url}" == "https://auth.example.test/settings"
+      assert "${settings.selfservice.flows.error.ui_url}" == "https://auth.example.test/error"
+      assert "${settings.selfservice.flows.recovery.ui_url}" == "https://auth.example.test/recovery"
+      assert "${settings.selfservice.flows.verification.ui_url}" == "https://auth.example.test/verification"
+      assert "${settings.selfservice.flows.logout.after.default_browser_return_url}" == "https://auth.example.test/login"
+    '';
+}

nixos/tests/kratos.nix

@@ -0,0 +1,105 @@
+{ lib, ... }:
+
+{
+  name = "kratos";
+  meta.maintainers = with lib.maintainers; [ philocalyst ];
+
+  nodes.machine =
+    { config, ... }:
+    let
+      identitySchema = config.node.pkgs.writeText "kratos-identity.schema.json" ''
+        {
+          "$id": "https://example.com/schemas/identity.schema.json",
+          "$schema": "http://json-schema.org/draft-07/schema#",
+          "title": "Identity",
+          "type": "object",
+          "properties": {
+            "traits": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string",
+                  "format": "email",
+                  "ory.sh/kratos": {
+                    "credentials": {
+                      "password": {
+                        "identifier": true
+                      }
+                    },
+                    "recovery": {
+                      "via": "email"
+                    },
+                    "verification": {
+                      "via": "email"
+                    }
+                  }
+                }
+              },
+              "required": [ "email" ],
+              "additionalProperties": false
+            }
+          }
+        }
+      '';
+    in
+    {
+      services.kratos = {
+        enable = true;
+        identitySchemas = [
+          {
+            id = "default";
+            path = identitySchema;
+          }
+        ];
+        settings = {
+          selfservice = {
+            default_browser_return_url = "http://127.0.0.1:4455/";
+            allowed_return_urls = [ "http://127.0.0.1:4455/" ];
+            methods.password.enabled = true;
+            flows = {
+              error.ui_url = "http://127.0.0.1:4455/error";
+              settings = {
+                ui_url = "http://127.0.0.1:4455/settings";
+                privileged_session_max_age = "15m";
+              };
+              recovery = {
+                enabled = true;
+                ui_url = "http://127.0.0.1:4455/recovery";
+              };
+              verification = {
+                enabled = true;
+                ui_url = "http://127.0.0.1:4455/verification";
+              };
+              logout.after.default_browser_return_url = "http://127.0.0.1:4455/login";
+              login = {
+                ui_url = "http://127.0.0.1:4455/login";
+                lifespan = "10m";
+              };
+              registration = {
+                ui_url = "http://127.0.0.1:4455/registration";
+                lifespan = "10m";
+                after.password.hooks = [ { hook = "session"; } ];
+              };
+            };
+          };
+          secrets = {
+            cookie = [ "abcdefghijklmnopqrstuvwxyz123456" ];
+            cipher = [ "0123456789abcdef0123456789abcdef" ];
+            default = [ "abcdefghijklmnopqrstuvwxyz123456" ];
+          };
+          courier.smtp.connection_uri = "smtps://test:test@localhost:1025/?skip_ssl_verify=true";
+        };
+      };
+    };
+
+  testScript = ''
+    machine.wait_for_unit("kratos-migrate.service")
+    machine.wait_for_unit("kratos.service")
+    machine.wait_for_open_port(4433)
+    machine.wait_for_open_port(4434)
+
+    machine.succeed("curl --fail http://127.0.0.1:4433/health/ready")
+    machine.succeed("curl --fail http://127.0.0.1:4434/health/ready")
+    machine.succeed("test -f /var/lib/kratos/db.sqlite")
+  '';
+}