lightscale/lab/test-negative.nix

{ pkgs, serverPkg, clientPkg }:
{
  name = "lightscale-lab-negative";
  nodes = {
    node1 = { ... }: {
      networking.hostName = "node1";
      networking.usePredictableInterfaceNames = false;
      virtualisation.vlans = [ 1 ];
      networking.interfaces.eth1.useDHCP = false;
      networking.interfaces.eth1.ipv4.addresses = [
        { address = "10.0.0.1"; prefixLength = 24; }
      ];
      networking.firewall.enable = false;
      boot.kernelModules = [ "wireguard" ];
      environment.systemPackages = [
        serverPkg
        clientPkg
        pkgs.wireguard-tools
        pkgs.iproute2
        pkgs.iputils
        pkgs.netcat-openbsd
        pkgs.curl
      ];
    };
    node2 = { ... }: {
      networking.hostName = "node2";
      networking.usePredictableInterfaceNames = false;
      virtualisation.vlans = [ 1 ];
      networking.interfaces.eth1.useDHCP = false;
      networking.interfaces.eth1.ipv4.addresses = [
        { address = "10.0.0.2"; prefixLength = 24; }
      ];
      networking.firewall.enable = false;
      boot.kernelModules = [ "wireguard" ];
      environment.systemPackages = [
        clientPkg
        pkgs.wireguard-tools
        pkgs.iproute2
        pkgs.iputils
        pkgs.netcat-openbsd
        pkgs.curl
      ];
    };
  };

  testScript = ''
    start_all()
    node1.wait_for_unit("multi-user.target")
    node2.wait_for_unit("multi-user.target")
    node1.wait_until_succeeds("ip -4 addr show dev eth1 | grep -q '10.0.0.1/24'")
    node2.wait_until_succeeds("ip -4 addr show dev eth1 | grep -q '10.0.0.2/24'")

    node1.succeed("touch /tmp/lightscale-server.log")
    node1.execute("sh -c 'tail -n +1 -f /tmp/lightscale-server.log >/dev/console 2>&1 &'")
    node1.succeed(
        "systemd-run --no-block --unit=lightscale-server --service-type=simple "
        "--property=Restart=on-failure --property=RestartSec=1 "
        "--property=TimeoutStartSec=30 "
        "--property=StandardOutput=append:/tmp/lightscale-server.log "
        "--property=StandardError=append:/tmp/lightscale-server.log "
        "--setenv=RUST_LOG=info -- "
        "lightscale-server --listen 10.0.0.1:8080 --state /tmp/lightscale-state.json"
    )
    node1.wait_for_unit("lightscale-server.service")
    node1.wait_for_open_port(8080, addr="10.0.0.1", timeout=120)

    import json
    import time

    net = json.loads(node1.succeed(
        "curl -sSf -X POST http://10.0.0.1:8080/v1/networks "
        "-H 'content-type: application/json' "
        "-d '{\"name\":\"lab\",\"requires_approval\":true," \
        "\"bootstrap_token_ttl_seconds\":600," \
        "\"bootstrap_token_uses\":5,\"bootstrap_token_tags\":[\"lab\"]}'"
    ))
    network_id = net["network"]["id"]
    bootstrap_token = net["bootstrap_token"]["token"]

    node1.succeed(
        "lightscale-client --profile admin --config /tmp/ls-config.json "
        "init http://10.0.0.1:8080"
    )
    node2.succeed(
        "lightscale-client --profile test --config /tmp/ls-config.json "
        "init http://10.0.0.1:8080"
    )

    def admin_cmd(cmd):
        return node1.succeed(
            "lightscale-client --profile admin --config /tmp/ls-config.json " + cmd
        )

    def create_token(ttl_seconds, uses):
        out = admin_cmd(
            f"admin token create {network_id} --ttl-seconds {ttl_seconds} --uses {uses}"
        )
        for line in out.splitlines():
            if line.startswith("token:"):
                return line.split(":", 1)[1].strip()
        raise Exception("token not found in output")

    # Invalid token should fail.
    node2.fail(
        "lightscale-client --profile test --config /tmp/ls-config.json "
        "--state-dir /tmp/ls-state-invalid register --node-name bad -- not-a-token"
    )

    # Expired token should fail.
    expired_token = create_token(1, 1)
    time.sleep(2)
    node2.fail(
        "lightscale-client --profile test --config /tmp/ls-config.json "
        "--state-dir /tmp/ls-state-expired register --node-name expired -- "
        + expired_token
    )

    # Revoked token should fail.
    revoked_token = create_token(600, 1)
    admin_cmd(f"admin token revoke {revoked_token}")
    node2.fail(
        "lightscale-client --profile test --config /tmp/ls-config.json "
        "--state-dir /tmp/ls-state-revoked register --node-name revoked -- "
        + revoked_token
    )

    # Approval-required flow.
    node2.succeed(
        "lightscale-client --profile test --config /tmp/ls-config.json "
        "--state-dir /tmp/ls-state-pending register --node-name pending -- "
        + bootstrap_token
    )
    node2.succeed(
        "lightscale-client --profile test --state-dir /tmp/ls-state-pending "
        "status | grep -q 'approved: false'"
    )

    data = json.loads(node2.succeed("cat /tmp/ls-state-pending/state.json"))
    node_id = data["node_id"]

    admin_cmd(f"admin approve {node_id}")
    node2.succeed(
        "lightscale-client --profile test --config /tmp/ls-config.json "
        "--state-dir /tmp/ls-state-pending netmap | grep -q 'approved: true'"
    )
  '';
}