From 2debec18eae9bee1abebeda880c76caf3a6179ca Mon Sep 17 00:00:00 2001 From: Rebecca Mahany-Horton Date: Wed, 17 Jan 2024 16:00:32 -0500 Subject: [PATCH] Set test secret --- .github/workflows/validate.yml | 15 +++++++-- README.md | 2 +- tests/kolide-launcher.nix | 61 +++++++++++++++++++++++----------- tests/test-secret | 1 + 4 files changed, 56 insertions(+), 23 deletions(-) create mode 100644 tests/test-secret diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 7cabe43..9a7fd94 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -24,10 +24,17 @@ jobs: - name: build run: NIXPKGS_ALLOW_UNFREE=1 nix build --impure + - name: set up test secret + run: | + mv ./tests/test-secret ./tests/test-secret.bak + echo -n "${{ secrets.NABALU_ENROLL_SECRET }}" | tee ./tests/test-secret + - name: check flake (runs tests) run: NIXPKGS_ALLOW_UNFREE=1 nix flake check --impure --log-format internal-json timeout-minutes: 15 - + env: + CI: "true" + - name: get test derivation path id: test-derivation if: always() @@ -40,7 +47,7 @@ jobs: if: always() with: name: test-screenshot - path: ${{ steps.test-derivation.outputs.drvpath }}/test.png + path: ${{ steps.test-derivation.outputs.drvpath }}/test-*.png retention-days: 1 - name: show flake output attributes @@ -54,3 +61,7 @@ jobs: - name: osqueryd version run: ./result/bin/osqueryd --version + + - name: clean up after tests + if: always() + run: mv ./tests/test-secret.bak ./tests/test-secret diff --git a/README.md b/README.md index 31e8f4b..f73e671 100644 --- a/README.md +++ b/README.md @@ -80,4 +80,4 @@ Then start the `kolide-launcher.service` service. [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests) live in the [./tests](./tests) directory and are included via flake checks. -They are able to be run via the `nix flake check` command. +They are currently intended to run in CI only. 
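Review bot: In the `set up test secret` step of `.github/workflows/validate.yml`, `tee` writes the enrollment secret to stdout as well as to the file, so keeping it out of the job log depends entirely on GitHub's log masking; a plain redirect avoids that. The `${{ secrets.NABALU_ENROLL_SECRET }}` expression is also substituted into the script text before the shell runs, so a value containing a double quote, `$` or a backquote would be parsed as shell syntax. I would pass it through the step environment instead: `env:` with `NABALU_ENROLL_SECRET: ${{ secrets.NABALU_ENROLL_SECRET }}`, and `printf '%s' "$NABALU_ENROLL_SECRET" > ./tests/test-secret` after the existing `mv`. The workflow triggers are outside this hunk; if the job runs for pull requests from forks, the secret will presumably be empty there, so an explicit empty-value check with a clear message would help.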
diff --git a/tests/kolide-launcher.nix b/tests/kolide-launcher.nix index 044d7ea..f377f88 100644 --- a/tests/kolide-launcher.nix +++ b/tests/kolide-launcher.nix @@ -32,6 +32,7 @@ pkgs.nixosTest { }; }; services.xserver.desktopManager.mate.enable = true; + services.xserver.desktopManager.mate.debug = true; # This just quiets some log spam we don't care about hardware.pulseaudio.enable = true; @@ -40,31 +41,25 @@ pkgs.nixosTest { system.stateVersion = "23.05"; }; + enableOCR = true; + testScript = { nodes, ... }: let - user = nodes.machine.users.users.alice; + user = nodes.machine.config.users.users.alice; + uid = toString user.uid; + bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/${uid}/bus"; + xauthority = "${user.home}/.Xauthority"; + display = "DISPLAY=:0.0"; + env = "${bus} XAUTHORITY=${xauthority} ${display}"; + su = command: "su - ${user.name} -c '${env} ${command}'"; in '' machine.start() - # TODO: currently launcher will shut itself down if its secret file doesn't exist, - # so we don't get all the way through setup and launcher doesn't stay running. - # In the future, we'll want to validate setup and that the service is running. - - with subtest("kolide-launcher service starts"): - machine.wait_for_unit("kolide-launcher.service") - machine.sleep(10) - machine.systemctl("stop kolide-launcher.service") - - with subtest("launcher set up correctly"): - machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/debug.json") - - with subtest("get a screenshot"): - machine.wait_for_unit("display-manager.service") - - machine.wait_for_file("${user.home}/.Xauthority") - machine.succeed("xauth merge ${user.home}/.Xauthority") - + with subtest("log in to MATE"): + machine.wait_for_unit("display-manager.service", timeout=120) + machine.wait_for_file("${xauthority}") + machine.succeed("xauth merge ${xauthority}") machine.wait_until_succeeds("pgrep marco") machine.wait_for_window("marco") machine.wait_until_succeeds("pgrep mate-panel") 
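Review bot: In the `let` block of `testScript`, the `su` helper wraps its argument in single quotes (`-c '${env} ${command}'`), so a command that itself contains a single quote ends the quoting early and the shell runs something other than what was written. Nothing in the visible hunks calls `su`, `env`, `bus` or `display` (two script lines between this hunk and the next are not shown), so either drop the unused bindings or quote the argument, e.g. `su = command: "su - ${user.name} -c ${pkgs.lib.escapeShellArg "${env} ${command}"}";`. A one-line comment above `env` saying these bindings reproduce alice's graphical session environment would also help the next reader.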
@@ -73,7 +68,33 @@ pkgs.nixosTest { machine.wait_until_succeeds("pgrep caja") machine.wait_for_window("Caja") machine.sleep(20) - machine.screenshot("test.png") + machine.screenshot("test-screen1.png") + + with subtest("set up secret file"): + machine.copy_from_host("${./test-secret}", "/etc/kolide-k2/secret") + + with subtest("launcher service runs and is set up correctly"): + machine.systemctl("stop kolide-launcher.service") + machine.systemctl("start kolide-launcher.service") + machine.wait_for_unit("kolide-launcher.service", timeout=120) + machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/debug.json") + machine.sleep(60) + machine.screenshot("test-screen2.png") + + with subtest("osquery runs"): + machine.wait_until_succeeds("pgrep osqueryd", timeout=30) + machine.screenshot("test-screen3.png") + + with subtest("launcher desktop runs"): + machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/kolide.png") + machine.wait_for_file("/var/kolide-k2/k2device.kolide.com/menu.json") + machine.screenshot("test-screen4.png") + + print(machine.get_screen_text()) + + machine.wait_until_succeeds("pgrep -U ${uid} launcher") + machine.screenshot("test-screen5.png") + ''' machine.shutdown() ''; diff --git a/tests/test-secret b/tests/test-secret new file mode 100644 index 0000000..3263943 --- /dev/null +++ b/tests/test-secret @@ -0,0 +1 @@ +test-secret \ No newline at end of file
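Review bot: `machine.copy_from_host("${./test-secret}", "/etc/kolide-k2/secret")` interpolates a Nix path, which copies the file into the Nix store; in CI that file holds the real enrollment secret, and the store is world-readable and is not touched by the workflow's later `mv ./tests/test-secret.bak ./tests/test-secret` cleanup. On an ephemeral hosted runner that is probably acceptable, but with a self-hosted runner or a shared store or binary cache (not visible here) the secret would outlive the job, so the subtest deserves a comment such as `# CI overwrites tests/test-secret with a real enrollment secret; it lands in the Nix store, so run only on throwaway runners`. The same script uploads five screenshots as artifacts and `print(machine.get_screen_text())` sends OCR text to the log, so it is worth confirming that no launcher window ever displays the secret. The mode of `/etc/kolide-k2/secret` after the copy is not set in the hunk; adding `machine.succeed("chmod 600 /etc/kolide-k2/secret")` would make it explicit.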