1 files changed, 120 insertions, 0 deletions
diff --git a/scripts/testing/lib/testinfra.sh b/scripts/testing/lib/testinfra.sh
new file mode 100644
index 0000000..0822a9f
--- /dev/null
+++ b/scripts/testing/lib/testinfra.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Testinfra post-install validation sweep (runs on the host, over SSH).
+#
+# This is the primary post-install validator (it replaced the shell
+# run_all_validations sweep). It connects to the freshly-installed VM over SSH
+# and runs the pytest suite under scripts/testing/tests/. Its result drives the
+# run's pass/fail, and per-test failures are bucketed (archsetup / base_install
+# / unknown) into the same issue-attribution report the shell sweep produced.
+#
+# Auth: reuse the root key the harness already authorized (inject_root_key),
+# which survives the sshd prohibit-password hardening; mint our own only if the
+# harness didn't (standalone use). pytest connects key-only via a generated
+# ssh-config. Key + config live in the results dir and are discarded with it.
+#
+# Uses globals from run-test.sh / vm-utils.sh: SCRIPT_DIR, VM_IP, SSH_PORT,
+# ROOT_PASSWORD, ROOT_SSH_KEY, ARCHSETUP_VM_CONF, plus the validation.sh
+# helpers attribute_issue / VALIDATION_*. Toggle with RUN_TESTINFRA=false.
+
+# Record each pytest failure from the attribution file into the issue arrays
+# (validation.sh's attribute_issue), so generate_issue_report covers them.
+_testinfra_record_attribution() {
+    local file="$1" bucket=""
+    [ -f "$file" ] || return 0
+    while IFS= read -r line; do
+        case "$line" in
+            "[archsetup]")    bucket=archsetup ;;
+            "[base_install]") bucket=base ;;
+            "[unknown]")      bucket=unknown ;;
+            "  "*)            attribute_issue "testinfra: ${line#  }" "$bucket" ;;
+        esac
+    done < "$file"
+}
+
+# run_testinfra_validation <results_dir>
+# Returns 0 only when the pytest sweep ran and passed. Returns non-zero when it
+# failed OR could not run (missing tooling / SSH setup) — a sweep that can't run
+# is not a pass. RUN_TESTINFRA=false is the one explicit opt-out (returns 0).
+run_testinfra_validation() {
+    local results_dir="$1"
+    local tests_dir="$SCRIPT_DIR/tests"
+    local key="$results_dir/testinfra_key"
+    local sshcfg="$results_dir/testinfra_ssh_config"
+
+    if [ "${RUN_TESTINFRA:-true}" != "true" ]; then
+        warn "RUN_TESTINFRA=false - skipping the Testinfra validation sweep"
+        return 0
+    fi
+    if ! command -v pytest >/dev/null 2>&1 || ! python3 -c 'import testinfra' >/dev/null 2>&1; then
+        error "Testinfra/pytest not installed on host - cannot validate (run: make deps)"
+        return 1
+    fi
+
+    section "Running Validation Checks (Testinfra)"
+
+    # Prefer the harness's already-authorized root key; mint one if absent.
+    if [ -n "${ROOT_SSH_KEY:-}" ] && [ -f "${ROOT_SSH_KEY}" ]; then
+        key="$ROOT_SSH_KEY"
+    else
+        rm -f "$key" "$key.pub"
+        if ! ssh-keygen -t ed25519 -N "" -q -f "$key"; then
+            error "testinfra: ssh-keygen failed"
+            return 1
+        fi
+        if ! copy_to_vm "$key.pub" "/tmp/testinfra_key.pub" "$ROOT_PASSWORD"; then
+            error "testinfra: pubkey copy failed"
+            return 1
+        fi
+        if ! vm_exec "$ROOT_PASSWORD" \
+            "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat /tmp/testinfra_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"; then
+            error "testinfra: authorizing key in VM failed"
+            return 1
+        fi
+    fi
+
+    # ssh-config so testinfra connects key-only, no host-key prompt.
+    cat > "$sshcfg" <<EOF
+Host testinfra-target
+    HostName ${VM_IP:-localhost}
+    Port ${SSH_PORT:-2222}
+    User root
+    IdentityFile $key
+    IdentitiesOnly yes
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+EOF
+
+    # The account archsetup created, for the tests that need it.
+    local test_user
+    test_user=$(sed -n 's/^USERNAME=//p' "$ARCHSETUP_VM_CONF" 2>/dev/null | head -n1)
+    : "${test_user:=cjennings}"
+
+    local logf="$results_dir/testinfra.log"
+    ARCHSETUP_TEST_USER="$test_user" pytest "$tests_dir" \
+        --hosts="ssh://testinfra-target" \
+        --ssh-config="$sshcfg" \
+        --attribution-file="$results_dir/testinfra-attribution.txt" \
+        -v >> "$logf" 2>&1
+    local rc=$?
+
+    # Surface pytest's counts through the shared validation counters so the
+    # issue report summary is meaningful (the shell sweep no longer runs).
+    local summary
+    summary=$(grep -oE '[0-9]+ (passed|failed|error|errors|skipped)' "$logf" | tail -10)
+    VALIDATION_PASSED=$(echo "$summary" | awk '/passed/{print $1}' | tail -1); VALIDATION_PASSED=${VALIDATION_PASSED:-0}
+    VALIDATION_WARNINGS=$(echo "$summary" | awk '/skipped/{print $1}' | tail -1); VALIDATION_WARNINGS=${VALIDATION_WARNINGS:-0}
+    local nfail nerr
+    nfail=$(echo "$summary" | awk '/failed/{print $1}' | tail -1); nfail=${nfail:-0}
+    nerr=$(echo "$summary" | awk '/error/{print $1}' | tail -1); nerr=${nerr:-0}
+    VALIDATION_FAILED=$((nfail + nerr))
+
+    if [ "$rc" -eq 0 ]; then
+        success "Testinfra validation passed ($VALIDATION_PASSED passed, $VALIDATION_WARNINGS skipped)"
+    else
+        error "Testinfra validation failed ($VALIDATION_FAILED failed/error; see testinfra.log)"
+        _testinfra_record_attribution "$results_dir/testinfra-attribution.txt"
+    fi
+    return "$rc"
+}