#!/bin/bash
# SPDX-License-Identifier: GPL-3.0-or-later
#
# Testinfra post-install validation sweep (runs on the host, over SSH).
#
# P1 status: advisory. This runs alongside the shell sweep (run_all_validations)
# so a real VM run can diff the two and prove parity before pytest becomes the
# primary validator (P3 cutover). It never sets the run's pass/fail here.
#
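# Auth: if ROOT_SSH_KEY names an existing key file, that key is reused.
# Otherwise a throwaway ed25519 keypair is generated per run and its pubkey is
# authorized in the VM over the existing sshpass channel. Either way,
# pytest/testinfra connects key-only via a generated ssh-config. A generated
# keypair lives in the results dir and is discarded with it. The ssh-config
# turns host-key checking off, so the target's identity is not verified.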
#
# Uses globals from run-test.sh / vm-utils.sh: SCRIPT_DIR, VM_IP, SSH_PORT,
# ROOT_PASSWORD, ARCHSETUP_VM_CONF. Toggle with RUN_TESTINFRA=false.
# run_testinfra_validation <results_dir>
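run_testinfra_validation() {
  # Advisory pytest/testinfra sweep against the VM over SSH.
  # Arguments: $1 - results directory; receives the generated ssh-config,
  #                 testinfra.log, testinfra-attribution.txt and, on the
  #                 fallback path, the freshly minted keypair.
  # Globals:   SCRIPT_DIR, RUN_TESTINFRA, ROOT_SSH_KEY, ROOT_PASSWORD,
  #            VM_IP, SSH_PORT, ARCHSETUP_VM_CONF (all read).
  # Returns:   always 0 - every failure is downgraded to a warning so this
  #            sweep can never decide the run's pass/fail.
  local results_dir="$1"
  local tests_dir="$SCRIPT_DIR/tests"
  local key="$results_dir/testinfra_key"
  local sshcfg="$results_dir/testinfra_ssh_config"

  # Opt-out switch: anything other than the literal "true" disables the sweep.
  if [ "${RUN_TESTINFRA:-true}" != "true" ]; then
    return 0
  fi

  if ! command -v pytest >/dev/null 2>&1 \
    || ! python3 -c 'import testinfra' >/dev/null 2>&1; then
    warn "Testinfra/pytest not installed on host - skipping pytest sweep (run: make deps)"
    return 0
  fi

  step "Running Testinfra validation sweep (advisory)"

  # Prefer the root key the harness already authorized (inject_root_key). It
  # survives the sshd prohibit-password hardening, so reuse it rather than
  # authorizing a second key. Fall back to minting our own for standalone use.
  if [ -n "${ROOT_SSH_KEY:-}" ] && [ -f "${ROOT_SSH_KEY}" ]; then
    key="$ROOT_SSH_KEY"
  else
    # Clear any stale pair first; ssh-keygen would otherwise prompt before
    # overwriting. "--" keeps a path starting with "-" from being read as an option.
    rm -f -- "$key" "$key.pub"
    # NOTE(review): the private half is written into the results dir and grants
    # root login on the VM; make sure results are not archived or shared with
    # the key still inside.
    if ! ssh-keygen -t ed25519 -N "" -q -f "$key"; then
      warn "testinfra: ssh-keygen failed - skipping"
      return 0
    fi
    # NOTE(review): the pubkey is staged under a fixed name in the guest's
    # world-writable /tmp and is left there afterwards. Staging it under /root
    # would rule out interference from other guest accounts - confirm that
    # copy_to_vm can write there before changing the path.
    if ! copy_to_vm "$key.pub" "/tmp/testinfra_key.pub" "$ROOT_PASSWORD"; then
      warn "testinfra: pubkey copy failed - skipping"
      return 0
    fi
    # Appends (>>) so existing authorized keys are kept; nothing here removes
    # the entry again, so the key stays valid for the lifetime of the VM.
    if ! vm_exec "$ROOT_PASSWORD" \
      "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat /tmp/testinfra_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"; then
      warn "testinfra: authorizing key in VM failed - skipping"
      return 0
    fi
  fi

  # ssh-config so testinfra connects key-only, no host-key prompt.
  # IdentityFile is double-quoted so a key path containing whitespace is still
  # parsed by ssh as a single argument.
  # StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null means
  # the server's host key is never verified: the session authenticates the
  # client only. That trade-off fits a disposable VM whose host key changes on
  # every install; it should not be reused for long-lived hosts.
  if ! cat > "$sshcfg" <<EOF
Host testinfra-target
HostName ${VM_IP:-localhost}
Port ${SSH_PORT:-2222}
User root
IdentityFile "$key"
IdentitiesOnly yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
EOF
  then
    warn "testinfra: writing ssh-config failed - skipping"
    return 0
  fi

  # The account archsetup created, for the tests that need it. The value after
  # USERNAME= is taken verbatim from the first matching line.
  # NOTE(review): if the conf file quotes its values, the quotes end up in
  # ARCHSETUP_TEST_USER - confirm the conf format.
  local test_user
  test_user=$(sed -n 's/^USERNAME=//p' "$ARCHSETUP_VM_CONF" 2>/dev/null | head -n1)
  : "${test_user:=cjennings}"

  # "|| rc=$?" records the status without letting errexit (if the caller
  # enabled it) abort the harness on a failing advisory sweep.
  local rc=0
  ARCHSETUP_TEST_USER="$test_user" pytest "$tests_dir" \
    --hosts="ssh://testinfra-target" \
    --ssh-config="$sshcfg" \
    --attribution-file="$results_dir/testinfra-attribution.txt" \
    -v >> "$results_dir/testinfra.log" 2>&1 || rc=$?

  if [ "$rc" -eq 0 ]; then
    success "Testinfra sweep passed (advisory; see testinfra.log)"
  else
    warn "Testinfra sweep reported failures (advisory; see testinfra.log + testinfra-attribution.txt)"
  fi
  return 0
}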