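import assert from "node:assert/strict"
import { spawnSync } from "node:child_process"
import test from "node:test"

import {
  buildRemoteKexecRunnerScript,
  REMOTE_TRIBES_POST_INSTALL_SCRIPT,
  REMOTE_GUIX_INSTALL_SCRIPT,
  REMOTE_NBDE_SYNC_SCRIPT,
  REMOTE_TRIBES_ADMIN_SCRIPT,
  REMOTE_TRIBES_CERTIFICATE_SCRIPT
} from "../../src/main/deployment/scripts"

// These tests pin the shape of the generated remote shell scripts: every
// regex below is a line (or fragment) the script text must contain, so a
// refactor of the deployment scripts that drops a guard, a permission mode
// or a status marker fails here before it reaches a host.

/**
 * Assert that `script` contains every pattern in `patterns`.
 *
 * @param {string} script - generated shell script text
 * @param {RegExp[]} patterns - fragments that must all be present
 */
function assertMatchesAll(script, patterns) {
  for (const pattern of patterns) {
    assert.match(script, pattern)
  }
}

/**
 * Assert that `script` contains none of the patterns in `patterns`.
 *
 * @param {string} script - generated shell script text
 * @param {RegExp[]} patterns - fragments that must all be absent
 */
function assertMatchesNone(script, patterns) {
  for (const pattern of patterns) {
    assert.doesNotMatch(script, pattern)
  }
}

test("buildRemoteKexecRunnerScript can download and verify a pinned image URL", () => {
  const script = buildRemoteKexecRunnerScript({
    authorizedKey: "ssh-ed25519 AAAA test@example",
    imageUrl: "https://mirror.tribe-one.org/tribes-1/guix-kexec-installer-x86_64-linux-pin.tar.gz",
    imageSha256: "a".repeat(64)
  })
  assertMatchesAll(script, [
    /kexec installer image source: download \$image_url/,
    /download_installer\(\) \{/,
    // curl follows redirects (-fL), so the pinned sha256 below — not the URL —
    // is what provides integrity for the downloaded installer image.
    /curl --retry 10 --retry-delay 10 --retry-connrefused --retry-all-errors -fL --connect-timeout 20 -o guix-kexec-installer\.tar\.gz "\$image_url"/,
    /wget --progress=dot:giga -O guix-kexec-installer\.tar\.gz "\$image_url"/,
    /kexec installer download requires curl or wget/,
    // The checksum is checked with `sha256sum -c` before the archive is unpacked.
    // NOTE(review): this only pins that the check line exists; the script's
    // behaviour when `sha256sum -c` fails (abort before `tar -xzf`) is not
    // exercised here — confirm it separately.
    /printf '%s {2}%s\\n' "\$image_sha256" guix-kexec-installer\.tar\.gz \| sha256sum -c -/,
    /kexec installer sha256 checksum: matches Legion pin/,
    /tar -xzf guix-kexec-installer\.tar\.gz/
  ])
})

test("REMOTE_GUIX_INSTALL_SCRIPT builds the installed system from stable runtime inputs", () => {
  // The script must not rely on the '"'"' single-quote escaping trick.
  assert.doesNotMatch(REMOTE_GUIX_INSTALL_SCRIPT, /'"'"'/)

  // Runtime inputs and the files copied into the target root; secrets and
  // host configuration are installed mode 600.
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /runtime_system_facts="\$installer_tribes_dir\/system-facts\.json"/,
    /install -m 600 \/root\/.ssh\/authorized_keys "\$runtime_authorized_keys"/,
    /"bootloaderTargets": \["\$bootloader_target"\]/,
    /sort -k1,1rn -k2,2/,
    /prefer_efi_boot_entry\(\) \{/,
    /"\$efibootmgr_bin" -n "\$entry"/,
    /boot_mode="\$\{LEGION_BOOT_MODE:-auto\}"/,
    /\[ "\$boot_mode" = auto \]/,
    /\[ -d \/sys\/firmware\/efi \]/,
    /"rootLuksUuid": "\$luks_uuid"/,
    // Root volume is LUKS; NBDE binding uses clevis sss with a Tang threshold.
    /LEGION_NBDE_TANG_THRESHOLD/,
    /clevis luks bind -f -k - -d "\$device" sss/
  ])

  // Guix system definition: modules, initrd network drivers and the
  // JSON-driven operating-system construction.
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /\(use-modules \(guix gexp\)/,
    /\(gnu system\)/,
    /%legion-initrd-network-modules/,
    /"ixgbe"/,
    /"i40e"/,
    /\(with-extensions \(list guile-json-4\)/,
    /\(use-modules \(tribes system materialize\)\)/,
    /\(tribes-operating-system-from-json-files\s+#:host-config-file "\$runtime_host_config"\s+#:system-facts-file "\$runtime_system_facts"\)/s,
    /\(operating-system\s+\(inherit base-system\)/,
    /\(append %legion-initrd-network-modules\s+\(operating-system-initrd-modules base-system\)\)/s,
    /install -m 600 "\$runtime_system_facts" "\$target_tribes_dir\/system-facts\.json"/,
    /install -m 600 "\$runtime_authorized_keys" "\$target_tribes_dir\/root-authorized_keys"/
  ])

  // Channel seeding: pinned commit, mirror snapshot probing and fallback.
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /Guix channel seed: pinned commit=/,
    /LEGION_GUIX_MIRROR_URL:-https:\/\/mirror\.tribe-one\.org\/tribes-1/,
    /guix-channel-\$\{guix_pin_commit\}\.tar\.zst/,
    /guix-channel-latest\.tar\.zst/,
    /Guix channel seed: existing checkout cache at \$guix_cache_dir; skipping snapshot/,
    /Guix channel seed: probing commit snapshot \$snapshot_url/,
    /Guix channel seed: probing chosen snapshot \$snapshot_url/,
    /Guix channel seed: probe error: /,
    /Guix channel seed: no usable mirror snapshot found; falling back to direct channel fetch/,
    /describe_guix_checkout_cache\(\) \{/,
    /repo=\$\{repo%\.git\}/,
    // NOTE(review): the installer-side daemon is pinned with --disable-chroot,
    // i.e. builds there are not sandboxed; confirm this daemon only serves the
    // installer environment and not the installed system.
    /"\$guix_daemon" --discover=no --disable-chroot --build-users-group=guixbuild/
  ])

  // Logging, status markers and retry helpers.
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /install_log="\$\{LEGION_INSTALL_LOG:-\/root\/legion\/guix-install\.log\}"/,
    /start_install_log\(\) \{/,
    /tee -a "\$install_log" <"\$fifo" >&2 &/,
    /legion_status\(\) \{/,
    /@LEGION_STATUS v=1 phase=%s step=%s state=%s/,
    /legion_failed_status\(\) \{/,
    /@LEGION_STATUS v=1 phase=%s step=%s state=failed/,
    /retry_command\(\) \{/,
    /curl_retry\(\) \{/,
    /curl_retry_probe\(\) \{/,
    /curl --retry 10 --retry-delay 10 --retry-connrefused --retry-all-errors "\$@"/,
    /curl --retry 3 --retry-delay 2 --retry-connrefused --retry-all-errors "\$@"/,
    /LEGION_GUIX_TIME_MACHINE_ATTEMPTS:-5/,
    /LEGION_GUIX_TIME_MACHINE_RETRY_DELAY:-20/,
    /\$description failed on attempt \$attempt\/\$attempts/,
    /legion_status guix-install system-init started/,
    /legion_status guix-install script completed/
  ])

  // Substitute server health probing via /nix-cache-info.
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /LEGION_GUIX_SUBSTITUTE_HEALTH_TIMEOUT:-3/,
    /substitute_cache_info_url\(\) \{/,
    /filter_healthy_substitute_urls\(\) \{/,
    /curl_retry_probe -fsS\s+--connect-timeout "\$substitute_health_timeout" --max-time "\$substitute_health_timeout"/s,
    /StoreDir:\[\[:space:\]\]\*\/gnu\/store/,
    /no healthy Guix substitute servers remain after probing \/nix-cache-info/,
    /substitute_urls=\$\(filter_healthy_substitute_urls "\$substitute_urls"\)/
  ])

  // Checkout cache transplant into the target root.
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /Guix channel seed: transplanting checkout \$name \[\$description\]/,
    /seed_target_guix_checkout_cache\(\) \{/,
    /target_parent="\$mnt\/root\/.cache\/guix\/checkouts"/,
    /Guix channel seed: transplanting installer checkout cache into target root/,
    /env GUILE_AUTO_COMPILE=0 guix time-machine -C "\$LEGION_CHANNELS_FILE" --/
  ])

  // Ordering: the retried time-machine init must precede the cache transplant.
  // Check initIndex first so a missing anchor fails with a clear message rather
  // than via the indexOf(..., -1) search below.
  const initIndex = REMOTE_GUIX_INSTALL_SCRIPT.indexOf(
    'retry_command "${LEGION_GUIX_TIME_MACHINE_ATTEMPTS:-5}"'
  )
  assert.ok(initIndex >= 0, "time-machine retry_command invocation not found")
  const transplantIndex = REMOTE_GUIX_INSTALL_SCRIPT.indexOf(
    "seed_target_guix_checkout_cache\n\ninstall -d -m 755",
    initIndex
  )
  assert.ok(
    transplantIndex > initIndex,
    "seed_target_guix_checkout_cache must run after the time-machine init"
  )
})

test("REMOTE_GUIX_INSTALL_SCRIPT retry_command preserves final failure status", () => {
  // Extract just the retry_command function body and execute it under sh with
  // a command that always exits 7; the wrapper must propagate that status.
  const start = REMOTE_GUIX_INSTALL_SCRIPT.indexOf("retry_command() {")
  assert.ok(start >= 0, "retry_command() definition not found")
  const end = REMOTE_GUIX_INSTALL_SCRIPT.indexOf("\n\ncurl_retry() {", start)
  assert.ok(end > start, "curl_retry() definition not found after retry_command()")
  const retryFunction = REMOTE_GUIX_INSTALL_SCRIPT.slice(start, end)

  const result = spawnSync("sh", ["-s"], {
    input: `${retryFunction}\nretry_command 2 0 "expected failure" sh -c 'exit 7'\n`,
    encoding: "utf8",
    // Bound the run so a regression in the retry loop cannot hang the suite.
    timeout: 10000
  })
  // A missing `sh` or a timeout surfaces as result.error with status null;
  // report that explicitly instead of a bare "null !== 7".
  assert.ifError(result.error)
  assert.equal(result.status, 7)
  assert.match(result.stderr, /expected failure failed on attempt 1\/2/)
  assert.match(result.stderr, /expected failure failed after 2 attempt\(s\)/)
})

test("REMOTE_NBDE_SYNC_SCRIPT reconciles NBDE policy instead of only adding Tang pins", () => {
  assertMatchesAll(REMOTE_NBDE_SYNC_SCRIPT, [
    /legion_status nbde-sync script started/,
    /legion_status nbde-sync script completed/,
    /nbde_mode="\$\{LEGION_NBDE_MODE:-degraded\}"/,
    /local_boot_key_path="\$\{LEGION_NBDE_LOCAL_BOOT_KEY_PATH:-\/boot\/nbde\/local-boot.key\}"/,
    // Reconcile = drop every existing clevis binding, then re-bind a quorum.
    /remove_all_clevis_bindings\(\) \{/,
    /bind_quorum_tang_urls\(\) \{/,
    /curl_retry\(\) \{/,
    /curl_retry -fsS "\$tang_url\/adv" -o "\$adv_file"/,
    /ensure_local_boot_key\(\) \{/,
    /secure_remove_local_boot_key_file\(\) \{/,
    // The local boot key is removed from the LUKS header, then the file is
    // overwritten with zeros.
    // NOTE(review): overwriting with dd is best-effort on journaled or
    // copy-on-write filesystems; the luksRemoveKey step is what actually
    // revokes the key.
    /cryptsetup luksRemoveKey "\$device" "\$local_boot_key_path"/,
    /dd if=\/dev\/zero of="\$path"/
  ])
})

test("REMOTE_GUIX_INSTALL_SCRIPT stores local NBDE boot keys under /boot", () => {
  assertMatchesAll(REMOTE_GUIX_INSTALL_SCRIPT, [
    /boot_local_boot_key_path="\$boot_nbde_dir\/local-boot.key"/,
    /"localBootKeyFile": "\/boot\/nbde\/local-boot.key"/
  ])
  // The previous location under /etc must not be referenced anymore.
  assert.doesNotMatch(
    REMOTE_GUIX_INSTALL_SCRIPT,
    /"localBootKeyFile": "\/etc\/legion\/nbde\/local-boot.key"/
  )
})

test("REMOTE_TRIBES_ADMIN_SCRIPT checks bootstrap readiness without starting a second release", () => {
  // Readiness is read from the loopback internal status endpoint only.
  assertMatchesAll(REMOTE_TRIBES_ADMIN_SCRIPT, [
    /internal_status_url="http:\/\/\$local_probe_host:\$local_probe_port\/__internal\/status"/,
    /curl_retry\(\) \{/,
    /curl_retry -fsS "\$internal_status_url"/
  ])
  // None of the older mechanisms that started or evaluated code inside a
  // second release may remain.
  assertMatchesNone(REMOTE_TRIBES_ADMIN_SCRIPT, [
    /bootstrap\/wait/,
    /tribes-app eval/,
    /LEGION_EVAL_EXPR/,
    /RELEASE_DISTRIBUTION=none/,
    /herd start tribes/
  ])
})

test("REMOTE_TRIBES_CERTIFICATE_SCRIPT triggers lego after DNS is ready", () => {
  assertMatchesAll(REMOTE_TRIBES_CERTIFICATE_SCRIPT, [
    /TRIBES_PUBLIC_HOST/,
    /service_name="lego-bootstrap-\$cert_name"/,
    /herd start haproxy/,
    /herd start "\$service_name"/,
    /expected certificate service \$service_name/,
    /legion_status tribes-certificate lego completed/
  ])
})

test("REMOTE_TRIBES_POST_INSTALL_SCRIPT installs sync TLS material when enabled", () => {
  assertMatchesAll(REMOTE_TRIBES_POST_INSTALL_SCRIPT, [
    /legion_status tribes-post-install secrets started/,
    /legion_status tribes-post-install script completed/,
    /TRIBES_SYNC_LISTENER_ENABLED/,
    /sync_secret_dir="\$\{TRIBES_SYNC_SECRET_DIR/,
    // TLS material is owned by the service user and readable only by it.
    /install -m 600 -o "\$service_user" -g "\$service_group" "\$sync_ca_source" "\$sync_ca_target"/,
    /install -m 600 -o "\$service_user" -g "\$service_group" "\$sync_cert_source" "\$sync_cert_target"/,
    /install -m 600 -o "\$service_user" -g "\$service_group" "\$sync_key_source" "\$sync_key_target"/,
    /install -m 600 "\$host_config_source" "\$host_config_target"/,
    /install -m 600 "\$channels_source" "\$channels_target"/
  ])
})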