From 12c6d66bfd3de9a6619b249755a6e51673c3d78d Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Wed, 26 Feb 2025 12:44:04 +0900
Subject: [PATCH] cmd/fpkg/test: nixos test fpkg install/start

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 .gitea/workflows/test.yml       |  18 ++++++
 cmd/fpkg/test/configuration.nix |  60 ++++++++++++++++++
 cmd/fpkg/test/default.nix       |  34 ++++++++++
 cmd/fpkg/test/foot.nix          |  48 ++++++++++++++
 cmd/fpkg/test/test.py           | 108 ++++++++++++++++++++++++++++++++
 flake.nix                       |   1 +
 6 files changed, 269 insertions(+)
 create mode 100644 cmd/fpkg/test/configuration.nix
 create mode 100644 cmd/fpkg/test/default.nix
 create mode 100644 cmd/fpkg/test/foot.nix
 create mode 100644 cmd/fpkg/test/test.py

diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml
index c4e8d15..0ca93ab 100644
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -22,6 +22,23 @@ jobs:
           path: result/*
           retention-days: 1
 
+  fpkg:
+    name: Fpkg
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fpkg
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "fpkg-vm-output"
+          path: result/*
+          retention-days: 1
+
   race:
     name: Data race detector
     runs-on: nix
@@ -43,6 +60,7 @@ jobs:
     name: Flake checks
     needs:
       - fortify
+      - fpkg
       - race
     runs-on: nix
     steps:
diff --git a/cmd/fpkg/test/configuration.nix b/cmd/fpkg/test/configuration.nix
new file mode 100644
index 0000000..56390d9
--- /dev/null
+++ b/cmd/fpkg/test/configuration.nix
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+{
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  # Automatically login on tty1 as a normal user:
+  services.getty.autologinUser = "alice";
+
+  environment = {
+    variables = {
+      SWAYSOCK = "/tmp/sway-ipc.sock";
+      WLR_RENDERER = "pixman";
+    };
+  };
+
+  # Automatically configure and start Sway when logging in on tty1:
+  programs.bash.loginShellInit = ''
+    if [ "$(tty)" = "/dev/tty1" ]; then
+      set -e
+
+      mkdir -p ~/.config/sway
+      (sed s/Mod4/Mod1/ /etc/sway/config &&
+      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
+      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
+
+      sway --validate
+      systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok
+    fi
+  '';
+
+  programs.sway.enable = true;
+
+  virtualisation = {
+    diskSize = 6 * 1024;
+
+    qemu.options = [
+      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
+      "-vga none -device virtio-gpu-pci"
+
+      # Increase zstd performance:
+      "-smp 8"
+    ];
+  };
+
+  environment.fortify = {
+    enable = true;
+    stateDir = "/var/lib/fortify";
+    users.alice = 0;
+
+    home-manager = _: _: { home.stateVersion = "23.05"; };
+  };
+}
diff --git a/cmd/fpkg/test/default.nix b/cmd/fpkg/test/default.nix
new file mode 100644
index 0000000..c0a2248
--- /dev/null
+++ b/cmd/fpkg/test/default.nix
@@ -0,0 +1,34 @@
+{
+  nixosTest,
+  callPackage,
+
+  system,
+  self,
+}:
+let
+  buildPackage = self.buildPackage.${system};
+in
+nixosTest {
+  name = "fpkg";
+  nodes.machine = {
+    environment.etc = {
+      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
+    };
+
+    imports = [
+      ./configuration.nix
+
+      self.nixosModules.fortify
+      self.inputs.home-manager.nixosModules.home-manager
+    ];
+  };
+
+  # adapted from nixos sway integration tests
+
+  # testScriptWithTypes:49: error: Cannot call function of unknown type
+  #           (machine.succeed if succeed else machine.execute)(
+  #           ^
+  # Found 1 error in 1 file (checked 1 source file)
+  skipTypeCheck = true;
+  testScript = builtins.readFile ./test.py;
+}
diff --git a/cmd/fpkg/test/foot.nix b/cmd/fpkg/test/foot.nix
new file mode 100644
index 0000000..34469da
--- /dev/null
+++ b/cmd/fpkg/test/foot.nix
@@ -0,0 +1,48 @@
+{
+  lib,
+  buildPackage,
+  foot,
+  wayland-utils,
+  inconsolata,
+}:
+
+buildPackage {
+  name = "foot";
+  inherit (foot) version;
+
+  app_id = 2;
+  id = "org.codeberg.dnkl.foot";
+
+  modules = [
+    {
+      home.packages = [
+        foot
+
+        # For wayland-info:
+        wayland-utils
+      ];
+    }
+  ];
+
+  nixosModules = [
+    {
+      # To help with OCR:
+      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
+        main = {
+          font = "inconsolata:size=14";
+        };
+        colors = rec {
+          foreground = "000000";
+          background = "ffffff";
+          regular2 = foreground;
+        };
+      };
+
+      fonts.packages = [ inconsolata ];
+    }
+  ];
+
+  script = ''
+    exec foot "$@"
+  '';
+}
diff --git a/cmd/fpkg/test/test.py b/cmd/fpkg/test/test.py
new file mode 100644
index 0000000..eaf07fc
--- /dev/null
+++ b/cmd/fpkg/test/test.py
@@ -0,0 +1,108 @@
+import json
+import shlex
+
+q = shlex.quote
+NODE_GROUPS = ["nodes", "floating_nodes"]
+
+
+def swaymsg(command: str = "", succeed=True, type="command"):
+    assert command != "" or type != "command", "Must specify command or type"
+    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
+    with machine.nested(
+            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
+    ):
+        ret = (machine.succeed if succeed else machine.execute)(
+            f"su - alice -c {shell}"
+        )
+
+    # execute also returns a status code, but disregard.
+    if not succeed:
+        _, ret = ret
+
+    if not succeed and not ret:
+        return None
+
+    parsed = json.loads(ret)
+    return parsed
+
+
+def walk(tree):
+    yield tree
+    for group in NODE_GROUPS:
+        for node in tree.get(group, []):
+            yield from walk(node)
+
+
+def wait_for_window(pattern):
+    def func(last_chance):
+        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
+
+        if last_chance:
+            nodes = list(nodes)
+            machine.log(f"Last call! Current list of windows: {nodes}")
+
+        return any(pattern in name for name in nodes)
+
+    retry(func)
+
+
+def collect_state_ui(name):
+    swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
+    machine.copy_from_vm(f"/tmp/{name}.ps", "")
+    swaymsg(f"exec fortify --json ps > '/tmp/{name}.json'")
+    machine.copy_from_vm(f"/tmp/{name}.json", "")
+    machine.screenshot(name)
+
+
+def check_state(name, enablements):
+    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps"))
+    if len(instances) != 1:
+        raise Exception(f"unexpected state length {len(instances)}")
+    instance = next(iter(instances.values()))
+
+    config = instance['config']
+
+    if len(config['command']) != 1 or not (config['command'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['command'][0]):
+        raise Exception(f"unexpected command {instance['config']['command']}")
+
+    if config['confinement']['enablements'] != enablements:
+        raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
+
+
+start_all()
+machine.wait_for_unit("multi-user.target")
+
+# To check fortify's version:
+print(machine.succeed("sudo -u alice -i fortify version"))
+
+# Wait for Sway to complete startup:
+machine.wait_for_file("/run/user/1000/wayland-1")
+machine.wait_for_file("/tmp/sway-ipc.sock")
+
+# Prepare fpkg directory:
+machine.succeed("install -dm 0700 -o alice -g users /var/lib/fortify/1000")
+
+# Install fpkg app:
+swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
+machine.wait_for_file("/tmp/fpkg-install-done")
+
+# Start app (foot) with Wayland enablement:
+swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
+wait_for_window("fortify@machine-foot")
+machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
+collect_state_ui("app_wayland")
+check_state("foot", 13)
+# Verify acl on XDG_RUNTIME_DIR:
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
+machine.send_chars("exit\n")
+machine.wait_until_fails("pgrep foot")
+# Verify acl cleanup on XDG_RUNTIME_DIR:
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
+
+# Exit Sway and verify process exit status 0:
+swaymsg("exit", succeed=False)
+machine.wait_for_file("/tmp/sway-exit-ok")
+
+# Print fortify runDir contents:
+print(machine.succeed("find /run/user/1000/fortify"))
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 30986a0..e1dccec 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,6 +58,7 @@
         in
         {
           fortify = callPackage ./test { inherit system self; };
+          fpkg = callPackage ./cmd/fpkg/test { inherit system self; };
           race = callPackage ./test {
             inherit system self;
             withRace = true;