nixpkgs/nixos/tests/influxdb2.nix

import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "influxdb2";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ offline ];
    };

    nodes.machine =
      { lib, ... }:
      {
        environment.systemPackages = [ pkgs.influxdb2-cli ];
        # Make sure that the service is restarted immediately if tokens need to be rewritten
        # without relying on any Restart=on-failure behavior
        systemd.services.influxdb2.serviceConfig.RestartSec = 6000;
        services.influxdb2.enable = true;
        services.influxdb2.provision = {
          enable = true;
          initialSetup = {
            organization = "default";
            bucket = "default";
            passwordFile = pkgs.writeText "admin-pw" "ExAmPl3PA55W0rD";
            tokenFile = pkgs.writeText "admin-token" "verysecureadmintoken";
          };
          organizations.someorg = {
            buckets.somebucket = { };
            auths.sometoken = {
              description = "some auth token";
              readBuckets = [ "somebucket" ];
              writeBuckets = [ "somebucket" ];
            };
          };
          users.someuser.passwordFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga";
        };

        specialisation.withModifications.configuration =
          { ... }:
          {
            services.influxdb2.provision = {
              organizations.someorg.buckets.somebucket.present = false;
              organizations.someorg.auths.sometoken.present = false;
              users.someuser.present = false;

              organizations.myorg = {
                description = "Myorg description";
                buckets.mybucket = {
                  description = "Mybucket description";
                };
                auths.mytoken = {
                  operator = true;
                  description = "operator token";
                  tokenFile = pkgs.writeText "tmp-tok" "someusertoken";
                };
              };
              users.myuser.passwordFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga";
            };
          };

        specialisation.withParentDelete.configuration =
          { ... }:
          {
            services.influxdb2.provision = {
              organizations.someorg.present = false;
              # Deleting the parent implies:
              #organizations.someorg.buckets.somebucket.present = false;
              #organizations.someorg.auths.sometoken.present = false;
            };
          };

        specialisation.withNewTokens.configuration =
          { ... }:
          {
            services.influxdb2.provision = {
              organizations.default = {
                auths.operator = {
                  operator = true;
                  description = "new optoken";
                  tokenFile = pkgs.writeText "tmp-tok" "newoptoken";
                };
                auths.allaccess = {
                  operator = true;
                  description = "new allaccess";
                  tokenFile = pkgs.writeText "tmp-tok" "newallaccess";
                };
                auths.specifics = {
                  description = "new specifics";
                  readPermissions = [
                    "users"
                    "tasks"
                  ];
                  writePermissions = [ "tasks" ];
                  tokenFile = pkgs.writeText "tmp-tok" "newspecificstoken";
                };
              };
            };
          };
      };

    testScript =
      { nodes, ... }:
      let
        specialisations = "${nodes.machine.system.build.toplevel}/specialisation";
        tokenArg = "--token verysecureadmintoken";
      in
      ''
        def assert_contains(haystack, needle):
            if needle not in haystack:
                print("The haystack that will cause the following exception is:")
                print("---")
                print(haystack)
                print("---")
                raise Exception(f"Expected string '{needle}' was not found")

        def assert_lacks(haystack, needle):
            if needle in haystack:
                print("The haystack that will cause the following exception is:")
                print("---")
                print(haystack, end="")
                print("---")
                raise Exception(f"Unexpected string '{needle}' was found")

        machine.wait_for_unit("influxdb2.service")

        machine.fail("curl --fail -X POST 'http://localhost:8086/api/v2/signin' -u admin:wrongpassword")
        machine.succeed("curl --fail -X POST 'http://localhost:8086/api/v2/signin' -u admin:ExAmPl3PA55W0rD")

        out = machine.succeed("influx org list ${tokenArg}")
        assert_contains(out, "default")
        assert_lacks(out, "myorg")
        assert_contains(out, "someorg")

        out = machine.succeed("influx bucket list ${tokenArg} --org default")
        assert_contains(out, "default")

        machine.fail("influx bucket list ${tokenArg} --org myorg")

        out = machine.succeed("influx bucket list ${tokenArg} --org someorg")
        assert_contains(out, "somebucket")

        out = machine.succeed("influx user list ${tokenArg}")
        assert_contains(out, "admin")
        assert_lacks(out, "myuser")
        assert_contains(out, "someuser")

        out = machine.succeed("influx auth list ${tokenArg}")
        assert_lacks(out, "operator token")
        assert_contains(out, "some auth token")

        with subtest("withModifications"):
          machine.succeed('${specialisations}/withModifications/bin/switch-to-configuration test')
          machine.wait_for_unit("influxdb2.service")

          out = machine.succeed("influx org list ${tokenArg}")
          assert_contains(out, "default")
          assert_contains(out, "myorg")
          assert_contains(out, "someorg")

          out = machine.succeed("influx bucket list ${tokenArg} --org myorg")
          assert_contains(out, "mybucket")

          out = machine.succeed("influx bucket list ${tokenArg} --org someorg")
          assert_lacks(out, "somebucket")

          out = machine.succeed("influx user list ${tokenArg}")
          assert_contains(out, "admin")
          assert_contains(out, "myuser")
          assert_lacks(out, "someuser")

          out = machine.succeed("influx auth list ${tokenArg}")
          assert_contains(out, "operator token")
          assert_lacks(out, "some auth token")

          # Make sure the user token is also usable
          machine.succeed("influx auth list --token someusertoken")

        with subtest("keepsUnrelated"):
          machine.succeed('${nodes.machine.system.build.toplevel}/bin/switch-to-configuration test')
          machine.wait_for_unit("influxdb2.service")

          out = machine.succeed("influx org list ${tokenArg}")
          assert_contains(out, "default")
          assert_contains(out, "myorg")
          assert_contains(out, "someorg")

          out = machine.succeed("influx bucket list ${tokenArg} --org default")
          assert_contains(out, "default")

          out = machine.succeed("influx bucket list ${tokenArg} --org myorg")
          assert_contains(out, "mybucket")

          out = machine.succeed("influx bucket list ${tokenArg} --org someorg")
          assert_contains(out, "somebucket")

          out = machine.succeed("influx user list ${tokenArg}")
          assert_contains(out, "admin")
          assert_contains(out, "myuser")
          assert_contains(out, "someuser")

          out = machine.succeed("influx auth list ${tokenArg}")
          assert_contains(out, "operator token")
          assert_contains(out, "some auth token")

        with subtest("withParentDelete"):
          machine.succeed('${specialisations}/withParentDelete/bin/switch-to-configuration test')
          machine.wait_for_unit("influxdb2.service")

          out = machine.succeed("influx org list ${tokenArg}")
          assert_contains(out, "default")
          assert_contains(out, "myorg")
          assert_lacks(out, "someorg")

          out = machine.succeed("influx bucket list ${tokenArg} --org default")
          assert_contains(out, "default")

          out = machine.succeed("influx bucket list ${tokenArg} --org myorg")
          assert_contains(out, "mybucket")

          machine.fail("influx bucket list ${tokenArg} --org someorg")

          out = machine.succeed("influx user list ${tokenArg}")
          assert_contains(out, "admin")
          assert_contains(out, "myuser")
          assert_contains(out, "someuser")

          out = machine.succeed("influx auth list ${tokenArg}")
          assert_contains(out, "operator token")
          assert_lacks(out, "some auth token")

        with subtest("withNewTokens"):
          machine.succeed('${specialisations}/withNewTokens/bin/switch-to-configuration test')
          machine.wait_for_unit("influxdb2.service")

          out = machine.succeed("influx auth list ${tokenArg}")
          assert_contains(out, "operator token")
          assert_contains(out, "some auth token")
          assert_contains(out, "new optoken")
          assert_contains(out, "new allaccess")
          assert_contains(out, "new specifics")
      '';
  }
)