fix: add nixos module test

Author: brianmay

.commitlintrc.yaml

@@ -0,0 +1,28 @@
+---
+# The rules below have been manually copied from @commitlint/config-conventional
+# and match the v1.0.0 specification:
+# https://www.conventionalcommits.org/en/v1.0.0/#specification
+#
+# You can remove them and uncomment the config below when the following issue is
+# fixed: https://github.com/conventional-changelog/commitlint/issues/613
+#
+# extends:
+#   - '@commitlint/config-conventional'
+rules:
+  body-leading-blank: [1, always]
+  body-max-line-length: [2, always, 100]
+  footer-leading-blank: [1, always]
+  footer-max-line-length: [2, always, 100]
+  header-max-length: [2, always, 100]
+  subject-case:
+    - 2
+    - never
+    - [sentence-case, start-case, pascal-case, upper-case]
+  subject-empty: [2, never]
+  subject-full-stop: [2, never, "."]
+  type-case: [2, always, lower-case]
+  type-empty: [2, never]
+  type-enum:
+    - 2
+    - always
+    - [build, chore, ci, docs, feat, fix, perf, refactor, revert, style, test]

flake.nix

@@ -176,7 +176,6 @@
               export DATABASE_URL="postgres://phone_db:your_secure_password_here@localhost:${
                 toString postgres_port
               }/phone_db"
-              export IMAGE_DIR="/tmp/images"
 
               export LDAP_SERVER="localhost"
               export LDAP_PORT="${toString ldap_port}"
@@ -221,21 +220,162 @@
             };
             services.postgres = {
               enable = true;
-              package = pkgs.postgresql_15.withPackages (ps: [ps.postgis]);
+              package = pkgs.postgresql_15;
               listen_addresses = "127.0.0.1";
               port = postgres_port;
               initialDatabases = [{name = "phone_db";}];
               initialScript = ''
                 \c phone_db;
                 CREATE USER phone_db with encrypted password 'your_secure_password_here';
                 GRANT ALL PRIVILEGES ON DATABASE phone_db TO phone_db;
-                ALTER USER phone_db WITH SUPERUSER;
               '';
             };
           }
         ];
       };
+
+      test = pkgs.nixosTest {
+        name = "phone_db";
+        nodes.machine = {...}: {
+          imports = [
+            self.nixosModules.default
+          ];
+          services.phone_db = {
+            enable = true;
+            http_url = "http://localhost:4000";
+            port = 4000;
+            secrets = pkgs.writeText "secrets.txt" ''
+              export RELEASE_COOKIE="12345678901234567890123456789012345678901234567890123456"
+              export DATABASE_URL="postgres://phone_db:your_secure_password_here@localhost/phone_db"
+              export GUARDIAN_SECRET="1234567890123456789012345678901234567890123456789012345678901234"
+              export SECRET_KEY_BASE="1234567890123456789012345678901234567890123456789012345678901234"
+              export SIGNING_SALT="12345678901234567890123456789012"
+              export OIDC_DISCOVERY_URL="http://localhost"
+              export OIDC_CLIENT_ID="photos"
+              export OIDC_CLIENT_SECRET="12345678901234567890123456789012"
+              export OIDC_AUTH_SCOPE="openid profile groups"
+
+              export DATABASE_URL_TEST="postgres://phone_db:your_secure_password_here@localhost:${
+                toString postgres_port
+              }/phone_db_test"
+              export DATABASE_URL="postgres://phone_db:your_secure_password_here@localhost:${
+                toString postgres_port
+              }/phone_db"
+
+              export LDAP_SERVER="localhost"
+              export LDAP_PORT="${toString ldap_port}"
+              export LDAP_BASE_DN="${dn_suffix}"
+              export LDAP_USERNAME="root"
+              export LDAP_USER_PASSWORD="your_secure_password_here"
+
+              export PHONE_USERNAME="${phone_username}"
+              export PHONE_PASSWORD="${phone_password}"
+            '';
+          };
+          system.stateVersion = "24.05";
+
+          services.postgresql = {
+            enable = true;
+            package = pkgs.postgresql_15;
+            settings.port = postgres_port;
+            initialScript = pkgs.writeText "init.psql" ''
+              CREATE DATABASE phone_db;
+              CREATE USER phone_db with encrypted password 'your_secure_password_here';
+              ALTER DATABASE phone_db OWNER TO phone_db;
+            '';
+          };
+
+          services.openldap = {
+            enable = true;
+
+            /*
+            enable plain and secure connections
+            */
+            urlList = [ldap_url];
+
+            settings = {
+              attrs = {
+                olcLogLevel = "conns config";
+              };
+
+              children = {
+                "cn=schema".includes = [
+                  "${pkgs.openldap}/etc/schema/core.ldif"
+                  "${pkgs.openldap}/etc/schema/cosine.ldif"
+                  "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+                ];
+
+                "olcDatabase={1}mdb" = {
+                  attrs = {
+                    objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+                    olcDatabase = "{1}mdb";
+                    olcDbDirectory = "/var/lib/openldap/test";
+
+                    olcSuffix = dn_suffix;
+
+                    /*
+                    your admin account, do not use writeText on a production system
+                    */
+                    olcRootDN = root_dn;
+                    olcRootPW.path = pkgs.writeText "olcRootPW" "your_secure_password_here";
+
+                    olcAccess = [
+                      /*
+                      custom access rules for userPassword attributes
+                      */
+                      ''
+                        {0}to attrs=userPassword
+                          by self write
+                          by anonymous auth
+                          by * none
+                      ''
+
+                      /*
+                      allow read on anything else
+                      */
+                      ''
+                        {1}to *
+                          by * read
+                      ''
+                    ];
+                  };
+                  children = {
+                    "olcOverlay={2}ppolicy".attrs = {
+                      objectClass = ["olcOverlayConfig" "olcPPolicyConfig" "top"];
+                      olcOverlay = "{2}ppolicy";
+                      olcPPolicyHashCleartext = "TRUE";
+                    };
+                    "olcOverlay={3}memberof".attrs = {
+                      objectClass = ["olcOverlayConfig" "olcMemberOf" "top"];
+                      olcOverlay = "{3}memberof";
+                      olcMemberOfRefInt = "TRUE";
+                      olcMemberOfDangling = "ignore";
+                      olcMemberOfGroupOC = "groupOfNames";
+                      olcMemberOfMemberAD = "member";
+                      olcMemberOfMemberOfAD = "memberOf";
+                    };
+                    "olcOverlay={4}refint".attrs = {
+                      objectClass = ["olcOverlayConfig" "olcRefintConfig" "top"];
+                      olcOverlay = "{4}refint";
+                      olcRefintAttribute = ["memberof" "member" "manager" "owner"];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+
+        testScript = ''
+          machine.wait_for_unit("phone_db.service")
+          machine.wait_for_open_port(4000)
+          machine.succeed("${pkgs.curl}/bin/curl --fail -v http://localhost:4000/_health")
+          machine.succeed("${test_phone_call}/bin/test_phone_call")
+        '';
+      };
     in {
+      checks.nixosModules = test;
       packages = {
         devenv-up = devShell.config.procfileScript;
         default = pkg;

lib/phone_db/contacts/ldap.ex

@@ -55,6 +55,15 @@ defmodule PhoneDb.Contacts.Ldap do
     end
   end
 
+  def get_contact(%Contact{} = contact) do
+    authenticate()
+
+    case Paddle.get(%PhoneDb.Contacts.Ldap.Person{telephoneNumber: contact.phone_number}, nil) do
+      {:error, :noSuchObject} -> nil
+      {:ok, [person]} -> person
+    end
+  end
+
   def update_contact(%Contact{} = contact) do
     authenticate()
 

lib/phone_db/release.ex

@@ -0,0 +1,99 @@
+defmodule PhoneDb.Release do
+  @moduledoc """
+  Functions for managing released code
+  """
+  @app :phone_db
+
+  require Logger
+
+  alias Ecto.Adapters.SQL
+  import Ecto.Query
+  alias PhoneDb.Contacts.Contact
+  alias PhoneDb.Repo
+
+  def migrate do
+    for repo <- repos() do
+      {:ok, _, _} = Ecto.Migrator.with_repo(repo, &Ecto.Migrator.run(&1, :up, all: true))
+    end
+  end
+
+  def rollback(repo, version) do
+    for r <- repos(), r == repo do
+      {:ok, _, _} = Ecto.Migrator.with_repo(repo, &Ecto.Migrator.run(&1, :down, to: version))
+    end
+  end
+
+  def seconds_since_last_migration do
+    Repo.one(
+      from m in "schema_migrations",
+        select: fragment("EXTRACT(EPOCH FROM age(NOW(), ?::timestamp))::BIGINT", m.inserted_at),
+        order_by: [desc: m.inserted_at],
+        limit: 1
+    )
+  end
+
+  def migrations_check do
+    repos = Application.fetch_env!(@app, :ecto_repos)
+
+    migrations =
+      repos
+      |> Enum.map(&Ecto.Migrator.migrations/1)
+      |> List.flatten()
+      |> Enum.filter(fn
+        {:up, _, _} -> false
+        {_, _, _} -> true
+      end)
+
+    if Enum.empty?(migrations) do
+      :ok
+    else
+      Logger.error("Migrations pending: #{inspect(migrations)}")
+      {:error, "Migrations pending: #{inspect(migrations)}"}
+    end
+  end
+
+  def database_check do
+    repos = Application.fetch_env!(@app, :ecto_repos)
+
+    Enum.reduce_while(repos, :ok, fn item, _acc ->
+      case SQL.query(item, "SELECT 1") do
+        {:ok, %{num_rows: 1, rows: [[1]]}} ->
+          {:cont, :ok}
+
+        {:error, reason} ->
+          Logger.error("Database error: #{inspect(reason)}")
+          {:halt, {:error, inspect(reason)}}
+      end
+    end)
+  rescue
+    e ->
+      Logger.error("Database error: #{inspect(e)}")
+      {:error, inspect(e)}
+  end
+
+  def ldap_check do
+    contact = %Contact{phone_number: "000"}
+    # This probably will fail because the contact doesn't exist.
+    PhoneDb.Contacts.Ldap.get_contact(contact)
+    :ok
+  rescue
+    e ->
+      Logger.error("Database error: #{inspect(e)}")
+      {:error, inspect(e)}
+  end
+
+  def health_check do
+    with :ok <- database_check(),
+         :ok <- ldap_check() do
+      :ok
+    else
+      {:error, reason} -> {:error, reason}
+    end
+  end
+
+  defp repos do
+    Application.ensure_all_started(:ssl)
+    Application.load(@app)
+    Application.fetch_env!(@app, :ecto_repos)
+  end
+end

lib/phone_db_web/controllers/healh_check_controller.ex

@@ -0,0 +1,15 @@
+defmodule PhoneDbWeb.HealthCheckController do
+  use PhoneDbWeb, :controller
+
+  alias PhoneDb.Release
+
+  def index(conn, _params) do
+    case Release.health_check() do
+      :ok ->
+        text(conn, "HEALTHY")
+
+      {:error, _reason} ->
+        conn |> put_status(500) |> text("ERROR")
+    end
+  end
+end

lib/phone_db_web/controllers/page_controller.ex

@@ -25,9 +25,4 @@ defmodule PhoneDbWeb.PageController do
   def login(conn, _params) do
     redirect(conn, to: Routes.page_path(conn, :index))
   end
-
-  @spec health(Plug.Conn.t(), map()) :: Plug.Conn.t()
-  def health(conn, _params) do
-    send_resp(conn, 200, "healthy")
-  end
 end

lib/phone_db_web/router.ex

@@ -53,8 +53,8 @@ defmodule PhoneDbWeb.Router do
     plug :phone_auth
   end
 
-  scope "/health" do
-    get "/", PhoneDbWeb.PageController, :health
+  scope "/", PhoneDbWeb do
+    get "/_health", HealthCheckController, :index
   end
 
   live_session :default, on_mount: PhoneDbWeb.InitAssigns do

module.nix

@@ -3,8 +3,9 @@
   pkgs,
   config,
   ...
-}:
-with lib; let
+}: let
+  inherit (lib) mkEnableOption mkOption types mkIf;
+
   cfg = config.services.phone_db;
 
   system = pkgs.stdenv.system;
@@ -26,7 +27,10 @@ in {
     enable = mkEnableOption "phone_db service";
     secrets = mkOption {type = types.path;};
     http_url = mkOption {type = types.str;};
-    port = mkOption {type = types.int;};
+    port = mkOption {
+      type = types.int;
+      default = 4000;
+    };
     data_dir = mkOption {
       type = types.str;
       default = "/var/lib/phone_db";
@@ -49,6 +53,7 @@ in {
       after = ["network.target" "postgresql.service" "openldap.service"];
       serviceConfig = {
         User = "phone_db";
+        ExecStartPre = ''${wrapper}/bin/phone_db eval "PhoneDb.Release.migrate"'';
         ExecStart = "${wrapper}/bin/phone_db start";
         ExecStop = "${wrapper}/bin/phone_db stop";
         ExecReload = "${wrapper}/bin/phone_db reload";