From ab4e90c3315c365e3a8b918bb7c1343d3dfa3bf4 Mon Sep 17 00:00:00 2001
From: nikstur
Date: Sat, 25 Feb 2023 21:38:43 +0100
Subject: [PATCH] tests: correctly test appending secret to initrd

The way the test was implemented previously did not make it fail if no secret was appended to the initrd. Now it is implemented similary to the initrd-secrets test in Nixpkgs and works correctly.
---
 nix/tests/lanzaboote.nix | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/nix/tests/lanzaboote.nix b/nix/tests/lanzaboote.nix
index 8be761a..d748ac1 100644
--- a/nix/tests/lanzaboote.nix
+++ b/nix/tests/lanzaboote.nix
@@ -124,26 +124,31 @@ in
 '';
 };
- # Test that a secret is appended to the initrd during installation.
- #
- # During the execution of `preDeviceCommands`, no filesystem should be
- # mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
- initrd-secrets = mkSecureBootTest {
- name = "lanzaboote-initrd-secrets";
- machine = { ... }: {
- boot.initrd.secrets = {
- "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
+ # Test that a secret is appended to the initrd during installation. Smilar to
+ # the initrd-secrets test in Nixpkgs:
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix
+ initrd-secrets =
+ let
+ secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
+ in
+ mkSecureBootTest {
+ name = "lanzaboote-initrd-secrets";
+ machine = { ... }: {
+ boot.initrd.secrets = {
+ "/test" = secret;
+ };
+ boot.initrd.postMountCommands = ''
+ cp /test /mnt-root/secret-from-initramfs
+ '';
 };
+ testScript = ''
+ machine.start()
+ machine.wait_for_unit("multi-user.target")
- boot.initrd.preDeviceCommands = ''
- grep "this is a very secure secret" /etc/iamasecret
+ machine.succeed("cmp ${secret} /secret-from-initramfs")
+ assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
 '';
 };
- testScript = ''
- machine.start()
- assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
- '';
- };
 # Test that the secrets configured to be appended to the initrd get updated
 # when installing a new generation even if the initrd itself (i.e. its store
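Review bot: The new `boot.initrd.postMountCommands` block does not say why copying `/test` after the root filesystem is mounted still proves the secret came from the initrd, which is the rationale the removed `preDeviceCommands` comment spelled out. A one-line comment above the `cp` would preserve it, e.g. `# /test is resolved in the initramfs root while the real root is still under /mnt-root, so a successful cmp below shows the secret was appended to the initrd` — confirm that stage-1 has not switched root at that point before relying on that wording. It is worth noting in the same comment that `cmp` in testScript fails both when the file is missing and when its contents differ, which is what makes this version fail if nothing was appended. Also, `Smilar` in the leading comment should read `Similar`. The enclosing attribute set starts and ends outside the hunk.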