From 15c8fb2585ee5417a45fef66cb740e72c44ab42b Mon Sep 17 00:00:00 2001
From: ibizaman
Date: Mon, 2 Mar 2026 21:00:42 +0100
Subject: [PATCH] nixos/utils: add regressions tests to genJqSecretsReplacement
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/utils/default.nix | 5 +
 nixos/tests/utils/genJqSecretsReplacement.nix | 177 ++++++++++++++++++
 3 files changed, 183 insertions(+)
 create mode 100644 nixos/tests/utils/default.nix
 create mode 100644 nixos/tests/utils/genJqSecretsReplacement.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 109a14676734..acc23c4d7b19 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1698,6 +1698,7 @@ in
 userborn-mutable-users = runTest ./userborn-mutable-users.nix;
 userborn-static = runTest ./userborn-static.nix;
 ustreamer = runTest ./ustreamer.nix;
+ utils = import ./utils { inherit runTest; };
 uwsgi = runTest ./uwsgi.nix;
 v2ray = runTest ./v2ray.nix;
 varnish60 = runTest {
diff --git a/nixos/tests/utils/default.nix b/nixos/tests/utils/default.nix
new file mode 100644
index 000000000000..a7c5f242c822
--- /dev/null
+++ b/nixos/tests/utils/default.nix
@@ -0,0 +1,5 @@
+{ runTest }:
+
+{
+ genJqSecretsReplacement = runTest ./genJqSecretsReplacement.nix;
+}
diff --git a/nixos/tests/utils/genJqSecretsReplacement.nix b/nixos/tests/utils/genJqSecretsReplacement.nix
new file mode 100644
index 000000000000..0b99cb5d2612
--- /dev/null
+++ b/nixos/tests/utils/genJqSecretsReplacement.nix
@@ -0,0 +1,177 @@
+{ lib, pkgs, ... }:
+
+let
+ secretA = pkgs.writeText "secretA" "AAAAA";
+ secretJSON = pkgs.writeText "secretA" (
+ builtins.toJSON [
+ { "a" = "topsecretpassword1234"; }
+ { "b" = "topsecretpassword5678"; }
+ ]
+ );
+
+ tests = {
+ simple = {
+ set = {
+ example = [
+ {
+ irrelevant = "not interesting";
+ }
+ {
+ ignored = "ignored attr";
+ relevant = {
+ secret = {
+ _secret = secretA;
+ };
+ };
+ }
+ ];
+ };
+ expect = {
+ example = [
+ {
+ irrelevant = "not interesting";
+ }
+ {
+ ignored = "ignored attr";
+ relevant = {
+ secret = "AAAAA";
+ };
+ }
+ ];
+ };
+ };
+
+ structured = {
+ set = {
+ example = [
+ {
+ irrelevant = "not interesting";
+ }
+ {
+ ignored = "ignored attr";
+ relevant = {
+ secret = {
+ _secret = secretJSON;
+ quote = false;
+ };
+ };
+ }
+ ];
+ };
+ expect = {
+ example = [
+ {
+ irrelevant = "not interesting";
+ }
+ {
+ ignored = "ignored attr";
+ relevant = {
+ secret = [
+ { "a" = "topsecretpassword1234"; }
+ { "b" = "topsecretpassword5678"; }
+ ];
+ };
+ }
+ ];
+ };
+ };
+
+ loadCredentials = {
+ set = {
+ example = [
+ {
+ irrelevant = "not interesting";
+ }
+ {
+ ignored = "ignored attr";
+ relevant = {
+ secret = {
+ _secret = secretJSON;
+ quote = false;
+ };
+ };
+ }
+ ];
+ };
+ opts = {
+ loadCredential = true;
+ };
+ expect = {
+ example = [
+ {
+ irrelevant = "not interesting";
+ }
+ {
+ ignored = "ignored attr";
+ relevant = {
+ secret = [
+ { "a" = "topsecretpassword1234"; }
+ { "b" = "topsecretpassword5678"; }
+ ];
+ };
+ }
+ ];
+ };
+ };
+ };
+in
+{
+ name = "utils-genJqSecretsReplacement";
+ meta.maintainers = [ pkgs.lib.maintainers.ibizaman ];
+
+ nodes.machine =
+ { lib, utils, ... }:
+ let
+ secretsReplacements = lib.mapAttrs (
+ name: test:
+ (utils.genJqSecretsReplacement (test.opts or { }) test.set "/var/lib/genJqTest-${name}/file")
+ ) tests;
+ in
+ {
+ systemd.services = lib.mapAttrs' (
+ name: secretsReplacement:
+ lib.nameValuePair "genJqTest-${name}" {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ LoadCredential = secretsReplacement.credentials;
+ };
+ script = "echo 'Done generating files'";
+ preStart = ''
+ mkdir -p /var/lib/genJqTest-${name}
+ ''
+ + secretsReplacement.script;
+ }
+ ) secretsReplacements;
+ };
+
+ testScript = ''
+ import json
+ machine.start()
+ ''
+ + lib.concatStringsSep "\n" (
+ lib.mapAttrsToList (
+ name: test:
+ let
+ expect = pkgs.writeText "expect" (builtins.toJSON test.expect);
+ in
+ ''
+ with subtest("${name}"):
+ machine.wait_for_unit("genJqTest-${name}.service")
+ gotRaw = machine.succeed("cat /var/lib/genJqTest-${name}/file")
+ try:
+ got = json.loads(gotRaw)
+ except Exception:
+ print(f"raw file: {gotRaw}")
+ raise
+ print(got)
+ with open("${expect}", "r") as file:
+ expect = json.loads(file.read())
+ if got != expect:
+ raise Exception(f"Unexpected file:\ngot={got}\n!=\nexpect={expect}")
+ ''
+ ) tests
+ );
+
+}
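Review bot: The `loadCredentials` case cannot show that `loadCredential = true` had any effect. Both fixtures come from `pkgs.writeText`, so they sit in the world-readable store, and `serviceConfig` sets no `User`; a generated script that read the `_secret` path directly would produce the same file and the subtest would still pass. To pin the behaviour, that case would need a secret created at runtime that only root can read, with its unit running unprivileged (for example `DynamicUser = true;` and `StateDirectory = "genJqTest-${name}";` in place of the `mkdir -p`), so that only the credential path can succeed. The fixtures are also plain alphanumerics; a value containing `"`, `\` and a newline in the `simple` case would cover escaping of a quoted secret, and the mode of the written file is never asserted. Minor: `secretJSON` reuses the store name `"secretA"`, which looks like a copy-paste; `pkgs.writeText "secretJSON" (` would read better in build logs.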