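# NixOS VM test for the ghostunnel module: a TLS-terminating proxy in front of a
# plain-HTTP nginx backend, exercised in two modes — server-only TLS ("plain-old")
# and mutual TLS with client-certificate CN allow-listing ("client-cert").
#
# Three nodes: `backend` serves a fixed file over HTTP, `service` runs the two
# ghostunnel listeners, `client` drives curl against them. The test
# certificates are generated on the driver host and copied into the VMs.
import ./make-test-python.nix ({ pkgs, ... }: {
  nodes = {
    # Plain HTTP origin. Port 80 is open so the sanity check can confirm the
    # content directly before anything goes through the proxy.
    backend = { pkgs, ... }: {
      services.nginx.enable = true;
      services.nginx.virtualHosts."backend".root = pkgs.runCommand "webroot" {} ''
        mkdir $out
        echo hi >$out/hi.txt
      '';
      networking.firewall.allowedTCPPorts = [ 80 ];
    };

    service = { ... }: {
      services.ghostunnel.enable = true;

      # Server-side TLS only: any client may connect, no client certificate is
      # requested or verified.
      services.ghostunnel.servers."plain-old" = {
        listen = "0.0.0.0:443";
        cert = "/root/service-cert.pem";
        key = "/root/service-key.pem";
        disableAuthentication = true;
        target = "backend:80";
        # The hop to the backend is cleartext HTTP to a non-local host, which
        # ghostunnel only permits when this is set explicitly. Fine for a test
        # network; in production keep the cleartext leg local or use TLS.
        unsafeTarget = true;
      };

      # Mutual TLS: the client must present a certificate that chains to
      # `cacert` AND whose CN is on the allow-list — CA trust alone is not
      # sufficient, which the negative checks in testScript exercise.
      services.ghostunnel.servers."client-cert" = {
        listen = "0.0.0.0:1443";
        cert = "/root/service-cert.pem";
        key = "/root/service-key.pem";
        cacert = "/root/ca.pem";
        target = "backend:80";
        allowCN = [ "client" ];
        unsafeTarget = true;
      };

      networking.firewall.allowedTCPPorts = [ 443 1443 ];
    };

    client = { pkgs, ... }: {
      environment.systemPackages = [
        pkgs.curl
      ];
    };
  };

  testScript = ''

    # Prepare certificates. These commands run on the test driver host, in its
    # working directory; the resulting PEM files are copied into the VMs below.

    def cmd(command):
        # Run a shell command and fail loudly. Note that os.system returns the
        # raw wait status rather than a bare exit code; any non-zero value
        # means the command did not succeed.
        print(f"+{command}")
        r = os.system(command)
        if r != 0:
            raise Exception(f"Command {command} failed with exit code {r}")

    # Create CA
    cmd("${pkgs.openssl}/bin/openssl genrsa -out ca-key.pem 4096")
    cmd("${pkgs.openssl}/bin/openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem")

    # Create service certificate. The SAN must cover the hostname the client
    # connects to ("service"), otherwise the --cacert checks below would fail
    # hostname verification even though the chain is valid.
    # The first write truncates extfile.cnf so a rerun in the same directory
    # does not accumulate duplicate extension lines (mirrors extfile-client.cnf).
    cmd("${pkgs.openssl}/bin/openssl genrsa -out service-key.pem 4096")
    cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=service' -sha256 -new -key service-key.pem -out service.csr")
    cmd("echo subjectAltName = DNS:service,IP:127.0.0.1 > extfile.cnf")
    cmd("echo extendedKeyUsage = serverAuth >> extfile.cnf")
    cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out service-cert.pem -extfile extfile.cnf")

    # Create client certificate (CN=client is on the allow-list).
    cmd("${pkgs.openssl}/bin/openssl genrsa -out client-key.pem 4096")
    cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr")
    cmd("echo extendedKeyUsage = clientAuth > extfile-client.cnf")
    cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf")

    # Create a second client certificate signed by the same trusted CA but with
    # a CN that is NOT on the allow-list. Used to show that chaining to cacert
    # alone does not grant access.
    cmd("${pkgs.openssl}/bin/openssl genrsa -out other-key.pem 4096")
    cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=other' -new -key other-key.pem -out other.csr")
    cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in other.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out other-cert.pem -extfile extfile-client.cnf")

    cmd("ls -al")

    start_all()

    # Configuration: the service gets its own key pair plus the CA it trusts
    # for client certificates; the client gets the CA (to verify the service)
    # and its own key pairs. Private keys live under /root on throwaway VMs.
    service.copy_from_host("ca.pem", "/root/ca.pem")
    service.copy_from_host("service-cert.pem", "/root/service-cert.pem")
    service.copy_from_host("service-key.pem", "/root/service-key.pem")
    client.copy_from_host("ca.pem", "/root/ca.pem")
    client.copy_from_host("service-cert.pem", "/root/service-cert.pem")
    client.copy_from_host("client-cert.pem", "/root/client-cert.pem")
    client.copy_from_host("client-key.pem", "/root/client-key.pem")
    client.copy_from_host("other-cert.pem", "/root/other-cert.pem")
    client.copy_from_host("other-key.pem", "/root/other-key.pem")

    backend.wait_for_unit("nginx.service")
    backend.wait_for_open_port(80)
    service.wait_for_unit("multi-user.target")
    # Wait for both ghostunnel listeners to actually accept connections before
    # pointing curl at them; reaching multi-user.target does not guarantee that.
    service.wait_for_open_port(443)
    service.wait_for_open_port(1443)
    client.wait_for_unit("multi-user.target")

    # Check assumptions before the real test: the backend serves the file.
    client.succeed("bash -c 'diff <(curl -v --no-progress-meter http://backend/hi.txt) <(echo hi)'")

    # Plain old simple TLS can connect, ignoring cert. --insecure is deliberate
    # here: this only proves the listener proxies the content; the chain is
    # verified by the next check.
    client.succeed("bash -c 'diff <(curl -v --no-progress-meter --insecure https://service/hi.txt) <(echo hi)'")

    # Plain old simple TLS presents a certificate that verifies against our CA
    # and matches the hostname.
    client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service/hi.txt) <(echo hi)'")

    # Client can authenticate with an allow-listed certificate.
    client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cert /root/client-cert.pem --key /root/client-key.pem --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'")

    # Client must authenticate with a certificate: no client cert is rejected.
    client.fail("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'")

    # A certificate from the trusted CA whose CN is not on the allow-list is
    # rejected too: allowCN is enforced, not just chain validity.
    client.fail("bash -c 'diff <(curl -v --no-progress-meter --cert /root/other-cert.pem --key /root/other-key.pem --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'")
  '';

  meta.maintainers = with pkgs.lib.maintainers; [
    roberth
  ];
})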