# NixOS VM test: Nextcloud server-side encryption (SSE) across an in-place
# switch between the OpenSSL 1.1 and OpenSSL 3 configurations.
#
# `nextcloudVersion` picks the `pkgs.nextcloud<N>` package under test
# (default 25). A single VM boots with the stateVersion-22.05 default and is
# then switched, with `switch-to-configuration test`, into a closure that sets
# `enableBrokenCiphersForSSE = false` (the configuration the script treats as
# "OpenSSL 3"). The script checks that
#   * files encrypted at rest under the old configuration are NOT readable
#     after the switch, while new uploads still work,
#   * switching back makes the old files readable again, and
#   * after `encryption:decrypt-all` on the old configuration everything is
#     usable under the new one.
# The second node is never booted; it only provides the alternative system
# closure that the first node switches into.
args@{ pkgs, nextcloudVersion ? 25, ... }:

(import ../make-test-python.nix ({ pkgs, ... }:
let
  inherit (pkgs) lib rclone runtimeShell writeScript writeText;

  # Test-only credentials. `adminpassFile` points at a file in the Nix store,
  # so the password is readable by every user on the VM; acceptable for this
  # fixture only.
  admin = {
    user = "root";
    password = "notproduction";
  };

  # Module shared by both nodes.
  baseModule = {
    networking.firewall.allowedTCPPorts = [ 80 ];
    # stateVersions <22.11 use openssl 1.1 by default
    system.stateVersion = "22.05";
    services.nextcloud = {
      enable = true;
      config.adminpassFile = "${writeText "adminpass" admin.password}";
      package = pkgs."nextcloud${toString nextcloudVersion}";
    };
  };

  # A node is the shared module plus a host name and optional overrides for
  # `services.nextcloud`.
  mkNode = hostName: nextcloudExtra: {
    imports = [ baseModule ];
    services.nextcloud = { inherit hostName; } // nextcloudExtra;
  };
in {
  name = "nextcloud-openssl";
  meta.maintainers = with lib.maintainers; [ ma27 ];

  nodes = {
    # Keeps the stateVersion default (legacy SSE ciphers, OpenSSL 1.1).
    nextcloudwithopenssl1 = mkNode "nextcloudwithopenssl1" { };
    # Same base without the legacy ciphers; the script switches into this
    # closure and back.
    nextcloudwithopenssl3 = mkNode "nextcloudwithopenssl3" {
      enableBrokenCiphersForSSE = false;
    };
  };

  testScript = { nodes, ... }:
    let
      # Wrapper script that configures rclone's "nextcloud:" WebDAV remote via
      # environment variables and then runs its arguments. The WebDAV password
      # is derived with `rclone obscure` at run time.
      rcloneEnvFor = host: writeScript "with-rclone-env" ''
        #!${runtimeShell}
        export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
        export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/"
        export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
        export RCLONE_CONFIG_NEXTCLOUD_USER="${admin.user}"
        export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${rclone}/bin/rclone obscure ${admin.password})"
        "''${@}"
      '';

      # "<env wrapper> <rclone binary>", ready to take an rclone subcommand.
      rcloneCmd = host: "${rcloneEnvFor host} ${rclone}/bin/rclone";
      rclone1 = rcloneCmd "nextcloudwithopenssl1";
      rclone3 = rcloneCmd "nextcloudwithopenssl3";

      # Upload a small plaintext through WebDAV. The script later inspects both
      # the WebDAV view and the on-disk copy under /var/lib/nextcloud/data.
      uploadFile = rcloneCommand: content: remotePath: writeScript "copy-shared-file" ''
        #!${runtimeShell}
        echo '${content}' | ${rcloneCommand} rcat nextcloud:${remotePath}
      '';
      uploadHi = uploadFile rclone1 "hi" "test-shared-file";
      uploadBye = uploadFile rclone3 "bye" "test-shared-file2";

      # System closures the running VM switches between.
      toplevelOf = node: nodes.${node}.config.system.build.toplevel;
      openssl1System = toplevelOf "nextcloudwithopenssl1";
      openssl3System = toplevelOf "nextcloudwithopenssl3";

    # On-disk files are considered encrypted when they start with the
    # `HBEGIN:oc_encryption_module` header. Note the order the script relies
    # on: data encrypted under the legacy configuration has to be decrypted
    # (`encryption:decrypt-all`) BEFORE the legacy ciphers are dropped;
    # otherwise those files are unreadable on the new configuration.
    in ''
      nextcloudwithopenssl1.start()
      nextcloudwithopenssl1.wait_for_unit("multi-user.target")
      nextcloudwithopenssl1.succeed("nextcloud-occ status")
      nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")

      with subtest("With OpenSSL 1 SSE can be enabled and used"):
        nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")

      with subtest("Upload file and ensure it's encrypted"):
        nextcloudwithopenssl1.succeed("${uploadHi}")
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("${rclone1} cat nextcloud:test-shared-file | grep hi")

      with subtest("Switch to OpenSSL 3"):
        nextcloudwithopenssl1.succeed("${openssl3System}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")

      with subtest("Existing encrypted files cannot be read, but new files can be added"):
        nextcloudwithopenssl1.fail("${rclone3} cat nextcloud:test-shared-file >&2")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")
        nextcloudwithopenssl1.succeed("${uploadBye}")
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
        nextcloudwithopenssl1.succeed("${rclone3} cat nextcloud:test-shared-file2 | grep bye")

      with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):
        nextcloudwithopenssl1.succeed("${openssl1System}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
        nextcloudwithopenssl1.succeed("${rclone1} cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${rclone1} cat nextcloud:test-shared-file | grep hi")
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")

      with subtest("Ensure that everything can be decrypted"):
        nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")
        nextcloudwithopenssl1.succeed("${rclone1} cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${rclone1} cat nextcloud:test-shared-file | grep hi")
        nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")

      with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):
        nextcloudwithopenssl1.succeed("${openssl3System}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")
        nextcloudwithopenssl1.succeed("${rclone3} cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${rclone3} cat nextcloud:test-shared-file | grep hi")

      nextcloudwithopenssl1.shutdown()
    '';
})) args