import ./make-test-python.nix ({ pkgs, lib, ... }:
let
  # Shared node module: one VLAN, a static address on eth1 and pinned host
  # aliases, so the test never depends on DHCP or DNS. Both hostnames that
  # Pomerium's policy refers to resolve to the two VMs below.
  mkNode = ip: { pkgs, lib, ... }: {
    virtualisation.vlans = [ 1 ];
    networking = {
      dhcpcd.enable = false;
      firewall.allowedTCPPorts = [ 80 443 ];
      hosts = {
        "192.168.1.1" = [ "pomerium" "pom-auth" ];
        "192.168.1.2" = [ "backend" "dummy-oidc" ];
      };
      # Priority 0 so this address wins over anything the test driver sets.
      interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
        { address = ip; prefixLength = 24; }
      ];
    };
  };
in
{
  name = "pomerium";
  meta.maintainers = [ lib.maintainers.lukegb ];

  nodes = {
    # The proxy under test. It also acts as the authenticate service
    # (pom-auth is an alias for this VM).
    pomerium = { pkgs, ... }: {
      imports = [ (mkNode "192.168.1.1") ];
      services.pomerium = {
        enable = true;
        settings = {
          # Plain HTTP on :80 inside the sandboxed VLAN only; a real
          # deployment terminates TLS and does not set insecure_server.
          address = ":80";
          insecure_server = true;
          authenticate_service_url = "http://pom-auth";

          # The IdP is a static discovery document served by the backend
          # VM's nginx (see the dummy-oidc vhost), not a real provider.
          idp_provider = "oidc";
          idp_scopes = [ "oidc" ];
          idp_client_id = "dummy";
          idp_provider_url = "http://dummy-oidc";

          policy = [
            # Anonymous route: anyone reaching my.website is proxied to the
            # backend without authentication.
            {
              from = "https://my.website";
              to = "http://192.168.1.2";
              allow_public_unauthenticated_access = true;
              preserve_host_header = true;
            }
            # Protected route: only identities from my.domain are allowed,
            # so an unauthenticated request is redirected to pom-auth.
            {
              from = "https://login.required";
              to = "http://192.168.1.2";
              allowed_domains = [ "my.domain" ];
              preserve_host_header = true;
            }
          ];
        };
        # Fixed, world-readable values in the Nix store; they protect nothing
        # beyond this throwaway VM and must never be copied into a deployment.
        secretsFile = pkgs.writeText "pomerium-secrets" ''
          # 12345678901234567890123456789012 in base64
          COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
          IDP_CLIENT_SECRET=dummy
        '';
      };
    };

    # Upstream for both policy routes, plus the stand-in identity provider.
    backend = { pkgs, ... }: {
      imports = [ (mkNode "192.168.1.2") ];
      services.nginx = {
        enable = true;
        virtualHosts = {
          "my.website".root = pkgs.runCommand "testdir" {} ''
            mkdir "$out"
            echo hello world > "$out/index.html"
          '';
          # Only the discovery document and the "authorization endpoint"
          # exist; the token, jwks and userinfo URLs are never served, so the
          # login flow is exercised only up to the redirect to auth.txt.
          "dummy-oidc".root = pkgs.runCommand "testdir" {} ''
            mkdir -p "$out/.well-known"
            cat <<EOF >"$out/.well-known/openid-configuration"
            {
              "issuer": "http://dummy-oidc",
              "authorization_endpoint": "http://dummy-oidc/auth.txt",
              "token_endpoint": "http://dummy-oidc/token",
              "jwks_uri": "http://dummy-oidc/jwks.json",
              "userinfo_endpoint": "http://dummy-oidc/userinfo",
              "id_token_signing_alg_values_supported": ["RS256"]
            }
            EOF
            echo hello I am login page >"$out/auth.txt"
          '';
        };
      };
    };
  };

  # curl --resolve pins each policy hostname to the local proxy so the
  # Host-based routing is what gets tested, not name resolution.
  testScript = { ... }: ''
    backend.wait_for_unit("nginx")
    backend.wait_for_open_port(80)

    pomerium.wait_for_unit("pomerium")
    pomerium.wait_for_open_port(80)

    with subtest("no authentication required"):
        pomerium.succeed(
            "curl --resolve my.website:80:127.0.0.1 http://my.website | grep 'hello world'"
        )

    with subtest("login required"):
        pomerium.succeed(
            "curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep pom-auth"
        )
        pomerium.succeed(
            "curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep 'hello I am login page'"
        )
  '';
})