pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / mosquitto.nix
at 23.11-beta 6.6 kB view raw
1import ./make-test-python.nix ({ pkgs, lib, ... }: 2 3let 4 port = 1888; 5 tlsPort = 1889; 6 anonPort = 1890; 7 password = "VERY_secret"; 8 hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw=="; 9 topic = "test/foo"; 10 11 snakeOil = pkgs.runCommand "snakeoil-certs" { 12 buildInputs = [ pkgs.gnutls.bin ]; 13 caTemplate = pkgs.writeText "snakeoil-ca.template" '' 14 cn = server 15 expiration_days = -1 16 cert_signing_key 17 ca 18 ''; 19 certTemplate = pkgs.writeText "snakeoil-cert.template" '' 20 cn = server 21 expiration_days = -1 22 tls_www_server 23 encryption_key 24 signing_key 25 ''; 26 userCertTemplate = pkgs.writeText "snakeoil-user-cert.template" '' 27 organization = snakeoil 28 cn = client1 29 expiration_days = -1 30 tls_www_client 31 encryption_key 32 signing_key 33 ''; 34 } '' 35 mkdir "$out" 36 37 certtool -p --bits 2048 --outfile "$out/ca.key" 38 certtool -s --template "$caTemplate" --load-privkey "$out/ca.key" \ 39 --outfile "$out/ca.crt" 40 certtool -p --bits 2048 --outfile "$out/server.key" 41 certtool -c --template "$certTemplate" \ 42 --load-ca-privkey "$out/ca.key" \ 43 --load-ca-certificate "$out/ca.crt" \ 44 --load-privkey "$out/server.key" \ 45 --outfile "$out/server.crt" 46 47 certtool -p --bits 2048 --outfile "$out/client1.key" 48 certtool -c --template "$userCertTemplate" \ 49 --load-privkey "$out/client1.key" \ 50 --load-ca-privkey "$out/ca.key" \ 51 --load-ca-certificate "$out/ca.crt" \ 52 --outfile "$out/client1.crt" 53 ''; 54 55in { 56 name = "mosquitto"; 57 meta = with pkgs.lib; { 58 maintainers = with maintainers; [ pennae peterhoeg ]; 59 }; 60 61 nodes = let 62 client = { pkgs, ... }: { 63 environment.systemPackages = with pkgs; [ mosquitto ]; 64 }; 65 in { 66 server = { pkgs, ... }: { 67 networking.firewall.allowedTCPPorts = [ port tlsPort anonPort ]; 68 networking.useNetworkd = true; 69 services.mosquitto = { 70 enable = true; 71 settings = { 72 sys_interval = 1; 73 }; 74 listeners = [ 75 { 76 inherit port; 77 users = { 78 password_store = { 79 inherit password; 80 }; 81 password_file = { 82 passwordFile = pkgs.writeText "mqtt-password" password; 83 }; 84 hashed_store = { 85 inherit hashedPassword; 86 }; 87 hashed_file = { 88 hashedPasswordFile = pkgs.writeText "mqtt-hashed-password" hashedPassword; 89 }; 90 91 reader = { 92 inherit password; 93 acl = [ 94 "read ${topic}" 95 "read $SYS/#" # so we always have something to read 96 ]; 97 }; 98 writer = { 99 inherit password; 100 acl = [ "write ${topic}" ]; 101 }; 102 }; 103 } 104 { 105 port = tlsPort; 106 users.client1 = { 107 acl = [ "read $SYS/#" ]; 108 }; 109 settings = { 110 cafile = "${snakeOil}/ca.crt"; 111 certfile = "${snakeOil}/server.crt"; 112 keyfile = "${snakeOil}/server.key"; 113 require_certificate = true; 114 use_identity_as_username = true; 115 }; 116 } 117 { 118 port = anonPort; 119 omitPasswordAuth = true; 120 settings.allow_anonymous = true; 121 acl = [ "pattern read #" ]; 122 users = { 123 anonWriter = { 124 password = "<ignored>" + password; 125 acl = [ "write ${topic}" ]; 126 }; 127 }; 128 } 129 ]; 130 }; 131 }; 132 133 client1 = client; 134 client2 = client; 135 }; 136 137 testScript = '' 138 def mosquitto_cmd(binary, user, topic, port): 139 return ( 140 "mosquitto_{} " 141 "-V mqttv311 " 142 "-h server " 143 "-p {} " 144 "-u {} " 145 "-P '${password}' " 146 "-t '{}'" 147 ).format(binary, port, user, topic) 148 149 150 def publish(args, user, topic="${topic}", port=${toString port}): 151 return "{} {}".format(mosquitto_cmd("pub", user, topic, port), args) 152 153 def subscribe(args, user, topic="${topic}", port=${toString port}): 154 return "{} -W 5 -C 1 {}".format(mosquitto_cmd("sub", user, topic, port), args) 155 156 def parallel(*fns): 157 from threading import Thread 158 threads = [ Thread(target=fn) for fn in fns ] 159 for t in threads: t.start() 160 for t in threads: t.join() 161 162 def wait_uuid(uuid): 163 server.wait_for_console_text(uuid) 164 return None 165 166 167 start_all() 168 server.wait_for_unit("mosquitto.service") 169 170 with subtest("check passwords"): 171 client1.succeed(publish("-m test", "password_store")) 172 client1.succeed(publish("-m test", "password_file")) 173 client1.succeed(publish("-m test", "hashed_store")) 174 client1.succeed(publish("-m test", "hashed_file")) 175 176 with subtest("check acl"): 177 client1.succeed(subscribe("", "reader", topic="$SYS/#")) 178 client1.fail(subscribe("", "writer", topic="$SYS/#")) 179 180 parallel( 181 lambda: client1.succeed(subscribe("-i 3688cdd7-aa07-42a4-be22-cb9352917e40", "reader")), 182 lambda: [ 183 wait_uuid("3688cdd7-aa07-42a4-be22-cb9352917e40"), 184 client2.succeed(publish("-m test", "writer")) 185 ]) 186 187 parallel( 188 lambda: client1.fail(subscribe("-i 24ff16a2-ae33-4a51-9098-1b417153c712", "reader")), 189 lambda: [ 190 wait_uuid("24ff16a2-ae33-4a51-9098-1b417153c712"), 191 client2.succeed(publish("-m test", "reader")) 192 ]) 193 194 with subtest("check tls"): 195 client1.succeed( 196 subscribe( 197 "--cafile ${snakeOil}/ca.crt " 198 "--cert ${snakeOil}/client1.crt " 199 "--key ${snakeOil}/client1.key", 200 topic="$SYS/#", 201 port=${toString tlsPort}, 202 user="no_such_user")) 203 204 with subtest("check omitPasswordAuth"): 205 parallel( 206 lambda: client1.succeed(subscribe("-i fd56032c-d9cb-4813-a3b4-6be0e04c8fc3", 207 "anonReader", port=${toString anonPort})), 208 lambda: [ 209 wait_uuid("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"), 210 client2.succeed(publish("-m test", "anonWriter", port=${toString anonPort})) 211 ]) 212 ''; 213})