import ./make-test-python.nix ({ pkgs, lib, ... }:
let
  # Skeleton shared by both VMs: one isolated test VLAN, static addressing
  # (DHCP off) and a hosts file mapping every hostname the test uses onto
  # the two machines. Only ports 80 and 443 are opened in the firewall.
  mkNode = myIP: { pkgs, lib, ... }: {
    virtualisation.vlans = [ 1 ];
    networking.dhcpcd.enable = false;
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    networking.hosts."192.168.1.1" = [ "pomerium" "pom-auth" ];
    networking.hosts."192.168.1.2" = [ "backend" "dummy-oidc" ];
    # Priority 0 wins over any other definition of this address list.
    networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
      { address = myIP; prefixLength = 24; }
    ];
  };

  # Document root for my.website: a single static page.
  websiteRoot = pkgs.runCommand "testdir" {} ''
    mkdir "$out"
    echo hello world > "$out/index.html"
  '';

  # Document root for the stand-in identity provider: an OIDC discovery
  # document plus a plain-text "login page" at the authorization endpoint.
  # The token, jwks and userinfo URLs are never requested by the test
  # script below, so nothing is served there.
  oidcRoot = pkgs.runCommand "testdir" {} ''
    mkdir -p "$out/.well-known"
    cat <<EOF >"$out/.well-known/openid-configuration"
    {
      "issuer": "http://dummy-oidc",
      "authorization_endpoint": "http://dummy-oidc/auth.txt",
      "token_endpoint": "http://dummy-oidc/token",
      "jwks_uri": "http://dummy-oidc/jwks.json",
      "userinfo_endpoint": "http://dummy-oidc/userinfo",
      "id_token_signing_alg_values_supported": ["RS256"]
    }
    EOF
    echo hello I am login page >"$out/auth.txt"
  '';

  # Test-only secrets. pkgs.writeText places this file in the world-readable
  # Nix store, which is fine for these fixed dummy values but is not how a
  # real deployment should supply COOKIE_SECRET or IDP_CLIENT_SECRET.
  secrets = pkgs.writeText "pomerium-secrets" ''
    # 12345678901234567890123456789012 in base64
    COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
    IDP_CLIENT_SECRET=dummy
  '';
in
{
  name = "pomerium";
  meta.maintainers = with lib.maintainers; [ lukegb ];

  nodes.pomerium = { pkgs, lib, ... }: {
    imports = [ (mkNode "192.168.1.1") ];
    # chromium drives the "ui" subtest in testScript.
    environment.systemPackages = [ pkgs.chromium ];

    services.pomerium = {
      enable = true;
      secretsFile = secrets;
      settings = {
        # Plain HTTP on :80 with insecure_server is acceptable only because
        # all traffic stays on the isolated test VLAN.
        address = ":80";
        insecure_server = true;
        authenticate_service_url = "http://pom-auth";

        # NOTE(review): the conventional OIDC scope is "openid"; "oidc" is
        # kept as-is because the script never completes a login -- confirm
        # before extending the test past the redirect to the login page.
        idp_provider = "oidc";
        idp_scopes = [ "oidc" ];
        idp_client_id = "dummy";
        idp_provider_url = "http://dummy-oidc";

        policy = [
          # Route exercised by "no authentication required": deliberately
          # open to everyone.
          {
            from = "https://my.website";
            to = "http://192.168.1.2";
            allow_public_unauthenticated_access = true;
            preserve_host_header = true;
          }
          # Route exercised by "login required": unauthenticated requests
          # are sent to the authenticate service (pom-auth).
          {
            from = "https://login.required";
            to = "http://192.168.1.2";
            allowed_domains = [ "my.domain" ];
            preserve_host_header = true;
          }
        ];
      };
    };
  };

  nodes.backend = { pkgs, lib, ... }: {
    imports = [ (mkNode "192.168.1.2") ];
    services.nginx.enable = true;
    services.nginx.virtualHosts."my.website".root = websiteRoot;
    services.nginx.virtualHosts."dummy-oidc".root = oidcRoot;
  };

  # Python driver. Each curl/chromium call pins the hostname to 127.0.0.1 so
  # the requests hit the local pomerium instance; the chromium flags are
  # reproduced verbatim from upstream.
  testScript = { ... }: ''
    backend.wait_for_unit("nginx")
    backend.wait_for_open_port(80)

    pomerium.wait_for_unit("pomerium")
    pomerium.wait_for_open_port(80)

    with subtest("no authentication required"):
        pomerium.succeed(
            "curl --resolve my.website:80:127.0.0.1 http://my.website | grep 'hello world'"
        )

    with subtest("login required"):
        pomerium.succeed(
            "curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep pom-auth"
        )
        pomerium.succeed(
            "curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep 'hello I am login page'"
        )

    with subtest("ui"):
        pomerium.succeed(
            # check for a string that only appears if the UI is displayed correctly
            "chromium --no-sandbox --headless --disable-gpu --dump-dom --host-resolver-rules='MAP login.required 127.0.0.1:80' http://login.required/.pomerium | grep 'contact your administrator'"
        )
  '';
})