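# NixOS VM test: Nextcloud server-side encryption (SSE) across the OpenSSL 1.1 -> 3 switch.
#
# Scenario driven by the test script below (one VM, reconfigured in place):
#   1. Boot Nextcloud on the OpenSSL 1.1 build (the default for stateVersion < 22.11),
#      enable the encryption app, upload a file over WebDAV and check that the file
#      on disk carries the `HBEGIN:oc_encryption_module` header.
#   2. Switch the same VM to the OpenSSL 3 configuration. Files encrypted under 1.1
#      are expected to be unreadable for Nextcloud < 26 and readable from 26 on;
#      new files can still be stored once SSE is disabled.
#   3. Switch back to OpenSSL 1.1, re-enable SSE, confirm both files are readable,
#      then run `encryption:decrypt-all` and verify the file is stored in plaintext.
#   4. Switch to OpenSSL 3 once more and confirm every file is readable.
#
# Security notes for anyone copying this pattern:
#   * `adminpass` is a throwaway test credential. `pkgs.writeText` puts it into the
#     world-readable Nix store; never provision real secrets this way.
#   * `rclone obscure` is reversible obfuscation, not encryption.
#   * WebDAV traffic uses plain HTTP; acceptable only inside the isolated test VM.
#
# Parameters: `pkgs` (nixpkgs) and `nextcloudVersion` (major version, default 25),
# which selects `pkgs.nextcloud<version>` and steers the NC < 26 expectation in step 2.
args@{ pkgs, nextcloudVersion ? 25, ... }:

(import ../make-test-python.nix ({ pkgs, ...}: let
  adminuser = "root";
  adminpass = "notproduction"; # test-only; lands in the Nix store via writeText below
  # Configuration shared by both nodes; only hostName and the OpenSSL selection differ.
  nextcloudBase = {
    networking.firewall.allowedTCPPorts = [ 80 ];
    system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default
    services.nextcloud = {
      enable = true;
      config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}";
      database.createLocally = true;
      package = pkgs.${"nextcloud" + (toString nextcloudVersion)};
    };
  };
in {
  name = "nextcloud-openssl";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ma27 ];
  };
  # Node kept on the OpenSSL 1.1 build (inherits the stateVersion default above).
  nodes.nextcloudwithopenssl1 = {
    imports = [ nextcloudBase ];
    services.nextcloud.hostName = "nextcloudwithopenssl1";
  };
  # Node the test treats as the OpenSSL 3 build. NOTE(review): presumably this option
  # is what moves the node off the legacy-cipher OpenSSL 1.1 build — confirm against
  # the nextcloud module.
  nodes.nextcloudwithopenssl3 = {
    imports = [ nextcloudBase ];
    services.nextcloud = {
      hostName = "nextcloudwithopenssl3";
      enableBrokenCiphersForSSE = false;
    };
  };
  testScript = { nodes, ... }: let
    # Wrapper that runs its arguments with an rclone WebDAV remote named `nextcloud`
    # pointing at `host`, authenticated as the admin user. The password is only
    # obscured (reversible), which is all rclone supports for this variable.
    withRcloneEnv = host: pkgs.writeScript "with-rclone-env" ''
      #!${pkgs.runtimeShell}
      export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
      export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/"
      export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
      export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"
      export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"
      "''${@}"
    '';
    withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1";
    withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3";
    # Uploads "hi" as test-shared-file while the OpenSSL 1.1 configuration is active.
    copySharedFile1 = pkgs.writeScript "copy-shared-file" ''
      #!${pkgs.runtimeShell}
      echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file
    '';
    # Uploads "bye" as test-shared-file2 while the OpenSSL 3 configuration is active.
    copySharedFile3 = pkgs.writeScript "copy-shared-file" ''
      #!${pkgs.runtimeShell}
      echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2
    '';
    # Built system closures used to flip the single VM between the two configurations.
    openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel;
    openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel;
  in ''
    nextcloudwithopenssl1.start()
    nextcloudwithopenssl1.wait_for_unit("multi-user.target")
    nextcloudwithopenssl1.succeed("nextcloud-occ status")
    nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")
    nextcloud_version = ${toString nextcloudVersion}

    with subtest("With OpenSSL 1 SSE can be enabled and used"):
        nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")

    with subtest("Upload file and ensure it's encrypted"):
        nextcloudwithopenssl1.succeed("${copySharedFile1}")
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")

    with subtest("Switch to OpenSSL 3"):
        nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")

    with subtest("Existing encrypted files cannot be read, but new files can be added"):
        # This will succeed starting NC26 because of their custom implementation of openssl_seal
        read_existing_file_test = nextcloudwithopenssl1.fail if nextcloud_version < 26 else nextcloudwithopenssl1.succeed
        read_existing_file_test("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")
        nextcloudwithopenssl1.succeed("${copySharedFile3}")
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")

    with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):
        nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")

    with subtest("Ensure that everything can be decrypted"):
        nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
        # `grep -v` would pass as long as *any* line lacks the header (e.g. header followed by
        # plaintext), so assert the header is absent and the plaintext is on disk instead.
        nextcloudwithopenssl1.fail("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("grep hi /var/lib/nextcloud/data/root/files/test-shared-file")

    with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):
        nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")

    nextcloudwithopenssl1.shutdown()
  '';
})) args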