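# NixOS VM test for the ghostunnel module.
#
# Topology: client --TLS--> service (ghostunnel) --plaintext--> backend (nginx:80)
# Two ghostunnel listeners are exercised: a server-only TLS endpoint on :443
# and a mutual-TLS endpoint on :1443 that requires a CA-signed client
# certificate with CN=client.  All certificates are generated on the build
# host at test time and copied into the VMs; nothing here is reused outside
# this sandbox.
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "ghostunnel";
    nodes = {
      # Plain HTTP origin that ghostunnel fronts.  It serves a single file so
      # the checks below can compare the body byte-for-byte.
      backend =
        { pkgs, ... }:
        {
          services.nginx.enable = true;
          services.nginx.virtualHosts."backend".root = pkgs.runCommand "webroot" { } ''
            mkdir $out
            echo hi >$out/hi.txt
          '';
          networking.firewall.allowedTCPPorts = [ 80 ];
        };
      service =
        { ... }:
        {
          services.ghostunnel.enable = true;
          # Server-only TLS: clients are not authenticated
          # (disableAuthentication).  unsafeTarget acknowledges that the hop
          # to backend:80 is plaintext.
          services.ghostunnel.servers."plain-old" = {
            listen = "0.0.0.0:443";
            cert = "/root/service-cert.pem";
            key = "/root/service-key.pem";
            disableAuthentication = true;
            target = "backend:80";
            unsafeTarget = true;
          };
          # Mutual TLS: client certificates must chain to cacert and, via
          # allowCN, are additionally restricted by subject CN.
          services.ghostunnel.servers."client-cert" = {
            listen = "0.0.0.0:1443";
            cert = "/root/service-cert.pem";
            key = "/root/service-key.pem";
            cacert = "/root/ca.pem";
            target = "backend:80";
            allowCN = [ "client" ];
            unsafeTarget = true;
          };
          networking.firewall.allowedTCPPorts = [
            443
            1443
          ];
        };
      client =
        { pkgs, ... }:
        {
          environment.systemPackages = [
            pkgs.curl
          ];
        };
    };

    testScript = ''

      # prepare certificates

      def cmd(command):
          """Run a host-side shell command, echoing it first.

          Raises an Exception if the command exits non-zero, so a failed
          openssl step aborts the test instead of producing a missing or
          half-written certificate that only shows up later as a TLS error.
          """
          print(f"+{command}")
          r = os.system(command)
          if r != 0:
              raise Exception(f"Command {command} failed with exit code {r}")

      # Create CA (throw-away, test-local; never leaves the build sandbox)
      cmd("${pkgs.openssl}/bin/openssl genrsa -out ca-key.pem 4096")
      cmd("${pkgs.openssl}/bin/openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem")

      # Create service certificate: SAN covers the hostname the client uses
      # ("service") so curl's hostname verification passes with --cacert.
      # The extension file is (re)created with ">" so a stale file from an
      # earlier step can never leak extra extensions into it.
      cmd("${pkgs.openssl}/bin/openssl genrsa -out service-key.pem 4096")
      cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=service' -sha256 -new -key service-key.pem -out service.csr")
      cmd("echo subjectAltName = DNS:service,IP:127.0.0.1 > extfile.cnf")
      cmd("echo extendedKeyUsage = serverAuth >> extfile.cnf")
      cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out service-cert.pem -extfile extfile.cnf")

      # Create client certificate; CN=client is what allowCN on :1443 admits.
      cmd("${pkgs.openssl}/bin/openssl genrsa -out client-key.pem 4096")
      cmd("${pkgs.openssl}/bin/openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr")
      cmd("echo extendedKeyUsage = clientAuth > extfile-client.cnf")
      cmd("${pkgs.openssl}/bin/openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf")

      cmd("ls -al")

      start_all()

      # Configuration: the service gets its own key pair plus the CA used to
      # verify clients; the client gets the CA (to verify the service) and its
      # own key pair.  The CA private key is deliberately copied nowhere.
      service.copy_from_host("ca.pem", "/root/ca.pem")
      service.copy_from_host("service-cert.pem", "/root/service-cert.pem")
      service.copy_from_host("service-key.pem", "/root/service-key.pem")
      client.copy_from_host("ca.pem", "/root/ca.pem")
      client.copy_from_host("service-cert.pem", "/root/service-cert.pem")
      client.copy_from_host("client-cert.pem", "/root/client-cert.pem")
      client.copy_from_host("client-key.pem", "/root/client-key.pem")

      backend.wait_for_unit("nginx.service")
      service.wait_for_unit("multi-user.target")
      client.wait_for_unit("multi-user.target")
      # multi-user.target does not guarantee the listeners are bound yet;
      # wait for the ports explicitly so the checks below cannot race
      # ghostunnel's start-up and fail for an unrelated reason.
      service.wait_for_open_port(443)
      service.wait_for_open_port(1443)

      # Check assumptions before the real test
      client.succeed("bash -c 'diff <(curl -v --no-progress-meter http://backend/hi.txt) <(echo hi)'")

      # Plain old simple TLS can connect, ignoring cert
      client.succeed("bash -c 'diff <(curl -v --no-progress-meter --insecure https://service/hi.txt) <(echo hi)'")

      # Plain old simple TLS provides correct signature with its cert
      # (chain and hostname are verified against the test CA here)
      client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service/hi.txt) <(echo hi)'")

      # Client can authenticate with certificate
      client.succeed("bash -c 'diff <(curl -v --no-progress-meter --cert /root/client-cert.pem --key /root/client-key.pem --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'")

      # Client must authenticate with certificate.
      # Only the missing-certificate case is covered here; a CA-signed
      # certificate whose CN is outside allowCN is not exercised by this test.
      client.fail("bash -c 'diff <(curl -v --no-progress-meter --cacert /root/ca.pem https://service:1443/hi.txt) <(echo hi)'")
    '';

    meta.maintainers = with pkgs.lib.maintainers; [
      roberth
    ];
  }
)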