nixos/tests/dex-oidc.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / dex-oidc.nix
at master 3.0 kB view raw
 1{ lib, ... }:
 2{
 3  name = "dex-oidc";
 4  meta.maintainers = with lib.maintainers; [ Flakebi ];
 5
 6  nodes.machine =
 7    { pkgs, ... }:
 8    {
 9      environment.systemPackages = with pkgs; [ jq ];
10      services.dex = {
11        enable = true;
12        settings = {
13          issuer = "http://127.0.0.1:8080/dex";
14          storage = {
15            type = "postgres";
16            config.host = "/var/run/postgresql";
17          };
18          web.http = "127.0.0.1:8080";
19          oauth2.skipApprovalScreen = true;
20          staticClients = [
21            {
22              id = "oidcclient";
23              name = "Client";
24              redirectURIs = [ "https://example.com/callback" ];
25              secretFile = "/etc/dex/oidcclient";
26            }
27          ];
28          connectors = [
29            {
30              type = "mockPassword";
31              id = "mock";
32              name = "Example";
33              config = {
34                username = "admin";
35                password = "password";
36              };
37            }
38          ];
39        };
40      };
41
42      # This should not be set from nix but through other means to not leak the secret.
43      environment.etc."dex/oidcclient" = {
44        mode = "0400";
45        user = "dex";
46        text = "oidcclientsecret";
47      };
48
49      services.postgresql = {
50        enable = true;
51        ensureDatabases = [ "dex" ];
52        ensureUsers = [
53          {
54            name = "dex";
55            ensureDBOwnership = true;
56          }
57        ];
58      };
59    };
60
61  testScript = ''
62    with subtest("Web server gets ready"):
63        machine.wait_for_unit("dex.service", timeout=120)
64        # Wait until server accepts connections
65        machine.wait_until_succeeds("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid'", timeout=120)
66
67    with subtest("Login"):
68        state = machine.succeed("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid' | sed -n 's/.*state=\\(.*\\)\">.*/\\1/p'").strip()
69        print(f"Got state {state}")
70        # Login request returns 303 with redirect_url that has code as query parameter:
71        # https://example.com/callback?code=kibsamwdupuy2iwqnlbqei3u6&state=
72        code = machine.succeed(f"curl -fs 'localhost:8080/dex/auth/mock/login?back=&state={state}' -d 'login=admin&password=password' -w '%{{redirect_url}}' | sed -n 's/.*code=\\(.*\\)&.*/\\1/p'")
73        print(f"Got approval code {code}")
74        bearer = machine.succeed(f"curl -fs localhost:8080/dex/token -u oidcclient:oidcclientsecret -d 'grant_type=authorization_code&redirect_uri=https://example.com/callback&code={code}' | jq .access_token -r").strip()
75        print(f"Got access token {bearer}")
76
77    with subtest("Get userinfo"):
78        assert '"sub"' in machine.succeed(
79            f"curl -fs localhost:8080/dex/userinfo --oauth2-bearer {bearer}"
80        )
81  '';
82}