# NixOS VM test for the Pomerium reverse proxy.  Two nodes share one VLAN:
# "pomerium" runs the proxy, "backend" runs nginx serving both the proxied
# site and a stub OIDC discovery document used as the identity provider.
import ./make-test-python.nix (
  { pkgs, lib, ... }:
  {
    name = "pomerium";
    meta.maintainers = [
      lib.maintainers.lukegb
      lib.maintainers.devusb
    ];

    nodes =
      let
        # Configuration shared by both nodes: one VLAN, a static address on
        # eth1, ports 80/443 open, and /etc/hosts entries so the test
        # hostnames resolve without DNS.
        mkNode =
          addr:
          { pkgs, ... }:
          {
            virtualisation.vlans = [ 1 ];
            networking.dhcpcd.enable = false;
            networking.firewall.allowedTCPPorts = [ 80 443 ];
            # "pom-auth" (the authenticate service) points at the pomerium
            # node itself; "dummy-oidc" points at the nginx backend.
            networking.hosts."192.168.1.1" = [ "pomerium" "pom-auth" ];
            networking.hosts."192.168.1.2" = [ "backend" "dummy-oidc" ];
            # Priority 0 overrides any other definition of the eth1 address
            # (presumably the one the test driver assigns per VLAN).
            networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
              { address = addr; prefixLength = 24; }
            ];
          };
      in
      {
        pomerium =
          { pkgs, ... }:
          {
            imports = [ (mkNode "192.168.1.1") ];
            # chromium is only needed by the "ui" subtest below.
            environment.systemPackages = [ pkgs.chromium ];
            services.pomerium = {
              enable = true;
              settings = {
                # Plain HTTP on :80; TLS is not exercised by this test.
                address = ":80";
                insecure_server = true;
                authenticate_service_url = "http://pom-auth";

                # Stub OIDC provider served by the backend node (see below).
                idp_provider = "oidc";
                idp_scopes = [ "oidc" ];
                idp_client_id = "dummy";
                idp_provider_url = "http://dummy-oidc";

                # Two routes to the same upstream: the first is reachable
                # without authentication, the second requires a login from
                # an allowed domain.
                policy = [
                  {
                    from = "https://my.website";
                    to = "http://192.168.1.2";
                    allow_public_unauthenticated_access = true;
                    preserve_host_header = true;
                  }
                  {
                    from = "https://login.required";
                    to = "http://192.168.1.2";
                    allowed_domains = [ "my.domain" ];
                    preserve_host_header = true;
                  }
                ];
              };
              # Test-only secrets.  writeText puts this file in the
              # world-readable Nix store, which is acceptable for a throwaway
              # VM but not a pattern for real deployments.
              secretsFile = pkgs.writeText "pomerium-secrets" ''
                # 12345678901234567890123456789012 in base64
                COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
                IDP_CLIENT_SECRET=dummy
              '';
            };
          };

        backend =
          { pkgs, ... }:
          {
            imports = [ (mkNode "192.168.1.2") ];
            services.nginx = {
              enable = true;
              virtualHosts = {
                # The static site behind both Pomerium routes.
                "my.website".root = pkgs.runCommand "testdir" { } ''
                  mkdir "$out"
                  echo hello world > "$out/index.html"
                '';
                # Minimal OIDC discovery document plus a static "login page".
                # Only the discovery document and auth.txt are served; the
                # token/jwks/userinfo URLs it advertises are not, so the
                # test can only follow the login redirect as far as auth.txt.
                "dummy-oidc".root = pkgs.runCommand "testdir" { } ''
                  mkdir -p "$out/.well-known"
                  cat <<EOF >"$out/.well-known/openid-configuration"
                  {
                    "issuer": "http://dummy-oidc",
                    "authorization_endpoint": "http://dummy-oidc/auth.txt",
                    "token_endpoint": "http://dummy-oidc/token",
                    "jwks_uri": "http://dummy-oidc/jwks.json",
                    "userinfo_endpoint": "http://dummy-oidc/userinfo",
                    "id_token_signing_alg_values_supported": ["RS256"]
                  }
                  EOF
                  echo hello I am login page >"$out/auth.txt"
                '';
              };
            };
          };
      };

    # All requests are issued from the pomerium node with the hostname pinned
    # to 127.0.0.1 (curl --resolve / chromium --host-resolver-rules) rather
    # than via DNS.  The "ui" subtest renders /.pomerium with a headless,
    # unsandboxed chromium inside the test VM and greps the dumped DOM.
    testScript =
      { ... }:
      ''
        backend.wait_for_unit("nginx")
        backend.wait_for_open_port(80)

        pomerium.wait_for_unit("pomerium")
        pomerium.wait_for_open_port(80)

        with subtest("no authentication required"):
            pomerium.succeed(
                "curl --resolve my.website:80:127.0.0.1 http://my.website | grep 'hello world'"
            )

        with subtest("login required"):
            pomerium.succeed(
                "curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep pom-auth"
            )
            pomerium.succeed(
                "curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep 'hello I am login page'"
            )

        with subtest("ui"):
            pomerium.succeed(
                # check for a string that only appears if the UI is displayed correctly
                "chromium --no-sandbox --headless --disable-gpu --dump-dom --host-resolver-rules='MAP login.required 127.0.0.1:80' http://login.required/.pomerium | grep 'User Details Not Available'"
            )
      '';
  }
)