commit 0e857fc1d92ab5ce0c8b53e2a1df558892c3b2ff · pyrox.dev/nixpkgs

+48
nixos/tests/stunnel.nix
···

       123
       123
        
             client.succeed('[[ "$(< out)" == "" ]]')

     

       124
       124
        
           '';

     

       125
       125
        
         };

     

       126
       126
       +
       

     

       127
       127
       +
         mutualAuth = makeTest {

     

       128
       128
       +
           name = "mutualAuth";

     

       129
       129
       +
       

     

       130
       130
       +
           nodes = rec {

     

       131
       131
       +
             client = {

     

       132
       132
       +
               imports = [ makeCert stunnelCommon ];

     

       133
       133
       +
               services.stunnel.clients.authenticated-https = {

     

       134
       134
       +
                 accept = "80";

     

       135
       135
       +
                 connect = "server:443";

     

       136
       136
       +
                 verifyPeer = true;

     

       137
       137
       +
                 CAFile = "/authorized-server-cert.crt";

     

       138
       138
       +
                 cert = "/test-cert.pem";

     

       139
       139
       +
                 key = "/test-key.pem";

     

       140
       140
       +
               };

     

       141
       141
       +
             };

     

       142
       142
       +
             wrongclient = client;

     

       143
       143
       +
             server = {

     

       144
       144
       +
               imports = [ makeCert serverCommon stunnelCommon ];

     

       145
       145
       +
               services.stunnel.servers.https = {

     

       146
       146
       +
                 CAFile = "/authorized-client-certs.crt";

     

       147
       147
       +
                 verifyPeer = true;

     

       148
       148
       +
               };

     

       149
       149
       +
               environment.etc."webroot/index.html".text = "secret handshake";

     

       150
       150
       +
             };

     

       151
       151
       +
           };

     

       152
       152
       +
       

     

       153
       153
       +
           testScript = ''

     

       154
       154
       +
             start_all()

     

       155
       155
       +
       

     

       156
       156
       +
             ${copyCert "server" "client" "/authorized-server-cert.crt"}

     

       157
       157
       +
             ${copyCert "client" "server" "/authorized-client-certs.crt"}

     

       158
       158
       +
             ${copyCert "server" "wrongclient" "/authorized-server-cert.crt"}

     

       159
       159
       +
       

     

       160
       160
       +
             # In case stunnel came up before we got the cross-certs in place

     

       161
       161
       +
             client.succeed("systemctl reload-or-restart stunnel")

     

       162
       162
       +
             server.succeed("systemctl reload-or-restart stunnel")

     

       163
       163
       +
             wrongclient.succeed("systemctl reload-or-restart stunnel")

     

       164
       164
       +
       

     

       165
       165
       +
             server.wait_for_unit("simple-webserver")

     

       166
       166
       +
             client.fail("curl --fail --insecure https://server/ > out")

     

       167
       167
       +
             client.succeed('[[ "$(< out)" == "" ]]')

     

       168
       168
       +
             client.succeed("curl --fail http://localhost/ > out")

     

       169
       169
       +
             client.succeed('[[ "$(< out)" == "secret handshake" ]]')

     

       170
       170
       +
             wrongclient.fail("curl --fail http://localhost/ > out")

     

       171
       171
       +
             wrongclient.succeed('[[ "$(< out)" == "" ]]')

     

       172
       172
       +
           '';

     

       173
       173
       +
         };

     

       126
       174
        
       }