···
# Checks that `security.pki` options are working in curl and the main browser
+
# engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser) and
+
# WebKitGTK (via Midori). The test checks that certificates issued by a custom
+
# trusted CA are accepted but those from an unknown CA are rejected.
+
{ system ? builtins.currentSystem,
+
pkgs ? import ../.. { inherit system config; }
+
with import ../lib/testing-python.nix { inherit system pkgs; };
makeCert = { caName, domain }: pkgs.runCommand "example-cert"
···
domain = "bad.example.com";
+
{ networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ];
security.pki.certificateFiles = [ "${example-good-cert}/ca.crt" ];
services.nginx.enable = true;
···
return 200 'It does not work!';
+
name = "custom-ca-curl";
+
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
+
nodes.machine = { ... }: webserverConfig;
+
with subtest("Good certificate is trusted in curl"):
+
machine.wait_for_unit("nginx")
+
machine.wait_for_open_port(443)
+
machine.succeed("curl -fv https://good.example.com")
+
with subtest("Unknown CA is untrusted in curl"):
+
machine.fail("curl -fv https://bad.example.com")
+
mkBrowserTest = browser: testParams: makeTest {
+
name = "custom-ca-${browser}";
+
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
+
nodes.machine = { pkgs, ... }:
+
[ ./common/user-account.nix
+
# chromium-based browsers refuse to run as root
+
test-support.displayManager.auto.user = "alice";
+
# browsers may hang with the default memory
+
virtualisation.memorySize = 600;
+
environment.systemPackages = [ pkgs.xdotool pkgs.${browser} ];
+
from typing import Tuple
+
def execute_as(user: str, cmd: str) -> Tuple[int, str]:
+
Run a shell command as a specific user.
+
return machine.execute(f"sudo -u {user} {cmd}")
+
def wait_for_window_as(user: str, cls: str) -> None:
+
Wait until a X11 window of a given user appears.
+
def window_is_visible(last_try: bool) -> bool:
+
ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}")
+
machine.log(f"Last chance to match {cls} on the window list")
+
with machine.nested("Waiting for a window to appear"):
+
retry(window_is_visible)
+
command = "${browser} ${testParams.args or ""}"
+
with subtest("Good certificate is trusted in ${browser}"):
+
"alice", f"{command} https://good.example.com >&2 &"
+
wait_for_window_as("alice", "${browser}")
+
execute_as("alice", "xdotool key ctrl+r") # reload to be safe
+
machine.wait_for_text("It works!")
+
machine.screenshot("good${browser}")
+
execute_as("alice", "xdotool key ctrl+w") # close tab
+
with subtest("Unknown CA is untrusted in ${browser}"):
+
execute_as("alice", f"{command} https://bad.example.com >&2 &")
+
machine.wait_for_text("${testParams.error}")
+
machine.screenshot("bad${browser}")
+
} // pkgs.lib.mapAttrs mkBrowserTest {
+
firefox = { error = "Security Risk"; };
+
chromium = { error = "not private"; };
+
qutebrowser = { args = "-T"; error = "Certificate error"; };
+
midori = { error = "Security"; };
pyrox.dev