···
# Checks that `security.pki` options are working in curl and the main browser
2
-
# engines: Gecko (via Firefox), Chromium, QtWebEngine (Falkon) and WebKitGTK
3
-
# (via Midori). The test checks that certificates issued by a custom trusted
4
-
# CA are accepted but those from an unknown CA are rejected.
2
+
# engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser) and
3
+
# WebKitGTK (via Midori). The test checks that certificates issued by a custom
4
+
# trusted CA are accepted but those from an unknown CA are rejected.
6
+
{ system ? builtins.currentSystem,
8
+
pkgs ? import ../.. { inherit system config; }
6
-
import ./make-test-python.nix ({ pkgs, lib, ... }:
11
+
with import ../lib/testing-python.nix { inherit system pkgs; };
makeCert = { caName, domain }: pkgs.runCommand "example-cert"
···
domain = "bad.example.com";
75
-
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
79
-
nodes.machine = { pkgs, ... }:
80
-
{ imports = [ ./common/user-account.nix ./common/x11.nix ];
82
-
# chromium-based browsers refuse to run as root
83
-
test-support.displayManager.auto.user = "alice";
85
-
# browsers may hang with the default memory
86
-
virtualisation.memorySize = 600;
88
-
networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ];
77
+
{ networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ];
security.pki.certificateFiles = [ "${example-good-cert}/ca.crt" ];
services.nginx.enable = true;
···
return 200 'It does not work!';
111
-
environment.systemPackages = with pkgs; [
121
-
from typing import Tuple
122
-
def execute_as(user: str, cmd: str) -> Tuple[int, str]:
124
-
Run a shell command as a specific user.
126
-
return machine.execute(f"sudo -u {user} {cmd}")
101
+
curlTest = makeTest {
102
+
name = "custom-ca-curl";
103
+
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
104
+
nodes.machine = { ... }: webserverConfig;
106
+
with subtest("Good certificate is trusted in curl"):
107
+
machine.wait_for_unit("nginx")
108
+
machine.wait_for_open_port(443)
109
+
machine.succeed("curl -fv https://good.example.com")
111
+
with subtest("Unknown CA is untrusted in curl"):
112
+
machine.fail("curl -fv https://bad.example.com")
129
-
def wait_for_window_as(user: str, cls: str) -> None:
131
-
Wait until a X11 window of a given user appears.
116
+
mkBrowserTest = browser: testParams: makeTest {
117
+
name = "custom-ca-${browser}";
118
+
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
134
-
def window_is_visible(last_try: bool) -> bool:
135
-
ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}")
137
-
machine.log(f"Last chance to match {cls} on the window list")
140
-
with machine.nested("Waiting for a window to appear"):
141
-
retry(window_is_visible)
122
+
nodes.machine = { pkgs, ... }:
124
+
[ ./common/user-account.nix
129
+
# chromium-based browsers refuse to run as root
130
+
test-support.displayManager.auto.user = "alice";
132
+
# browsers may hang with the default memory
133
+
virtualisation.memorySize = 600;
146
-
with subtest("Good certificate is trusted in curl"):
147
-
machine.wait_for_unit("nginx")
148
-
machine.wait_for_open_port(443)
149
-
machine.succeed("curl -fv https://good.example.com")
135
+
environment.systemPackages = [ pkgs.xdotool pkgs.${browser} ];
151
-
with subtest("Unknown CA is untrusted in curl"):
152
-
machine.fail("curl -fv https://bad.example.com")
139
+
from typing import Tuple
140
+
def execute_as(user: str, cmd: str) -> Tuple[int, str]:
142
+
Run a shell command as a specific user.
144
+
return machine.execute(f"sudo -u {user} {cmd}")
155
-
"firefox": "Security Risk",
156
-
"chromium": "not private",
157
-
"qutebrowser -T": "Certificate error",
158
-
"midori": "Security"
161
-
machine.wait_for_x()
162
-
for command, error in browsers.items():
163
-
browser = command.split()[0]
164
-
with subtest("Good certificate is trusted in " + browser):
166
-
"alice", f"{command} https://good.example.com >&2 &"
168
-
wait_for_window_as("alice", browser)
169
-
machine.wait_for_text("It works!")
170
-
machine.screenshot("good" + browser)
171
-
execute_as("alice", "xdotool key ctrl+w") # close tab
147
+
def wait_for_window_as(user: str, cls: str) -> None:
149
+
Wait until a X11 window of a given user appears.
173
-
with subtest("Unknown CA is untrusted in " + browser):
174
-
execute_as("alice", f"{command} https://bad.example.com >&2 &")
175
-
machine.wait_for_text(error)
176
-
machine.screenshot("bad" + browser)
177
-
machine.succeed("pkill -f " + browser)
152
+
def window_is_visible(last_try: bool) -> bool:
153
+
ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}")
155
+
machine.log(f"Last chance to match {cls} on the window list")
158
+
with machine.nested("Waiting for a window to appear"):
159
+
retry(window_is_visible)
163
+
machine.wait_for_x()
165
+
command = "${browser} ${testParams.args or ""}"
166
+
with subtest("Good certificate is trusted in ${browser}"):
168
+
"alice", f"{command} https://good.example.com >&2 &"
170
+
wait_for_window_as("alice", "${browser}")
172
+
execute_as("alice", "xdotool key ctrl+r") # reload to be safe
173
+
machine.wait_for_text("It works!")
174
+
machine.screenshot("good${browser}")
175
+
execute_as("alice", "xdotool key ctrl+w") # close tab
177
+
with subtest("Unknown CA is untrusted in ${browser}"):
178
+
execute_as("alice", f"{command} https://bad.example.com >&2 &")
179
+
machine.wait_for_text("${testParams.error}")
180
+
machine.screenshot("bad${browser}")
188
+
} // pkgs.lib.mapAttrs mkBrowserTest {
189
+
firefox = { error = "Security Risk"; };
190
+
chromium = { error = "not private"; };
191
+
qutebrowser = { args = "-T"; error = "Certificate error"; };
192
+
midori = { error = "Security"; };
pyrox.dev