1
-
import ./make-test-python.nix (
1
+
{ lib, hostPkgs, ... }:
21
-
log /dev/log local0 debug err
20
+
log /dev/log local0 debug err
27
-
server httpd [::1]:8000 alpn http/1.1
26
+
server httpd [::1]:8000 alpn http/1.1
31
-
bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1
32
-
bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt
30
+
bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1
31
+
bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt
34
-
http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc }
33
+
http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc }
36
-
http-request use-service prometheus-exporter if { path /metrics }
37
-
use_backend http_server
35
+
http-request use-service prometheus-exporter if { path /metrics }
36
+
use_backend http_server
39
-
frontend http-cert-auth
40
-
bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt
41
-
bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3
38
+
frontend http-cert-auth
39
+
bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt
40
+
bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3
43
-
use_backend http_server
48
-
virtualHosts.localhost = {
49
-
documentRoot = pkgs.writeTextDir "index.txt" "We are all good!";
50
-
adminAddr = "notme@yourhost.local";
59
-
networking.firewall.allowedTCPPorts = [
64
-
networking.firewall.allowedUDPPorts = [
42
+
use_backend http_server
72
-
environment.systemPackages = [ pkgs.curlHTTP3 ];
47
+
virtualHosts.localhost = {
48
+
documentRoot = pkgs.writeTextDir "index.txt" "We are all good!";
49
+
adminAddr = "notme@yourhost.local";
78
-
print(f"+{command}")
79
-
r = os.system(command)
81
-
raise Exception(f"Command {command} failed with exit code {r}")
58
+
networking.firewall.allowedTCPPorts = [
63
+
networking.firewall.allowedUDPPorts = [
71
+
environment.systemPackages = [ pkgs.curlHTTP3 ];
77
+
print(f"+{command}")
78
+
r = os.system(command)
80
+
raise Exception(f"Command {command} failed with exit code {r}")
83
-
def openssl(command):
84
-
cmd(f"${pkgs.openssl}/bin/openssl {command}")
82
+
def openssl(command):
83
+
cmd(f"${lib.getExe hostPkgs.openssl} {command}")
87
-
openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt")
86
+
openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt")
89
-
# Generate and sign Server.
90
-
openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr")
91
-
openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7")
92
-
cmd("cat server.crt server.key > fullchain.pem")
88
+
# Generate and sign Server.
89
+
openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr")
90
+
openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7")
91
+
cmd("cat server.crt server.key > fullchain.pem")
94
-
# Generate and sign Client.
95
-
openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr")
96
-
openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7")
97
-
cmd("cat client.crt client.key > client.pem")
93
+
# Generate and sign Client.
94
+
openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr")
95
+
openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7")
96
+
cmd("cat client.crt client.key > client.pem")
99
-
# Start the actual test.
101
-
server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem")
102
-
server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
103
-
server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt")
98
+
# Start the actual test.
100
+
server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem")
101
+
server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
102
+
server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt")
105
-
client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
106
-
client.copy_from_host("client.pem", "/root/client.pem")
104
+
client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
105
+
client.copy_from_host("client.pem", "/root/client.pem")
108
-
server.wait_for_unit("multi-user.target")
109
-
server.wait_for_unit("haproxy.service")
110
-
server.wait_for_unit("httpd.service")
107
+
server.wait_for_unit("multi-user.target")
108
+
server.wait_for_unit("haproxy.service")
109
+
server.wait_for_unit("httpd.service")
112
-
assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
113
-
assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics")
111
+
assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
112
+
assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics")
115
-
with subtest("https"):
116
-
assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt")
114
+
with subtest("https"):
115
+
assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt")
118
-
with subtest("https-cert-auth"):
119
-
# Client must succeed in authenticating with the right certificate.
120
-
assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
121
-
# Client must fail without certificate.
122
-
client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")
117
+
with subtest("https-cert-auth"):
118
+
# Client must succeed in authenticating with the right certificate.
119
+
assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
120
+
# Client must fail without certificate.
121
+
client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")
124
-
with subtest("h3"):
125
-
assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt")
123
+
with subtest("h3"):
124
+
assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt")
127
-
with subtest("h3-cert-auth"):
128
-
# Client must succeed in authenticating with the right certificate.
129
-
assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
130
-
# Client must fail without certificate.
131
-
client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")
126
+
with subtest("h3-cert-auth"):
127
+
# Client must succeed in authenticating with the right certificate.
128
+
assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
129
+
# Client must fail without certificate.
130
+
client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")
133
-
with subtest("reload"):
134
-
server.succeed("systemctl reload haproxy")
135
-
# wait some time to ensure the following request hits the reloaded haproxy
137
-
assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
132
+
with subtest("reload"):
133
+
server.succeed("systemctl reload haproxy")
134
+
# wait some time to ensure the following request hits the reloaded haproxy
136
+
assert "We are all good!" in client.succeed("curl -f http://server/index.txt")