author | Scott Worley <scottworley@scottworley.com> | 2022-02-22 14:08:43 -0800 |
committer | Scott Worley <scottworley@scottworley.com> | 2022-02-22 17:18:20 -0800 |
commit | 61585d1cd7f699dd9187ade7c0b21735c96b53ee (patch) | |
tree | 58825d019b7e6ee717fbfeea1241d3019260f078 | |
parent | 23d785aa6f853e6cf3430119811c334025bbef55 (diff) | |
nixos/tests/stunnel: init
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/stunnel.nix | 126 | ||||
-rw-r--r-- | pkgs/tools/networking/stunnel/default.nix | 6 |
3 files changed, 132 insertions, 1 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 3fd4945ed35..06ebf53dd80 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -483,6 +483,7 @@ in
 starship = handleTest ./starship.nix {};
 step-ca = handleTestOn ["x86_64-linux"] ./step-ca.nix {};
 strongswan-swanctl = handleTest ./strongswan-swanctl.nix {};
+ stunnel = handleTest ./stunnel.nix {};
 sudo = handleTest ./sudo.nix {};
 sway = handleTest ./sway.nix {};
 switchTest = handleTest ./switch-test.nix {};
diff --git a/nixos/tests/stunnel.nix b/nixos/tests/stunnel.nix
new file mode 100644
index 00000000000..e5e2b85ccbe
--- /dev/null
+++ b/nixos/tests/stunnel.nix
@@ -0,0 +1,126 @@
+{ system ? builtins.currentSystem, config ? { }
+, pkgs ? import ../.. { inherit system config; } }:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+with pkgs.lib;
+
+let
+ stunnelCommon = {
+ services.stunnel = {
+ enable = true;
+ user = "stunnel";
+ };
+ users.groups.stunnel = { };
+ users.users.stunnel = {
+ isSystemUser = true;
+ group = "stunnel";
+ };
+ };
+ makeCert = { config, pkgs, ... }: {
+ system.activationScripts.create-test-cert = stringAfter [ "users" ] ''
+ ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa -nodes -out /test-cert.pem -keyout /test-key.pem -subj /CN=${config.networking.hostName}
+ ( umask 077; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem )
+ chown stunnel /test-key.pem /test-key-and-cert.pem
+ '';
+ };
+ serverCommon = { pkgs, ... }: {
+ networking.firewall.allowedTCPPorts = [ 443 ];
+ services.stunnel.servers.https = {
+ accept = "443";
+ connect = 80;
+ cert = "/test-key-and-cert.pem";
+ };
+ systemd.services.simple-webserver = {
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ cd /etc/webroot
+ ${pkgs.python3}/bin/python -m http.server 80
+ '';
+ };
+ };
+ copyCert = src: dest: filename: ''
+ from shlex import quote
+ ${src}.wait_for_file("/test-key-and-cert.pem")
+ server_cert = ${src}.succeed("cat /test-cert.pem")
+ ${dest}.succeed("echo %s > $(unknown)" % quote(server_cert))
+ '';
+
+in {
+ basicServer = makeTest {
+ name = "basicServer";
+
+ nodes = {
+ client = { };
+ server = {
+ imports = [ makeCert serverCommon stunnelCommon ];
+ environment.etc."webroot/index.html".text = "well met";
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ ${copyCert "server" "client" "/authorized-server-cert.crt"}
+
+ server.wait_for_unit("simple-webserver")
+ server.wait_for_unit("stunnel")
+
+ client.succeed("curl --fail --cacert /authorized-server-cert.crt https://server/ > out")
+ client.succeed('[[ "$(< out)" == "well met" ]]')
+ '';
+ };
+
+ serverAndClient = makeTest {
+ name = "serverAndClient";
+
+ nodes = {
+ client = {
+ imports = [ stunnelCommon ];
+ services.stunnel.clients = {
+ httpsClient = {
+ accept = "80";
+ connect = "server:443";
+ CAFile = "/authorized-server-cert.crt";
+ };
+ httpsClientWithHostVerify = {
+ accept = "81";
+ connect = "server:443";
+ CAFile = "/authorized-server-cert.crt";
+ verifyHostname = "server";
+ };
+ httpsClientWithHostVerifyFail = {
+ accept = "82";
+ connect = "server:443";
+ CAFile = "/authorized-server-cert.crt";
+ verifyHostname = "wronghostname";
+ };
+ };
+ };
+ server = {
+ imports = [ makeCert serverCommon stunnelCommon ];
+ environment.etc."webroot/index.html".text = "hello there";
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ ${copyCert "server" "client" "/authorized-server-cert.crt"}
+
+ server.wait_for_unit("simple-webserver")
+ server.wait_for_unit("stunnel")
+
+ # In case stunnel came up before we got the server's cert copied over
+ client.succeed("systemctl reload-or-restart stunnel")
+
+ client.succeed("curl --fail http://localhost/ > out")
+ client.succeed('[[ "$(< out)" == "hello there" ]]')
+
+ client.succeed("curl --fail http://localhost:81/ > out")
+ client.succeed('[[ "$(< out)" == "hello there" ]]')
+
+ client.fail("curl --fail http://localhost:82/ > out")
+ client.succeed('[[ "$(< out)" == "" ]]')
+ '';
+ };
+}
diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix
index c42e78c933d..b3ebacb2727 100644
--- a/pkgs/tools/networking/stunnel/default.nix
+++ b/pkgs/tools/networking/stunnel/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, openssl }:
+{ lib, stdenv, fetchurl, openssl, nixosTests }:
 
 stdenv.mkDerivation rec {
 pname = "stunnel";
@@ -28,6 +28,10 @@ stdenv.mkDerivation rec {
 "localstatedir=\${TMPDIR}"
 ];
 
+ passthru.tests = {
+ stunnel = nixosTests.stunnel;
+ };
+
 meta = {
 description = "Universal tls/ssl wrapper";
 homepage = "https://www.stunnel.org/";
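Review bot: In `copyCert`, the `filename` parameter is never referenced in the body as rendered — the redirect reads `"echo %s > $(unknown)"`, so the `/authorized-server-cert.crt` passed by both tests would not decide where the server cert lands, and a literal `$(unknown)` would make that `succeed` call fail on an ambiguous redirect before either test reaches curl. This looks like a rendering artifact for `${filename}`, but confirm against the checked-in file. Separately, in `makeCert` only the concatenated `/test-key-and-cert.pem` is written under `umask 077`; `/test-key.pem` is created by `openssl req -keyout` under the default umask and only then chown'd, so moving the umask in front of the key generation, `( umask 077; ${pkgs.openssl}/bin/openssl req … -keyout /test-key.pem …; cat /test-key.pem /test-cert.pem > /test-key-and-cert.pem )`, keeps the private key from ever being created readable by other users — minor in a throwaway test VM, but it is the pattern people copy. A one-line comment above the three `services.stunnel.clients` entries would also make the intent of the port numbers clear, e.g. `# 80: CA check only; 81: CA check + matching hostname; 82: CA check + mismatching hostname, must be rejected with no data returned`.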