path: root/nixos/tests/custom-ca.nix

# Checks that `security.pki` options are working in curl and the main browser
# engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser) and
# WebKitGTK (via Midori). The test checks that certificates issued by a custom
# trusted CA are accepted but those from an unknown CA are rejected.

{ system ? builtins.currentSystem,
  config ? {},
  pkgs ? import ../.. { inherit system config; }
}:

with import ../lib/testing-python.nix { inherit system pkgs; };

let
  inherit (pkgs) lib;

  makeCert = { caName, domain }: pkgs.runCommand "example-cert"
  { buildInputs = [ pkgs.gnutls ]; }
  ''
    mkdir $out

    # CA cert template
    cat >ca.template <<EOF
    organization = "${caName}"
    cn = "${caName}"
    expiration_days = 365
    ca
    cert_signing_key
    crl_signing_key
    EOF

    # server cert template
    cat >server.template <<EOF
    organization = "An example company"
    cn = "${domain}"
    expiration_days = 30
    dns_name = "${domain}"
    encryption_key
    signing_key
    EOF

    # generate CA keypair
    certtool                \
      --generate-privkey    \
      --key-type rsa        \
      --sec-param High      \
      --outfile $out/ca.key
    certtool                     \
      --generate-self-signed     \
      --load-privkey $out/ca.key \
      --template ca.template     \
      --outfile $out/ca.crt

    # generate server keypair
    certtool                    \
      --generate-privkey        \
      --key-type rsa            \
      --sec-param High          \
      --outfile $out/server.key
    certtool                            \
      --generate-certificate            \
      --load-privkey $out/server.key    \
      --load-ca-privkey $out/ca.key     \
      --load-ca-certificate $out/ca.crt \
      --template server.template        \
      --outfile $out/server.crt
  '';

  example-good-cert = makeCert
    { caName = "Example good CA";
      domain = "good.example.com";
    };

  example-bad-cert = makeCert
    { caName = "Unknown CA";
      domain = "bad.example.com";
    };

  webserverConfig =
    { networking.hosts."127.0.0.1" = [ "good.example.com" "bad.example.com" ];
      security.pki.certificateFiles = [ "${example-good-cert}/ca.crt" ];

      services.nginx.enable = true;
      services.nginx.virtualHosts."good.example.com" =
        { onlySSL = true;
          sslCertificate = "${example-good-cert}/server.crt";
          sslCertificateKey = "${example-good-cert}/server.key";
          locations."/".extraConfig = ''
            add_header Content-Type text/plain;
            return 200 'It works!';
          '';
        };
      services.nginx.virtualHosts."bad.example.com" =
        { onlySSL = true;
          sslCertificate = "${example-bad-cert}/server.crt";
          sslCertificateKey = "${example-bad-cert}/server.key";
          locations."/".extraConfig = ''
            add_header Content-Type text/plain;
            return 200 'It does not work!';
          '';
        };
    };

  curlTest = makeTest {
    name = "custom-ca-curl";
    meta.maintainers = with lib.maintainers; [ rnhmjoj ];
    nodes.machine = { ... }: webserverConfig;
    testScript = ''
        with subtest("Good certificate is trusted in curl"):
            machine.wait_for_unit("nginx")
            machine.wait_for_open_port(443)
            machine.succeed("curl -fv https://good.example.com")

        with subtest("Unknown CA is untrusted in curl"):
            machine.fail("curl -fv https://bad.example.com")
    '';
  };

  mkBrowserTest = browser: testParams: makeTest {
    name = "custom-ca-${browser}";
    meta.maintainers = with lib.maintainers; [ rnhmjoj ];

    enableOCR = true;

    nodes.machine = { pkgs, ... }:
      { imports =
          [ ./common/user-account.nix
            ./common/x11.nix
            webserverConfig
          ];

        # chromium-based browsers refuse to run as root
        test-support.displayManager.auto.user = "alice";

        # machine often runs out of memory with less
        virtualisation.memorySize = 1024;

        environment.systemPackages = [ pkgs.xdotool pkgs.${browser} ];
      };

    testScript = ''
      from typing import Tuple
      def execute_as(user: str, cmd: str) -> Tuple[int, str]:
          """
          Run a shell command as a specific user.
          """
          return machine.execute(f"sudo -u {user} {cmd}")


      def wait_for_window_as(user: str, cls: str) -> None:
          """
          Wait until a X11 window of a given user appears.
          """

          def window_is_visible(last_try: bool) -> bool:
              ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}")
              if last_try:
                  machine.log(f"Last chance to match {cls} on the window list")
              return ret == 0

          with machine.nested("Waiting for a window to appear"):
              retry(window_is_visible)


      machine.start()
      machine.wait_for_x()

      command = "${browser} ${testParams.args or ""}"
      with subtest("Good certificate is trusted in ${browser}"):
          execute_as(
              "alice", f"{command} https://good.example.com >&2 &"
          )
          wait_for_window_as("alice", "${browser}")
          machine.sleep(4)
          execute_as("alice", "xdotool key ctrl+r")  # reload to be safe
          machine.wait_for_text("It works!")
          machine.screenshot("good${browser}")
          execute_as("alice", "xdotool key ctrl+w")  # close tab

      with subtest("Unknown CA is untrusted in ${browser}"):
          execute_as("alice", f"{command} https://bad.example.com >&2 &")
          machine.wait_for_text("${testParams.error}")
          machine.screenshot("bad${browser}")
    '';
  };

in

{
  curl = curlTest;
} // pkgs.lib.mapAttrs mkBrowserTest {
  firefox = { error = "Security Risk"; };
  chromium = { error = "not private"; };
  qutebrowser = { args = "-T"; error = "Certificate error"; };
  midori = { args = "-p"; error = "Security"; };
}