authorFlakebi <flakebi@t-online.de>2021-09-20 01:43:54 +0200
committerFlakebi <flakebi@t-online.de>2021-09-25 13:12:51 +0200
commit6ca43a69cc11dfeeab6bcac028847eb946d9c0fd (patch)
tree7b282444c87af12efaa0181be5cc17c4b6d1c7c0 /nixos/tests
parentaf34c6f62703f81963953a35a7176652aa2fe0bd (diff)
dex-oidc: add module
Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/dex-oidc.nix78
2 files changed, 79 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 66b0f4f258d..ccdeb33d2e2 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -97,6 +97,7 @@ in
   cryptpad = handleTest ./cryptpad.nix {};
   deluge = handleTest ./deluge.nix {};
   dendrite = handleTest ./dendrite.nix {};
+  dex-oidc = handleTest ./dex-oidc.nix {};
   dhparams = handleTest ./dhparams.nix {};
   disable-installer-tools = handleTest ./disable-installer-tools.nix {};
   discourse = handleTest ./discourse.nix {};
diff --git a/nixos/tests/dex-oidc.nix b/nixos/tests/dex-oidc.nix
new file mode 100644
index 00000000000..37275a97ef0
--- /dev/null
+++ b/nixos/tests/dex-oidc.nix
@@ -0,0 +1,78 @@
+import ./make-test-python.nix ({ lib, ... }: {
+  name = "dex-oidc";
+  meta.maintainers = with lib.maintainers; [ Flakebi ];
+
+  nodes.machine = { pkgs, ... }: {
+    environment.systemPackages = with pkgs; [ jq ];
+    services.dex = {
+      enable = true;
+      settings = {
+        issuer = "http://127.0.0.1:8080/dex";
+        storage = {
+          type = "postgres";
+          config.host = "/var/run/postgresql";
+        };
+        web.http = "127.0.0.1:8080";
+        oauth2.skipApprovalScreen = true;
+        staticClients = [
+          {
+            id = "oidcclient";
+            name = "Client";
+            redirectURIs = [ "https://example.com/callback" ];
+            secretFile = "/etc/dex/oidcclient";
+          }
+        ];
+        connectors = [
+          {
+            type = "mockPassword";
+            id = "mock";
+            name = "Example";
+            config = {
+              username = "admin";
+              password = "password";
+            };
+          }
+        ];
+      };
+    };
+
+    # This should not be set from nix but through other means to not leak the secret.
+    environment.etc."dex/oidcclient" = {
+      mode = "0400";
+      user = "dex";
+      text = "oidcclientsecret";
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases =[ "dex" ];
+      ensureUsers = [
+        {
+          name = "dex";
+          ensurePermissions = { "DATABASE dex" = "ALL PRIVILEGES"; };
+        }
+      ];
+    };
+  };
+
+  testScript = ''
+    with subtest("Web server gets ready"):
+        machine.wait_for_unit("dex.service")
+        # Wait until server accepts connections
+        machine.wait_until_succeeds("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid'")
+
+    with subtest("Login"):
+        state = machine.succeed("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid' | sed -n 's/.*state=\\(.*\\)\">.*/\\1/p'").strip()
+        print(f"Got state {state}")
+        machine.succeed(f"curl -fs 'localhost:8080/dex/auth/mock/login?back=&state={state}' -d 'login=admin&password=password'")
+        code = machine.succeed(f"curl -fs localhost:8080/dex/approval?req={state} | sed -n 's/.*code=\\(.*\\)&amp;.*/\\1/p'").strip()
+        print(f"Got approval code {code}")
+        bearer = machine.succeed(f"curl -fs localhost:8080/dex/token -u oidcclient:oidcclientsecret -d 'grant_type=authorization_code&redirect_uri=https://example.com/callback&code={code}' | jq .access_token -r").strip()
+        print(f"Got access token {bearer}")
+
+    with subtest("Get userinfo"):
+        assert '"sub"' in machine.succeed(
+            f"curl -fs localhost:8080/dex/userinfo --oauth2-bearer {bearer}"
+        )
+  '';
+})
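Review bot: The `Login` subtest never checks that the values it extracts are non-empty before using them, so a failed `sed` match (empty `state` or `code`) or a `null` access token from `jq` only surfaces later as an unrelated-looking failure in `Get userinfo`; I would add `assert state, "no state in auth response"` after line 106, `assert code, "no code in approval response"` after line 109 and `assert bearer and bearer != "null", "no access token in token response"` after line 111. The greedy `.*` in the `state=\\(.*\\)\">` capture on line 106 also depends on the exact markup of Dex's login page, which deserves a comment such as `# Extract the OAuth2 state parameter from the mock connector's login link` so the next maintainer knows where to look when a Dex update changes the HTML. A small style nit: `ensureDatabases =[ "dex" ];` on line 89 is missing the space after `=`, unlike every other binding in the file.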