From 2120f02960dfe854caeec5707951872effae92b3 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 3 Mar 2021 17:18:09 +0100
Subject: [PATCH] nixos/tests/privoxy: add test
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/privoxy.nix | 113 ++++++++++++++++++++++
 pkgs/tools/networking/privoxy/default.nix | 3 +
 3 files changed, 117 insertions(+)
 create mode 100644 nixos/tests/privoxy.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index fe60b0b83f5a..00e84a9df82c 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -326,6 +326,7 @@ in
 predictable-interface-names = handleTest ./predictable-interface-names.nix {};
 printing = handleTest ./printing.nix {};
 privacyidea = handleTest ./privacyidea.nix {};
+ privoxy = handleTest ./privoxy.nix {};
 prometheus = handleTest ./prometheus.nix {};
 prometheus-exporters = handleTest ./prometheus-exporters.nix {};
 prosody = handleTest ./xmpp/prosody.nix {};
diff --git a/nixos/tests/privoxy.nix b/nixos/tests/privoxy.nix
new file mode 100644
index 000000000000..d16cc498691f
--- /dev/null
+++ b/nixos/tests/privoxy.nix
@@ -0,0 +1,113 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+
+let
+ # Note: For some reason Privoxy can't issue valid
+ # certificates if the CA is generated using gnutls :(
+ certs = pkgs.runCommand "example-certs"
+ { buildInputs = [ pkgs.openssl ]; }
+ ''
+ mkdir $out
+
+ # generate CA keypair
+ openssl req -new -nodes -x509 \
+ -extensions v3_ca -keyout $out/ca.key \
+ -out $out/ca.crt -days 365 \
+ -subj "/O=Privoxy CA/CN=Privoxy CA"
+
+ # generate server key/signing request
+ openssl genrsa -out $out/server.key 3072
+ openssl req -new -key $out/server.key \
+ -out server.csr -sha256 \
+ -subj "/O=An unhappy server./CN=example.com"
+
+ # sign the request/generate the certificate
+ openssl x509 -req -in server.csr -CA $out/ca.crt \
+ -CAkey $out/ca.key -CAcreateserial -out $out/server.crt \
+ -days 500 -sha256
+ '';
+in
+
+{
+ name = "privoxy";
+ meta = with lib.maintainers; {
+ maintainers = [ rnhmjoj ];
+ };
+
+ machine = { ... }: {
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."example.com" = {
+ addSSL = true;
+ sslCertificate = "${certs}/server.crt";
+ sslCertificateKey = "${certs}/server.key";
+ locations."/".root = pkgs.writeTextFile
+ { name = "bad-day";
+ destination = "/how-are-you/index.html";
+ text = "I've had a bad day!\n";
+ };
+ locations."/ads".extraConfig = ''
+ return 200 "Hot Nixpkgs PRs in your area. Click here!\n";
+ '';
+ };
+
+ services.privoxy = {
+ enable = true;
+ inspectHttps = true;
+ settings = {
+ ca-cert-file = "${certs}/ca.crt";
+ ca-key-file = "${certs}/ca.key";
+ debug = 65536;
+ };
+ userActions = ''
+ {+filter{positive}}
+ example.com
+
+ {+block{Fake ads}}
+ example.com/ads
+ '';
+ userFilters = ''
+ FILTER: positive This is a filter example.
+ s/bad/great/ig
+ '';
+ };
+
+ security.pki.certificateFiles = [ "${certs}/ca.crt" ];
+
+ networking.hosts."::1" = [ "example.com" ];
+ networking.proxy.httpProxy = "http://localhost:8118";
+ networking.proxy.httpsProxy = "http://localhost:8118";
+ };
+
+ testScript =
+ ''
+ with subtest("Privoxy is running"):
+ machine.wait_for_unit("privoxy")
+ machine.wait_for_open_port("8118")
+ machine.succeed("curl -f http://config.privoxy.org")
+
+ with subtest("Privoxy can filter http requests"):
+ machine.wait_for_open_port("80")
+ assert "great day" in machine.succeed(
+ "curl -sfL http://example.com/how-are-you? | tee /dev/stderr"
+ )
+
+ with subtest("Privoxy can filter https requests"):
+ machine.wait_for_open_port("443")
+ assert "great day" in machine.succeed(
+ "curl -sfL https://example.com/how-are-you? | tee /dev/stderr"
+ )
+
+ with subtest("Blocks are working"):
+ machine.wait_for_open_port("443")
+ machine.fail("curl -f https://example.com/ads 1>&2")
+ machine.succeed("curl -f https://example.com/PRIVOXY-FORCE/ads 1>&2")
+
+ with subtest("Temporary certificates are cleaned"):
+ # Count current certificates
+ machine.succeed("test $(ls /run/privoxy/certs | wc -l) -gt 0")
+ # Forward in time 12 days, trigger the timer..
+ machine.succeed("date -s \"$(date --date '12 days')\"")
+ machine.systemctl("start systemd-tmpfiles-clean")
+ # ...and count again
+ machine.succeed("test $(ls /run/privoxy/certs | wc -l) -eq 0")
+ '';
+})
diff --git a/pkgs/tools/networking/privoxy/default.nix b/pkgs/tools/networking/privoxy/default.nix
index 7a6cf697a94d..9fce8d7a5f41 100644
--- a/pkgs/tools/networking/privoxy/default.nix
+++ b/pkgs/tools/networking/privoxy/default.nix
@@ -1,4 +1,5 @@
 { lib, stdenv
+, nixosTests
 , fetchurl, autoreconfHook
 , zlib, pcre, w3m, man
 , mbedtls, brotli
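Review bot: The `certs` derivation at the top of nixos/tests/privoxy.nix writes `ca.key` and `server.key` into its output, so both private keys sit in the Nix store, where any local user can read them. `ca-key-file = "${certs}/ca.key"` then makes that key Privoxy's signing CA, and `security.pki.certificateFiles` trusts the CA system-wide. That is acceptable inside a disposable test VM, but the file does not say so and NixOS tests are often copied as configuration examples. I would add a comment above `certs` such as `# Test-only CA: the keys live in the world-readable Nix store; never point ca-key-file at a store path on a real system.`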
@@ -31,6 +32,8 @@ stdenv.mkDerivation rec { rm -r $out/var ''; + passthru.tests.privoxy = nixosTests.privoxy; + meta = with lib; { homepage = "https://www.privoxy.org/"; description = "Non-caching web proxy with advanced filtering capabilities";