mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-21 13:10:33 +00:00
nixos/tests/pomerium: init
This commit is contained in:
parent
cb2f1df034
commit
309e836c33
|
@ -106,10 +106,26 @@ in
|
|||
];
|
||||
};
|
||||
};
|
||||
security.acme.certs = mkIf (cfg.useACMEHost != null) {
|
||||
${cfg.useACMEHost}.postRun = mkAfter ''
|
||||
/run/current-system/systemd/bin/systemctl -q is-active pomerium.service && /run/current-system/systemd/bin/systemctl restart pomerium.service
|
||||
'';
|
||||
|
||||
# postRun hooks on cert renew can't be used to restart Nginx since renewal
|
||||
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
|
||||
# which allows the acme-finished-$cert.target to signify the successful updating
|
||||
# of certs end-to-end.
|
||||
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
|
||||
# TODO(lukegb): figure out how to make config reloading work with credentials.
|
||||
|
||||
wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
|
||||
# Before the finished targets, after the renew services.
|
||||
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
||||
after = [ "acme-${cfg.useACMEHost}.service" ];
|
||||
# Block reloading if not all certs exist yet.
|
||||
unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
TimeoutSec = 60;
|
||||
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
||||
ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
|
||||
};
|
||||
};
|
||||
});
|
||||
}
|
||||
|
|
|
@ -318,6 +318,7 @@ in
|
|||
plikd = handleTest ./plikd.nix {};
|
||||
plotinus = handleTest ./plotinus.nix {};
|
||||
podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
|
||||
pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
|
||||
postfix = handleTest ./postfix.nix {};
|
||||
postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
|
||||
postgis = handleTest ./postgis.nix {};
|
||||
|
|
102
nixos/tests/pomerium.nix
Normal file
102
nixos/tests/pomerium.nix
Normal file
|
@ -0,0 +1,102 @@
|
|||
import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
name = "pomerium";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ lukegb ];
|
||||
};
|
||||
|
||||
nodes = let base = myIP: { pkgs, lib, ... }: {
|
||||
virtualisation.vlans = [ 1 ];
|
||||
networking = {
|
||||
dhcpcd.enable = false;
|
||||
firewall.allowedTCPPorts = [ 80 443 ];
|
||||
hosts = {
|
||||
"192.168.1.1" = [ "pomerium" "pom-auth" ];
|
||||
"192.168.1.2" = [ "backend" "dummy-oidc" ];
|
||||
};
|
||||
interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
|
||||
{ address = myIP; prefixLength = 24; }
|
||||
];
|
||||
};
|
||||
}; in {
|
||||
pomerium = { pkgs, lib, ... }: {
|
||||
imports = [ (base "192.168.1.1") ];
|
||||
services.pomerium = {
|
||||
enable = true;
|
||||
settings = {
|
||||
address = ":80";
|
||||
insecure_server = true;
|
||||
authenticate_service_url = "http://pom-auth";
|
||||
|
||||
idp_provider = "oidc";
|
||||
idp_scopes = [ "oidc" ];
|
||||
idp_client_id = "dummy";
|
||||
idp_provider_url = "http://dummy-oidc";
|
||||
|
||||
policy = [{
|
||||
from = "https://my.website";
|
||||
to = "http://192.168.1.2";
|
||||
allow_public_unauthenticated_access = true;
|
||||
preserve_host_header = true;
|
||||
} {
|
||||
from = "https://login.required";
|
||||
to = "http://192.168.1.2";
|
||||
allowed_domains = [ "my.domain" ];
|
||||
preserve_host_header = true;
|
||||
}];
|
||||
};
|
||||
secretsFile = pkgs.writeText "pomerium-secrets" ''
|
||||
# 12345678901234567890123456789012 in base64
|
||||
COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
|
||||
IDP_CLIENT_SECRET=dummy
|
||||
'';
|
||||
};
|
||||
};
|
||||
backend = { pkgs, lib, ... }: {
|
||||
imports = [ (base "192.168.1.2") ];
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."my.website" = {
|
||||
root = pkgs.runCommand "testdir" {} ''
|
||||
mkdir "$out"
|
||||
echo hello world > "$out/index.html"
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."dummy-oidc" = {
|
||||
root = pkgs.runCommand "testdir" {} ''
|
||||
mkdir -p "$out/.well-known"
|
||||
cat <<EOF >"$out/.well-known/openid-configuration"
|
||||
{
|
||||
"issuer": "http://dummy-oidc",
|
||||
"authorization_endpoint": "http://dummy-oidc/auth.txt",
|
||||
"token_endpoint": "http://dummy-oidc/token",
|
||||
"jwks_uri": "http://dummy-oidc/jwks.json",
|
||||
"userinfo_endpoint": "http://dummy-oidc/userinfo",
|
||||
"id_token_signing_alg_values_supported": ["RS256"]
|
||||
}
|
||||
EOF
|
||||
echo hello I am login page >"$out/auth.txt"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = { ... }: ''
|
||||
backend.wait_for_unit("nginx")
|
||||
backend.wait_for_open_port(80)
|
||||
|
||||
pomerium.wait_for_unit("pomerium")
|
||||
pomerium.wait_for_open_port(80)
|
||||
|
||||
with subtest("no authentication required"):
|
||||
pomerium.succeed(
|
||||
"curl --resolve my.website:80:127.0.0.1 http://my.website | grep -q 'hello world'"
|
||||
)
|
||||
|
||||
with subtest("login required"):
|
||||
pomerium.succeed(
|
||||
"curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep -q pom-auth"
|
||||
)
|
||||
pomerium.succeed(
|
||||
"curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello I am login page'"
|
||||
)
|
||||
'';
|
||||
})
|
Loading…
Reference in a new issue