From 309e836c3348debeef30463543b1a6830415db6b Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Fri, 8 Jan 2021 03:03:00 +0000 Subject: [PATCH] nixos/tests/pomerium: init --- .../modules/services/web-servers/pomerium.nix | 24 ++++- nixos/tests/all-tests.nix | 1 + nixos/tests/pomerium.nix | 102 ++++++++++++++++++ 3 files changed, 123 insertions(+), 4 deletions(-) create mode 100644 nixos/tests/pomerium.nix diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix index ae249d803aa2..a96df1dbf6de 100644 --- a/nixos/modules/services/web-servers/pomerium.nix +++ b/nixos/modules/services/web-servers/pomerium.nix @@ -106,10 +106,26 @@ in ]; }; }; - security.acme.certs = mkIf (cfg.useACMEHost != null) { - ${cfg.useACMEHost}.postRun = mkAfter '' - /run/current-system/systemd/bin/systemctl -q is-active pomerium.service && /run/current-system/systemd/bin/systemctl restart pomerium.service - ''; + + # postRun hooks on cert renew can't be used to restart Nginx since renewal + # runs as the unprivileged acme user. sslTargets are added to wantedBy + before + # which allows the acme-finished-$cert.target to signify the successful updating + # of certs end-to-end. + systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) { + # TODO(lukegb): figure out how to make config reloading work with credentials. + + wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ]; + # Before the finished targets, after the renew services. + before = [ "acme-finished-${cfg.useACMEHost}.target" ]; + after = [ "acme-${cfg.useACMEHost}.service" ]; + # Block reloading if not all certs exist yet. + unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 60; + ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service"; + ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service"; + }; }; }); } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 65c7d84ee644..6cef215b1335 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -318,6 +318,7 @@ in plikd = handleTest ./plikd.nix {}; plotinus = handleTest ./plotinus.nix {}; podman = handleTestOn ["x86_64-linux"] ./podman.nix {}; + pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {}; postfix = handleTest ./postfix.nix {}; postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {}; postgis = handleTest ./postgis.nix {}; diff --git a/nixos/tests/pomerium.nix b/nixos/tests/pomerium.nix new file mode 100644 index 000000000000..933614bb7d8a --- /dev/null +++ b/nixos/tests/pomerium.nix @@ -0,0 +1,102 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "pomerium"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lukegb ]; + }; + + nodes = let base = myIP: { pkgs, lib, ... }: { + virtualisation.vlans = [ 1 ]; + networking = { + dhcpcd.enable = false; + firewall.allowedTCPPorts = [ 80 443 ]; + hosts = { + "192.168.1.1" = [ "pomerium" "pom-auth" ]; + "192.168.1.2" = [ "backend" "dummy-oidc" ]; + }; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = myIP; prefixLength = 24; } + ]; + }; + }; in { + pomerium = { pkgs, lib, ... }: { + imports = [ (base "192.168.1.1") ]; + services.pomerium = { + enable = true; + settings = { + address = ":80"; + insecure_server = true; + authenticate_service_url = "http://pom-auth"; + + idp_provider = "oidc"; + idp_scopes = [ "oidc" ]; + idp_client_id = "dummy"; + idp_provider_url = "http://dummy-oidc"; + + policy = [{ + from = "https://my.website"; + to = "http://192.168.1.2"; + allow_public_unauthenticated_access = true; + preserve_host_header = true; + } { + from = "https://login.required"; + to = "http://192.168.1.2"; + allowed_domains = [ "my.domain" ]; + preserve_host_header = true; + }]; + }; + secretsFile = pkgs.writeText "pomerium-secrets" '' + # 12345678901234567890123456789012 in base64 + COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI= + IDP_CLIENT_SECRET=dummy + ''; + }; + }; + backend = { pkgs, lib, ... }: { + imports = [ (base "192.168.1.2") ]; + services.nginx.enable = true; + services.nginx.virtualHosts."my.website" = { + root = pkgs.runCommand "testdir" {} '' + mkdir "$out" + echo hello world > "$out/index.html" + ''; + }; + services.nginx.virtualHosts."dummy-oidc" = { + root = pkgs.runCommand "testdir" {} '' + mkdir -p "$out/.well-known" + cat <"$out/.well-known/openid-configuration" + { + "issuer": "http://dummy-oidc", + "authorization_endpoint": "http://dummy-oidc/auth.txt", + "token_endpoint": "http://dummy-oidc/token", + "jwks_uri": "http://dummy-oidc/jwks.json", + "userinfo_endpoint": "http://dummy-oidc/userinfo", + "id_token_signing_alg_values_supported": ["RS256"] + } + EOF + echo hello I am login page >"$out/auth.txt" + ''; + }; + }; + }; + + testScript = { ... }: '' + backend.wait_for_unit("nginx") + backend.wait_for_open_port(80) + + pomerium.wait_for_unit("pomerium") + pomerium.wait_for_open_port(80) + + with subtest("no authentication required"): + pomerium.succeed( + "curl --resolve my.website:80:127.0.0.1 http://my.website | grep -q 'hello world'" + ) + + with subtest("login required"): + pomerium.succeed( + "curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep -q pom-auth" + ) + pomerium.succeed( + "curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello I am login page'" + ) + ''; +})