nixos/tests: add step-ca test

This commit is contained in:
Moritz Hedtke 2021-11-12 21:37:11 +01:00
parent 84a49fca51
commit 9d01ce82ac
No known key found for this signature in database
GPG Key ID: 6794D45A488C2EDE
4 changed files with 83 additions and 1 deletions

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, nixosTests, ... }:
let
cfg = config.services.step-ca;
settingsFormat = (pkgs.formats.json { });
@ -82,6 +82,8 @@ in
});
in
{
passthru.tests.step-ca = nixosTests.step-ca;
assertions =
[
{

View File

@ -425,6 +425,7 @@ in
sslh = handleTest ./sslh.nix {};
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
step-ca = handleTestOn ["x86_64-linux"] ./step-ca.nix {};
strongswan-swanctl = handleTest ./strongswan-swanctl.nix {};
sudo = handleTest ./sudo.nix {};
sway = handleTest ./sway.nix {};

76
nixos/tests/step-ca.nix Normal file
View File

@ -0,0 +1,76 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
mkdir -p $out
echo insecure-root-password > $out/root-password-file
echo insecure-intermediate-password > $out/intermediate-password-file
${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca
${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key
'';
in
{
nodes =
{
caserver =
{ config, pkgs, ... }: {
services.step-ca = {
enable = true;
address = "0.0.0.0";
port = 8443;
openFirewall = true;
intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
settings = {
dnsNames = [ "caserver" ];
root = "${test-certificates}/root_ca.crt";
crt = "${test-certificates}/intermediate_ca.crt";
key = "${test-certificates}/intermediate_ca.key";
db = {
type = "badger";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
];
};
};
};
};
caclient =
{ config, pkgs, ... }: {
security.acme.server = "https://caserver:8443/acme/acme/directory";
security.acme.email = "root@example.org";
security.acme.acceptTerms = true;
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
virtualHosts = {
"caclient" = {
forceSSL = true;
enableACME = true;
};
};
};
};
catester = { config, pkgs, ... }: {
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
};
};
testScript =
''
catester.start()
caserver.wait_for_unit("step-ca.service")
caclient.wait_for_unit("acme-finished-caclient.target")
catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")
'';
})

View File

@ -7,6 +7,7 @@
, PCSC
, pkg-config
, hsmSupport ? true
, nixosTests
}:
buildGoModule rec {
@ -46,6 +47,8 @@ buildGoModule rec {
# panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted
__darwinAllowLocalNetworking = true;
passthru.tests.step-ca = nixosTests.step-ca;
meta = with lib; {
description = "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH";
homepage = "https://smallstep.com/certificates/";