1 { pkgs, ... }:
2 let
# Self-signed TLS key pair for the test VM. The SAN list names both
# origins configured on the node below (main UI and sandbox), so one
# certificate serves either virtual host.
certs = pkgs.runCommand "cryptpadSelfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
  mkdir -p "$out"
  # -nodes: leave the private key unencrypted; acceptable for a
  # throw-away fixture that only ever lives inside the test VM.
  openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \
    -subj '/CN=cryptpad.localhost' \
    -addext 'subjectAltName = DNS.1:cryptpad.localhost, DNS.2:cryptpad-sandbox.localhost' \
    -keyout "$out/key.pem" -out "$out/cert.pem"
'';
# Pre-captured WRITE_BLOCK request body, taken from a network trace of
# cryptpad's /checkup page. The test script below POSTs it unchanged to
# /api/auth and expects a 2xx answer, so it doubles as a liveness probe
# for the cryptpad main process. It contains a public key, a signature
# over the block, the ciphertext and a nonce — no private key.
# NOTE(review): this relies on the server accepting the same request on
# every run; should a CryptPad update start rejecting reused nonces or
# blocks, the fixture has to be re-captured rather than patched by hand.
test_write_data = pkgs.writeText "cryptpadTestData" ''
  {"command":"WRITE_BLOCK","content":{"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","signature":"aXcM9SMO59lwA7q7HbYB+AnzymmxSyy/KhkG/cXIBVzl8v+kkPWXmFuWhcuKfRF8yt3Zc3ktIsHoFyuyDSAwAA==","ciphertext":"AFwCIfBHKdFzDKjMg4cu66qlJLpP+6Yxogbl3o9neiQou5P8h8yJB8qgnQ=="},"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","nonce":"bitSbJMNSzOsg98nEzN80a231PCkBQeH"}
'';
name = "cryptpad";
# Maintainers are referenced by full attribute path rather than through
# a `with` scope, which keeps the binding explicit.
meta.maintainers = [ pkgs.lib.maintainers.martinetd ];
nodes.machine = {
  # Two distinct origins are configured; presumably this is CryptPad's
  # split between the main UI origin and a separate origin for sandboxed
  # content — the test itself only talks to the unsafe origin.
  services.cryptpad = {
    enable = true;
    configureNginx = true;
    settings.httpUnsafeOrigin = "https://cryptpad.localhost";
    settings.httpSafeOrigin = "https://cryptpad-sandbox.localhost";
  };
  # No ACME inside an offline test VM: hand nginx the self-signed pair
  # for the primary host instead.
  # NOTE(review): only this vhost gets explicit TLS material; whatever
  # configureNginx sets up for the sandbox origin is left untouched —
  # confirm against the cryptpad module if the sandbox is ever exercised.
  services.nginx.virtualHosts."cryptpad.localhost" = {
    enableACME = false;
    sslCertificate = "${certs}/cert.pem";
    sslCertificateKey = "${certs}/key.pem";
  };
  # Trust our own certificate system-wide so the curl calls in testScript
  # verify TLS normally instead of needing --insecure.
  security.pki.certificateFiles = [ "${certs}/cert.pem" ];
};
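# End-to-end smoke test: services come up, the home page is served over
# TLS with config-derived content, referenced assets resolve, the API
# accepts a request, and no telemetry is logged.
testScript = ''
  machine.wait_for_unit("cryptpad.service")
  machine.wait_for_unit("nginx.service")
  # presumably cryptpad's backend port behind the nginx proxy — TODO confirm
  machine.wait_for_open_port(3000)

  # test home page
  machine.succeed("curl --fail https://cryptpad.localhost -o /tmp/cryptpad_home.html")
  machine.succeed("grep -F 'CryptPad: Collaboration suite' /tmp/cryptpad_home.html")

  # test scripts/build.js actually generated customize content from config
  machine.succeed("grep -F 'meta property=\"og:url\" content=\"https://cryptpad.localhost/index.html' /tmp/cryptpad_home.html")

  # make sure child pages are accessible (e.g. check nginx try_files paths)
  # The URL fragment comes out of the served HTML, so it is double-quoted
  # in the shell: an unquoted $page would be subject to word splitting,
  # globbing, and a literal '&' would background the curl.
  machine.succeed(
      "grep -oE '/(customize|components)[^\"]*' /tmp/cryptpad_home.html"
      "  | while read -r page; do"
      "        curl -O --fail \"https://cryptpad.localhost$page\" || exit;"
      "    done")

  # test some API (e.g. check cryptpad main process)
  machine.succeed("curl --fail -d @${test_write_data} -H 'Content-Type: application/json' https://cryptpad.localhost/api/auth")

  # test telemetry has been disabled. Read the journal explicitly and
  # assert on its content: a plain machine.fail() on the grep pipeline
  # would also pass when journalctl itself errors out.
  journal = machine.succeed("journalctl -u cryptpad")
  assert "TELEMETRY" not in journal, "cryptpad logged telemetry activity"

  # for future improvements
  machine.log(machine.execute("systemd-analyze security cryptpad.service")[1])
'';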