nixos/tests/pomerium.nix

   1 import ./make-test-python.nix ({ pkgs, lib, ... }: {
   2   name = "pomerium";
   3   meta = with lib.maintainers; {
   4     maintainers = [ lukegb ];
   5   };
   6
   7   nodes = let base = myIP: { pkgs, lib, ... }: {
   8     virtualisation.vlans = [ 1 ];
   9     networking = {
  10       dhcpcd.enable = false;
  11       firewall.allowedTCPPorts = [ 80 443 ];
  12       hosts = {
  13         "192.168.1.1" = [ "pomerium" "pom-auth" ];
  14         "192.168.1.2" = [ "backend" "dummy-oidc" ];
  15       };
  16       interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
  17         { address = myIP; prefixLength = 24; }
  18       ];
  19     };
  20   }; in {
  21     pomerium = { pkgs, lib, ... }: {
  22       imports = [ (base "192.168.1.1") ];
  23       services.pomerium = {
  24         enable = true;
  25         settings = {
  26           address = ":80";
  27           insecure_server = true;
  28           authenticate_service_url = "http://pom-auth";
  29
  30           idp_provider = "oidc";
  31           idp_scopes = [ "oidc" ];
  32           idp_client_id = "dummy";
  33           idp_provider_url = "http://dummy-oidc";
  34
  35           policy = [{
  36             from = "https://my.website";
  37             to = "http://192.168.1.2";
  38             allow_public_unauthenticated_access = true;
  39             preserve_host_header = true;
  40           } {
  41             from = "https://login.required";
  42             to = "http://192.168.1.2";
  43             allowed_domains = [ "my.domain" ];
  44             preserve_host_header = true;
  45           }];
  46         };
  47         secretsFile = pkgs.writeText "pomerium-secrets" ''
  48           # 12345678901234567890123456789012 in base64
  49           COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
  50           IDP_CLIENT_SECRET=dummy
  51         '';
  52       };
  53     };
  54     backend = { pkgs, lib, ... }: {
  55       imports = [ (base "192.168.1.2") ];
  56       services.nginx.enable = true;
  57       services.nginx.virtualHosts."my.website" = {
  58         root = pkgs.runCommand "testdir" {} ''
  59           mkdir "$out"
  60           echo hello world > "$out/index.html"
  61         '';
  62       };
  63       services.nginx.virtualHosts."dummy-oidc" = {
  64         root = pkgs.runCommand "testdir" {} ''
  65           mkdir -p "$out/.well-known"
  66           cat <<EOF >"$out/.well-known/openid-configuration"
  67             {
  68               "issuer": "http://dummy-oidc",
  69               "authorization_endpoint": "http://dummy-oidc/auth.txt",
  70               "token_endpoint": "http://dummy-oidc/token",
  71               "jwks_uri": "http://dummy-oidc/jwks.json",
  72               "userinfo_endpoint": "http://dummy-oidc/userinfo",
  73               "id_token_signing_alg_values_supported": ["RS256"]
  74             }
  75           EOF
  76           echo hello I am login page >"$out/auth.txt"
  77         '';
  78       };
  79     };
  80   };
  81
  82   testScript = { ... }: ''
  83     backend.wait_for_unit("nginx")
  84     backend.wait_for_open_port(80)
  85
  86     pomerium.wait_for_unit("pomerium")
  87     pomerium.wait_for_open_port(80)
  88
  89     with subtest("no authentication required"):
  90         pomerium.succeed(
  91             "curl --resolve my.website:80:127.0.0.1 http://my.website | grep 'hello world'"
  92         )
  93
  94     with subtest("login required"):
  95         pomerium.succeed(
  96             "curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep pom-auth"
  97         )
  98         pomerium.succeed(
  99             "curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep 'hello I am login page'"
 100         )
 101   '';
 102 })