| blob | eca29292721fde0e3027c091567b969a21d2f8dd |
1 import ./make-test-python.nix ({ pkgs, lib, ... }:
3 let
4 port = 1888;
5 tlsPort = 1889;
6 anonPort = 1890;
7 password = "VERY_secret";
8 hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
9 topic = "test/foo";
11 snakeOil = pkgs.runCommand "snakeoil-certs" {
12 buildInputs = [ pkgs.gnutls.bin ];
13 caTemplate = pkgs.writeText "snakeoil-ca.template" ''
14 cn = server
15 expiration_days = -1
16 cert_signing_key
17 ca
18 '';
19 certTemplate = pkgs.writeText "snakeoil-cert.template" ''
20 cn = server
21 expiration_days = -1
22 tls_www_server
23 encryption_key
24 signing_key
25 '';
26 userCertTemplate = pkgs.writeText "snakeoil-user-cert.template" ''
27 organization = snakeoil
28 cn = client1
29 expiration_days = -1
30 tls_www_client
31 encryption_key
32 signing_key
33 '';
34 } ''
35 mkdir "$out"
37 certtool -p --bits 2048 --outfile "$out/ca.key"
38 certtool -s --template "$caTemplate" --load-privkey "$out/ca.key" \
39 --outfile "$out/ca.crt"
40 certtool -p --bits 2048 --outfile "$out/server.key"
41 certtool -c --template "$certTemplate" \
42 --load-ca-privkey "$out/ca.key" \
43 --load-ca-certificate "$out/ca.crt" \
44 --load-privkey "$out/server.key" \
45 --outfile "$out/server.crt"
47 certtool -p --bits 2048 --outfile "$out/client1.key"
48 certtool -c --template "$userCertTemplate" \
49 --load-privkey "$out/client1.key" \
50 --load-ca-privkey "$out/ca.key" \
51 --load-ca-certificate "$out/ca.crt" \
52 --outfile "$out/client1.crt"
53 '';
55 in {
56 name = "mosquitto";
57 meta = with pkgs.lib; {
58 maintainers = with maintainers; [ peterhoeg ];
59 };
61 nodes = let
62 client = { pkgs, ... }: {
63 environment.systemPackages = with pkgs; [ mosquitto ];
64 };
65 in {
66 server = { pkgs, ... }: {
67 networking.firewall.allowedTCPPorts = [ port tlsPort anonPort ];
68 networking.useNetworkd = true;
69 services.mosquitto = {
70 enable = true;
71 settings = {
72 sys_interval = 1;
73 };
74 listeners = [
75 {
76 inherit port;
77 users = {
78 password_store = {
79 inherit password;
80 };
81 password_file = {
82 passwordFile = pkgs.writeText "mqtt-password" password;
83 };
84 hashed_store = {
85 inherit hashedPassword;
86 };
87 hashed_file = {
88 hashedPasswordFile = pkgs.writeText "mqtt-hashed-password" hashedPassword;
89 };
91 reader = {
92 inherit password;
93 acl = [
94 "read ${topic}"
95 "read $SYS/#" # so we always have something to read
96 ];
97 };
98 writer = {
99 inherit password;
100 acl = [ "write ${topic}" ];
101 };
102 };
103 }
104 {
105 port = tlsPort;
106 users.client1 = {
107 acl = [ "read $SYS/#" ];
108 };
109 settings = {
110 cafile = "${snakeOil}/ca.crt";
111 certfile = "${snakeOil}/server.crt";
112 keyfile = "${snakeOil}/server.key";
113 require_certificate = true;
114 use_identity_as_username = true;
115 };
116 }
117 {
118 port = anonPort;
119 omitPasswordAuth = true;
120 settings.allow_anonymous = true;
121 acl = [ "pattern read #" ];
122 users = {
123 anonWriter = {
124 password = "<ignored>" + password;
125 acl = [ "write ${topic}" ];
126 };
127 };
128 }
129 ];
130 };
131 };
133 client1 = client;
134 client2 = client;
135 };
137 testScript = ''
138 def mosquitto_cmd(binary, user, topic, port):
139 return (
140 "mosquitto_{} "
141 "-V mqttv311 "
142 "-h server "
143 "-p {} "
144 "-u {} "
145 "-P '${password}' "
146 "-t '{}'"
147 ).format(binary, port, user, topic)
150 def publish(args, user, topic="${topic}", port=${toString port}):
151 return "{} {}".format(mosquitto_cmd("pub", user, topic, port), args)
153 def subscribe(args, user, topic="${topic}", port=${toString port}):
154 return "{} -W 5 -C 1 {}".format(mosquitto_cmd("sub", user, topic, port), args)
156 def parallel(*fns):
157 from threading import Thread
158 threads = [ Thread(target=fn) for fn in fns ]
159 for t in threads: t.start()
160 for t in threads: t.join()
162 def wait_uuid(uuid):
163 server.wait_for_console_text(uuid)
164 return None
167 start_all()
168 server.wait_for_unit("mosquitto.service")
170 with subtest("check passwords"):
171 client1.succeed(publish("-m test", "password_store"))
172 client1.succeed(publish("-m test", "password_file"))
173 client1.succeed(publish("-m test", "hashed_store"))
174 client1.succeed(publish("-m test", "hashed_file"))
176 with subtest("check acl"):
177 client1.succeed(subscribe("", "reader", topic="$SYS/#"))
178 client1.fail(subscribe("", "writer", topic="$SYS/#"))
180 parallel(
181 lambda: client1.succeed(subscribe("-i 3688cdd7-aa07-42a4-be22-cb9352917e40", "reader")),
182 lambda: [
183 wait_uuid("3688cdd7-aa07-42a4-be22-cb9352917e40"),
184 client2.succeed(publish("-m test", "writer"))
185 ])
187 parallel(
188 lambda: client1.fail(subscribe("-i 24ff16a2-ae33-4a51-9098-1b417153c712", "reader")),
189 lambda: [
190 wait_uuid("24ff16a2-ae33-4a51-9098-1b417153c712"),
191 client2.succeed(publish("-m test", "reader"))
192 ])
194 with subtest("check tls"):
195 client1.succeed(
196 subscribe(
197 "--cafile ${snakeOil}/ca.crt "
198 "--cert ${snakeOil}/client1.crt "
199 "--key ${snakeOil}/client1.key",
200 topic="$SYS/#",
201 port=${toString tlsPort},
202 user="no_such_user"))
204 with subtest("check omitPasswordAuth"):
205 parallel(
206 lambda: client1.succeed(subscribe("-i fd56032c-d9cb-4813-a3b4-6be0e04c8fc3",
207 "anonReader", port=${toString anonPort})),
208 lambda: [
209 wait_uuid("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"),
210 client2.succeed(publish("-m test", "anonWriter", port=${toString anonPort}))
211 ])
212 '';
213 })