| blob | c1678ed733bebd6c4c026d6a83c4064a8bff815e |
1 { system ? builtins.currentSystem
2 , config ? { }
3 , pkgs ? import ../.. { inherit system config; }
4 , package ? null
5 }:
7 with import ../lib/testing-python.nix { inherit system pkgs; };
9 let
10 lib = pkgs.lib;
12 # Makes a test for a PostgreSQL package, given by name and looked up from `pkgs`.
13 makeTestAttribute = name:
14 {
15 inherit name;
16 value = makePostgresqlTlsClientCertTest pkgs."${name}";
17 };
19 makePostgresqlTlsClientCertTest = pkg:
20 let
21 runWithOpenSSL = file: cmd: pkgs.runCommand file
22 {
23 buildInputs = [ pkgs.openssl ];
24 }
25 cmd;
26 caKey = runWithOpenSSL "ca.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
27 caCert = runWithOpenSSL
28 "ca.crt"
29 ''
30 openssl req -new -x509 -sha256 -key ${caKey} -out $out -subj "/CN=test.example" -days 36500
31 '';
32 serverKey =
33 runWithOpenSSL "server.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
34 serverKeyPath = "/var/lib/postgresql";
35 serverCert =
36 runWithOpenSSL "server.crt" ''
37 openssl req -new -sha256 -key ${serverKey} -out server.csr -subj "/CN=db.test.example"
38 openssl x509 -req -in server.csr -CA ${caCert} -CAkey ${caKey} \
39 -CAcreateserial -out $out -days 36500 -sha256
40 '';
41 clientKey =
42 runWithOpenSSL "client.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
43 clientCert =
44 runWithOpenSSL "client.crt" ''
45 openssl req -new -sha256 -key ${clientKey} -out client.csr -subj "/CN=test"
46 openssl x509 -req -in client.csr -CA ${caCert} -CAkey ${caKey} \
47 -CAcreateserial -out $out -days 36500 -sha256
48 '';
49 clientKeyPath = "/root";
51 in
52 makeTest {
53 name = "postgresql-tls-client-cert-${pkg.name}";
54 meta.maintainers = with lib.maintainers; [ erictapen ];
56 nodes.server = { ... }: {
57 system.activationScripts = {
58 keyPlacement.text = ''
59 mkdir -p '${serverKeyPath}'
60 cp '${serverKey}' '${serverKeyPath}/server.key'
61 chown postgres:postgres '${serverKeyPath}/server.key'
62 chmod 600 '${serverKeyPath}/server.key'
63 '';
64 };
65 services.postgresql = {
66 package = pkg;
67 enable = true;
68 enableTCPIP = true;
69 ensureUsers = [
70 {
71 name = "test";
72 ensureDBOwnership = true;
73 }
74 ];
75 ensureDatabases = [ "test" ];
76 settings = {
77 ssl = "on";
78 ssl_ca_file = toString caCert;
79 ssl_cert_file = toString serverCert;
80 ssl_key_file = "${serverKeyPath}/server.key";
81 };
82 authentication = ''
83 hostssl test test ::/0 cert clientcert=verify-full
84 '';
85 };
86 networking = {
87 interfaces.eth1 = {
88 ipv6.addresses = [
89 { address = "fc00::1"; prefixLength = 120; }
90 ];
91 };
92 firewall.allowedTCPPorts = [ 5432 ];
93 };
94 };
96 nodes.client = { ... }: {
97 system.activationScripts = {
98 keyPlacement.text = ''
99 mkdir -p '${clientKeyPath}'
100 cp '${clientKey}' '${clientKeyPath}/client.key'
101 chown root:root '${clientKeyPath}/client.key'
102 chmod 600 '${clientKeyPath}/client.key'
103 '';
104 };
105 environment = {
106 variables = {
107 PGHOST = "db.test.example";
108 PGPORT = "5432";
109 PGDATABASE = "test";
110 PGUSER = "test";
111 PGSSLMODE = "verify-full";
112 PGSSLCERT = clientCert;
113 PGSSLKEY = "${clientKeyPath}/client.key";
114 PGSSLROOTCERT = caCert;
115 };
116 systemPackages = [ pkg ];
117 };
118 networking = {
119 interfaces.eth1 = {
120 ipv6.addresses = [
121 { address = "fc00::2"; prefixLength = 120; }
122 ];
123 };
124 hosts = { "fc00::1" = [ "db.test.example" ]; };
125 };
126 };
128 testScript = ''
129 server.wait_for_unit("multi-user.target")
130 client.wait_for_unit("multi-user.target")
131 client.succeed("psql -c \"SELECT 1;\"")
132 '';
133 };
135 in
136 if package == null then
137 # all-tests.nix: Maps the generic function over all attributes of PostgreSQL packages
138 builtins.listToAttrs (map makeTestAttribute (builtins.attrNames (import ../../pkgs/servers/sql/postgresql pkgs)))
139 else
140 # Called directly from <package>.tests
141 makePostgresqlTlsClientCertTest package