Skip to content

Commit

Permalink
Add a test for builtin:fetchurl cert verification
Browse files Browse the repository at this point in the history
  • Loading branch information
edolstra committed Sep 24, 2024
1 parent c04bc17 commit f2f47fa
Show file tree
Hide file tree
Showing 2 changed files with 80 additions and 0 deletions.
2 changes: 2 additions & 0 deletions tests/nixos/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -159,4 +159,6 @@ in
fsync = runNixOSTestFor "x86_64-linux" ./fsync.nix;

cgroups = runNixOSTestFor "x86_64-linux" ./cgroups;

fetchurl = runNixOSTestFor "x86_64-linux" ./fetchurl.nix;
}
78 changes: 78 additions & 0 deletions tests/nixos/fetchurl.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
# Test whether builtin:fetchurl properly performs TLS certificate
# checks on HTTPS servers.

{ lib, config, pkgs, ... }:

let

makeTlsCert = name: pkgs.runCommand name {
nativeBuildInputs = with pkgs; [ openssl ];
} ''
mkdir -p $out
openssl req -x509 \
-subj '/CN=${name}/' -days 49710 \
-addext 'subjectAltName = DNS:${name}' \
-keyout "$out/key.pem" -newkey ed25519 \
-out "$out/cert.pem" -noenc
'';

goodCert = makeTlsCert "good";
badCert = makeTlsCert "bad";

in

{
name = "nss-preload";

nodes = {
machine = { lib, pkgs, ... }: {
services.nginx = {
enable = true;

virtualHosts."good" = {
addSSL = true;
sslCertificate = "${goodCert}/cert.pem";
sslCertificateKey = "${goodCert}/key.pem";
root = pkgs.runCommand "nginx-root" {} ''
mkdir "$out"
echo 'hello world' > "$out/index.html"
'';
};

virtualHosts."bad" = {
addSSL = true;
sslCertificate = "${badCert}/cert.pem";
sslCertificateKey = "${badCert}/key.pem";
root = pkgs.runCommand "nginx-root" {} ''
mkdir "$out"
echo 'foobar' > "$out/index.html"
'';
};
};

security.pki.certificateFiles = [ "${goodCert}/cert.pem" ];

networking.hosts."127.0.0.1" = [ "good" "bad" ];

virtualisation.writableStore = true;

nix.settings.experimental-features = "nix-command";
};
};

testScript = { nodes, ... }: ''
machine.wait_for_unit("nginx")
machine.wait_for_open_port(443)
out = machine.succeed("curl https://good/index.html")
assert out == "hello world\n"
# Fetching from a server with a trusted cert should work.
machine.succeed("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://good/index.html\"; hash = \"sha256-qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A+4XSmaGSpEc=\"; }'")
# Fetching from a server with an untrusted cert should fail.
err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
print(err)
assert "SSL certificate problem: self-signed certificate" in err
'';
}

0 comments on commit f2f47fa

Please sign in to comment.