author | Scott Worley <scottworley@scottworley.com> | 2022-02-22 16:54:15 -0800 |
committer | Scott Worley <scottworley@scottworley.com> | 2022-03-11 14:36:26 -0800 |
commit | 0e857fc1d92ab5ce0c8b53e2a1df558892c3b2ff (patch) | |
tree | caa3658939db93c55458cb29dc0b88cc1b992e46 /nixos/tests/stunnel.nix | |
parent | 131399effb405114449d7777da650d0977931178 (diff) |
nixos/tests/stunnel: Add mutual authentication test
Diffstat (limited to 'nixos/tests/stunnel.nix')
-rw-r--r-- | nixos/tests/stunnel.nix | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/nixos/tests/stunnel.nix b/nixos/tests/stunnel.nix
index e5e2b85ccbe2f..22c087290fc7b 100644
--- a/nixos/tests/stunnel.nix
+++ b/nixos/tests/stunnel.nix
@@ -123,4 +123,52 @@ in {
 client.succeed('[[ "$(< out)" == "" ]]')
 '';
 };
+
+ mutualAuth = makeTest {
+ name = "mutualAuth";
+
+ nodes = rec {
+ client = {
+ imports = [ makeCert stunnelCommon ];
+ services.stunnel.clients.authenticated-https = {
+ accept = "80";
+ connect = "server:443";
+ verifyPeer = true;
+ CAFile = "/authorized-server-cert.crt";
+ cert = "/test-cert.pem";
+ key = "/test-key.pem";
+ };
+ };
+ wrongclient = client;
+ server = {
+ imports = [ makeCert serverCommon stunnelCommon ];
+ services.stunnel.servers.https = {
+ CAFile = "/authorized-client-certs.crt";
+ verifyPeer = true;
+ };
+ environment.etc."webroot/index.html".text = "secret handshake";
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ ${copyCert "server" "client" "/authorized-server-cert.crt"}
+ ${copyCert "client" "server" "/authorized-client-certs.crt"}
+ ${copyCert "server" "wrongclient" "/authorized-server-cert.crt"}
+
+ # In case stunnel came up before we got the cross-certs in place
+ client.succeed("systemctl reload-or-restart stunnel")
+ server.succeed("systemctl reload-or-restart stunnel")
+ wrongclient.succeed("systemctl reload-or-restart stunnel")
+
+ server.wait_for_unit("simple-webserver")
+ client.fail("curl --fail --insecure https://server/ > out")
+ client.succeed('[[ "$(< out)" == "" ]]')
+ client.succeed("curl --fail http://localhost/ > out")
+ client.succeed('[[ "$(< out)" == "secret handshake" ]]')
+ wrongclient.fail("curl --fail http://localhost/ > out")
+ wrongclient.succeed('[[ "$(< out)" == "" ]]')
+ '';
+ };
 } |
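Review bot: The negative checks `wrongclient.fail("curl --fail http://localhost/ > out")` and `client.fail("curl --fail --insecure https://server/ > out")` also pass when the relevant stunnel instance is simply not listening yet, so on their own they do not show that the rejection came from peer-certificate verification. Adding `wrongclient.wait_for_open_port(80)` and `server.wait_for_open_port(443)` after the reload-or-restart lines and before the fail assertions would tie the failure to the certificate check rather than to a tunnel that never came up, which matters because this is the only place the "unauthorized client is rejected" property is asserted. The line `wrongclient = client;` also deserves a short comment, e.g. `# Identical to client, but its own certificate is never copied into the server's CAFile, so the server must reject it`, since the difference is only visible in the copyCert calls further down; this presumes makeCert issues a fresh certificate per node, which is defined outside the hunk.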