diff options
author | Alyssa Ross <hi@alyssa.is> | 2021-07-09 12:30:28 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-07-23 09:11:31 +0000 |
commit | 55cc63c079f49e81d695a25bc2f5b3902f2bd290 (patch) | |
tree | e705335d97f50b927c76ccb4a3fbde9fab8372b9 /nixpkgs/nixos/tests/acme.nix | |
parent | c26eb6f74d9393127a21eee7a9620a920769f613 (diff) | |
parent | 87807e64a5ef5206b745a40af118c7be8db73681 (diff) | |
download | nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.tar nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.tar.gz nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.tar.bz2 nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.tar.lz nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.tar.xz nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.tar.zst nixlib-55cc63c079f49e81d695a25bc2f5b3902f2bd290.zip |
Merge commit '87807e64a5ef5206b745a40af118c7be8db73681'
Diffstat (limited to 'nixpkgs/nixos/tests/acme.nix')
-rw-r--r-- | nixpkgs/nixos/tests/acme.nix | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/nixpkgs/nixos/tests/acme.nix b/nixpkgs/nixos/tests/acme.nix index fe8c4af3ea21..6532fc4ac1d4 100644 --- a/nixpkgs/nixos/tests/acme.nix +++ b/nixpkgs/nixos/tests/acme.nix @@ -330,30 +330,38 @@ in import ./make-test-python.nix ({ lib, ... }: { with subtest("Can request certificate with HTTPS-01 challenge"): webserver.wait_for_unit("acme-finished-a.example.test.target") - check_fullchain(webserver, "a.example.test") - check_issuer(webserver, "a.example.test", "pebble") - check_connection(client, "a.example.test") with subtest("Certificates and accounts have safe + valid permissions"): group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}" webserver.succeed( - f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" ) webserver.succeed( - f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4" ) webserver.succeed( - f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" + f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" ) webserver.succeed( - f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" + f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" ) + with subtest("Certs are accepted by web server"): + webserver.succeed("systemctl start nginx.service") + check_fullchain(webserver, "a.example.test") + check_issuer(webserver, "a.example.test", "pebble") + check_connection(client, "a.example.test") + + # Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal with subtest("Can generate valid selfsigned certs"): webserver.succeed("systemctl clean acme-a.example.test.service --what=state") webserver.succeed("systemctl start acme-selfsigned-a.example.test.service") check_fullchain(webserver, "a.example.test") check_issuer(webserver, "a.example.test", "minica") + # Check selfsigned permissions + webserver.succeed( + f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + ) # Will succeed if nginx can load the certs webserver.succeed("systemctl start nginx-config-reload.service") @@ -376,6 +384,8 @@ in import ./make-test-python.nix ({ lib, ... }: { webserver.wait_for_unit("acme-finished-a.example.test.target") check_connection_key_bits(client, "a.example.test", "384") webserver.succeed("grep testing /var/lib/acme/a.example.test/test") + # Clean to remove the testing file (and anything else messy we did) + webserver.succeed("systemctl clean acme-a.example.test.service --what=state") with subtest("Correctly implements OCSP stapling"): switch_to(webserver, "ocsp-stapling") |