diff options
Diffstat (limited to 'nixpkgs/nixos/tests/authelia.nix')
| -rw-r--r-- | nixpkgs/nixos/tests/authelia.nix | 169 |
1 files changed, 169 insertions, 0 deletions
diff --git a/nixpkgs/nixos/tests/authelia.nix b/nixpkgs/nixos/tests/authelia.nix new file mode 100644 index 000000000000..679c65fea087 --- /dev/null +++ b/nixpkgs/nixos/tests/authelia.nix @@ -0,0 +1,169 @@ +# Test Authelia as an auth server for Traefik as a reverse proxy of a local web service +import ./make-test-python.nix ({ lib, ... }: { + name = "authelia"; + meta.maintainers = with lib.maintainers; [ jk ]; + + nodes = { + authelia = { config, pkgs, lib, ... }: { + services.authelia.instances.testing = { + enable = true; + secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile"; + secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile"; + settings = { + authentication_backend.file.path = "/etc/authelia/users_database.yml"; + access_control.default_policy = "one_factor"; + session.domain = "example.com"; + storage.local.path = "/tmp/db.sqlite3"; + notifier.filesystem.filename = "/tmp/notifications.txt"; + }; + }; + + # These should not be set from nix but through other means to not leak the secret! + # This is purely for testing purposes! + environment.etc."authelia/storageEncryptionKeyFile" = { + mode = "0400"; + user = "authelia-testing"; + text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this"; + }; + environment.etc."authelia/jwtSecretFile" = { + mode = "0400"; + user = "authelia-testing"; + text = "a_very_important_secret"; + }; + environment.etc."authelia/users_database.yml" = { + mode = "0400"; + user = "authelia-testing"; + text = '' + users: + bob: + disabled: false + displayname: bob + # password of password + password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs + email: bob@jim.com + groups: + - admin + - dev + ''; + }; + + services.traefik = { + enable = true; + + dynamicConfigOptions = { + tls.certificates = + let + certDir = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=example.com/CN=auth.example.com/CN=static.example.com' -days 36500 + mkdir -p $out + cp key.pem cert.pem $out + ''; + in + [{ + certFile = "${certDir}/cert.pem"; + keyFile = "${certDir}/key.pem"; + }]; + http.middlewares.authelia.forwardAuth = { + address = "http://localhost:9091/api/verify?rd=https%3A%2F%2Fauth.example.com%2F"; + trustForwardHeader = true; + authResponseHeaders = [ + "Remote-User" + "Remote-Groups" + "Remote-Email" + "Remote-Name" + ]; + }; + http.middlewares.authelia-basic.forwardAuth = { + address = "http://localhost:9091/api/verify?auth=basic"; + trustForwardHeader = true; + authResponseHeaders = [ + "Remote-User" + "Remote-Groups" + "Remote-Email" + "Remote-Name" + ]; + }; + + http.routers.simplehttp = { + rule = "Host(`static.example.com`)"; + tls = true; + entryPoints = "web"; + service = "simplehttp"; + }; + http.routers.simplehttp-basic-auth = { + rule = "Host(`static-basic-auth.example.com`)"; + tls = true; + entryPoints = "web"; + service = "simplehttp"; + middlewares = [ "authelia-basic@file" ]; + }; + + http.services.simplehttp = { + loadBalancer.servers = [{ + url = "http://localhost:8000"; + }]; + }; + + http.routers.authelia = { + rule = "Host(`auth.example.com`)"; + tls = true; + entryPoints = "web"; + service = "authelia@file"; + }; + + http.services.authelia = { + loadBalancer.servers = [{ + url = "http://localhost:9091"; + }]; + }; + }; + + staticConfigOptions = { + global = { + checkNewVersion = false; + sendAnonymousUsage = false; + }; + + entryPoints.web.address = ":443"; + }; + }; + + systemd.services.simplehttp = + let fakeWebPageDir = pkgs.writeTextDir "index.html" "hello"; in + { + script = "${pkgs.python3}/bin/python -m http.server --directory ${fakeWebPageDir} 8000"; + serviceConfig.Type = "simple"; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; + + testScript = '' + start_all() + + authelia.wait_for_unit("simplehttp.service") + authelia.wait_for_unit("traefik.service") + authelia.wait_for_unit("authelia-testing.service") + authelia.wait_for_open_port(443) + authelia.wait_for_unit("multi-user.target") + + with subtest("Check for authelia"): + # expect the login page + assert "Login - Authelia", "could not reach authelia" in \ + authelia.succeed("curl --insecure -sSf -H Host:auth.example.com https://authelia:443/") + + with subtest("Check contacting basic http server via traefik with https works"): + assert "hello", "could not reach raw static site" in \ + authelia.succeed("curl --insecure -sSf -H Host:static.example.com https://authelia:443/") + + with subtest("Test traefik and authelia"): + with subtest("No details fail"): + authelia.fail("curl --insecure -sSf -H Host:static-basic-auth.example.com https://authelia:443/") + with subtest("Incorrect details fail"): + authelia.fail("curl --insecure -sSf -u 'bob:wordpass' -H Host:static-basic-auth.example.com https://authelia:443/") + authelia.fail("curl --insecure -sSf -u 'alice:password' -H Host:static-basic-auth.example.com https://authelia:443/") + with subtest("Correct details pass"): + assert "hello", "could not reach authed static site with valid credentials" in \ + authelia.succeed("curl --insecure -sSf -u 'bob:password' -H Host:static-basic-auth.example.com https://authelia:443/") + ''; +}) |