2024-05-25 00:02:38 +02:00
|
|
|
{ pkgs, lib, ... }:
|
|
|
|
let
|
|
|
|
pkgs' = pkgs;
|
|
|
|
|
2024-07-12 13:01:26 +02:00
|
|
|
testLib = pkgs.callPackage ../common.nix {};
|
|
|
|
|
2024-05-25 00:02:38 +02:00
|
|
|
subdomain = "v";
|
|
|
|
domain = "example.com";
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
commonTestScript = lib.makeOverridable testLib.accessScript {
|
|
|
|
inherit subdomain domain;
|
2024-07-12 13:01:26 +02:00
|
|
|
hasSSL = { node, ... }: !(isNull node.config.shb.vaultwarden.ssl);
|
|
|
|
waitForServices = { ... }: [
|
|
|
|
"vaultwarden.service"
|
|
|
|
"nginx.service"
|
|
|
|
];
|
|
|
|
waitForPorts = { node, ... }: [
|
|
|
|
8222
|
|
|
|
5432
|
|
|
|
];
|
2024-08-15 02:38:31 +02:00
|
|
|
# to get the get token test to succeed we need:
|
|
|
|
# 1. add group Vaultwarden_admin to LLDAP
|
|
|
|
# 2. add an Authelia user with to that group
|
|
|
|
# 3. login in Authelia with that user
|
|
|
|
# 4. go to the Vaultwarden /admin endpoint
|
|
|
|
# 5. create a Vaultwarden user
|
|
|
|
# 6. now login with that new user to Vaultwarden
|
|
|
|
extraScript = { node, proto_fqdn, ... }: ''
|
|
|
|
with subtest("prelogin"):
|
|
|
|
response = curl(client, "", "${proto_fqdn}/identity/accounts/prelogin", data=unline_with("", """
|
|
|
|
{"email": "me@example.com"}
|
|
|
|
"""))
|
|
|
|
print(response)
|
2024-08-31 09:57:21 +02:00
|
|
|
if 'kdf' not in response:
|
2024-08-15 02:38:31 +02:00
|
|
|
raise Exception("Unrecognized response: {}".format(response))
|
|
|
|
|
|
|
|
with subtest("get token"):
|
|
|
|
response = curl(client, "", "${proto_fqdn}/identity/connect/token", data=unline_with("", """
|
|
|
|
scope=api%20offline_access
|
|
|
|
&client_id=web
|
|
|
|
&deviceType=10
|
|
|
|
&deviceIdentifier=a60323bf-4686-4b4d-96e0-3c241fa5581c
|
|
|
|
&deviceName=firefox
|
|
|
|
&grant_type=password&username=me
|
|
|
|
&password=mypassword
|
|
|
|
"""))
|
|
|
|
print(response)
|
2024-08-31 09:57:21 +02:00
|
|
|
if response["message"] != "Username or password is incorrect. Try again":
|
2024-08-15 02:38:31 +02:00
|
|
|
raise Exception("Unrecognized response: {}".format(response))
|
|
|
|
'';
|
2024-07-12 13:01:26 +02:00
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
base = testLib.base pkgs' [
|
|
|
|
../../modules/services/vaultwarden.nix
|
|
|
|
];
|
2024-05-25 00:02:38 +02:00
|
|
|
|
|
|
|
basic = { config, ... }: {
|
2024-08-15 02:38:31 +02:00
|
|
|
shb.nginx.accessLog = true;
|
2024-05-25 00:02:38 +02:00
|
|
|
shb.vaultwarden = {
|
|
|
|
enable = true;
|
|
|
|
inherit subdomain domain;
|
2024-07-16 10:38:26 +02:00
|
|
|
|
2024-05-25 00:02:38 +02:00
|
|
|
port = 8222;
|
|
|
|
databasePasswordFile = pkgs.writeText "pwfile" "DBPASSWORDFILE";
|
|
|
|
};
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
# networking.hosts = {
|
|
|
|
# "127.0.0.1" = [ fqdn ];
|
2024-05-25 00:02:38 +02:00
|
|
|
# };
|
|
|
|
};
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
https = { config, ... }: {
|
|
|
|
shb.vaultwarden = {
|
2024-05-25 00:02:38 +02:00
|
|
|
ssl = config.shb.certs.certs.selfsigned.n;
|
|
|
|
};
|
2024-07-16 10:38:26 +02:00
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
# Not yet supported
|
|
|
|
# ldap = { config, ... }: {
|
|
|
|
# # shb.vaultwarden = {
|
2024-09-01 08:36:53 +02:00
|
|
|
# # ldapHostname = "127.0.0.1";
|
|
|
|
# # ldapPort = config.shb.ldap.webUIListenPort;
|
2024-07-16 10:38:26 +02:00
|
|
|
# # };
|
|
|
|
# };
|
2024-05-25 00:02:38 +02:00
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
sso = { config, ... }: {
|
2024-05-25 00:02:38 +02:00
|
|
|
shb.vaultwarden = {
|
|
|
|
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
|
|
|
};
|
|
|
|
};
|
2024-08-24 07:37:18 +02:00
|
|
|
|
|
|
|
backup = { config, ... }: {
|
|
|
|
imports = [
|
|
|
|
../../modules/blocks/restic.nix
|
|
|
|
];
|
|
|
|
shb.restic.instances."testinstance" = config.shb.vaultwarden.backup // {
|
|
|
|
enable = true;
|
2024-08-29 09:12:45 +02:00
|
|
|
passphraseFile = toString (pkgs.writeText "passphrase" "PassPhrase");
|
2024-08-24 07:37:18 +02:00
|
|
|
repositories = [
|
|
|
|
{
|
|
|
|
path = "/opt/repos/A";
|
|
|
|
timerConfig = {
|
|
|
|
OnCalendar = "00:00:00";
|
|
|
|
RandomizedDelaySec = "5h";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
in
|
|
|
|
{
|
|
|
|
basic = pkgs.testers.runNixOSTest {
|
|
|
|
name = "vaultwarden_basic";
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
nodes.server = {
|
|
|
|
imports = [
|
|
|
|
base
|
|
|
|
basic
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
nodes.client = {};
|
|
|
|
|
|
|
|
testScript = commonTestScript;
|
|
|
|
};
|
|
|
|
|
|
|
|
https = pkgs.testers.runNixOSTest {
|
|
|
|
name = "vaultwarden_https";
|
|
|
|
|
|
|
|
nodes.server = {
|
|
|
|
imports = [
|
|
|
|
base
|
|
|
|
(testLib.certs domain)
|
|
|
|
basic
|
|
|
|
https
|
|
|
|
];
|
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
|
|
|
|
nodes.client = {};
|
|
|
|
|
|
|
|
testScript = commonTestScript;
|
|
|
|
};
|
|
|
|
|
|
|
|
# Not yet supported
|
|
|
|
#
|
|
|
|
# ldap = pkgs.testers.runNixOSTest {
|
|
|
|
# name = "vaultwarden_ldap";
|
|
|
|
#
|
|
|
|
# nodes.server = lib.mkMerge [
|
|
|
|
# base
|
|
|
|
# basic
|
|
|
|
# ldap
|
|
|
|
# ];
|
|
|
|
#
|
|
|
|
# nodes.client = {};
|
|
|
|
#
|
|
|
|
# testScript = commonTestScript;
|
|
|
|
# };
|
|
|
|
|
|
|
|
sso = pkgs.testers.runNixOSTest {
|
|
|
|
name = "vaultwarden_sso";
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
nodes.server = { config, ... }: {
|
|
|
|
imports = [
|
|
|
|
base
|
|
|
|
(testLib.certs domain)
|
|
|
|
basic
|
|
|
|
https
|
|
|
|
(testLib.ldap domain pkgs')
|
|
|
|
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
|
|
|
|
sso
|
|
|
|
];
|
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
|
|
|
|
nodes.client = {};
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
testScript = commonTestScript.override {
|
2024-08-31 09:57:21 +02:00
|
|
|
waitForPorts = { node, ... }: [
|
|
|
|
8222
|
|
|
|
5432
|
|
|
|
9091
|
|
|
|
];
|
2024-07-16 10:38:26 +02:00
|
|
|
extraScript = { proto_fqdn, ... }: ''
|
|
|
|
with subtest("unauthenticated access is not granted to /admin"):
|
|
|
|
response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}/admin")
|
|
|
|
|
|
|
|
if response['code'] != 200:
|
|
|
|
raise Exception(f"Code is {response['code']}")
|
|
|
|
if response['auth_host'] != "auth.${domain}":
|
|
|
|
raise Exception(f"auth host should be auth.${domain} but is {response['auth_host']}")
|
|
|
|
if response['auth_query'] != "rd=${proto_fqdn}/admin":
|
|
|
|
raise Exception(f"auth query should be rd=${proto_fqdn}/admin but is {response['auth_query']}")
|
|
|
|
'';
|
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
};
|
2024-08-24 07:37:18 +02:00
|
|
|
|
|
|
|
backup = pkgs.testers.runNixOSTest {
|
|
|
|
name = "vaultwarden_backup";
|
|
|
|
|
|
|
|
nodes.server = { config, ... }: {
|
|
|
|
imports = [
|
|
|
|
base
|
|
|
|
basic
|
|
|
|
backup
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
nodes.client = {};
|
|
|
|
|
|
|
|
testScript = commonTestScript.override {
|
|
|
|
extraScript = { proto_fqdn, ... }: ''
|
|
|
|
with subtest("backup"):
|
|
|
|
server.succeed("systemctl start restic-backups-testinstance_opt_repos_A")
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
}
|