selfhostblocks/test/blocks/authelia.nix

{ pkgs, lib, ... }:
let
  pkgs' = pkgs;

  ldapAdminPassword = "ldapAdminPassword";
in
{
  basic = pkgs.testers.runNixOSTest {
    name = "authelia-basic";

    nodes.machine = { config, pkgs, ... }: {
      imports = [
        (pkgs'.path + "/nixos/modules/profiles/headless.nix")
        (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
        {
          options = {
            shb.backup = lib.mkOption { type = lib.types.anything; };
          };
        }
        ../../modules/blocks/authelia.nix
        ../../modules/blocks/ldap.nix
        ../../modules/blocks/postgresql.nix
      ];

      shb.ldap = {
        enable = true;
        dcdomain = "dc=example,dc=com";
        subdomain = "ldap";
        domain = "machine";
        ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;
        jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
      };

      shb.authelia = {
        enable = true;
        subdomain = "authelia";
        domain = "machine";
        ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
        dcdomain = config.shb.ldap.dcdomain;
        secrets = {
          jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
          ldapAdminPasswordFile = pkgs.writeText "ldapAdminPasswordFile" ldapAdminPassword;
          sessionSecretFile = pkgs.writeText "sessionSecretFile" "sessionSecretFile";
          storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKeyFile" "storageEncryptionKeyFile";
          identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecretFile" "identityProvidersOIDCHMACSecretFile";
          # This needs to be of the correct shape and at least 2048 bits. Generated with:
          #   nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048
          identityProvidersOIDCIssuerPrivateKeyFile = pkgs.writeText "identityProvidersOIDCIssuerPrivateKeyFile" (builtins.readFile ./keypair.pem);
        };

        oidcClients = [
          {
            id = "client1";
            description = "My Client 1";
            secret.source = pkgs.writeText "secret" "mysecuresecret";
            public = false;
            authorization_policy = "one_factor";
            redirect_uris = [ "http://client1.machine/redirect" ];
          }
          {
            id = "client2";
            description = "My Client 2";
            secret.source = pkgs.writeText "secret" "myothersecret";
            public = false;
            authorization_policy = "one_factor";
            redirect_uris = [ "http://client2.machine/redirect" ];
          }
        ];
      };
    };

    testScript = { nodes, ... }: ''
    import json

    start_all()
    machine.wait_for_unit("lldap.service")
    machine.wait_for_unit("authelia-authelia.machine.service")
    machine.wait_for_open_port(${toString nodes.machine.services.authelia.instances."authelia.machine".settings.server.port})

    endpoints = json.loads(machine.succeed("curl -s http://machine/.well-known/openid-configuration"))
    auth_endpoint = endpoints['authorization_endpoint']

    machine.succeed(
        "curl -f -s '"
        + auth_endpoint
        + "?client_id=other"
        + "&redirect_uri=http://client1.machine/redirect"
        + "&scope=openid%20profile%20email"
        + "&response_type=code"
        + "&state=99999999'"
    )

    machine.succeed(
        "curl -f -s '"
        + auth_endpoint
        + "?client_id=client1"
        + "&redirect_uri=http://client1.machine/redirect"
        + "&scope=openid%20profile%20email"
        + "&response_type=code"
        + "&state=11111111'"
    )

    machine.succeed(
        "curl -f -s '"
        + auth_endpoint
        + "?client_id=client2"
        + "&redirect_uri=http://client2.machine/redirect"
        + "&scope=openid%20profile%20email"
        + "&response_type=code"
        + "&state=22222222'"
    )
    '';
  };
}
add test for authelia 2023-12-11 06:56:31 +01:00			`{ pkgs, lib, ... }:`
			`let`
move CI to garnix (#210) 2024-03-20 06:50:41 +01:00			`pkgs' = pkgs;`

add test for authelia 2023-12-11 06:56:31 +01:00			`ldapAdminPassword = "ldapAdminPassword";`
			`in`
			`{`
move CI to garnix (#210) 2024-03-20 06:50:41 +01:00			`basic = pkgs.testers.runNixOSTest {`
add test for authelia 2023-12-11 06:56:31 +01:00			`name = "authelia-basic";`

			`nodes.machine = { config, pkgs, ... }: {`
			`imports = [`
move CI to garnix (#210) 2024-03-20 06:50:41 +01:00			`(pkgs'.path + "/nixos/modules/profiles/headless.nix")`
			`(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")`
add test for authelia 2023-12-11 06:56:31 +01:00			`{`
			`options = {`
			`shb.backup = lib.mkOption { type = lib.types.anything; };`
			`};`
			`}`
			`../../modules/blocks/authelia.nix`
			`../../modules/blocks/ldap.nix`
			`../../modules/blocks/postgresql.nix`
			`];`

			`shb.ldap = {`
			`enable = true;`
			`dcdomain = "dc=example,dc=com";`
			`subdomain = "ldap";`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`domain = "machine";`
add test for authelia 2023-12-11 06:56:31 +01:00			`ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;`
			`jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";`
			`};`

			`shb.authelia = {`
			`enable = true;`
			`subdomain = "authelia";`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`domain = "machine";`
add test for authelia 2023-12-11 06:56:31 +01:00			`ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";`
			`dcdomain = config.shb.ldap.dcdomain;`
			`secrets = {`
			`jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";`
			`ldapAdminPasswordFile = pkgs.writeText "ldapAdminPasswordFile" ldapAdminPassword;`
			`sessionSecretFile = pkgs.writeText "sessionSecretFile" "sessionSecretFile";`
			`storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKeyFile" "storageEncryptionKeyFile";`
			`identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecretFile" "identityProvidersOIDCHMACSecretFile";`
			`# This needs to be of the correct shape and at least 2048 bits. Generated with:`
			`# nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048`
			`identityProvidersOIDCIssuerPrivateKeyFile = pkgs.writeText "identityProvidersOIDCIssuerPrivateKeyFile" (builtins.readFile ./keypair.pem);`
			`};`

			`oidcClients = [`
			`{`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`id = "client1";`
			`description = "My Client 1";`
move templating code to lib file 2024-03-01 00:34:53 +01:00			`secret.source = pkgs.writeText "secret" "mysecuresecret";`
Combine authelia client YAML's into one YAML file - Fixes #126 - Generate a single oidc_clients.yaml to define all clients - `public` property of OIDC clients is now a bool (as it should be), not a string. - sed pattern changed to allow multiple replacements 2024-01-21 08:17:25 +01:00			`public = false;`
add test for authelia 2023-12-11 06:56:31 +01:00			`authorization_policy = "one_factor";`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`redirect_uris = [ "http://client1.machine/redirect" ];`
			`}`
			`{`
			`id = "client2";`
			`description = "My Client 2";`
move templating code to lib file 2024-03-01 00:34:53 +01:00			`secret.source = pkgs.writeText "secret" "myothersecret";`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`public = false;`
			`authorization_policy = "one_factor";`
			`redirect_uris = [ "http://client2.machine/redirect" ];`
add test for authelia 2023-12-11 06:56:31 +01:00			`}`
			`];`
			`};`
			`};`

			`testScript = { nodes, ... }: ''`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`import json`

add test for authelia 2023-12-11 06:56:31 +01:00			`start_all()`
			`machine.wait_for_unit("lldap.service")`
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`machine.wait_for_unit("authelia-authelia.machine.service")`
			`machine.wait_for_open_port(${toString nodes.machine.services.authelia.instances."authelia.machine".settings.server.port})`

			`endpoints = json.loads(machine.succeed("curl -s http://machine/.well-known/openid-configuration"))`
			`auth_endpoint = endpoints['authorization_endpoint']`

			`machine.succeed(`
			`"curl -f -s '"`
			`+ auth_endpoint`
			`+ "?client_id=other"`
			`+ "&redirect_uri=http://client1.machine/redirect"`
			`+ "&scope=openid%20profile%20email"`
			`+ "&response_type=code"`
			`+ "&state=99999999'"`
			`)`

			`machine.succeed(`
			`"curl -f -s '"`
			`+ auth_endpoint`
			`+ "?client_id=client1"`
			`+ "&redirect_uri=http://client1.machine/redirect"`
			`+ "&scope=openid%20profile%20email"`
			`+ "&response_type=code"`
			`+ "&state=11111111'"`
			`)`
add test for authelia 2023-12-11 06:56:31 +01:00
make authelia test validate clients exists 2024-01-24 06:52:23 +01:00			`machine.succeed(`
			`"curl -f -s '"`
			`+ auth_endpoint`
			`+ "?client_id=client2"`
			`+ "&redirect_uri=http://client2.machine/redirect"`
			`+ "&scope=openid%20profile%20email"`
			`+ "&response_type=code"`
			`+ "&state=22222222'"`
			`)`
add test for authelia 2023-12-11 06:56:31 +01:00			`'';`
			`};`
			`}`