hosting/selfhostblocks
1
0
Fork 0
Code Issues Activity

flake.lock: Update (#244)

Browse source 
Automated changes by the
[update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock)
GitHub Action.

```
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9ca3f649614213b2aaf5f1e16ec06952fe4c2632?narHash=sha256-7EXDb5WBw%2Bd004Agt%2BJHC/Oyh/KTUglOaQ4MNjBbo5w%3D' (2024-05-27)
  → 'github:nixos/nixpkgs/71e91c409d1e654808b2621f28a327acfdad8dc2?narHash=sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w%3D' (2024-08-28)
```

### Running GitHub Actions on this PR

GitHub Actions will not run workflows on pull requests which are opened
by a GitHub Action.

To run GitHub Actions workflows on this PR, run:

```sh
git branch -D update_flake_lock_action
git fetch origin
git checkout update_flake_lock_action
git commit --amend --no-edit
git push origin update_flake_lock_action --force
```

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This commit is contained in:
Pierre Penninckx 2024-08-31 00:57:21 -07:00 committed by GitHub
parent 1774b61cfe
commit eb791b3019
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 121 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
CHANGELOG.md
View file

@ -9,6 +9,11 @@
- Bump Nextcloud default version from 27 to 28. Add support for version 29. - Bump Nextcloud default version from 27 to 28. Add support for version 29.
- Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now. - Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
- Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID. - Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
- Authelia options changed:
- `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
- `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
- `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
- Vaultwarden data folder changed to `/var/lib/vaultwarden`.
## User Facing Backwards Compatible Changes ## User Facing Backwards Compatible Changes

2
docs/contributing.md
View file

@ -21,8 +21,6 @@ gets updated. I intend to upstream to nixpkgs as much of those as makes sense.
Run all tests: Run all tests:
```bash ```bash
$ nix build .#checks.${system}.all
# or
$ nix flake check $ nix flake check
# or # or
$ nix run github:Mic92/nix-fast-build -- --skip-cached --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)" $ nix run github:Mic92/nix-fast-build -- --skip-cached --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"

6
flake.lock
View file

@ -35,11 +35,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1716769173, "lastModified": 1724819573,
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=", "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9ca3f649614213b2aaf5f1e16ec06952fe4c2632", "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
"type": "github" "type": "github"
}, },
"original": { "original": {

17
flake.nix
View file

@ -15,14 +15,11 @@
let let
originPkgs = nixpkgs.legacyPackages.${system}; originPkgs = nixpkgs.legacyPackages.${system};
patches = [ patches = [
(originPkgs.fetchpatch { # Leaving commented out for an example.
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/315018.patch"; # (originPkgs.fetchpatch {
hash = "sha256-8jcGyO/d+htfv/ZajxXh89S3OiDZAr7/fsWC1JpGczM="; # url = "https://github.com/NixOS/nixpkgs/pull/317107.patch";
}) # hash = "sha256-hoLrqV7XtR1hP/m0rV9hjYUBtrSjay0qcPUYlKKuVWk=";
(originPkgs.fetchpatch { # })
url = "https://github.com/NixOS/nixpkgs/pull/317107.patch";
hash = "sha256-hoLrqV7XtR1hP/m0rV9hjYUBtrSjay0qcPUYlKKuVWk=";
})
]; ];
patchedNixpkgs = originPkgs.applyPatches { patchedNixpkgs = originPkgs.applyPatches {
name = "nixpkgs-patched"; name = "nixpkgs-patched";
@ -99,10 +96,6 @@
shblib = pkgs.callPackage ./lib {}; shblib = pkgs.callPackage ./lib {};
in (rec { in (rec {
all = mergeTests [
modules
];
modules = shblib.check { modules = shblib.check {
inherit pkgs; inherit pkgs;
tests = tests =

60
modules/blocks/authelia.nix
View file

@ -41,8 +41,8 @@ in
ldapEndpoint = lib.mkOption { ldapEndpoint = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Endpoint for LDAP authentication backend."; description = "Endpoint of the LDAP authentication backend.";
example = "ldap.example.com"; example = "ldap://ldap.example.com:389";
}; };
dcdomain = lib.mkOption { dcdomain = lib.mkOption {
@ -97,9 +97,9 @@ in
description = "OIDC clients"; description = "OIDC clients";
default = [ default = [
{ {
id = "dummy_client"; client_id = "dummy_client";
description = "Dummy Client so Authelia can start"; client_name = "Dummy Client so Authelia can start";
secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret"; client_secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = []; redirect_uris = [];
@ -109,20 +109,33 @@ in
freeformType = lib.types.attrsOf lib.types.anything; freeformType = lib.types.attrsOf lib.types.anything;
options = { options = {
id = lib.mkOption { client_id = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Unique identifier of the OIDC client."; description = "Unique identifier of the OIDC client.";
}; };
description = lib.mkOption { client_name = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Human readable description of the OIDC client."; description = "Human readable description of the OIDC client.";
default = null; default = null;
}; };
secret = lib.mkOption { client_secret = lib.mkOption {
type = shblib.secretFileType; type = shblib.secretFileType;
description = "File containing the shared secret with the OIDC client."; description = ''
File containing the shared secret with the OIDC client.
Generate with:
```
nix run nixpkgs#authelia -- \
crypto hash generate pbkdf2 \
--variant sha512 \
--random \
--random.length 72 \
--random.charset rfc3986
```
'';
}; };
public = lib.mkOption { public = lib.mkOption {
@ -278,8 +291,7 @@ in
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile); AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
}; };
settings = { settings = {
server.host = "127.0.0.1"; server.address = "tcp://127.0.0.1:9091";
server.port = 9091;
# Inspired from https://github.com/lldap/lldap/blob/7d1f5abc137821c500de99c94f7579761fc949d8/example_configs/authelia_config.yml # Inspired from https://github.com/lldap/lldap/blob/7d1f5abc137821c500de99c94f7579761fc949d8/example_configs/authelia_config.yml
authentication_backend = { authentication_backend = {
@ -289,20 +301,22 @@ in
}; };
ldap = { ldap = {
implementation = "custom"; implementation = "custom";
url = cfg.ldapEndpoint; address = cfg.ldapEndpoint;
timeout = "5s"; timeout = "5s";
start_tls = "false"; start_tls = "false";
base_dn = cfg.dcdomain; base_dn = cfg.dcdomain;
username_attribute = "uid";
additional_users_dn = "ou=people"; additional_users_dn = "ou=people";
# Sign in with username or email. # Sign in with username or email.
users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"; users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
additional_groups_dn = "ou=groups"; additional_groups_dn = "ou=groups";
groups_filter = "(member={dn})"; groups_filter = "(member={dn})";
group_name_attribute = "cn";
mail_attribute = "mail";
display_name_attribute = "displayName";
user = "uid=admin,ou=people,${cfg.dcdomain}"; user = "uid=admin,ou=people,${cfg.dcdomain}";
attributes = {
username = "uid";
group_name = "cn";
mail = "mail";
display_name = "displayName";
};
}; };
}; };
totp = { totp = {
@ -317,11 +331,14 @@ in
# Inspired from https://www.authelia.com/configuration/session/introduction/ and https://www.authelia.com/configuration/session/redis # Inspired from https://www.authelia.com/configuration/session/introduction/ and https://www.authelia.com/configuration/session/redis
session = { session = {
name = "authelia_session"; name = "authelia_session";
domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}"; cookies = [{
domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
authelia_url = "https://${cfg.subdomain}.${cfg.domain}";
}];
same_site = "lax"; same_site = "lax";
expiration = "1h"; expiration = "1h";
inactivity = "5m"; inactivity = "5m";
remember_me_duration = "1M"; remember_me = "1M";
redis = { redis = {
host = config.services.redis.servers.authelia.unixSocket; host = config.services.redis.servers.authelia.unixSocket;
port = 0; port = 0;
@ -329,10 +346,9 @@ in
}; };
storage = { storage = {
postgres = { postgres = {
host = "/run/postgresql"; address = "unix:///run/postgresql";
username = autheliaCfg.user; username = autheliaCfg.user;
database = autheliaCfg.user; database = autheliaCfg.user;
port = config.services.postgresql.port;
# Uses peer auth for local users, so we don't need a password. # Uses peer auth for local users, so we don't need a password.
password = "test"; password = "test";
}; };
@ -416,7 +432,7 @@ in
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade; proxy_cache_bypass $http_upgrade;
proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port}; proxy_pass http://127.0.0.1:9091;
proxy_intercept_errors on; proxy_intercept_errors on;
if ($request_method !~ ^(POST)$){ if ($request_method !~ ^(POST)$){
error_page 401 = /error/401; error_page 401 = /error/401;
@ -435,7 +451,7 @@ in
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
proxy_set_header Host $http_x_forwarded_host; proxy_set_header Host $http_x_forwarded_host;
proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port}; proxy_pass http://127.0.0.1:9091;
''; '';
}; };

8
modules/blocks/monitoring.nix
View file

@ -288,6 +288,14 @@ in
hash = "sha256-79hK7axHf6soku5DvdXkE/0K4WKc4pnS9VMbVc1FS2I="; hash = "sha256-79hK7axHf6soku5DvdXkE/0K4WKc4pnS9VMbVc1FS2I=";
}; };
subPackages = [
"cmd/loki"
"cmd/loki-canary"
"clients/cmd/promtail"
"cmd/logcli"
# Removes "cmd/lokitool"
];
ldflags = let t = "github.com/grafana/loki/pkg/util/build"; in [ ldflags = let t = "github.com/grafana/loki/pkg/util/build"; in [
"-s" "-s"
"-w" "-w"

6
modules/services/audiobookshelf.nix
View file

@ -152,9 +152,9 @@ in
shb.authelia.oidcClients = [ shb.authelia.oidcClients = [
{ {
id = cfg.oidcClientID; client_id = cfg.oidcClientID;
description = "Audiobookshelf"; client_name = "Audiobookshelf";
secret.source = cfg.ssoSecretFile; client_secret.source = cfg.ssoSecretFile;
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = [ redirect_uris = [

6
modules/services/jellyfin.nix
View file

@ -415,9 +415,9 @@ in
shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [ shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [
{ {
id = cfg.sso.clientID; client_id = cfg.sso.clientID;
description = "Jellyfin"; client_name = "Jellyfin";
secret.source = cfg.sso.secretFile; client_secret.source = cfg.sso.secretFile;
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ]; redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];

6
modules/services/nextcloud-server.nix
View file

@ -977,9 +977,9 @@ in
shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [ shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
{ {
id = cfg.apps.sso.clientID; client_id = cfg.apps.sso.clientID;
description = "Nextcloud"; client_name = "Nextcloud";
secret.source = cfg.apps.sso.secretFileForAuthelia; client_secret.source = cfg.apps.sso.secretFileForAuthelia;
public = false; public = false;
authorization_policy = cfg.apps.sso.authorization_policy; authorization_policy = cfg.apps.sso.authorization_policy;
redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ]; redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];

5
modules/services/vaultwarden.nix
View file

@ -8,7 +8,7 @@ let
fqdn = "${cfg.subdomain}.${cfg.domain}"; fqdn = "${cfg.subdomain}.${cfg.domain}";
dataFolder = "/var/lib/bitwarden_rs"; dataFolder = "/var/lib/vaultwarden";
in in
{ {
options.shb.vaultwarden = { options.shb.vaultwarden = {
@ -152,7 +152,6 @@ in
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
config = { config = {
DATA_FOLDER = dataFolder;
IP_HEADER = "X-Real-IP"; IP_HEADER = "X-Real-IP";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
# Disabled because the /admin path is protected by SSO # Disabled because the /admin path is protected by SSO
@ -182,6 +181,8 @@ in
"d ${dataFolder} 0750 vaultwarden vaultwarden" "d ${dataFolder} 0750 vaultwarden vaultwarden"
"f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden" "f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
]; ];
# Needed to be able to write template config.
systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false;
systemd.services.vaultwarden.preStart = systemd.services.vaultwarden.preStart =
shblib.replaceSecrets { shblib.replaceSecrets {
userConfig = { userConfig = {

44
test/blocks/authelia.nix
View file

@ -17,11 +17,21 @@ in
../../modules/blocks/postgresql.nix ../../modules/blocks/postgresql.nix
]; ];
networking.hosts = {
"127.0.0.1" = [
"machine.com"
"client1.machine.com"
"client2.machine.com"
"ldap.machine.com"
"authelia.machine.com"
];
};
shb.ldap = { shb.ldap = {
enable = true; enable = true;
dcdomain = "dc=example,dc=com"; dcdomain = "dc=example,dc=com";
subdomain = "ldap"; subdomain = "ldap";
domain = "machine"; domain = "machine.com";
ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword; ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;
jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret"; jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
}; };
@ -29,8 +39,8 @@ in
shb.authelia = { shb.authelia = {
enable = true; enable = true;
subdomain = "authelia"; subdomain = "authelia";
domain = "machine"; domain = "machine.com";
ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}"; ldapEndpoint = "ldap://${config.shb.ldap.subdomain}.${config.shb.ldap.domain}:${toString config.shb.ldap.ldapPort}";
dcdomain = config.shb.ldap.dcdomain; dcdomain = config.shb.ldap.dcdomain;
secrets = { secrets = {
jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile"; jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
@ -45,20 +55,20 @@ in
oidcClients = [ oidcClients = [
{ {
id = "client1"; client_id = "client1";
description = "My Client 1"; client_name = "My Client 1";
secret.source = pkgs.writeText "secret" "mysecuresecret"; client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$LR2wY11djfLrVQixdlLJew$rPByqFt6JfbIIAITxzAXckwh51QgV8E5YZmA8rXOzkMfBUcMq7cnOKEXF6MAFbjZaGf3J/B1OzLWZTCuZtALVw";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = [ "http://client1.machine/redirect" ]; redirect_uris = [ "http://client1.machine.com/redirect" ];
} }
{ {
id = "client2"; client_id = "client2";
description = "My Client 2"; client_name = "My Client 2";
secret.source = pkgs.writeText "secret" "myothersecret"; client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$76EqVU1N9K.iTOvD4WJ6ww$hqNJU.UHphiCjMChSqk27lUTjDqreuMuyV/u39Esc6HyiRXp5Ecx89ypJ5M0xk3Na97vbgDpwz7il5uwzQ4bfw";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = [ "http://client2.machine/redirect" ]; redirect_uris = [ "http://client2.machine.com/redirect" ];
} }
]; ];
}; };
@ -69,17 +79,17 @@ in
start_all() start_all()
machine.wait_for_unit("lldap.service") machine.wait_for_unit("lldap.service")
machine.wait_for_unit("authelia-authelia.machine.service") machine.wait_for_unit("authelia-authelia.machine.com.service")
machine.wait_for_open_port(${toString nodes.machine.services.authelia.instances."authelia.machine".settings.server.port}) machine.wait_for_open_port(9091)
endpoints = json.loads(machine.succeed("curl -s http://machine/.well-known/openid-configuration")) endpoints = json.loads(machine.succeed("curl -s http://machine.com/.well-known/openid-configuration"))
auth_endpoint = endpoints['authorization_endpoint'] auth_endpoint = endpoints['authorization_endpoint']
machine.succeed( machine.succeed(
"curl -f -s '" "curl -f -s '"
+ auth_endpoint + auth_endpoint
+ "?client_id=other" + "?client_id=other"
+ "&redirect_uri=http://client1.machine/redirect" + "&redirect_uri=http://client1.machine.com/redirect"
+ "&scope=openid%20profile%20email" + "&scope=openid%20profile%20email"
+ "&response_type=code" + "&response_type=code"
+ "&state=99999999'" + "&state=99999999'"
@ -89,7 +99,7 @@ in
"curl -f -s '" "curl -f -s '"
+ auth_endpoint + auth_endpoint
+ "?client_id=client1" + "?client_id=client1"
+ "&redirect_uri=http://client1.machine/redirect" + "&redirect_uri=http://client1.machine.com/redirect"
+ "&scope=openid%20profile%20email" + "&scope=openid%20profile%20email"
+ "&response_type=code" + "&response_type=code"
+ "&state=11111111'" + "&state=11111111'"
@ -99,7 +109,7 @@ in
"curl -f -s '" "curl -f -s '"
+ auth_endpoint + auth_endpoint
+ "?client_id=client2" + "?client_id=client2"
+ "&redirect_uri=http://client2.machine/redirect" + "&redirect_uri=http://client2.machine.com/redirect"
+ "&scope=openid%20profile%20email" + "&scope=openid%20profile%20email"
+ "&response_type=code" + "&response_type=code"
+ "&state=22222222'" + "&state=22222222'"

16
test/blocks/ssl.nix
View file

@ -103,8 +103,20 @@ in
"multi3.example.com" = mkVirtualHost "multi3" config.shb.certs.certs.selfsigned.multi; "multi3.example.com" = mkVirtualHost "multi3" config.shb.certs.certs.selfsigned.multi;
}; };
systemd.services.nginx = { systemd.services.nginx = {
after = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ]; after = [
requires = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ]; config.shb.certs.certs.selfsigned.top.systemdService
config.shb.certs.certs.selfsigned.subdomain.systemdService
config.shb.certs.certs.selfsigned.multi.systemdService
config.shb.certs.certs.selfsigned.cert1.systemdService
config.shb.certs.certs.selfsigned.cert2.systemdService
];
requires = [
config.shb.certs.certs.selfsigned.top.systemdService
config.shb.certs.certs.selfsigned.subdomain.systemdService
config.shb.certs.certs.selfsigned.multi.systemdService
config.shb.certs.certs.selfsigned.cert1.systemdService
config.shb.certs.certs.selfsigned.cert2.systemdService
];
}; };
}; };

3
test/common.nix
View file

@ -41,7 +41,8 @@ in
) )
+ lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") ( + lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
waitForPorts args waitForPorts args
++ (lib.optionals redirectSSO [ nodes.server.services.authelia.instances."auth.${domain}".settings.server.port ] ) # TODO: when the SSO block exists, replace this hardcoded port.
++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )
) )
+ lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args) + lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
+ '' + ''

9
test/services/vaultwarden.nix
View file

@ -31,7 +31,7 @@ let
{"email": "me@example.com"} {"email": "me@example.com"}
""")) """))
print(response) print(response)
if 'Kdf' not in response: if 'kdf' not in response:
raise Exception("Unrecognized response: {}".format(response)) raise Exception("Unrecognized response: {}".format(response))
with subtest("get token"): with subtest("get token"):
@ -45,7 +45,7 @@ let
&password=mypassword &password=mypassword
""")) """))
print(response) print(response)
if response["Message"] != "Username or password is incorrect. Try again": if response["message"] != "Username or password is incorrect. Try again":
raise Exception("Unrecognized response: {}".format(response)) raise Exception("Unrecognized response: {}".format(response))
''; '';
}; };
@ -174,6 +174,11 @@ in
nodes.client = {}; nodes.client = {};
testScript = commonTestScript.override { testScript = commonTestScript.override {
waitForPorts = { node, ... }: [
8222
5432
9091
];
extraScript = { proto_fqdn, ... }: '' extraScript = { proto_fqdn, ... }: ''
with subtest("unauthenticated access is not granted to /admin"): with subtest("unauthenticated access is not granted to /admin"):
response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}/admin") response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}/admin")