{ pkgs, lib, ... }: let pkgs' = pkgs; ldapAdminPassword = "ldapAdminPassword"; in { basic = pkgs.testers.runNixOSTest { name = "authelia-basic"; nodes.machine = { config, pkgs, ... }: { imports = [ (pkgs'.path + "/nixos/modules/profiles/headless.nix") (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix") ../../modules/blocks/authelia.nix ../../modules/blocks/hardcodedsecret.nix ../../modules/blocks/ldap.nix ../../modules/blocks/postgresql.nix ]; networking.hosts = { "127.0.0.1" = [ "machine.com" "client1.machine.com" "client2.machine.com" "ldap.machine.com" "authelia.machine.com" ]; }; shb.ldap = { enable = true; dcdomain = "dc=example,dc=com"; subdomain = "ldap"; domain = "machine.com"; ldapUserPassword.result.path = pkgs.writeText "user_password" ldapAdminPassword; jwtSecret.result.path = pkgs.writeText "jwt_secret" "securejwtsecret"; }; shb.authelia = { enable = true; subdomain = "authelia"; domain = "machine.com"; ldapHostname = "${config.shb.ldap.subdomain}.${config.shb.ldap.domain}"; ldapPort = config.shb.ldap.ldapPort; dcdomain = config.shb.ldap.dcdomain; secrets = { jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path; ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path; sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path; storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path; identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path; identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path; }; oidcClients = [ { client_id = "client1"; client_name = "My Client 1"; client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$LR2wY11djfLrVQixdlLJew$rPByqFt6JfbIIAITxzAXckwh51QgV8E5YZmA8rXOzkMfBUcMq7cnOKEXF6MAFbjZaGf3J/B1OzLWZTCuZtALVw"; public = false; authorization_policy = "one_factor"; redirect_uris = [ "http://client1.machine.com/redirect" ]; } { client_id = "client2"; client_name = "My Client 2"; client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$76EqVU1N9K.iTOvD4WJ6ww$hqNJU.UHphiCjMChSqk27lUTjDqreuMuyV/u39Esc6HyiRXp5Ecx89ypJ5M0xk3Na97vbgDpwz7il5uwzQ4bfw"; public = false; authorization_policy = "one_factor"; redirect_uris = [ "http://client2.machine.com/redirect" ]; } ]; }; shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // { content = "jwtSecret"; }; shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // { content = ldapAdminPassword; }; shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // { content = "sessionSecret"; }; shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // { content = "storageEncryptionKey"; }; shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // { content = "identityProvidersOIDCHMACSecret"; }; shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // { source = (pkgs.runCommand "gen-private-key" {} '' mkdir $out ${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096 '') + "/private.pem"; }; }; testScript = { nodes, ... }: '' import json start_all() machine.wait_for_unit("lldap.service") machine.wait_for_unit("authelia-authelia.machine.com.service") machine.wait_for_open_port(9091) endpoints = json.loads(machine.succeed("curl -s http://machine.com/.well-known/openid-configuration")) auth_endpoint = endpoints['authorization_endpoint'] machine.succeed( "curl -f -s '" + auth_endpoint + "?client_id=other" + "&redirect_uri=http://client1.machine.com/redirect" + "&scope=openid%20profile%20email" + "&response_type=code" + "&state=99999999'" ) machine.succeed( "curl -f -s '" + auth_endpoint + "?client_id=client1" + "&redirect_uri=http://client1.machine.com/redirect" + "&scope=openid%20profile%20email" + "&response_type=code" + "&state=11111111'" ) machine.succeed( "curl -f -s '" + auth_endpoint + "?client_id=client2" + "&redirect_uri=http://client2.machine.com/redirect" + "&scope=openid%20profile%20email" + "&response_type=code" + "&state=22222222'" ) ''; }; }