movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixosTests.haproxy: migrate to runTest

Browse source 
Part of #386873
This commit is contained in:
Piotr Kwiecinski 2025-04-19 23:44:16 +02:00
parent 9258185510
commit 1c40626d78
No known key found for this signature in database
GPG key ID: EC0DE1CB9D5258B4
2 changed files with 116 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/tests/all-tests.nix
View file

@ -597,7 +597,7 @@ in
}; };
haka = handleTest ./haka.nix { }; haka = handleTest ./haka.nix { };
haste-server = handleTest ./haste-server.nix { }; haste-server = handleTest ./haste-server.nix { };
haproxy = handleTest ./haproxy.nix { }; haproxy = runTest ./haproxy.nix;
hardened = handleTest ./hardened.nix { }; hardened = handleTest ./hardened.nix { };
harmonia = runTest ./harmonia.nix; harmonia = runTest ./harmonia.nix;
headscale = handleTest ./headscale.nix { }; headscale = handleTest ./headscale.nix { };

232
nixos/tests/haproxy.nix
View file

@ -1,140 +1,138 @@
import ./make-test-python.nix ( { lib, hostPkgs, ... }:
{ lib, pkgs, ... }: {
{ name = "haproxy";
name = "haproxy"; nodes = {
nodes = { server =
server = { pkgs, ... }:
{ ... }: {
{ services.haproxy = {
services.haproxy = { enable = true;
enable = true; config = ''
config = '' global
global limited-quic
limited-quic
defaults defaults
mode http mode http
timeout connect 10s timeout connect 10s
timeout client 10s timeout client 10s
timeout server 10s timeout server 10s
log /dev/log local0 debug err log /dev/log local0 debug err
option logasap option logasap
option httplog option httplog
option httpslog option httpslog
backend http_server backend http_server
server httpd [::1]:8000 alpn http/1.1 server httpd [::1]:8000 alpn http/1.1
frontend http frontend http
bind :80 bind :80
bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1 bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1
bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt
http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc } http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc }
http-request use-service prometheus-exporter if { path /metrics } http-request use-service prometheus-exporter if { path /metrics }
use_backend http_server use_backend http_server
frontend http-cert-auth frontend http-cert-auth
bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt
bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3 bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3
use_backend http_server use_backend http_server
''; '';
};
services.httpd = {
enable = true;
virtualHosts.localhost = {
documentRoot = pkgs.writeTextDir "index.txt" "We are all good!";
adminAddr = "notme@yourhost.local";
listen = [
{
ip = "::1";
port = 8000;
}
];
};
};
networking.firewall.allowedTCPPorts = [
80
443
8443
];
networking.firewall.allowedUDPPorts = [
443
8443
];
}; };
client = services.httpd = {
{ ... }: enable = true;
{ virtualHosts.localhost = {
environment.systemPackages = [ pkgs.curlHTTP3 ]; documentRoot = pkgs.writeTextDir "index.txt" "We are all good!";
adminAddr = "notme@yourhost.local";
listen = [
{
ip = "::1";
port = 8000;
}
];
};
}; };
}; networking.firewall.allowedTCPPorts = [
testScript = '' 80
# Helpers 443
def cmd(command): 8443
print(f"+{command}") ];
r = os.system(command) networking.firewall.allowedUDPPorts = [
if r != 0: 443
raise Exception(f"Command {command} failed with exit code {r}") 8443
];
};
client =
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.curlHTTP3 ];
};
};
testScript = ''
# Helpers
def cmd(command):
print(f"+{command}")
r = os.system(command)
if r != 0:
raise Exception(f"Command {command} failed with exit code {r}")
def openssl(command): def openssl(command):
cmd(f"${pkgs.openssl}/bin/openssl {command}") cmd(f"${lib.getExe hostPkgs.openssl} {command}")
# Generate CA. # Generate CA.
openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt") openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt")
# Generate and sign Server. # Generate and sign Server.
openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr") openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr")
openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7") openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7")
cmd("cat server.crt server.key > fullchain.pem") cmd("cat server.crt server.key > fullchain.pem")
# Generate and sign Client. # Generate and sign Client.
openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr") openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr")
openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7") openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7")
cmd("cat client.crt client.key > client.pem") cmd("cat client.crt client.key > client.pem")
# Start the actual test. # Start the actual test.
start_all() start_all()
server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem") server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem")
server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt") server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt") server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt")
client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt") client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
client.copy_from_host("client.pem", "/root/client.pem") client.copy_from_host("client.pem", "/root/client.pem")
server.wait_for_unit("multi-user.target") server.wait_for_unit("multi-user.target")
server.wait_for_unit("haproxy.service") server.wait_for_unit("haproxy.service")
server.wait_for_unit("httpd.service") server.wait_for_unit("httpd.service")
assert "We are all good!" in client.succeed("curl -f http://server/index.txt") assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics") assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics")
with subtest("https"): with subtest("https"):
assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt") assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt")
with subtest("https-cert-auth"): with subtest("https-cert-auth"):
# Client must succeed in authenticating with the right certificate. # Client must succeed in authenticating with the right certificate.
assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt") assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
# Client must fail without certificate. # Client must fail without certificate.
client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt") client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")
with subtest("h3"): with subtest("h3"):
assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt") assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt")
with subtest("h3-cert-auth"): with subtest("h3-cert-auth"):
# Client must succeed in authenticating with the right certificate. # Client must succeed in authenticating with the right certificate.
assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt") assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
# Client must fail without certificate. # Client must fail without certificate.
client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt") client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")
with subtest("reload"): with subtest("reload"):
server.succeed("systemctl reload haproxy") server.succeed("systemctl reload haproxy")
# wait some time to ensure the following request hits the reloaded haproxy # wait some time to ensure the following request hits the reloaded haproxy
server.sleep(5) server.sleep(5)
assert "We are all good!" in client.succeed("curl -f http://server/index.txt") assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
''; '';
} }
)