movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-14 21:49:34 +03:00
Code Issues Projects Releases Packages Wiki Activity

tests/acme: check consistent account hash for legacy settings

Browse source 
To allow migration from 23.11 to 24.05 without triggering re-registrations,
the account hashing behaviour of the previous release can be retained by setting
`security.acme.defaults.server` to `null`.

We better also check for hash consistency with that setting to avoid unexpected
account hash changes again.
This commit is contained in:
Oliver Schmidt 2024-06-06 14:28:54 +02:00
parent e62df55210
commit 26bae04567
1 changed files with 36 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

35
nixos/tests/acme.nix
View file

@ -200,6 +200,14 @@ in {
# Tests HTTP-01 verification using Lego's built-in web server # Tests HTTP-01 verification using Lego's built-in web server
http01lego.configuration = simpleConfig; http01lego.configuration = simpleConfig;
# account hash generation with default server from <= 23.11
http01lego_legacyAccountHash.configuration = lib.mkMerge [
simpleConfig
{
security.acme.defaults.server = lib.mkForce null;
}
];
renew.configuration = lib.mkMerge [ renew.configuration = lib.mkMerge [
simpleConfig simpleConfig
{ {
@ -424,7 +432,7 @@ in {
backoff = BackoffTracker() backoff = BackoffTracker()
def switch_to(node, name): def switch_to(node, name, allow_fail=False):
# On first switch, this will create a symlink to the current system so that we can # On first switch, this will create a symlink to the current system so that we can
# quickly switch between derivations # quickly switch between derivations
root_specs = "/tmp/specialisation" root_specs = "/tmp/specialisation"
@ -438,9 +446,14 @@ in {
if rc > 0: if rc > 0:
switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration" switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration"
if not allow_fail:
node.succeed( node.succeed(
f"{switcher_path} test" f"{switcher_path} test"
) )
else:
node.execute(
f"{switcher_path} test"
)
# Ensures the issuer of our cert matches the chain # Ensures the issuer of our cert matches the chain
@ -544,7 +557,7 @@ in {
check_issuer(webserver, "http.example.test", "pebble") check_issuer(webserver, "http.example.test", "pebble")
# Perform account hash test # Perform account hash test
with subtest("Assert that account hash didn't unexpected change"): with subtest("Assert that account hash didn't unexpectedly change"):
hash = webserver.succeed("ls /var/lib/acme/.lego/accounts/") hash = webserver.succeed("ls /var/lib/acme/.lego/accounts/")
print("Account hash: " + hash) print("Account hash: " + hash)
assert hash.strip() == "d590213ed52603e9128d" assert hash.strip() == "d590213ed52603e9128d"
@ -727,5 +740,23 @@ in {
webserver.wait_for_unit(f"acme-finished-{test_domain}.target") webserver.wait_for_unit(f"acme-finished-{test_domain}.target")
wait_for_server() wait_for_server()
check_connection_key_bits(client, test_domain, "384") check_connection_key_bits(client, test_domain, "384")
# Perform http-01 w/ lego test again, but using the pre-24.05 account hashing
# (see https://github.com/NixOS/nixpkgs/pull/317257)
with subtest("Check account hashing compatibility with pre-24.05 settings"):
webserver.succeed("rm -rf /var/lib/acme/.lego/accounts/*")
switch_to(webserver, "http01lego_legacyAccountHash", allow_fail=True)
# unit is failed, but in a way that this throws no exception:
try:
webserver.wait_for_unit("acme-finished-http.example.test.target")
except Exception:
# The unit is allowed or even expected to fail due to not being able to
# reach the actual letsencrypt server. We only use it for serialising the
# test execution, such that the account check is done after the service run
# involving the account creation has been executed at least once.
pass
hash = webserver.succeed("ls /var/lib/acme/.lego/accounts/")
print("Account hash: " + hash)
assert hash.strip() == "1ccf607d9aa280e9af00"
''; '';
} }