+1

nixos/tests/all-tests.nix

··· 156 156 couchdb = handleTest ./couchdb.nix {}; 157 157 cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {}; 158 158 cups-pdf = handleTest ./cups-pdf.nix {}; 159 159 + curl-impersonate = handleTest ./curl-impersonate.nix {}; 159 160 custom-ca = handleTest ./custom-ca.nix {}; 160 161 croc = handleTest ./croc.nix {}; 161 162 deluge = handleTest ./deluge.nix {};

+157

nixos/tests/curl-impersonate.nix

··· 1 1 + /* 2 2 + Test suite for curl-impersonate 3 3 + 4 4 + Abstract: 5 5 + Uses the test suite from the curl-impersonate source repo which: 6 6 + 7 7 + 1. Performs requests with libcurl and captures the TLS client-hello 8 8 + packets with tcpdump to compare against known-good signatures 9 9 + 2. Spins up an nghttpd2 server to test client HTTP/2 headers against 10 10 + known-good headers 11 11 + 12 12 + See https://github.com/lwthiker/curl-impersonate/tree/main/tests/signatures 13 13 + for details. 14 14 + 15 15 + Notes: 16 16 + - We need to have our own web server running because the tests expect to be able 17 17 + to hit domains like wikipedia.org and the sandbox has no internet 18 18 + - We need to be able to do (verifying) TLS handshakes without internet access. 19 19 + We do that by creating a trusted CA and issuing a cert that includes 20 20 + all of the test domains as subject-alternative names and then spoofs the 21 21 + hostnames in /etc/hosts. 22 22 + */ 23 23 + 24 24 + import ./make-test-python.nix ({ pkgs, lib, ... }: let 25 25 + # Update with domains in TestImpersonate.TEST_URLS if needed from: 26 26 + # https://github.com/lwthiker/curl-impersonate/blob/main/tests/test_impersonate.py 27 27 + domains = [ 28 28 + "www.wikimedia.org" 29 29 + "www.wikipedia.org" 30 30 + "www.mozilla.org" 31 31 + "www.apache.org" 32 32 + "www.kernel.org" 33 33 + "git-scm.com" 34 34 + ]; 35 35 + 36 36 + tls-certs = let 37 37 + # Configure CA with X.509 v3 extensions that would be trusted by curl 38 38 + ca-cert-conf = pkgs.writeText "curl-impersonate-ca.cnf" '' 39 39 + basicConstraints = critical, CA:TRUE 40 40 + subjectKeyIdentifier = hash 41 41 + authorityKeyIdentifier = keyid:always, issuer:always 42 42 + keyUsage = critical, cRLSign, digitalSignature, keyCertSign 43 43 + ''; 44 44 + 45 45 + # Configure leaf certificate with X.509 v3 extensions that would be trusted 46 46 + # by curl and set subject-alternative names for test domains 47 47 + tls-cert-conf = pkgs.writeText "curl-impersonate-tls.cnf" '' 48 48 + basicConstraints = critical, CA:FALSE 49 49 + subjectKeyIdentifier = hash 50 50 + authorityKeyIdentifier = keyid:always, issuer:always 51 51 + keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement 52 52 + extendedKeyUsage = critical, serverAuth 53 53 + subjectAltName = @alt_names 54 54 + 55 55 + [alt_names] 56 56 + ${lib.concatStringsSep "\n" (lib.imap0 (idx: domain: "DNS.${toString idx} = ${domain}") domains)} 57 57 + ''; 58 58 + in pkgs.runCommand "curl-impersonate-test-certs" { 59 59 + nativeBuildInputs = [ pkgs.openssl ]; 60 60 + } '' 61 61 + # create CA certificate and key 62 62 + openssl req -newkey rsa:4096 -keyout ca-key.pem -out ca-csr.pem -nodes -subj '/CN=curl-impersonate-ca.nixos.test' 63 63 + openssl x509 -req -sha512 -in ca-csr.pem -key ca-key.pem -out ca.pem -extfile ${ca-cert-conf} -days 36500 64 64 + openssl x509 -in ca.pem -text 65 65 + 66 66 + # create server certificate and key 67 67 + openssl req -newkey rsa:4096 -keyout key.pem -out csr.pem -nodes -subj '/CN=curl-impersonate.nixos.test' 68 68 + openssl x509 -req -sha512 -in csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile ${tls-cert-conf} -days 36500 69 69 + openssl x509 -in cert.pem -text 70 70 + 71 71 + # output CA cert and server cert and key 72 72 + mkdir -p $out 73 73 + cp key.pem cert.pem ca.pem $out 74 74 + ''; 75 75 + 76 76 + # Test script 77 77 + curl-impersonate-test = let 78 78 + # Build miniature libcurl client used by test driver 79 79 + minicurl = pkgs.runCommandCC "minicurl" { 80 80 + buildInputs = [ pkgs.curl ]; 81 81 + } '' 82 82 + mkdir -p $out/bin 83 83 + $CC -Wall -Werror -o $out/bin/minicurl ${pkgs.curl-impersonate.src}/tests/minicurl.c `curl-config --libs` 84 84 + ''; 85 85 + in pkgs.writeShellScript "curl-impersonate-test" '' 86 86 + set -euxo pipefail 87 87 + 88 88 + # Test driver requirements 89 89 + export PATH="${with pkgs; lib.makeBinPath [ 90 90 + bash 91 91 + coreutils 92 92 + python3Packages.pytest 93 93 + nghttp2 94 94 + tcpdump 95 95 + ]}" 96 96 + export PYTHONPATH="${with pkgs.python3Packages; makePythonPath [ 97 97 + pyyaml 98 98 + pytest-asyncio 99 99 + dpkt 100 100 + ]}" 101 101 + 102 102 + # Prepare test root prefix 103 103 + mkdir -p usr/{bin,lib} 104 104 + cp -rs ${pkgs.curl-impersonate}/* ${minicurl}/* usr/ 105 105 + 106 106 + cp -r ${pkgs.curl-impersonate.src}/tests ./ 107 107 + 108 108 + # Run tests 109 109 + cd tests 110 110 + pytest . --install-dir ../usr --capture-interface eth1 111 111 + ''; 112 112 + in { 113 113 + name = "curl-impersonate"; 114 114 + 115 115 + meta = with lib.maintainers; { 116 116 + maintainers = [ lilyinstarlight ]; 117 117 + }; 118 118 + 119 119 + nodes = { 120 120 + web = { nodes, pkgs, lib, config, ... }: { 121 121 + networking.firewall.allowedTCPPorts = [ 80 443 ]; 122 122 + 123 123 + services = { 124 124 + nginx = { 125 125 + enable = true; 126 126 + virtualHosts."curl-impersonate.nixos.test" = { 127 127 + default = true; 128 128 + addSSL = true; 129 129 + sslCertificate = "${tls-certs}/cert.pem"; 130 130 + sslCertificateKey = "${tls-certs}/key.pem"; 131 131 + }; 132 132 + }; 133 133 + }; 134 134 + }; 135 135 + 136 136 + curl = { nodes, pkgs, lib, config, ... }: { 137 137 + networking.extraHosts = lib.concatStringsSep "\n" (map (domain: "${nodes.web.networking.primaryIPAddress} ${domain}") domains); 138 138 + 139 139 + security.pki.certificateFiles = [ "${tls-certs}/ca.pem" ]; 140 140 + }; 141 141 + }; 142 142 + 143 143 + testScript = { nodes, ... }: '' 144 144 + start_all() 145 145 + 146 146 + with subtest("Wait for network"): 147 147 + web.wait_for_unit("network-online.target") 148 148 + curl.wait_for_unit("network-online.target") 149 149 + 150 150 + with subtest("Wait for web server"): 151 151 + web.wait_for_unit("nginx.service") 152 152 + web.wait_for_open_port(443) 153 153 + 154 154 + with subtest("Run curl-impersonate tests"): 155 155 + curl.succeed("${curl-impersonate-test}") 156 156 + ''; 157 157 + })

+3

pkgs/tools/networking/curl-impersonate/default.nix

··· 20 20 , unzip 21 21 , go 22 22 , p11-kit 23 23 + , nixosTests 23 24 }: 24 25 25 26 let ··· 179 180 updateScript = ./update.sh; 180 181 181 182 inherit (passthru.curl-impersonate-ff) src; 183 183 + 184 184 + tests = { inherit (nixosTests) curl-impersonate; }; 182 185 }; 183 186 }