nixpkgs/nixos/tests/mosquitto.nix

import ./make-test-python.nix ({ pkgs, lib, ... }:

let
  port = 1888;
  tlsPort = 1889;
  password = "VERY_secret";
  hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
  topic = "test/foo";

  snakeOil = pkgs.runCommand "snakeoil-certs" {
    buildInputs = [ pkgs.gnutls.bin ];
    caTemplate = pkgs.writeText "snakeoil-ca.template" ''
      cn = server
      expiration_days = -1
      cert_signing_key
      ca
    '';
    certTemplate = pkgs.writeText "snakeoil-cert.template" ''
      cn = server
      expiration_days = -1
      tls_www_server
      encryption_key
      signing_key
    '';
    userCertTemplate = pkgs.writeText "snakeoil-user-cert.template" ''
      organization = snakeoil
      cn = client1
      expiration_days = -1
      tls_www_client
      encryption_key
      signing_key
    '';
  } ''
    mkdir "$out"

    certtool -p --bits 2048 --outfile "$out/ca.key"
    certtool -s --template "$caTemplate" --load-privkey "$out/ca.key" \
                --outfile "$out/ca.crt"
    certtool -p --bits 2048 --outfile "$out/server.key"
    certtool -c --template "$certTemplate" \
                --load-ca-privkey "$out/ca.key" \
                --load-ca-certificate "$out/ca.crt" \
                --load-privkey "$out/server.key" \
                --outfile "$out/server.crt"

    certtool -p --bits 2048 --outfile "$out/client1.key"
    certtool -c --template "$userCertTemplate" \
                --load-privkey "$out/client1.key" \
                --load-ca-privkey "$out/ca.key" \
                --load-ca-certificate "$out/ca.crt" \
                --outfile "$out/client1.crt"
  '';

in {
  name = "mosquitto";
  meta = with pkgs.lib; {
    maintainers = with maintainers; [ pennae peterhoeg ];
  };

  nodes = let
    client = { pkgs, ... }: {
      environment.systemPackages = with pkgs; [ mosquitto ];
    };
  in {
    server = { pkgs, ... }: {
      networking.firewall.allowedTCPPorts = [ port tlsPort ];
      services.mosquitto = {
        enable = true;
        settings = {
          sys_interval = 1;
        };
        listeners = [
          {
            inherit port;
            users = {
              password_store = {
                inherit password;
              };
              password_file = {
                passwordFile = pkgs.writeText "mqtt-password" password;
              };
              hashed_store = {
                inherit hashedPassword;
              };
              hashed_file = {
                hashedPasswordFile = pkgs.writeText "mqtt-hashed-password" hashedPassword;
              };

              reader = {
                inherit password;
                acl = [
                  "read ${topic}"
                  "read $SYS/#" # so we always have something to read
                ];
              };
              writer = {
                inherit password;
                acl = [ "write ${topic}" ];
              };
            };
          }
          {
            port = tlsPort;
            users.client1 = {
              acl = [ "read $SYS/#" ];
            };
            settings = {
              cafile = "${snakeOil}/ca.crt";
              certfile = "${snakeOil}/server.crt";
              keyfile = "${snakeOil}/server.key";
              require_certificate = true;
              use_identity_as_username = true;
            };
          }
        ];
      };
    };

    client1 = client;
    client2 = client;
  };

  testScript = ''
    def mosquitto_cmd(binary, user, topic, port):
        return (
            "mosquitto_{} "
            "-V mqttv311 "
            "-h server "
            "-p {} "
            "-u {} "
            "-P '${password}' "
            "-t '{}'"
        ).format(binary, port, user, topic)


    def publish(args, user, topic="${topic}", port=${toString port}):
        return "{} {}".format(mosquitto_cmd("pub", user, topic, port), args)

    def subscribe(args, user, topic="${topic}", port=${toString port}):
        return "{} -W 5 -C 1 {}".format(mosquitto_cmd("sub", user, topic, port), args)

    def parallel(*fns):
        from threading import Thread
        threads = [ Thread(target=fn) for fn in fns ]
        for t in threads: t.start()
        for t in threads: t.join()


    start_all()
    server.wait_for_unit("mosquitto.service")

    with subtest("check passwords"):
        client1.succeed(publish("-m test", "password_store"))
        client1.succeed(publish("-m test", "password_file"))
        client1.succeed(publish("-m test", "hashed_store"))
        client1.succeed(publish("-m test", "hashed_file"))

    with subtest("check acl"):
        client1.succeed(subscribe("", "reader", topic="$SYS/#"))
        client1.fail(subscribe("", "writer", topic="$SYS/#"))

        parallel(
            lambda: client1.succeed(subscribe("-i 3688cdd7-aa07-42a4-be22-cb9352917e40", "reader")),
            lambda: [
                server.wait_for_console_text("3688cdd7-aa07-42a4-be22-cb9352917e40"),
                client2.succeed(publish("-m test", "writer"))
            ])

        parallel(
            lambda: client1.fail(subscribe("-i 24ff16a2-ae33-4a51-9098-1b417153c712", "reader")),
            lambda: [
                server.wait_for_console_text("24ff16a2-ae33-4a51-9098-1b417153c712"),
                client2.succeed(publish("-m test", "reader"))
            ])

    with subtest("check tls"):
        client1.succeed(
            subscribe(
                "--cafile ${snakeOil}/ca.crt "
                "--cert ${snakeOil}/client1.crt "
                "--key ${snakeOil}/client1.key",
                topic="$SYS/#",
                port=${toString tlsPort},
                user="no_such_user"))
  '';
})
nixos/mosquitto: harden systemd unit It can still network, it can only access the ssl related files if ssl is enabled. ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ RestrictAddressFamilies=~AF_(INET\|INET6) Service may allocate Internet sockets 0.3 ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 → Overall exposure level for mosquitto.service: 1.1 OK 🙂 2021-04-24 16:22:54 +01:00			`import ./make-test-python.nix ({ pkgs, lib, ... }:`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00
			`let`
			`port = 1888;`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`tlsPort = 1889;`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`password = "VERY_secret";`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`topic = "test/foo";`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00
			`snakeOil = pkgs.runCommand "snakeoil-certs" {`
			`buildInputs = [ pkgs.gnutls.bin ];`
			`caTemplate = pkgs.writeText "snakeoil-ca.template" ''`
			`cn = server`
			`expiration_days = -1`
			`cert_signing_key`
			`ca`
			`'';`
			`certTemplate = pkgs.writeText "snakeoil-cert.template" ''`
			`cn = server`
			`expiration_days = -1`
			`tls_www_server`
			`encryption_key`
			`signing_key`
			`'';`
			`userCertTemplate = pkgs.writeText "snakeoil-user-cert.template" ''`
			`organization = snakeoil`
			`cn = client1`
			`expiration_days = -1`
			`tls_www_client`
			`encryption_key`
			`signing_key`
			`'';`
			`} ''`
			`mkdir "$out"`

			`certtool -p --bits 2048 --outfile "$out/ca.key"`
			`certtool -s --template "$caTemplate" --load-privkey "$out/ca.key" \`
			`--outfile "$out/ca.crt"`
			`certtool -p --bits 2048 --outfile "$out/server.key"`
			`certtool -c --template "$certTemplate" \`
			`--load-ca-privkey "$out/ca.key" \`
			`--load-ca-certificate "$out/ca.crt" \`
			`--load-privkey "$out/server.key" \`
			`--outfile "$out/server.crt"`

			`certtool -p --bits 2048 --outfile "$out/client1.key"`
			`certtool -c --template "$userCertTemplate" \`
			`--load-privkey "$out/client1.key" \`
			`--load-ca-privkey "$out/ca.key" \`
			`--load-ca-certificate "$out/ca.crt" \`
			`--outfile "$out/client1.crt"`
			`'';`

treewide: remove redundant rec 2019-08-13 22:52:01 +01:00			`in {`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`name = "mosquitto";`
treewide: simplify pkgs.stdenv.lib -> pkgs.lib The library does not depend on stdenv, that `stdenv` exposes `lib` is an artifact of the ancient origins of nixpkgs. 2021-01-10 19:08:30 +00:00			`meta = with pkgs.lib; {`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`maintainers = with maintainers; [ pennae peterhoeg ];`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`};`

			`nodes = let`
			`client = { pkgs, ... }: {`
			`environment.systemPackages = with pkgs; [ mosquitto ];`
			`};`
			`in {`
			`server = { pkgs, ... }: {`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`networking.firewall.allowedTCPPorts = [ port tlsPort ];`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`services.mosquitto = {`
			`enable = true;`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`settings = {`
			`sys_interval = 1;`
			`};`
nixos/mosquitto: rewrite the module mosquitto needs a lot of attention concerning its config because it doesn't parse it very well, often ignoring trailing parts of lines, duplicated config keys, or just looking back way further in the file to associated config keys with previously defined items than might be expected. this replaces the mosquitto module completely. we now have a hierarchical config that flattens out to the mosquitto format (hopefully) without introducing spooky action at a distance. 2021-05-21 18:23:01 +01:00			`listeners = [`
			`{`
			`inherit port;`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`users = {`
			`password_store = {`
			`inherit password;`
			`};`
			`password_file = {`
			`passwordFile = pkgs.writeText "mqtt-password" password;`
			`};`
			`hashed_store = {`
			`inherit hashedPassword;`
			`};`
			`hashed_file = {`
			`hashedPasswordFile = pkgs.writeText "mqtt-hashed-password" hashedPassword;`
			`};`

			`reader = {`
			`inherit password;`
			`acl = [`
			`"read ${topic}"`
			`"read $SYS/#" # so we always have something to read`
			`];`
			`};`
			`writer = {`
			`inherit password;`
			`acl = [ "write ${topic}" ];`
			`};`
			`};`
			`}`
			`{`
			`port = tlsPort;`
			`users.client1 = {`
			`acl = [ "read $SYS/#" ];`
			`};`
			`settings = {`
			`cafile = "${snakeOil}/ca.crt";`
			`certfile = "${snakeOil}/server.crt";`
			`keyfile = "${snakeOil}/server.key";`
			`require_certificate = true;`
			`use_identity_as_username = true;`
nixos/mosquitto: rewrite the module mosquitto needs a lot of attention concerning its config because it doesn't parse it very well, often ignoring trailing parts of lines, duplicated config keys, or just looking back way further in the file to associated config keys with previously defined items than might be expected. this replaces the mosquitto module completely. we now have a hierarchical config that flattens out to the mosquitto format (hopefully) without introducing spooky action at a distance. 2021-05-21 18:23:01 +01:00			`};`
			`}`
			`];`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`};`
			`};`

			`client1 = client;`
			`client2 = client;`
			`};`

nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`testScript = ''`
			`def mosquitto_cmd(binary, user, topic, port):`
nixos/mosquitto: Refactor integration test code 2019-11-20 17:58:24 +00:00			`return (`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`"mosquitto_{} "`
nixos/mosquitto: Refactor integration test code 2019-11-20 17:58:24 +00:00			`"-V mqttv311 "`
			`"-h server "`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`"-p {} "`
			`"-u {} "`
nixos/mosquitto: Refactor integration test code 2019-11-20 17:58:24 +00:00			`"-P '${password}' "`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`"-t '{}'"`
			`).format(binary, port, user, topic)`
nixos/mosquitto: Refactor integration test code 2019-11-20 17:58:24 +00:00

nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`def publish(args, user, topic="${topic}", port=${toString port}):`
			`return "{} {}".format(mosquitto_cmd("pub", user, topic, port), args)`
nixos/mosquitto: Refactor integration test code 2019-11-20 17:58:24 +00:00
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`def subscribe(args, user, topic="${topic}", port=${toString port}):`
nixos/mosquitto: refactor test a little 2021-10-24 18:11:45 +01:00			`return "{} -W 5 -C 1 {}".format(mosquitto_cmd("sub", user, topic, port), args)`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00
			`def parallel(*fns):`
			`from threading import Thread`
			`threads = [ Thread(target=fn) for fn in fns ]`
			`for t in threads: t.start()`
			`for t in threads: t.join()`
nixos/mosquitto: Refactor integration test code 2019-11-20 17:58:24 +00:00

nixos/mosquitto: Port integration test to python 2019-11-20 17:33:36 +00:00			`start_all()`
			`server.wait_for_unit("mosquitto.service")`
nixos/mosquitto: make the tests run 2019-06-24 06:59:53 +01:00
nixos/mosquitto: refactor test a little 2021-10-24 18:11:45 +01:00			`with subtest("check passwords"):`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`client1.succeed(publish("-m test", "password_store"))`
			`client1.succeed(publish("-m test", "password_file"))`
			`client1.succeed(publish("-m test", "hashed_store"))`
			`client1.succeed(publish("-m test", "hashed_file"))`

nixos/mosquitto: refactor test a little 2021-10-24 18:11:45 +01:00			`with subtest("check acl"):`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`client1.succeed(subscribe("", "reader", topic="$SYS/#"))`
nixos/mosquitto: refactor test a little 2021-10-24 18:11:45 +01:00			`client1.fail(subscribe("", "writer", topic="$SYS/#"))`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00
			`parallel(`
			`lambda: client1.succeed(subscribe("-i 3688cdd7-aa07-42a4-be22-cb9352917e40", "reader")),`
			`lambda: [`
			`server.wait_for_console_text("3688cdd7-aa07-42a4-be22-cb9352917e40"),`
			`client2.succeed(publish("-m test", "writer"))`
			`])`

			`parallel(`
nixos/mosquitto: refactor test a little 2021-10-24 18:11:45 +01:00			`lambda: client1.fail(subscribe("-i 24ff16a2-ae33-4a51-9098-1b417153c712", "reader")),`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`lambda: [`
			`server.wait_for_console_text("24ff16a2-ae33-4a51-9098-1b417153c712"),`
			`client2.succeed(publish("-m test", "reader"))`
			`])`

nixos/mosquitto: refactor test a little 2021-10-24 18:11:45 +01:00			`with subtest("check tls"):`
nixos/mosquitto: rewrite the test expand the test to check all four forms of passwords, tls certificates (both server and client), and that acl files are formatted properly. 2021-05-26 17:59:37 +01:00			`client1.succeed(`
			`subscribe(`
			`"--cafile ${snakeOil}/ca.crt "`
			`"--cert ${snakeOil}/client1.crt "`
			`"--key ${snakeOil}/client1.key",`
			`topic="$SYS/#",`
			`port=${toString tlsPort},`
			`user="no_such_user"))`
nixos/mosquitto: add test 2019-04-24 09:23:13 +01:00			`'';`
			`})`