2022-11-10 12:05:24 +01:00
|
|
|
args@{ pkgs, nextcloudVersion ? 25, ... }:
|
|
|
|
|
|
|
|
(import ../make-test-python.nix ({ pkgs, ...}: let
|
|
|
|
adminuser = "root";
|
|
|
|
adminpass = "notproduction";
|
|
|
|
nextcloudBase = {
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
|
|
|
system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default
|
|
|
|
services.nextcloud = {
|
|
|
|
enable = true;
|
|
|
|
config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}";
|
|
|
|
package = pkgs.${"nextcloud" + (toString nextcloudVersion)};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
in {
|
|
|
|
name = "nextcloud-openssl";
|
|
|
|
meta = with pkgs.lib.maintainers; {
|
|
|
|
maintainers = [ ma27 ];
|
|
|
|
};
|
|
|
|
nodes.nextcloudwithopenssl1 = {
|
|
|
|
imports = [ nextcloudBase ];
|
|
|
|
services.nextcloud.hostName = "nextcloudwithopenssl1";
|
|
|
|
};
|
|
|
|
nodes.nextcloudwithopenssl3 = {
|
|
|
|
imports = [ nextcloudBase ];
|
|
|
|
services.nextcloud = {
|
|
|
|
hostName = "nextcloudwithopenssl3";
|
|
|
|
enableBrokenCiphersForSSE = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
testScript = { nodes, ... }: let
|
|
|
|
withRcloneEnv = host: pkgs.writeScript "with-rclone-env" ''
|
|
|
|
#!${pkgs.runtimeShell}
|
|
|
|
export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
|
|
|
|
export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/"
|
|
|
|
export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
|
|
|
|
export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"
|
|
|
|
export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"
|
|
|
|
"''${@}"
|
|
|
|
'';
|
|
|
|
withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1";
|
|
|
|
withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3";
|
|
|
|
copySharedFile1 = pkgs.writeScript "copy-shared-file" ''
|
|
|
|
#!${pkgs.runtimeShell}
|
|
|
|
echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file
|
|
|
|
'';
|
|
|
|
copySharedFile3 = pkgs.writeScript "copy-shared-file" ''
|
|
|
|
#!${pkgs.runtimeShell}
|
|
|
|
echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2
|
|
|
|
'';
|
|
|
|
openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel;
|
|
|
|
openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel;
|
|
|
|
in ''
|
|
|
|
nextcloudwithopenssl1.start()
|
|
|
|
nextcloudwithopenssl1.wait_for_unit("multi-user.target")
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
|
|
|
nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")
|
2023-03-21 17:26:03 +01:00
|
|
|
nextcloud_version = ${toString nextcloudVersion}
|
2022-11-10 12:05:24 +01:00
|
|
|
|
|
|
|
with subtest("With OpenSSL 1 SSE can be enabled and used"):
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
|
|
|
|
|
|
|
|
with subtest("Upload file and ensure it's encrypted"):
|
|
|
|
nextcloudwithopenssl1.succeed("${copySharedFile1}")
|
|
|
|
nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
|
|
|
|
|
|
|
with subtest("Switch to OpenSSL 3"):
|
|
|
|
nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
|
|
|
|
nextcloudwithopenssl1.wait_for_open_port(80)
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
|
|
|
|
|
|
|
with subtest("Existing encrypted files cannot be read, but new files can be added"):
|
2023-03-21 17:26:03 +01:00
|
|
|
# This will succed starting NC26 because of their custom implementation of openssl_seal
|
|
|
|
read_existing_file_test = nextcloudwithopenssl1.fail if nextcloud_version < 26 else nextcloudwithopenssl1.succeed
|
|
|
|
read_existing_file_test("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2")
|
2022-11-10 12:05:24 +01:00
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")
|
|
|
|
nextcloudwithopenssl1.succeed("${copySharedFile3}")
|
|
|
|
nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
|
|
|
|
|
|
|
with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):
|
|
|
|
nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test")
|
|
|
|
nextcloudwithopenssl1.wait_for_open_port(80)
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
|
|
|
nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
|
|
|
|
nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
|
|
|
|
|
|
|
|
with subtest("Ensure that everything can be decrypted"):
|
|
|
|
nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
|
|
|
nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
|
|
|
|
|
|
|
|
with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):
|
|
|
|
nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
|
|
|
|
nextcloudwithopenssl1.wait_for_open_port(80)
|
|
|
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
|
|
|
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
|
|
|
|
|
|
|
nextcloudwithopenssl1.shutdown()
|
|
|
|
'';
|
|
|
|
})) args
|