nixpkgs/nixos/tests/nextcloud/openssl-sse.nix



nixos/nextcloud: fixup openssl compat change Upon testing the change itself I realized that it doesn't build properly because * the `pname` of a php extension is `php-<name>`, not `<name>`. * calling the extension `openssl-legacy` resulted in PHP trying to compile `ext/openssl-legacy` which broke since it doesn't exist: source root is php-8.1.12 setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c patching sources cdToExtensionRootPhase /nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory I didn't encounter that one before because I was mostly interested in having a sane behavior for everyone not using this "feature" and the documentation around this. My findings about the behavior with turning openssl1.1 on/off are still valid because I tested this on `master` with manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`. To work around the issue I had to slightly modify the extension build-system for PHP: * The attribute `extensionName` is now relevant to determine the output paths (e.g. `lib/openssl.so`). This is not a behavioral change for existing extensions because then `extensionName==name`. However when specifying `extName` in `php-packages.nix` this value is overridden and it is made sure that the extension called `extName` NOT `name` (i.e. `openssl` vs `openssl-legacy`) is built and installed. The `name` still has to be kept to keep the legacy openssl available as `php.extensions.openssl-legacy`. Additionally I implemented a small VM test to check the behavior with server-side encryption: * For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix` it's checked that OpenSSL 3 is used). With that the "default" behavior of the module is checked. * It is ensured that the PHP interpreter for Nextcloud's php-fpm actually loads the correct openssl extension. 
* It is tested that (encrypted) files remain usable when (temporarily) installing OpenSSL3 (of course then they're not decryptable, but on a rollback that should still be possible). Finally, a few more documentation changes: * I also mentioned the issue in `nextcloud.xml` to make sure the issue is at least mentioned in the manual section about Nextcloud. Not too much detail here, but the relevant option `enableBrokenCiphersForSSE` is referenced. * I fixed a few minor wording issues to also give the full context (we're talking about Nextcloud; we're talking about the PHP extension **only**; please check if you really need this even though it's enabled by default). This is because I felt that sometimes it might be hard to understand what's going on when e.g. an eval-warning appears without telling where exactly it comes from.
2022-11-10 11:05:24 +00:00
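# NixOS VM test: Nextcloud server-side encryption (SSE) while the PHP openssl
# extension is switched between OpenSSL 1.1 and OpenSSL 3.
#
# One machine (nextcloudwithopenssl1) is booted; the system closure of the
# second node is only activated on that machine via `switch-to-configuration`,
# so the same data directory is read under both configurations.
args@{ pkgs, nextcloudVersion ? 25, ... }:

(import ../make-test-python.nix ({ pkgs, ...}: let
  # Test-only credentials. `pkgs.writeText` below copies the password into the
  # world-readable Nix store, which is acceptable only for a throwaway VM; a real
  # deployment should point `adminpassFile` at a secret kept outside the store.
  adminuser = "root";
  adminpass = "notproduction";

  # Configuration shared by both nodes.
  nextcloudBase = {
    networking.firewall.allowedTCPPorts = [ 80 ];
    system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default
    services.nextcloud = {
      enable = true;
      config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}";
      package = pkgs.${"nextcloud" + (toString nextcloudVersion)};
    };
  };
in {
  name = "nextcloud-openssl";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ma27 ];
  };

  # Module defaults for stateVersion 22.05: PHP openssl extension built against OpenSSL 1.1.
  nodes.nextcloudwithopenssl1 = {
    imports = [ nextcloudBase ];
    services.nextcloud.hostName = "nextcloudwithopenssl1";
  };

  # Same base, but explicitly opting out of the legacy extension so OpenSSL 3 is used.
  nodes.nextcloudwithopenssl3 = {
    imports = [ nextcloudBase ];
    services.nextcloud = {
      hostName = "nextcloudwithopenssl3";
      enableBrokenCiphersForSSE = false;
    };
  };

  testScript = { nodes, ... }: let
    # Wrapper script: exports an rclone WebDAV remote named "nextcloud" for `host`
    # and then runs the command passed as arguments.
    # Note: `rclone obscure` only obfuscates the password for rclone's config
    # format (it is not encryption), and the URL is plain HTTP; both are fine
    # inside the isolated test network only.
    withRcloneEnv = host: pkgs.writeScript "with-rclone-env" ''
      #!${pkgs.runtimeShell}
      export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
      export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/"
      export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
      export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"
      export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"
      "''${@}"
    '';
    withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1";
    withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3";

    # Upload helpers: 'hi' is written while SSE is enabled (OpenSSL 1.1),
    # 'bye' is written after the switch to OpenSSL 3 with SSE disabled.
    copySharedFile1 = pkgs.writeScript "copy-shared-file" ''
      #!${pkgs.runtimeShell}
      echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file
    '';
    copySharedFile3 = pkgs.writeScript "copy-shared-file" ''
      #!${pkgs.runtimeShell}
      echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2
    '';

    # System closures of both nodes, activated in turn on the single running machine.
    openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel;
    openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel;
  in ''
    nextcloudwithopenssl1.start()
    nextcloudwithopenssl1.wait_for_unit("multi-user.target")
    nextcloudwithopenssl1.succeed("nextcloud-occ status")
    nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")

    nextcloud_version = ${toString nextcloudVersion}

    with subtest("With OpenSSL 1 SSE can be enabled and used"):
        nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")

    with subtest("Upload file and ensure it's encrypted"):
        nextcloudwithopenssl1.succeed("${copySharedFile1}")
        # The on-disk file must carry the encryption module header, while the
        # WebDAV read must still return the plaintext.
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")

    with subtest("Switch to OpenSSL 3"):
        nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")

    with subtest("Existing encrypted files cannot be read, but new files can be added"):
        # This will succeed starting NC26 because of their custom implementation of openssl_seal
        read_existing_file_test = nextcloudwithopenssl1.fail if nextcloud_version < 26 else nextcloudwithopenssl1.succeed
        read_existing_file_test("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2")
        # With SSE turned off, the new upload is expected to be stored as plaintext.
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")
        nextcloudwithopenssl1.succeed("${copySharedFile3}")
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")

    with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):
        nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
        # The first file is still encrypted at rest, the second is still plaintext.
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")

    with subtest("Ensure that everything can be decrypted"):
        nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
        # A plain `grep -v` exits 0 as soon as any single line lacks the header, so it
        # could pass on a file that is still encrypted. Assert instead that the file
        # exists and that no line starts with the encryption header.
        nextcloudwithopenssl1.succeed("test -f /var/lib/nextcloud/data/root/files/test-shared-file")
        nextcloudwithopenssl1.fail("grep -qE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")

    with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):
        nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
        nextcloudwithopenssl1.wait_for_open_port(80)
        nextcloudwithopenssl1.succeed("nextcloud-occ status")
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")

    nextcloudwithopenssl1.shutdown()
  '';
})) args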