# Checks that `security.pki` options are working in curl and the main browser # engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser) and # WebKitGTK (via Midori). The test checks that certificates issued by a custom # trusted CA are accepted but those from an unknown CA are rejected. { system ? builtins.currentSystem, config ? { }, pkgs ? import ../.. { inherit system config; }, }: with import ../lib/testing-python.nix { inherit system pkgs; }; let inherit (pkgs) lib; makeCert = { caName, domain }: pkgs.runCommand "example-cert" { buildInputs = [ pkgs.gnutls ]; } '' mkdir $out # CA cert template cat >ca.template <server.template < Tuple[int, str]: """ Run a shell command as a specific user. """ return machine.execute(f"sudo -u {user} {cmd}") def wait_for_window_as(user: str, cls: str) -> None: """ Wait until a X11 window of a given user appears. """ def window_is_visible(last_try: bool) -> bool: ret, stdout = execute_as(user, f"xdotool search --onlyvisible --class {cls}") if last_try: machine.log(f"Last chance to match {cls} on the window list") return ret == 0 with machine.nested("Waiting for a window to appear"): retry(window_is_visible) machine.start() machine.wait_for_x() command = "${browser} ${testParams.args or ""}" with subtest("Good certificate is trusted in ${browser}"): execute_as( "alice", f"{command} https://good.example.com >&2 &" ) wait_for_window_as("alice", "${browser}") machine.sleep(4) execute_as("alice", "xdotool key ctrl+r") # reload to be safe machine.wait_for_text("It works!") machine.screenshot("good${browser}") execute_as("alice", "xdotool key ctrl+w") # close tab with subtest("Unknown CA is untrusted in ${browser}"): execute_as("alice", f"{command} https://bad.example.com >&2 &") machine.wait_for_text("${testParams.error}") machine.screenshot("bad${browser}") ''; }; in { curl = curlTest; } // pkgs.lib.mapAttrs mkBrowserTest { firefox = { error = "Security Risk"; }; chromium = { error = "not private"; }; qutebrowser = { args = "-T"; error = "Certificate error"; }; midori = { args = "-p"; error = "Security"; }; }