nixos/tests/h2o: some refactoring (#459979)

    TLS = "acme.test";

  };

  port = {

    HTTP = 8080;

    TLS = 8443;

  };

  sawatdi_chao_lok = "สวัสดีชาวโลก";

  hello_world_txt = hostPkgs.writeTextFile {

  nodes = {

    server =

      { pkgs, ... }:

      { config, ... }:

      {

        environment.systemPackages = [

          pkgs.curl

        ];

        services.h2o = {

          enable = true;

          defaultHTTPListenPort = port.HTTP;

          defaultTLSListenPort = port.TLS;

          defaultHTTPListenPort = 8080;

          defaultTLSListenPort = 8443;

          hosts = {

            "${domain.HTTP}" = {

              settings = {

        networking = {

          firewall = {

            allowedTCPPorts = with port; [

              HTTP

              TLS

            allowedTCPPorts = with config.services.h2o; [

              defaultHTTPListenPort

              defaultTLSListenPort

            ];

            allowedUDPPorts = with port; [

              TLS

            allowedUDPPorts = with config.services.h2o; [

              defaultTLSListenPort

            ];

          };

          extraHosts = ''

            127.0.0.1 ${domain.HTTP}

            127.0.0.1 ${domain.TLS}

            ${config.networking.primaryIPAddress} ${domain.HTTP}

            ${config.networking.primaryIPAddress} ${domain.TLS}

          '';

        };

      };

    client =

      { nodes, pkgs, ... }:

      {

        environment.systemPackages = [

          pkgs.curl

        ];

        security.pki.certificates = [

          (builtins.readFile ../../common/acme/server/ca.cert.pem)

        ];

        networking.extraHosts = ''

          ${nodes.server.networking.primaryIPAddress} ${domain.HTTP}

          ${nodes.server.networking.primaryIPAddress} ${domain.TLS}

        '';

      };

  };

  testScript =

    { nodes, ... }:

    let

      portStrHTTP = builtins.toString port.HTTP;

      portStrTLS = builtins.toString port.TLS;

      inherit (nodes) server;

      portStrHTTP = builtins.toString server.services.h2o.defaultHTTPListenPort;

      portStrTLS = builtins.toString server.services.h2o.defaultTLSListenPort;

    in

    # python

    ''

      start_all()

      server.wait_for_unit("h2o.service")

      server.wait_for_open_port(${portStrHTTP})

      server.wait_for_open_port(${portStrTLS})

      assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")

      assert "${sawatdi_chao_lok}" in client.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")

      tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

      tls_hello_world_head = client.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

      assert "http/2 200" in tls_hello_world_head

      assert "server: h2o" in tls_hello_world_head

      assert "content-type: text/x-rst" in tls_hello_world_head

      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

      assert "${sawatdi_chao_lok}" in client.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

      quic_hello_world_head = server.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

      quic_hello_world_head = client.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

      assert "http/3 200" in quic_hello_world_head

      assert "server: h2o" in quic_hello_world_head

      assert "content-type: text/x-rst" in quic_hello_world_head

      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

      assert "${sawatdi_chao_lok}" in client.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

      assert "redirected" in server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower()

      assert "redirected" in client.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower()

      server.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

      client.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

      assert "${sawatdi_chao_lok}" in client.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

    '';

}

let

  domain = "h2o.local";

  port = 8080;

  sawatdi_chao_lok = "สวัสดีชาวโลก";

in

{

  nodes = {

    server =

      { pkgs, ... }:

      { pkgs, config, ... }:

      {

        services.h2o = {

          enable = true;

          package = pkgs.h2o.override { withMruby = true; };

          settings = {

            listen = port;

            listen = 8080;

            hosts = {

              "${domain}" = {

                paths = {

          };

        };

        networking.extraHosts = ''

          127.0.0.1 ${domain}

        '';

        networking.firewall.allowedTCPPorts = [

          config.services.h2o.settings.listen

        ];

      };

    client =

      { pkgs, ... }:

      {

        environment.systemPackages = [

          pkgs.curl

        ];

      };

  };

  testScript =

    { nodes, ... }:

    let

      portStr = builtins.toString port;

      inherit (nodes) server;

      portStr = builtins.toString server.services.h2o.settings.listen;

      origin = "http://server:${portStr}";

    in

    # python

    ''

      start_all()

      server.wait_for_unit("h2o.service")

      server.wait_for_open_port(${portStr})

      assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world")

      assert "${sawatdi_chao_lok}" in client.succeed("curl --fail-with-body ${origin}/hello_world")

      assert "FILE_HANDLER" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler")

      assert "FILE_HANDLER" in client.succeed("curl --fail-with-body ${origin}/file_handler")

    '';

}

let

  domain = "acme.test";

  port = 8443;

  hello_txt =

    name:

  mkH2OServer =

    recommendations:

    { pkgs, lib, ... }:

    {

      pkgs,

      lib,

      config,

      ...

    }:

    {

      services.h2o = {

        enable = true;

        hosts = {

          "${domain}" = {

            tls = {

              inherit port recommendations;

              inherit recommendations;

              port = 8443;

              policy = "force";

              identity = [

                {

      ];

      networking = {

        firewall.allowedTCPPorts = [ port ];

        firewall.allowedTCPPorts = [

          config.services.h2o.hosts.${domain}.tls.port

        ];

        extraHosts = "127.0.0.1 ${domain}";

      };

    };

    maintainers = with lib.maintainers; [ toastal ];

  };

  # not using a `client` since it’s easiest to test with acme.test pointing at

  # localhost for these machines

  nodes = {

    server_modern = mkH2OServer "modern";

    server_intermediate = mkH2OServer "intermediate";

  };

  testScript =

    { nodes, ... }:

    let

      portStr = builtins.toString port;

      inherit (nodes) server_modern server_intermediate server_old;

      modernPortStr = builtins.toString server_modern.services.h2o.hosts.${domain}.tls.port;

      intermediatePortStr = builtins.toString server_intermediate.services.h2o.hosts.${domain}.tls.port;

      oldPortStr = builtins.toString server_old.services.h2o.hosts.${domain}.tls.port;

    in

    # python

    ''

      curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:${portStr}/'"

      curl_head = "curl -v --head 'https://${domain}:${portStr}/'"

      curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:${portStr}/'"

      curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:${portStr}/'"

      curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:${portStr}/'"

      curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:{port}/'"

      curl_head = "curl -v --head 'https://${domain}:{port}/'"

      curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:{port}/'"

      curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:{port}/'"

      curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:{port}/'"

      start_all()

      server_modern.wait_for_unit("h2o.service")

      server_modern.wait_for_open_port(${portStr})

      modern_response = server_modern.succeed(curl_basic)

      server_modern.wait_for_open_port(${modernPortStr})

      modern_response = server_modern.succeed(curl_basic.format(port="${modernPortStr}"))

      assert "Hello, modern!" in modern_response

      modern_head = server_modern.succeed(curl_head)

      modern_head = server_modern.succeed(curl_head.format(port="${modernPortStr}"))

      assert "strict-transport-security" in modern_head

      server_modern.fail(curl_max_tls1_2)

      server_modern.fail(curl_max_tls1_2.format(port="${modernPortStr}"))

      server_intermediate.wait_for_unit("h2o.service")

      server_intermediate.wait_for_open_port(${portStr})

      intermediate_response = server_intermediate.succeed(curl_basic)

      server_intermediate.wait_for_open_port(${intermediatePortStr})

      intermediate_response = server_intermediate.succeed(curl_basic.format(port="${intermediatePortStr}"))

      assert "Hello, intermediate!" in intermediate_response

      intermediate_head = server_modern.succeed(curl_head)

      intermediate_head = server_modern.succeed(curl_head.format(port="${intermediatePortStr}"))

      assert "strict-transport-security" in intermediate_head

      server_intermediate.succeed(curl_max_tls1_2)

      server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher)

      server_intermediate.fail(curl_max_tls1_2_old_cipher)

      server_intermediate.succeed(curl_max_tls1_2.format(port="${intermediatePortStr}"))

      server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher.format(port="${intermediatePortStr}"))

      server_intermediate.fail(curl_max_tls1_2_old_cipher.format(port="${intermediatePortStr}"))

      server_old.wait_for_unit("h2o.service")

      server_old.wait_for_open_port(${portStr})

      old_response = server_old.succeed(curl_basic)

      server_old.wait_for_open_port(${oldPortStr})

      old_response = server_old.succeed(curl_basic.format(port="${oldPortStr}"))

      assert "Hello, old!" in old_response

      old_head = server_modern.succeed(curl_head)

      old_head = server_modern.succeed(curl_head.format(port="${oldPortStr}"))

      assert "strict-transport-security" in old_head

      server_old.succeed(curl_max_tls1_2)

      server_old.succeed(curl_max_tls1_2_intermediate_cipher)

      server_old.succeed(curl_max_tls1_2_old_cipher)

      server_old.succeed(curl_max_tls1_2.format(port="${oldPortStr}"))

      server_old.succeed(curl_max_tls1_2_intermediate_cipher.format(port="${oldPortStr}"))

      server_old.succeed(curl_max_tls1_2_old_cipher.format(port="${oldPortStr}"))

    '';

}