http-binary-cache-store: add tests for tls substitution

tests/functional/substituter-ssl-client-cert.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# shellcheck source=common.sh
+source common.sh
+
+# Generate test certificates using EC keys for faster generation
+
+# Generate CA with EC key
+openssl ecparam -genkey -name prime256v1 -out "$TEST_ROOT/ca.key" 2>/dev/null
+openssl req -new -x509 -days 1 -key "$TEST_ROOT/ca.key" -out "$TEST_ROOT/ca.crt" \
+  -subj "/C=US/ST=Test/L=Test/O=TestCA/CN=Test CA" 2>/dev/null
+
+# Generate server certificate with EC key
+openssl ecparam -genkey -name prime256v1 -out "$TEST_ROOT/server.key" 2>/dev/null
+openssl req -new -key "$TEST_ROOT/server.key" -out "$TEST_ROOT/server.csr" \
+  -subj "/C=US/ST=Test/L=Test/O=TestServer/CN=localhost" 2>/dev/null
+openssl x509 -req -days 1 -in "$TEST_ROOT/server.csr" -CA "$TEST_ROOT/ca.crt" -CAkey "$TEST_ROOT/ca.key" \
+  -set_serial 01 -out "$TEST_ROOT/server.crt" 2>/dev/null
+
+# Generate client certificate with EC key
+openssl ecparam -genkey -name prime256v1 -out "$TEST_ROOT/client.key" 2>/dev/null
+openssl req -new -key "$TEST_ROOT/client.key" -out "$TEST_ROOT/client.csr" \
+  -subj "/C=US/ST=Test/L=Test/O=TestClient/CN=Nix Test Client" 2>/dev/null
+openssl x509 -req -days 1 -in "$TEST_ROOT/client.csr" -CA "$TEST_ROOT/ca.crt" -CAkey "$TEST_ROOT/ca.key" \
+  -set_serial 02 -out "$TEST_ROOT/client.crt" 2>/dev/null
+
+# Find a free port
+PORT=$(python3 -c 'import socket; s=socket.socket(); s.bind(("", 0)); print(s.getsockname()[1]); s.close()')
+
+# Start the SSL cache server
+python3 "${_NIX_TEST_SOURCE_DIR}/nix-binary-cache-ssl-server.py" \
+  --port "$PORT" \
+  --cert "$TEST_ROOT/server.crt" \
+  --key "$TEST_ROOT/server.key" \
+  --ca-cert "$TEST_ROOT/ca.crt" &
+SERVER_PID=$!
+
+# Function to stop server on exit
+stopServer() {
+  kill "$SERVER_PID" 2>/dev/null || true
+  wait "$SERVER_PID" 2>/dev/null || true
+}
+trap stopServer EXIT
+
+tries=0
+while ! curl -v -s -k --cert "$TEST_ROOT/client.crt" --key "$TEST_ROOT/client.key" \
+  "https://localhost:$PORT/nix-cache-info"; do
+  if (( tries++ >= 50 )); then
+    if kill -0 "$SERVER_PID" 2>/dev/null; then
+      echo "Server started but did not respond in time" >&2
+    else
+      echo "Server failed to start" >&2
+    fi
+    exit 1
+  fi
+  sleep 0.1
+done
+
+# Test 1: Verify server rejects connections without client certificate
+echo "Testing connection without client certificate (should fail)..." >&2
+if curl -s -k "https://localhost:$PORT/nix-cache-info" 2>&1 | grep -q "certificate required"; then
+  echo "FAIL: Server should have rejected connection" >&2
+  exit 1
+fi
+
+# Test 2: Verify server accepts connections with client certificate
+echo "Testing connection with client certificate..." >&2
+RESPONSE=$(curl -v -s -k --cert "$TEST_ROOT/client.crt" --key "$TEST_ROOT/client.key" \
+  "https://localhost:$PORT/nix-cache-info")
+
+if ! echo "$RESPONSE" | grepQuiet "StoreDir: "; then
+  echo "FAIL: Server should have accepted client certificate: $RESPONSE" >&2
+  exit 1
+fi
+
+# Test 3: Test Nix with SSL client certificate parameters
+# Set up substituter URL with SSL parameters
+sslCache="https://localhost:$PORT?ssl-cert=$TEST_ROOT/client.crt&ssl-key=$TEST_ROOT/client.key"
+
+# Configure Nix to trust our CA
+export NIX_SSL_CERT_FILE="$TEST_ROOT/ca.crt"
+
+# Test nix store info
+nix store info --store "$sslCache" --json | jq -e '.url' | grepQuiet "https://localhost:$PORT"
+
+# Test 4: Verify incorrect client certificate is rejected
+# Generate a different client cert not signed by our CA (also using EC)
+openssl ecparam -genkey -name prime256v1 -out "$TEST_ROOT/wrong.key" 2>/dev/null
+openssl req -new -x509 -days 1 -key "$TEST_ROOT/wrong.key" -out "$TEST_ROOT/wrong.crt" \
+  -subj "/C=US/ST=Test/L=Test/O=Wrong/CN=Wrong Client" 2>/dev/null
+
+wrongCache="https://localhost:$PORT?ssl-cert=$TEST_ROOT/wrong.crt&ssl-key=$TEST_ROOT/wrong.key"
+
+rm -rf "$TEST_HOME"
+
+# This should fail
+if nix store info --download-attempts 0 --store "$wrongCache"; then
+  echo "FAIL: Should have rejected wrong certificate" >&2
+  exit 1
+fi