libstore/filetransfer: add support for MTLS authentication

doc/manual/rl-next/mtls-substituter.md

@@ -0,0 +1,15 @@
+---
+synopsis: Support HTTPS binary caches using mTLS (client certificate) authentication
+issues: [13002]
+prs: [13030]
+---
+
+Added support for `tls-certificate` and `tls-private-key` options in substituter URLs.
+
+Example:
+
+```
+https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem
+```
+
+When these options are configured, Nix will use this certificate/private key pair to authenticate to the server.

src/libstore-test-support/https-store.cc

@@ -0,0 +1,125 @@
+#include "nix/store/tests/https-store.hh"
+
+#include <thread>
+
+namespace nix::testing {
+
+void TestHttpBinaryCacheStore::init()
+{
+    BinaryCacheStore::init();
+}
+
+ref<TestHttpBinaryCacheStore> TestHttpBinaryCacheStoreConfig::openTestStore() const
+{
+    auto store = make_ref<TestHttpBinaryCacheStore>(
+        ref{// FIXME we shouldn't actually need a mutable config
+            std::const_pointer_cast<HttpBinaryCacheStore::Config>(shared_from_this())});
+    store->init();
+    return store;
+}
+
+void HttpsBinaryCacheStoreTest::openssl(Strings args)
+{
+    runProgram("openssl", /*lookupPath=*/true, args);
+}
+
+void HttpsBinaryCacheStoreTest::SetUp()
+{
+    LibStoreNetworkTest::SetUp();
+
+#ifdef _WIN32
+    GTEST_SKIP() << "HTTPS store tests are not supported on Windows";
+#endif
+
+    tmpDir = createTempDir();
+    cacheDir = tmpDir / "cache";
+    delTmpDir = std::make_unique<AutoDelete>(tmpDir);
+
+    localCacheStore =
+        make_ref<LocalBinaryCacheStoreConfig>("file", cacheDir.string(), LocalBinaryCacheStoreConfig::Params{})
+            ->openStore();
+
+    caCert = tmpDir / "ca.crt";
+    caKey = tmpDir / "ca.key";
+    serverCert = tmpDir / "server.crt";
+    serverKey = tmpDir / "server.key";
+    clientCert = tmpDir / "client.crt";
+    clientKey = tmpDir / "client.key";
+
+    // clang-format off
+    openssl({"ecparam", "-genkey", "-name", "prime256v1", "-out", caKey.string()});
+    openssl({"req", "-new", "-x509", "-days", "1", "-key", caKey.string(), "-out", caCert.string(), "-subj", "/CN=TestCA"});
+    openssl({"ecparam", "-genkey", "-name", "prime256v1", "-out", serverKey.string()});
+    openssl({"req", "-new", "-key", serverKey.string(), "-out", (tmpDir / "server.csr").string(), "-subj", "/CN=localhost"});
+    openssl({"x509", "-req", "-in", (tmpDir / "server.csr").string(), "-CA", caCert.string(), "-CAkey", caKey.string(), "-CAcreateserial", "-out", serverCert.string(), "-days", "1"});
+    openssl({"ecparam", "-genkey", "-name", "prime256v1", "-out", clientKey.string()});
+    openssl({"req", "-new", "-key", clientKey.string(), "-out", (tmpDir / "client.csr").string(), "-subj", "/CN=TestClient"});
+    openssl({"x509", "-req", "-in", (tmpDir / "client.csr").string(), "-CA", caCert.string(), "-CAkey", caKey.string(), "-CAcreateserial", "-out", clientCert.string(), "-days", "1"});
+    // clang-format on
+
+#ifndef _WIN32 /* FIXME: Can't yet start processes on windows */
+    auto args = serverArgs();
+    serverPid = startProcess(
+        [&] {
+            if (chdir(cacheDir.c_str()) == -1)
+                _exit(1);
+            std::vector<char *> argv;
+            argv.push_back(const_cast<char *>("openssl"));
+            for (auto & a : args)
+                argv.push_back(const_cast<char *>(a.c_str()));
+            argv.push_back(nullptr);
+            execvp("openssl", argv.data());
+            _exit(1);
+        },
+        {.dieWithParent = true});
+#endif
+
+    /* As an optimization, sleep for a bit to allow the server to come up to avoid retrying when connecting.
+       This won't make the tests fail, but does make them run faster. We don't need to overcomplicate by waiting
+       for the port explicitly - this is enough. */
+    std::this_thread::sleep_for(std::chrono::milliseconds(50));
+
+    /* FIXME: Don't use global settings. Tests are not run concurrently, so this is fine for now. */
+    oldCaCert = settings.caFile;
+    settings.caFile = caCert.string();
+}
+
+void HttpsBinaryCacheStoreTest::TearDown()
+{
+    settings.caFile = oldCaCert;
+    serverPid.kill();
+    delTmpDir.reset();
+}
+
+std::vector<std::string> HttpsBinaryCacheStoreTest::serverArgs()
+{
+    return {
+        "s_server",
+        "-accept",
+        std::to_string(port),
+        "-cert",
+        serverCert.string(),
+        "-key",
+        serverKey.string(),
+        "-WWW", /* Serve from current directory. */
+        "-quiet",
+    };
+}
+
+std::vector<std::string> HttpsBinaryCacheStoreMtlsTest::serverArgs()
+{
+    auto args = HttpsBinaryCacheStoreTest::serverArgs();
+    /* With the -Verify option the client must supply a certificate or an error occurs, which is not the
+       case with -verify. */
+    args.insert(args.end(), {"-CAfile", caCert.string(), "-Verify", "1", "-verify_return_error"});
+    return args;
+}
+
+ref<TestHttpBinaryCacheStoreConfig> HttpsBinaryCacheStoreTest::makeConfig(BinaryCacheStoreConfig::Params params)
+{
+    auto res = make_ref<TestHttpBinaryCacheStoreConfig>("https", fmt("localhost:%d", port), std::move(params));
+    res->pathInfoCacheSize = 0; /* We don't want any caching in tests. */
+    return res;
+}
+
+} // namespace nix::testing

src/libstore-test-support/include/nix/store/tests/https-store.hh

@@ -0,0 +1,93 @@
+#pragma once
+///@file
+
+#include <gtest/gtest.h>
+#include <gmock/gmock.h>
+
+#include "nix/store/tests/libstore-network.hh"
+#include "nix/store/http-binary-cache-store.hh"
+#include "nix/store/store-api.hh"
+#include "nix/store/globals.hh"
+#include "nix/store/local-binary-cache-store.hh"
+#include "nix/util/file-system.hh"
+#include "nix/util/processes.hh"
+
+namespace nix::testing {
+
+class TestHttpBinaryCacheStoreConfig;
+
+/**
+ * Test shim for testing. We don't want to use the on-disk narinfo cache in unit
+ * tests.
+ */
+class TestHttpBinaryCacheStore : public HttpBinaryCacheStore
+{
+public:
+    TestHttpBinaryCacheStore(const TestHttpBinaryCacheStore &) = delete;
+    TestHttpBinaryCacheStore(TestHttpBinaryCacheStore &&) = delete;
+    TestHttpBinaryCacheStore & operator=(const TestHttpBinaryCacheStore &) = delete;
+    TestHttpBinaryCacheStore & operator=(TestHttpBinaryCacheStore &&) = delete;
+
+    TestHttpBinaryCacheStore(ref<HttpBinaryCacheStoreConfig> config)
+        : Store{*config}
+        , BinaryCacheStore{*config}
+        , HttpBinaryCacheStore(config)
+    {
+        diskCache = nullptr; /* Disable caching, we'll be creating a new binary cache for each test. */
+    }
+
+    void init() override;
+};
+
+class TestHttpBinaryCacheStoreConfig : public HttpBinaryCacheStoreConfig
+{
+public:
+    TestHttpBinaryCacheStoreConfig(
+        std::string_view scheme, std::string_view cacheUri, const Store::Config::Params & params)
+        : StoreConfig(params)
+        , HttpBinaryCacheStoreConfig(scheme, cacheUri, params)
+    {
+    }
+
+    ref<TestHttpBinaryCacheStore> openTestStore() const;
+
+    ref<Store> openStore() const override
+    {
+        return openTestStore();
+    }
+};
+
+class HttpsBinaryCacheStoreTest : public virtual LibStoreNetworkTest
+{
+    std::unique_ptr<AutoDelete> delTmpDir;
+
+public:
+    static void SetUpTestSuite()
+    {
+        initLibStore(/*loadConfig=*/false);
+    }
+
+protected:
+    std::filesystem::path tmpDir, cacheDir;
+    std::filesystem::path caCert, caKey, serverCert, serverKey;
+    std::filesystem::path clientCert, clientKey;
+    std::string oldCaCert;
+    Pid serverPid;
+    uint16_t port = 8443;
+    std::shared_ptr<Store> localCacheStore;
+
+    static void openssl(Strings args);
+    void SetUp() override;
+    void TearDown() override;
+
+    virtual std::vector<std::string> serverArgs();
+    ref<TestHttpBinaryCacheStoreConfig> makeConfig(BinaryCacheStoreConfig::Params params);
+};
+
+class HttpsBinaryCacheStoreMtlsTest : public HttpsBinaryCacheStoreTest
+{
+protected:
+    std::vector<std::string> serverArgs() override;
+};
+
+} // namespace nix::testing

src/libstore-test-support/include/nix/store/tests/libstore-network.hh

@@ -0,0 +1,39 @@
+#pragma once
+/// @file
+
+#include <gtest/gtest.h>
+
+namespace nix::testing {
+
+/**
+ * Whether to run network tests. This is global so that the test harness can
+ * enable this by default if we can run tests in isolation.
+ */
+extern bool networkTestsAvailable;
+
+/**
+ * Set up network tests and, if on linux, create a new network namespace for
+ * tests with a loopback interface. This is to avoid binding to ports in the
+ * host's namespace.
+ */
+void setupNetworkTests();
+
+class LibStoreNetworkTest : public virtual ::testing::Test
+{
+protected:
+    void SetUp() override
+    {
+        if (networkTestsAvailable)
+            return;
+        static bool warned = false;
+        if (!warned) {
+            warned = true;
+            GTEST_SKIP()
+                << "Network tests not enabled by default without user namespaces, use NIX_TEST_FORCE_NETWORK_TESTS=1 to override";
+        } else {
+            GTEST_SKIP();
+        }
+    }
+};
+
+} // namespace nix::testing

src/libstore-test-support/include/nix/store/tests/meson.build

@@ -4,6 +4,8 @@ include_dirs = [ include_directories('../../..') ]
 
 headers = files(
   'derived-path.hh',
+  'https-store.hh',
+  'libstore-network.hh',
   'libstore.hh',
   'nix_api_store.hh',
   'outputs-spec.hh',

src/libstore-test-support/libstore-network.cc

@@ -0,0 +1,60 @@
+#include "nix/store/tests/libstore-network.hh"
+#include "nix/util/error.hh"
+#include "nix/util/environment-variables.hh"
+
+#ifdef __linux__
+#  include "nix/util/file-system.hh"
+#  include "nix/util/linux-namespaces.hh"
+#  include <sched.h>
+#  include <sys/ioctl.h>
+#  include <net/if.h>
+#  include <netinet/in.h>
+#endif
+
+namespace nix::testing {
+
+bool networkTestsAvailable = false;
+
+#ifdef __linux__
+
+static void enterNetworkNamespace()
+{
+    auto uid = ::getuid();
+    auto gid = ::getgid();
+
+    if (::unshare(CLONE_NEWUSER | CLONE_NEWNET) == -1)
+        throw SysError("setting up a private network namespace for tests");
+
+    std::filesystem::path procSelf = "/proc/self";
+    writeFile(procSelf / "setgroups", "deny");
+    writeFile(procSelf / "uid_map", fmt("%d %d 1", uid, uid));
+    writeFile(procSelf / "gid_map", fmt("%d %d 1", gid, gid));
+
+    AutoCloseFD fd(::socket(PF_INET, SOCK_DGRAM, IPPROTO_IP));
+    if (!fd)
+        throw SysError("cannot open IP socket for loopback interface");
+
+    struct ::ifreq ifr = {};
+    strcpy(ifr.ifr_name, "lo");
+    ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING;
+    if (::ioctl(fd.get(), SIOCSIFFLAGS, &ifr) == -1)
+        throw SysError("cannot set loopback interface flags");
+}
+
+#endif
+
+void setupNetworkTests()
+try {
+    networkTestsAvailable = getEnvOs(OS_STR("NIX_TEST_FORCE_NETWORK_TESTS")).has_value();
+
+#ifdef __linux__
+    if (!networkTestsAvailable && userNamespacesSupported()) {
+        enterNetworkNamespace();
+        networkTestsAvailable = true;
+    }
+#endif
+} catch (SystemError & e) {
+    /* Ignore any set up errors. */
+}
+
+} // namespace nix::testing

src/libstore-test-support/meson.build

@@ -28,10 +28,15 @@ subdir('nix-meson-build-support/subprojects')
 rapidcheck = dependency('rapidcheck')
 deps_public += rapidcheck
 
+gtest = dependency('gtest')
+deps_public += gtest
+
 subdir('nix-meson-build-support/common')
 
 sources = files(
   'derived-path.cc',
+  'https-store.cc',
+  'libstore-network.cc',
   'outputs-spec.cc',
   'path.cc',
   'test-main.cc',

src/libstore-test-support/package.nix

@@ -7,6 +7,7 @@
   nix-store-c,
 
   rapidcheck,
+  gtest,
 
   # Configuration Options
 
@@ -39,6 +40,7 @@ mkMesonLibrary (finalAttrs: {
     nix-store
     nix-store-c
     rapidcheck
+    gtest
   ];
 
   mesonFlags = [