ci(nix): Startup/configure apache for renegotiate test under nix

flake.nix

@@ -29,6 +29,7 @@
           corretto
           pkgs.iproute2
           pkgs.apacheHttpd
+          pkgs.procps
           # GnuTLS-cli and serv utilities needed for some integration tests.
           pkgs.gnutls
           pkgs.gdb

nix/shell.sh

@@ -65,16 +65,14 @@ function integ {
         echo "    the test build s2n-tls from the main branch on github."
         echo "    Change the names of s2n[cd] to s2n[cd]_head and add those"
         echo "    binaries to \$PATH."
-        echo "- renegotiate_apache"
-        echo "   This test requires apache to be running. See codebuild/bin/s2n_apache.sh"
-        echo "    for more info."
         return
     fi
+    apache2_start
     if [[ -z "$1" ]]; then
-        banner "Running all integ tests except cross_compatibility, renegotiate_apache."
-        (cd $SRC_ROOT/build; ctest -L integrationv2 -E "(integrationv2_cross_compatibility|integrationv2_renegotiate_apache)" --verbose)
+        banner "Running all integ tests except cross_compatibility."
+        (cd $SRC_ROOT/build; ctest -L integrationv2 -E "(integrationv2_cross_compatibility)" --verbose)
     else
-        banner "Warning: cross_compatibility & renegotiate_apache are not supported in nix for various reasons integ help for more info."
+        banner "Warning: cross_compatibility is not supported in nix for various reasons. See `integ help` for more info."
         for test in $@; do
             ctest --test-dir ./build -L integrationv2 --no-tests=error --output-on-failure -R "$test" --verbose
             if [ "$?" -ne 0 ]; then
@@ -160,3 +158,34 @@ function test_nonstandard_compilation {
     ./codebuild/bin/test_dynamic_load.sh $(mktemp -d)
 }
 
+function apache2_config(){
+    export APACHE_NIX_STORE=$(dirname $(dirname $(which httpd)))
+    export APACHE2_INSTALL_DIR=/usr/local/apache2
+    export APACHE_SERVER_ROOT="$APACHE2_INSTALL_DIR"
+    export APACHE_RUN_USER=nobody
+    # Unprivileged groupname differs
+    export APACHE_RUN_GROUP=$(awk 'BEGIN{FS=":"} /65534/{print $1}' /etc/group)
+    export APACHE_PID_FILE="${APACHE2_INSTALL_DIR}/run/apache2.pid"
+    export APACHE_RUN_DIR="${APACHE2_INSTALL_DIR}/run" 
+    export APACHE_LOCK_DIR="${APACHE2_INSTALL_DIR}/lock"
+    export APACHE_LOG_DIR="${APACHE2_INSTALL_DIR}/log" 
+    export APACHE_CERT_DIR="$SRC_ROOT/tests/pems"
+}
+
+function apache2_start(){
+    if [[ "$(pgrep -c httpd)" -eq "0" ]]; then
+        apache2_config
+        if [[ ! -f "$APACHE2_INSTALL_DIR/apache2.conf" ]]; then
+            mkdir -p $APACHE2_INSTALL_DIR/{run,log,lock}
+            # NixOs specific base apache config
+            cp -R ./tests/integrationv2/apache2/nix/* $APACHE2_INSTALL_DIR
+            # Integrationv2::cross_compatibility site
+            cp -R ./codebuild/bin/apache2/{www,sites-enabled} $APACHE2_INSTALL_DIR
+        fi
+        httpd -k start -f "${APACHE2_INSTALL_DIR}/apache2.conf"
+        trap 'pkill httpd' ERR EXIT
+    else
+      echo "Apache is already running...and if the APACHE2_INSTALL_DIR is stale, it might be in an unknown state."
+    fi
+
+}

tests/integrationv2/apache2/nix/apache2.conf

@@ -0,0 +1,221 @@
+# This is the main Apache server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See http://httpd.apache.org/docs/2.4/ for detailed information about
+# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
+# hints.
+#
+#
+# Summary of how the Apache 2 configuration works in Debian:
+# The Apache 2 web server configuration in Debian is quite different to
+# upstream's suggested way to configure the web server. This is because Debian's
+# default Apache2 installation attempts to make adding and removing modules,
+# virtual hosts, and extra configuration directives as flexible as possible, in
+# order to make automating the changes and administering the server as easy as
+# possible.
+
+# It is split into several files forming the configuration hierarchy outlined
+# below, all located in the /etc/apache2/ directory:
+#
+#	/etc/apache2/
+#	|-- apache2.conf
+#	|	`--  ports.conf
+#	|-- mods-enabled
+#	|	|-- *.load
+#	|	`-- *.conf
+#	|-- conf-enabled
+#	|	`-- *.conf
+# 	`-- sites-enabled
+#	 	`-- *.conf
+#
+#
+# * apache2.conf is the main configuration file (this file). It puts the pieces
+#   together by including all remaining configuration files when starting up the
+#   web server.
+#
+# * ports.conf is always included from the main configuration file. It is
+#   supposed to determine listening ports for incoming connections which can be
+#   customized anytime.
+#
+# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
+#   directories contain particular configuration snippets which manage modules,
+#   global configuration fragments, or virtual host configurations,
+#   respectively.
+#
+#   They are activated by symlinking available configuration files from their
+#   respective *-available/ counterparts. These should be managed by using our
+#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
+#   their respective man pages for detailed information.
+#
+# * The binary is called apache2. Due to the use of environment variables, in
+#   the default configuration, apache2 needs to be started/stopped with
+#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
+#   work with the default configuration.
+
+
+# Global configuration
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE!  If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the Mutex documentation (available
+# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot ${APACHE_SERVER_ROOT}
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+#Mutex file:${APACHE_LOCK_DIR} default
+
+#
+# The directory where shm and other runtime files will be stored.
+#
+DefaultRuntimeDir ${APACHE_RUN_DIR}
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+# This needs to be set in /etc/apache2/envvars
+#
+PidFile ${APACHE_PID_FILE}
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 60
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 5
+
+
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog ${APACHE_LOG_DIR}/error.log
+
+#
+# LogLevel: Control the severity of messages logged to the error_log.
+# Available values: trace8, ..., trace1, debug, info, notice, warn,
+# error, crit, alert, emerg.
+# It is also possible to configure the log level for particular modules, e.g.
+# "LogLevel info ssl:warn"
+#
+LogLevel warn
+
+# Include module configuration:
+IncludeOptional mods-enabled/*.load
+IncludeOptional mods-enabled/*.conf
+
+# Include list of ports to listen on
+Include ports.conf
+
+# This module is built into the Ubuntu apache, but not nixpkgs
+<IfModule unixd_module>
+  User ${APACHE_RUN_USER}
+  Group ${APACHE_RUN_GROUP}
+</IfModule>
+
+
+# Sets the default security model of the Apache2 HTTPD server. It does
+# not allow access to the root filesystem outside of /usr/share and /var/www.
+# The former is used by web applications packaged in Debian,
+# the latter may be used for local directories served by the web server. If
+# your system is serving content from a sub-directory in /srv you must allow
+# access here, or in any related virtual host.
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+	Require all denied
+</Directory>
+
+<Directory /usr/share>
+	AllowOverride None
+	Require all granted
+</Directory>
+
+<Directory ${APACHE_SERVER_ROOT}/www/>
+	Options Indexes FollowSymLinks
+	AllowOverride None
+	Require all granted
+</Directory>
+
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives.  See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<FilesMatch "^\.ht">
+	Require all denied
+</FilesMatch>
+
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive.
+#
+# These deviate from the Common Log Format definitions in that they use %O
+# (the actual bytes sent including headers) instead of %b (the size of the
+# requested file), because the latter makes it impossible to detect partial
+# requests.
+#
+# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
+# Use mod_remoteip instead.
+#
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s  \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%h %l %u %t \"%r\" %>s  \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s " common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# Include of directories ignores editors' and dpkg's backup files,
+# see README.Debian for details.
+
+# Include generic snippets of statements
+IncludeOptional conf-enabled/*.conf
+
+# Include the virtual host configurations:
+IncludeOptional sites-enabled/*.conf
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

tests/integrationv2/apache2/nix/conf-enabled/other-vhosts-access-log.conf

@@ -0,0 +1,4 @@
+# Define an access log for VirtualHosts that don't define their own logfile
+CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

tests/integrationv2/apache2/nix/conf-enabled/serve-cgi-bin.conf

@@ -0,0 +1,20 @@
+<IfModule mod_alias.c>
+	<IfModule mod_cgi.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfModule mod_cgid.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfDefine ENABLE_USR_LIB_CGI_BIN>
+		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+		<Directory "/usr/lib/cgi-bin">
+			AllowOverride None
+			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+			Require all granted
+		</Directory>
+	</IfDefine>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

tests/integrationv2/apache2/nix/mods-enabled/access_compat.load

@@ -0,0 +1,2 @@
+# Depends: authn_core
+LoadModule access_compat_module ${APACHE_NIX_STORE}/modules/mod_access_compat.so

tests/integrationv2/apache2/nix/mods-enabled/alias.conf

@@ -0,0 +1,24 @@
+<IfModule alias_module>
+	# Aliases: Add here as many aliases as you need (with no limit). The format is
+	# Alias fakename realname
+	#
+	# Note that if you include a trailing / on fakename then the server will
+	# require it to be present in the URL.  So "/icons" isn't aliased in this
+	# example, only "/icons/".  If the fakename is slash-terminated, then the
+	# realname must also be slash terminated, and if the fakename omits the
+	# trailing slash, the realname must also omit it.
+	#
+	# We include the /icons/ alias for FancyIndexed directory listings.  If
+	# you do not use FancyIndexing, you may comment this out.
+
+	Alias /icons/ "${APACHE_NIX_STORE}/usr/share/apache2/icons/"
+
+	<Directory "${APACHE_NIX_STORE}/icons">
+		Options FollowSymlinks
+		AllowOverride None
+		Require all granted
+	</Directory>
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

tests/integrationv2/apache2/nix/mods-enabled/alias.load

@@ -0,0 +1 @@
+LoadModule alias_module ${APACHE_NIX_STORE}/modules/mod_alias.so

tests/integrationv2/apache2/nix/mods-enabled/auth_basic.load

@@ -0,0 +1,2 @@
+# Depends: authn_core
+LoadModule auth_basic_module ${APACHE_NIX_STORE}/modules/mod_auth_basic.so

tests/integrationv2/apache2/nix/mods-enabled/authn_core.load

@@ -0,0 +1 @@
+LoadModule authn_core_module ${APACHE_NIX_STORE}/modules/mod_authn_core.so

tests/integrationv2/apache2/nix/mods-enabled/authn_file.load

@@ -0,0 +1 @@
+LoadModule authn_file_module ${APACHE_NIX_STORE}/modules/mod_authn_file.so

tests/integrationv2/apache2/nix/mods-enabled/authz_core.load

@@ -0,0 +1 @@
+LoadModule authz_core_module ${APACHE_NIX_STORE}/modules/mod_authz_core.so

tests/integrationv2/apache2/nix/mods-enabled/authz_host.load

@@ -0,0 +1,2 @@
+# Depends: authz_core
+LoadModule authz_host_module ${APACHE_NIX_STORE}/modules/mod_authz_host.so

tests/integrationv2/apache2/nix/mods-enabled/authz_user.load

@@ -0,0 +1,2 @@
+# Depends: authz_core
+LoadModule authz_user_module ${APACHE_NIX_STORE}/modules/mod_authz_user.so