nixos/tests/nginx-sandbox.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / nginx-sandbox.nix
at 23.11-pre 2.3 kB view raw
 1import ./make-test-python.nix ({ pkgs, ... }: {
 2  name = "nginx-sandbox";
 3  meta = with pkgs.lib.maintainers; {
 4    maintainers = [ izorkin ];
 5  };
 6
 7  # This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
 8
 9  nodes.machine = { pkgs, ... }: {
10    nixpkgs.overlays = [
11      (self: super: {
12        nginx-lua = super.nginx.override {
13          modules = [
14            pkgs.nginxModules.lua
15          ];
16        };
17      })
18    ];
19    services.nginx.enable = true;
20    services.nginx.package = pkgs.nginx-lua;
21    services.nginx.virtualHosts.localhost = {
22      extraConfig = ''
23        location /test1-write {
24          content_by_lua_block {
25            local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
26            local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
27            local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
28          }
29        }
30        location /test1-read {
31          root /tmp;
32        }
33        location /test2-write {
34          content_by_lua_block {
35            local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
36            local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
37            local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
38          }
39        }
40        location /test2-read {
41          root /var/web;
42        }
43      '';
44    };
45    users.users.foo.isNormalUser = true;
46  };
47
48  testScript = ''
49    machine.wait_for_unit("nginx")
50    machine.wait_for_open_port(80)
51
52    # Checking write in temporary folder
53    machine.succeed("$(curl -vvv http://localhost/test1-write)")
54    machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
55
56    # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
57    # in read-only mode.
58    machine.succeed("mkdir -p /var/web")
59    machine.succeed("chown nginx:nginx /var/web")
60    machine.succeed("$(curl -vvv http://localhost/test2-write)")
61    assert "404 Not Found" in machine.succeed(
62        "curl -vvv -s http://localhost/test2-read/bar.txt"
63    )
64  '';
65})