nixpkgs/nixos/tests/ferm.nix


import ./make-test.nix ({ pkgs, ...} : {
  name = "ferm";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ mic92 ];
  };

  nodes =
    { client =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            dhcpcd.enable = false;
            interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
          };
      };
      server =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            dhcpcd.enable = false;
            interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
          };

          services = {
            ferm.enable = true;
            ferm.config = ''
              domain (ip ip6) table filter chain INPUT {
                interface lo ACCEPT;
                proto tcp dport 8080 REJECT reject-with tcp-reset;
              }
            '';
            nginx.enable = true;
            nginx.httpConfig = ''
              server {
                listen 80;
                listen [::]:80;
                listen 8080;
                listen [::]:8080;

                location /status { stub_status on; }
              }
            '';
          };
        };
    };

  testScript =
    ''
      startAll;

      $client->waitForUnit("network-online.target");
      $server->waitForUnit("ferm.service");
      $server->waitForUnit("nginx.service");
      $server->waitUntilSucceeds("ss -ntl | grep -q 80");

      subtest "port 80 is allowed", sub {
          $client->succeed("curl --fail -g http://192.168.1.1:80/status");
          $client->succeed("curl --fail -g http://[fd00::1]:80/status");
      };

      subtest "port 8080 is not allowed", sub {
          $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
          $server->succeed("curl --fail -g http://[fd00::1]:8080/status");

          $client->fail("curl --fail -g http://192.168.1.1:8080/status");
          $client->fail("curl --fail -g http://[fd00::1]:8080/status");
      };
    '';
})
ferm: add integration test 2016-08-29 15:18:25 +02:00
			`import ./make-test.nix ({ pkgs, ...} : {`
			`name = "ferm";`
			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ mic92 ];`
			`};`

			`nodes =`
			`{ client =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ pkgs, ... }:`
ferm: add integration test 2016-08-29 15:18:25 +02:00			`with pkgs.lib;`
			`{`
			`networking = {`
nixos/tests/ferm: disable dhcpcd The test failed in one run on Hydra, logs look like dhcpcd changed ipv6 routing at just the wrong time. Disable dhcpcd. It's not needed, the test uses static IPs anyway. 2018-09-21 01:17:41 +02:00			`dhcpcd.enable = false;`
nixos/tests: rename IP addresses/routes options 2017-12-03 05:14:54 +01:00			`interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];`
			`interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];`
ferm: add integration test 2016-08-29 15:18:25 +02:00			`};`
			`};`
			`server =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ pkgs, ... }:`
ferm: add integration test 2016-08-29 15:18:25 +02:00			`with pkgs.lib;`
			`{`
			`networking = {`
nixos/tests/ferm: disable dhcpcd The test failed in one run on Hydra, logs look like dhcpcd changed ipv6 routing at just the wrong time. Disable dhcpcd. It's not needed, the test uses static IPs anyway. 2018-09-21 01:17:41 +02:00			`dhcpcd.enable = false;`
nixos/tests: rename IP addresses/routes options 2017-12-03 05:14:54 +01:00			`interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];`
			`interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];`
ferm: add integration test 2016-08-29 15:18:25 +02:00			`};`

			`services = {`
			`ferm.enable = true;`
			`ferm.config = ''`
			`domain (ip ip6) table filter chain INPUT {`
			`interface lo ACCEPT;`
			`proto tcp dport 8080 REJECT reject-with tcp-reset;`
			`}`
			`'';`
			`nginx.enable = true;`
			`nginx.httpConfig = ''`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`listen 8080;`
			`listen [::]:8080;`

			`location /status { stub_status on; }`
			`}`
			`'';`
			`};`
			`};`
			`};`

			`testScript =`
			`''`
			`startAll;`

nixos/tests/ferm: disable dhcpcd The test failed in one run on Hydra, logs look like dhcpcd changed ipv6 routing at just the wrong time. Disable dhcpcd. It's not needed, the test uses static IPs anyway. 2018-09-21 01:17:41 +02:00			`$client->waitForUnit("network-online.target");`
ferm: add integration test 2016-08-29 15:18:25 +02:00			`$server->waitForUnit("ferm.service");`
			`$server->waitForUnit("nginx.service");`
ferm: fix race condition in integration test (#18288) curl sent the request faster then nginx bound the port in some cases 2016-09-04 14:34:06 +02:00			`$server->waitUntilSucceeds("ss -ntl \| grep -q 80");`
ferm: add integration test 2016-08-29 15:18:25 +02:00
			`subtest "port 80 is allowed", sub {`
			`$client->succeed("curl --fail -g http://192.168.1.1:80/status");`
			`$client->succeed("curl --fail -g http://[fd00::1]:80/status");`
			`};`

			`subtest "port 8080 is not allowed", sub {`
			`$server->succeed("curl --fail -g http://192.168.1.1:8080/status");`
			`$server->succeed("curl --fail -g http://[fd00::1]:8080/status");`

			`$client->fail("curl --fail -g http://192.168.1.1:8080/status");`
			`$client->fail("curl --fail -g http://[fd00::1]:8080/status");`
			`};`
			`'';`
			`})`