nixpkgs/nixos/tests/nginx-sandbox.nix

import ./make-test-python.nix ({ pkgs, ... }: {
  name = "nginx-sandbox";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ izorkin ];
  };

  # This test checks the creation and reading of a file in sandbox mode. Used simple lua script.

  machine = { pkgs, ... }: {
    nixpkgs.overlays = [
      (self: super: {
        nginx-lua = super.nginx.override {
          modules = [
            pkgs.nginxModules.lua
          ];
        };
      })
    ];
    services.nginx.enable = true;
    services.nginx.package = pkgs.nginx-lua;
    services.nginx.enableSandbox = true;
    services.nginx.virtualHosts.localhost = {
      extraConfig = ''
        location /test1-write {
          content_by_lua_block {
            local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
            local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
            local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
          }
        }
        location /test1-read {
          root /tmp;
        }
        location /test2-write {
          content_by_lua_block {
            local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
            local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
            local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
          }
        }
        location /test2-read {
          root /var/web;
        }
      '';
    };
    users.users.foo.isNormalUser = true;
  };

  testScript = ''
    machine.wait_for_unit("nginx")
    machine.wait_for_open_port(80)

    # Checking write in temporary folder
    machine.succeed("$(curl -vvv http://localhost/test1-write)")
    machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')

    # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
    # in read-only mode.
    machine.succeed("mkdir -p /var/web")
    machine.succeed("chown nginx:nginx /var/web")
    machine.succeed("$(curl -vvv http://localhost/test2-write)")
    assert "404 Not Found" in machine.succeed(
        "curl -vvv -s http://localhost/test2-read/bar.txt"
    )
  '';
})
nixos/tests: add nginx-sandbox test 2020-04-23 22:00:27 +03:00			`import ./make-test-python.nix ({ pkgs, ... }: {`
			`name = "nginx-sandbox";`
			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ izorkin ];`
			`};`

			`# This test checks the creation and reading of a file in sandbox mode. Used simple lua script.`

			`machine = { pkgs, ... }: {`
			`nixpkgs.overlays = [`
			`(self: super: {`
			`nginx-lua = super.nginx.override {`
			`modules = [`
			`pkgs.nginxModules.lua`
			`];`
			`};`
			`})`
			`];`
			`services.nginx.enable = true;`
			`services.nginx.package = pkgs.nginx-lua;`
nixos/nginx: add option enableSandbox 2020-05-12 15:02:57 +03:00			`services.nginx.enableSandbox = true;`
nixos/tests: add nginx-sandbox test 2020-04-23 22:00:27 +03:00			`services.nginx.virtualHosts.localhost = {`
			`extraConfig = ''`
			`location /test1-write {`
			`content_by_lua_block {`
			`local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')`
			`local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')`
			`local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')`
			`}`
			`}`
			`location /test1-read {`
			`root /tmp;`
			`}`
			`location /test2-write {`
			`content_by_lua_block {`
			`local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')`
			`local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')`
			`local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')`
			`}`
			`}`
			`location /test2-read {`
			`root /var/web;`
			`}`
			`'';`
			`};`
			`users.users.foo.isNormalUser = true;`
			`};`

			`testScript = ''`
			`machine.wait_for_unit("nginx")`
			`machine.wait_for_open_port(80)`

			`# Checking write in temporary folder`
			`machine.succeed("$(curl -vvv http://localhost/test1-write)")`
			`machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')`

			`# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted`
			`# in read-only mode.`
			`machine.succeed("mkdir -p /var/web")`
			`machine.succeed("chown nginx:nginx /var/web")`
			`machine.succeed("$(curl -vvv http://localhost/test2-write)")`
			`assert "404 Not Found" in machine.succeed(`
			`"curl -vvv -s http://localhost/test2-read/bar.txt"`
			`)`
			`'';`
			`})`