public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/tests/nginx-sandbox.nix
Izorkin 535896671b
nixos/nginx: remove option enableSandbox
2020-09-10 08:19:20 +03:00

66 lines
2.2 KiB
Nix
Raw Blame History

import ./make-test-python.nix ({ pkgs, ... }: {
name = "nginx-sandbox";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ izorkin ];
};
# This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
machine = { pkgs, ... }: {
nixpkgs.overlays = [
(self: super: {
nginx-lua = super.nginx.override {
modules = [
pkgs.nginxModules.lua
];
};
})
];
services.nginx.enable = true;
services.nginx.package = pkgs.nginx-lua;
services.nginx.virtualHosts.localhost = {
extraConfig = ''
location /test1-write {
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
}
}
location /test1-read {
root /tmp;
}
location /test2-write {
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
}
}
location /test2-read {
root /var/web;
}
'';
};
users.users.foo.isNormalUser = true;
};
testScript = ''
machine.wait_for_unit("nginx")
machine.wait_for_open_port(80)
# Checking write in temporary folder
machine.succeed("$(curl -vvv http://localhost/test1-write)")
machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
# in read-only mode.
machine.succeed("mkdir -p /var/web")
machine.succeed("chown nginx:nginx /var/web")
machine.succeed("$(curl -vvv http://localhost/test2-write)")
assert "404 Not Found" in machine.succeed(
"curl -vvv -s http://localhost/test2-read/bar.txt"
)
'';
})
Reference in New Issue View Git Blame Copy Permalink