nixos/tests/nginx-sandbox.nix

   1 import ./make-test-python.nix ({ pkgs, ... }: {
   2   name = "nginx-sandbox";
   3   meta = with pkgs.lib.maintainers; {
   4     maintainers = [ izorkin ];
   5   };
   6
   7   # This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
   8
   9   nodes.machine = { pkgs, ... }: {
  10     nixpkgs.overlays = [
  11       (self: super: {
  12         nginx-lua = super.nginx.override {
  13           modules = [
  14             pkgs.nginxModules.lua
  15           ];
  16         };
  17       })
  18     ];
  19     services.nginx.enable = true;
  20     services.nginx.package = pkgs.nginx-lua;
  21     services.nginx.virtualHosts.localhost = {
  22       extraConfig = ''
  23         location /test1-write {
  24           content_by_lua_block {
  25             local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
  26             local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
  27             local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
  28           }
  29         }
  30         location /test1-read {
  31           root /tmp;
  32         }
  33         location /test2-write {
  34           content_by_lua_block {
  35             local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
  36             local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
  37             local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
  38           }
  39         }
  40         location /test2-read {
  41           root /var/web;
  42         }
  43       '';
  44     };
  45     users.users.foo.isNormalUser = true;
  46   };
  47
  48   testScript = ''
  49     machine.wait_for_unit("nginx")
  50     machine.wait_for_open_port(80)
  51
  52     # Checking write in temporary folder
  53     machine.succeed("$(curl -vvv http://localhost/test1-write)")
  54     machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
  55
  56     # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
  57     # in read-only mode.
  58     machine.succeed("mkdir -p /var/web")
  59     machine.succeed("chown nginx:nginx /var/web")
  60     machine.succeed("$(curl -vvv http://localhost/test2-write)")
  61     assert "404 Not Found" in machine.succeed(
  62         "curl -vvv -s http://localhost/test2-read/bar.txt"
  63     )
  64   '';
  65 })