Unverified Commit 2d3a5c7d authored by Artturi's avatar Artturi Committed by GitHub

Merge pull request #262254 from Artturin/nginxsandboxrem

parents b3523433 d3234553
+0 −1
@@ -573,7 +573,6 @@ in {
  nginx-njs = handleTest ./nginx-njs.nix {};
  nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};
  nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
  nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
  nginx-sso = handleTest ./nginx-sso.nix {};
  nginx-status-page = handleTest ./nginx-status-page.nix {};
  nginx-tmpdir = handleTest ./nginx-tmpdir.nix {};

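--- a/nixos/tests/nginx-sandbox.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-import ./make-test-python.nix ({ pkgs, ... }: {
-  name = "nginx-sandbox";
-  meta = with pkgs.lib.maintainers; {
-    maintainers = [ izorkin ];
-  };
-
-  # This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
-
-  nodes.machine = { pkgs, ... }: {
-    nixpkgs.overlays = [
-      (self: super: {
-        nginx-lua = super.nginx.override {
-          modules = [
-            pkgs.nginxModules.lua
-          ];
-        };
-      })
-    ];
-    services.nginx.enable = true;
-    services.nginx.package = pkgs.nginx-lua;
-    services.nginx.virtualHosts.localhost = {
-      extraConfig = ''
-        location /test1-write {
-          content_by_lua_block {
-            local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
-            local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
-            local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
-          }
-        }
-        location /test1-read {
-          root /tmp;
-        }
-        location /test2-write {
-          content_by_lua_block {
-            local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
-            local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
-            local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
-          }
-        }
-        location /test2-read {
-          root /var/web;
-        }
-      '';
-    };
-    users.users.foo.isNormalUser = true;
-  };
-
-  testScript = ''
-    machine.wait_for_unit("nginx")
-    machine.wait_for_open_port(80)
-
-    # Checking write in temporary folder
-    machine.succeed("$(curl -vvv http://localhost/test1-write)")
-    machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
-
-    # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
-    # in read-only mode.
-    machine.succeed("mkdir -p /var/web")
-    machine.succeed("chown nginx:nginx /var/web")
-    machine.succeed("$(curl -vvv http://localhost/test2-write)")
-    assert "404 Not Found" in machine.succeed(
-        "curl -vvv -s http://localhost/test2-read/bar.txt"
-    )
-  '';
-})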
+47 −1
@@ -16,6 +16,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:

    nodes = {
      webserver = { pkgs, lib, ... }: {
        networking = {
          extraHosts = ''
            127.0.0.1 default.test
            127.0.0.1 sandbox.test
          '';
        };
        services.nginx = {
          enable = true;
          package = pkgs.openresty;
@@ -24,7 +30,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
            lua_package_path '${luaPath};;';
          '';

          virtualHosts."default" = {
          virtualHosts."default.test" = {
            default = true;
            locations."/" = {
              extraConfig = ''
@@ -36,6 +42,33 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
              '';
            };
          };

          virtualHosts."sandbox.test" = {
            locations."/test1-write" = {
              extraConfig = ''
                content_by_lua_block {
                  local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
                  local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
                  local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
                }
              '';
            };
            locations."/test1-read" = {
              root = "/tmp";
            };
            locations."/test2-write" = {
              extraConfig = ''
                content_by_lua_block {
                  local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
                  local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
                  local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
                }
              '';
            };
            locations."/test2-read" = {
              root = "/var/web";
            };
          };
        };
      };
    };
@@ -51,5 +84,18 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
          f"curl -w '%{{http_code}}' --head --fail {url}"
        )
        assert http_code.split("\n")[-1] == "200"

        # This test checks the creation and reading of a file in sandbox mode.
        # Checking write in temporary folder
        webserver.succeed("$(curl -vvv http://sandbox.test/test1-write)")
        webserver.succeed('test "$(curl -fvvv http://sandbox.test/test1-read/foo.txt)" = worked')
        # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
        # in read-only mode.
        webserver.succeed("mkdir -p /var/web")
        webserver.succeed("chown nginx:nginx /var/web")
        webserver.succeed("$(curl -vvv http://sandbox.test/test2-write)")
        assert "404 Not Found" in machine.succeed(
            "curl -vvv -s http://sandbox.test/test2-read/bar.txt"
        )
      '';
  })
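Review bot: `machine.succeed(` in the final assertion of the added testScript block refers to a node that this test does not appear to define — the only node visible in the hunks is `webserver` (and every other call in the same block uses `webserver.succeed`), so unless a `machine` node exists outside the visible lines the script raises a NameError right before the read-only `/var/web` check, and the sandbox regression coverage this PR moves here never actually runs. Change it to `assert "404 Not Found" in webserver.succeed(`. The testScript string and the `nodes` attrset both start outside the hunks, so other nodes could in principle be declared there. Separately, the copied `webserver.succeed("$(curl -vvv http://sandbox.test/test1-write)")` passes the HTTP response body to the shell through command substitution instead of just issuing the request, which is presumably an inherited accident; `webserver.succeed("curl -vvv http://sandbox.test/test1-write")` states the intent directly and fails loudly if the request itself errors.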
+1 −1
@@ -186,7 +186,7 @@ stdenv.mkDerivation {
  passthru = {
    inherit modules;
    tests = {
      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sandbox nginx-sso nginx-status-page nginx-unix-socket;
      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sso nginx-status-page nginx-unix-socket;
      variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
      acme-integration = nixosTests.acme;
    } // passthru.tests;