diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1c8ee32428ea..f8b9e3c9c938 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -556,7 +556,6 @@ in { nginx-njs = handleTest ./nginx-njs.nix {}; nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {}; nginx-pubhtml = handleTest ./nginx-pubhtml.nix {}; - nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {}; nginx-sso = handleTest ./nginx-sso.nix {}; nginx-status-page = handleTest ./nginx-status-page.nix {}; nginx-tmpdir = handleTest ./nginx-tmpdir.nix {}; diff --git a/nixos/tests/nginx-sandbox.nix b/nixos/tests/nginx-sandbox.nix deleted file mode 100644 index 92ba30a09cf9..000000000000 --- a/nixos/tests/nginx-sandbox.nix +++ /dev/null @@ -1,65 +0,0 @@ -import ./make-test-python.nix ({ pkgs, ... }: { - name = "nginx-sandbox"; - meta = with pkgs.lib.maintainers; { - maintainers = [ izorkin ]; - }; - - # This test checks the creation and reading of a file in sandbox mode. Used simple lua script. - - nodes.machine = { pkgs, ... }: { - nixpkgs.overlays = [ - (self: super: { - nginx-lua = super.nginx.override { - modules = [ - pkgs.nginxModules.lua - ]; - }; - }) - ]; - services.nginx.enable = true; - services.nginx.package = pkgs.nginx-lua; - services.nginx.virtualHosts.localhost = { - extraConfig = '' - location /test1-write { - content_by_lua_block { - local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read') - local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt') - local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt') - } - } - location /test1-read { - root /tmp; - } - location /test2-write { - content_by_lua_block { - local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read') - local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt') - local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt') - } - } - location /test2-read { - root /var/web; - } - ''; - }; - users.users.foo.isNormalUser = true; - }; - - testScript = '' - machine.wait_for_unit("nginx") - machine.wait_for_open_port(80) - - # Checking write in temporary folder - machine.succeed("$(curl -vvv http://localhost/test1-write)") - machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked') - - # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted - # in read-only mode. - machine.succeed("mkdir -p /var/web") - machine.succeed("chown nginx:nginx /var/web") - machine.succeed("$(curl -vvv http://localhost/test2-write)") - assert "404 Not Found" in machine.succeed( - "curl -vvv -s http://localhost/test2-read/bar.txt" - ) - ''; -}) diff --git a/nixos/tests/openresty-lua.nix b/nixos/tests/openresty-lua.nix index b177b3c194d7..9e987398f51d 100644 --- a/nixos/tests/openresty-lua.nix +++ b/nixos/tests/openresty-lua.nix @@ -16,6 +16,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: nodes = { webserver = { pkgs, lib, ... }: { + networking = { + extraHosts = '' + 127.0.0.1 default.test + 127.0.0.1 sandbox.test + ''; + }; services.nginx = { enable = true; package = pkgs.openresty; @@ -24,7 +30,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: lua_package_path '${luaPath};;'; ''; - virtualHosts."default" = { + virtualHosts."default.test" = { default = true; locations."/" = { extraConfig = '' @@ -36,6 +42,33 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ''; }; }; + + virtualHosts."sandbox.test" = { + locations."/test1-write" = { + extraConfig = '' + content_by_lua_block { + local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read') + local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt') + local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt') + } + ''; + }; + locations."/test1-read" = { + root = "/tmp"; + }; + locations."/test2-write" = { + extraConfig = '' + content_by_lua_block { + local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read') + local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt') + local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt') + } + ''; + }; + locations."/test2-read" = { + root = "/var/web"; + }; + }; }; }; }; @@ -51,5 +84,18 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: f"curl -w '%{{http_code}}' --head --fail {url}" ) assert http_code.split("\n")[-1] == "200" + + # This test checks the creation and reading of a file in sandbox mode. + # Checking write in temporary folder + webserver.succeed("$(curl -vvv http://sandbox.test/test1-write)") + webserver.succeed('test "$(curl -fvvv http://sandbox.test/test1-read/foo.txt)" = worked') + # Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted + # in read-only mode. + webserver.succeed("mkdir -p /var/web") + webserver.succeed("chown nginx:nginx /var/web") + webserver.succeed("$(curl -vvv http://sandbox.test/test2-write)") + assert "404 Not Found" in machine.succeed( + "curl -vvv -s http://sandbox.test/test2-read/bar.txt" + ) ''; }) diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix index 8f90adab101b..6194548a6a99 100644 --- a/pkgs/servers/http/nginx/generic.nix +++ b/pkgs/servers/http/nginx/generic.nix @@ -186,7 +186,7 @@ stdenv.mkDerivation { passthru = { inherit modules; tests = { - inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sandbox nginx-sso nginx-status-page nginx-unix-socket; + inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sso nginx-status-page nginx-unix-socket; variants = lib.recurseIntoAttrs nixosTests.nginx-variants; acme-integration = nixosTests.acme; } // passthru.tests;