Merge pull request #262254 from Artturin/nginxsandboxrem

Artturi 2023-10-31 18:39:55 +02:00 committed by GitHub
commit 2d3a5c7ddb
4 changed files with 48 additions and 68 deletions


@ -573,7 +573,6 @@ in {
nginx-njs = handleTest ./nginx-njs.nix {};
nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nginx-status-page = handleTest ./nginx-status-page.nix {};
nginx-tmpdir = handleTest ./nginx-tmpdir.nix {};


@ -1,65 +0,0 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "nginx-sandbox";
meta = with pkgs.lib.maintainers; {
maintainers = [ izorkin ];
};
# This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
nodes.machine = { pkgs, ... }: {
nixpkgs.overlays = [
(self: super: {
nginx-lua = super.nginx.override {
modules = [
pkgs.nginxModules.lua
];
};
})
];
services.nginx.enable = true;
services.nginx.package = pkgs.nginx-lua;
services.nginx.virtualHosts.localhost = {
extraConfig = ''
location /test1-write {
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
}
}
location /test1-read {
root /tmp;
}
location /test2-write {
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
}
}
location /test2-read {
root /var/web;
}
'';
};
users.users.foo.isNormalUser = true;
};
testScript = ''
machine.wait_for_unit("nginx")
machine.wait_for_open_port(80)
# Checking write in temporary folder
machine.succeed("$(curl -vvv http://localhost/test1-write)")
machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
# in read-only mode.
machine.succeed("mkdir -p /var/web")
machine.succeed("chown nginx:nginx /var/web")
machine.succeed("$(curl -vvv http://localhost/test2-write)")
assert "404 Not Found" in machine.succeed(
"curl -vvv -s http://localhost/test2-read/bar.txt"
)
'';
})


@ -16,6 +16,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
nodes = {
webserver = { pkgs, lib, ... }: {
networking = {
extraHosts = ''
127.0.0.1 default.test
127.0.0.1 sandbox.test
'';
};
services.nginx = {
enable = true;
package = pkgs.openresty;
@ -24,7 +30,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
lua_package_path '${luaPath};;';
'';
virtualHosts."default" = {
virtualHosts."default.test" = {
default = true;
locations."/" = {
extraConfig = ''
@ -36,6 +42,33 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
'';
};
};
virtualHosts."sandbox.test" = {
locations."/test1-write" = {
extraConfig = ''
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
}
'';
};
locations."/test1-read" = {
root = "/tmp";
};
locations."/test2-write" = {
extraConfig = ''
content_by_lua_block {
local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
}
'';
};
locations."/test2-read" = {
root = "/var/web";
};
};
};
};
};
@ -51,5 +84,18 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
f"curl -w '%{{http_code}}' --head --fail {url}"
)
assert http_code.split("\n")[-1] == "200"
# This test checks the creation and reading of a file in sandbox mode.
# Checking write in temporary folder
webserver.succeed("$(curl -vvv http://sandbox.test/test1-write)")
webserver.succeed('test "$(curl -fvvv http://sandbox.test/test1-read/foo.txt)" = worked')
# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
# in read-only mode.
webserver.succeed("mkdir -p /var/web")
webserver.succeed("chown nginx:nginx /var/web")
webserver.succeed("$(curl -vvv http://sandbox.test/test2-write)")
assert "404 Not Found" in machine.succeed(
"curl -vvv -s http://sandbox.test/test2-read/bar.txt"
)
'';
})
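Review bot: The final assertion in the last hunk of this section calls `machine.succeed(...)`, but this test declares its node as `webserver` (the `nodes = { webserver = ... }` attrset earlier in the section) and every other call in the added script uses `webserver`; with no `machine` node the test script raises a NameError at that line, so the read-only `/var/web` check is never actually evaluated. This looks like a leftover from the deleted standalone test, which used `nodes.machine`; the line should read `assert "404 Not Found" in webserver.succeed(`. Separately, the `$(curl ...)` wrapping on the two `*-write` requests executes the HTTP response body as a shell command: it passes vacuously because the Lua blocks emit no body, and a non-empty response such as an nginx error page would be run as a command instead of failing the test, so the plain `webserver.succeed("curl -vvv http://sandbox.test/test1-write")` form (and likewise for `test2-write`) is more robust. The enclosing `testScript` string starts outside this hunk.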


@ -186,7 +186,7 @@ stdenv.mkDerivation {
passthru = {
inherit modules;
tests = {
inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sandbox nginx-sso nginx-status-page nginx-unix-socket;
inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sso nginx-status-page nginx-unix-socket;
variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
acme-integration = nixosTests.acme;
} // passthru.tests;