Merge pull request #248011 from onny/opensnitch-test

nixos/opensnitch: add test
This commit is contained in:
Arnout Engelen 2023-08-17 12:43:42 +02:00 committed by GitHub
commit 46d051737d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 70 additions and 3 deletions

View file

@ -573,6 +573,7 @@ in {
openresty-lua = handleTest ./openresty-lua.nix {};
opensmtpd = handleTest ./opensmtpd.nix {};
opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
opensnitch = handleTest ./opensnitch.nix {};
openssh = handleTest ./openssh.nix {};
octoprint = handleTest ./octoprint.nix {};
openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {};

View file

@ -0,0 +1,62 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "opensnitch";
meta = with pkgs.lib.maintainers; {
maintainers = [ onny ];
};
nodes = {
server =
{ ... }: {
networking.firewall.allowedTCPPorts = [ 80 ];
services.caddy = {
enable = true;
virtualHosts."localhost".extraConfig = ''
respond "Hello, world!"
'';
};
};
clientBlocked =
{ ... }: {
services.opensnitch = {
enable = true;
settings.DefaultAction = "deny";
};
};
clientAllowed =
{ ... }: {
services.opensnitch = {
enable = true;
settings.DefaultAction = "deny";
rules = {
opensnitch = {
name = "curl";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${pkgs.curl}/bin/curl";
};
};
};
};
};
};
testScript = ''
start_all()
server.wait_for_unit("caddy.service")
server.wait_for_open_port(80)
clientBlocked.wait_for_unit("opensnitchd.service")
clientBlocked.fail("curl http://server")
clientAllowed.wait_for_unit("opensnitchd.service")
clientAllowed.succeed("curl http://server")
'';
})

View file

@ -13,6 +13,7 @@
, protoc-gen-go-grpc
, testers
, opensnitch
, nixosTests
}:
buildGoModule rec {
@ -69,9 +70,12 @@ buildGoModule rec {
--prefix PATH : ${lib.makeBinPath [ iptables ]}
'';
passthru.tests.version = testers.testVersion {
package = opensnitch;
command = "opensnitchd -version";
passthru.tests = {
inherit (nixosTests) opensnitch;
version = testers.testVersion {
package = opensnitch;
command = "opensnitchd -version";
};
};
meta = with lib; {