From 5e6e949e84593e7fc87cdf6fc4b0a37e015a7265 Mon Sep 17 00:00:00 2001
From: Jonas Heinrich
Date: Tue, 8 Aug 2023 22:00:52 +0200
Subject: [PATCH] nixos/opensnitch: add test

---
 nixos/tests/all-tests.nix                   |  1 +
 nixos/tests/opensnitch.nix                  | 62 +++++++++++++++++++++
 pkgs/tools/networking/opensnitch/daemon.nix | 10 +++-
 3 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 nixos/tests/opensnitch.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 530447b99786..34531340c965 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -571,6 +571,7 @@ in {
   openresty-lua = handleTest ./openresty-lua.nix {};
   opensmtpd = handleTest ./opensmtpd.nix {};
   opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
+  opensnitch = handleTest ./opensnitch.nix {};
   openssh = handleTest ./openssh.nix {};
   octoprint = handleTest ./octoprint.nix {};
   openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {};
diff --git a/nixos/tests/opensnitch.nix b/nixos/tests/opensnitch.nix
new file mode 100644
index 000000000000..d84e4e0a935b
--- /dev/null
+++ b/nixos/tests/opensnitch.nix
@@ -0,0 +1,62 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "opensnitch";
+
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ onny ];
+  };
+
+  nodes = {
+    server =
+      { ... }: {
+        networking.firewall.allowedTCPPorts = [ 80 ];
+        services.caddy = {
+          enable = true;
+          virtualHosts."localhost".extraConfig = ''
+            respond "Hello, world!"
+          '';
+        };
+      };
+
+    clientBlocked =
+      { ... }: {
+        services.opensnitch = {
+          enable = true;
+          settings.DefaultAction = "deny";
+        };
+      };
+
+    clientAllowed =
+      { ... }: {
+        services.opensnitch = {
+          enable = true;
+          settings.DefaultAction = "deny";
+          rules = {
+            opensnitch = {
+              name = "curl";
+              enabled = true;
+              action = "allow";
+              duration = "always";
+              operator = {
+                type ="simple";
+                sensitive = false;
+                operand = "process.path";
+                data = "${pkgs.curl}/bin/curl";
+              };
+            };
+          };
+        };
+      };
+  };
+
+  testScript = ''
+    start_all()
+    server.wait_for_unit("caddy.service")
+    server.wait_for_open_port(80)
+
+    clientBlocked.wait_for_unit("opensnitchd.service")
+    clientBlocked.fail("curl http://server")
+
+    clientAllowed.wait_for_unit("opensnitchd.service")
+    clientAllowed.succeed("curl http://server")
+  '';
+})
diff --git a/pkgs/tools/networking/opensnitch/daemon.nix b/pkgs/tools/networking/opensnitch/daemon.nix
index 86bc8a604142..67bf77df2bb5 100644
--- a/pkgs/tools/networking/opensnitch/daemon.nix
+++ b/pkgs/tools/networking/opensnitch/daemon.nix
@@ -13,6 +13,7 @@
 , protoc-gen-go-grpc
 , testers
 , opensnitch
+, nixosTests
 }:
 
 buildGoModule rec {
@@ -69,9 +70,12 @@ buildGoModule rec {
       --prefix PATH : ${lib.makeBinPath [ iptables ]}
     '';
 
-  passthru.tests.version = testers.testVersion {
-    package = opensnitch;
-    command = "opensnitchd -version";
+  passthru.tests = {
+    inherit (nixosTests) opensnitch;
+    version = testers.testVersion {
+      package = opensnitch;
+      command = "opensnitchd -version";
+    };
   };
 
   meta = with lib; {
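Review bot: `clientBlocked.fail("curl http://server")` in the testScript only establishes that curl exited non-zero; any failure (no route, no matching site on the server, a driver-side timeout) satisfies `fail()`, so on its own it does not show that OpenSnitch denied the connection, and if the denied packets are dropped rather than rejected curl will sit in its default connect timeout until the driver gives up. Bound the wait with `clientBlocked.fail("curl --connect-timeout 5 --fail http://server")` and, to attribute the failure to the daemon, additionally wait for the denial to show up in `journalctl -u opensnitchd` (the daemon's log format is not visible here, so pick the pattern from its actual output rather than guessing). On the allow side, `clientAllowed.succeed("curl http://server")` passes on any HTTP response, so the `respond "Hello, world!"` body configured on the server is never checked; `assert "Hello, world!" in clientAllowed.succeed("curl --fail http://server")` would pin it, though the vhost is keyed on `localhost` while the client sends Host `server`, so the vhost key likely has to match the client's hostname before that assertion can hold. Minor style point: `type ="simple";` is missing the space before `=` that every other attribute in the rule uses.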