lol

nixosTests.nginx-sandbox: remove broken test and move the sandboxing test to the openresty test

nginx lua needs resty

the enableSandbox option of nginx was removed in 535896671b66d308df3ce467c94f8a9fecfdffea

the test fails with

```
vm-test-run-nginx-sandbox> machine # [ 47.753580] nginx[1142]: nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
vm-test-run-nginx-sandbox> machine # [ 47.756064] nginx[1142]: nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
vm-test-run-nginx-sandbox> machine # [ 57.911766] systemd[1]: Failed to start Nginx Web Server.
```

Artturin d3234553 13f32500

+48 -68
-1
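--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -556,7 +556,6 @@
 nginx-njs = handleTest ./nginx-njs.nix {};
 nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};
 nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
-nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
 nginx-sso = handleTest ./nginx-sso.nix {};
 nginx-status-page = handleTest ./nginx-status-page.nix {};
 nginx-tmpdir = handleTest ./nginx-tmpdir.nix {};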
-65
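--- a/nixos/tests/nginx-sandbox.nix
+++ b/nixos/tests/nginx-sandbox.nix
@@ -1,65 +0,0 @@
-import ./make-test-python.nix ({ pkgs, ... }: {
-name = "nginx-sandbox";
-meta = with pkgs.lib.maintainers; {
-maintainers = [ izorkin ];
-};
-
-# This test checks the creation and reading of a file in sandbox mode. Used simple lua script.
-
-nodes.machine = { pkgs, ... }: {
-nixpkgs.overlays = [
-(self: super: {
-nginx-lua = super.nginx.override {
-modules = [
-pkgs.nginxModules.lua
-];
-};
-})
-];
-services.nginx.enable = true;
-services.nginx.package = pkgs.nginx-lua;
-services.nginx.virtualHosts.localhost = {
-extraConfig = ''
-location /test1-write {
-content_by_lua_block {
-local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
-local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
-local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
-}
-}
-location /test1-read {
-root /tmp;
-}
-location /test2-write {
-content_by_lua_block {
-local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
-local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
-local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
-}
-}
-location /test2-read {
-root /var/web;
-}
-'';
-};
-users.users.foo.isNormalUser = true;
-};
-
-testScript = ''
-machine.wait_for_unit("nginx")
-machine.wait_for_open_port(80)
-
-# Checking write in temporary folder
-machine.succeed("$(curl -vvv http://localhost/test1-write)")
-machine.succeed('test "$(curl -fvvv http://localhost/test1-read/foo.txt)" = worked')
-
-# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
-# in read-only mode.
-machine.succeed("mkdir -p /var/web")
-machine.succeed("chown nginx:nginx /var/web")
-machine.succeed("$(curl -vvv http://localhost/test2-write)")
-assert "404 Not Found" in machine.succeed(
-"curl -vvv -s http://localhost/test2-read/bar.txt"
-)
-'';
-})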
+47 -1
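--- a/nixos/tests/openresty-lua.nix
+++ b/nixos/tests/openresty-lua.nix
@@ -16,6 +16,12 @@
 
 nodes = {
 webserver = { pkgs, lib, ... }: {
+networking = {
+extraHosts = ''
+127.0.0.1 default.test
+127.0.0.1 sandbox.test
+'';
+};
 services.nginx = {
 enable = true;
 package = pkgs.openresty;
@@ -24,7 +30,7 @@
 lua_package_path '${luaPath};;';
 '';
 
-virtualHosts."default" = {
+virtualHosts."default.test" = {
 default = true;
 locations."/" = {
 extraConfig = ''
@@ -36,6 +42,33 @@
 '';
 };
 };
+
+virtualHosts."sandbox.test" = {
+locations."/test1-write" = {
+extraConfig = ''
+content_by_lua_block {
+local create = os.execute('${pkgs.coreutils}/bin/mkdir /tmp/test1-read')
+local create = os.execute('${pkgs.coreutils}/bin/touch /tmp/test1-read/foo.txt')
+local echo = os.execute('${pkgs.coreutils}/bin/echo worked > /tmp/test1-read/foo.txt')
+}
+'';
+};
+locations."/test1-read" = {
+root = "/tmp";
+};
+locations."/test2-write" = {
+extraConfig = ''
+content_by_lua_block {
+local create = os.execute('${pkgs.coreutils}/bin/mkdir /var/web/test2-read')
+local create = os.execute('${pkgs.coreutils}/bin/touch /var/web/test2-read/bar.txt')
+local echo = os.execute('${pkgs.coreutils}/bin/echo error-worked > /var/web/test2-read/bar.txt')
+}
+'';
+};
+locations."/test2-read" = {
+root = "/var/web";
+};
+};
 };
 };
 };
@@ -51,5 +84,18 @@
 f"curl -w '%{{http_code}}' --head --fail {url}"
 )
 assert http_code.split("\n")[-1] == "200"
+
+# This test checks the creation and reading of a file in sandbox mode.
+# Checking write in temporary folder
+webserver.succeed("$(curl -vvv http://sandbox.test/test1-write)")
+webserver.succeed('test "$(curl -fvvv http://sandbox.test/test1-read/foo.txt)" = worked')
+# Checking write in protected folder. In sandbox mode for the nginx service, the folder /var/web is mounted
+# in read-only mode.
+webserver.succeed("mkdir -p /var/web")
+webserver.succeed("chown nginx:nginx /var/web")
+webserver.succeed("$(curl -vvv http://sandbox.test/test2-write)")
+assert "404 Not Found" in machine.succeed(
+"curl -vvv -s http://sandbox.test/test2-read/bar.txt"
+)
 '';
 })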
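Review bot: The last added assertion (new line 97) still calls `machine.succeed(`, but the only node visible in this file's hunks is `webserver`, so the read-only check will most likely fail with a NameError instead of testing anything; it should read `assert "404 Not Found" in webserver.succeed(`. The check also infers the blocked write only from the HTTP response, so an on-disk assertion such as `webserver.fail("test -e /var/web/test2-read/bar.txt")` would verify the filesystem restriction directly. The carried-over comments still say "sandbox mode", while the description says the enableSandbox option was removed. I would reword them to name the protection the test now relies on, presumably the nginx unit's default systemd filesystem hardening, e.g. `# /var/web is expected to be read-only for the nginx service (unit hardening), so the write must not land`. The node definition and the start of the test script are outside the visible hunks.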
+1 -1
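--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@@ -186,7 +186,7 @@
 passthru = {
 inherit modules;
 tests = {
-inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sandbox nginx-sso nginx-status-page nginx-unix-socket;
+inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-proxyprotocol nginx-pubhtml nginx-sso nginx-status-page nginx-unix-socket;
 variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
 acme-integration = nixosTests.acme;
 } // passthru.tests;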