Commit 6958196

committed
wip: converting tests
1 parent b29ba96 commit 6958196

1 file changed

+201
-3
lines changed

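--- a/tests.nix
+++ b/tests.nix
@@ -7,6 +7,10 @@ pkgs.nixosTest {
 system.stateVersion = "24.05";
 networking.dhcpcd.enable = false;
 environment.systemPackages = [ wrap ];
+
+users.users.alice = {
+isNormalUser = true;
+};
 };
 
 # let
@@ -253,9 +257,203 @@ pkgs.nixosTest {
 # tests
 # );
 
-testScript = ''
+testScript = /* python */ ''
 machine.wait_for_unit("default.target")
-print(machine.succeed("wrap -h"))
-print(machine.fail("wrap -x"))
+
+as_alice = lambda x: f"su -- alice -c '{x.replace("'", "'\'" + "'")}'"
+
+# with subtest("first test name"):
+# print(machine.succeed(as_alice("""
+# echo "some bash code"
+# """)))
+
+# with subtest("env-home-is-always-exposed"):
+# print(machine.succeed("""su -- alice -c '
+# HOME=/homedir wrap bash -c \'echo $HOME\' | grep homedir
+# '"""))
+
+
+
+with subtest("Environment variable $HOME is always exposed"):
+print(machine.succeed(as_alice("""
+set -e
+export HOME=/homedir/foo
+wrap bash -c 'echo $HOME' | grep '^/homedir$'
+false
+""")))
+# TODO: why is this not failing????
+
+# with subtest("env-editor-is-always-exposed"):
+# print(machine.succeed(as_alice("""
+# EDITOR=myeditor wrap bash -c 'echo $EDITOR' | grep myeditor
+# """)))
+#
+# with subtest("user-name-is-hidden"):
+# print(machine.succeed(as_alice("""
+# wrap whoami 2> error-msg || true
+# cat error-msg | grep "cannot find name for user ID"
+# """)))
+#
+# with subtest("u-exposes-user-name"):
+# print(machine.succeed(as_alice("""
+# wrap -u whoami
+# """)))
+#
+# with subtest("env-wayland-display-is-hidden"):
+# print(machine.succeed(as_alice("""
+# WAYLAND_DISPLAY=wl-0 wrap bash -c 'set -u; echo $WAYLAND_DISPLAY' 2> error-msg || true
+# cat error-msg | grep "WAYLAND_DISPLAY: unbound variable"
+# """)))
+#
+# with subtest("d-exposes-env-wayland-display"):
+# print(machine.succeed(as_alice("""
+# export XDG_RUNTIME_DIR="/tmp"
+# export WAYLAND_DISPLAY="wl-0"
+# mkdir -p $XDG_RUNTIME_DIR
+# touch $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+# wrap -d bash -c 'echo $WAYLAND_DISPLAY' | grep wl-0
+# """)))
+#
+# with subtest("d-exposes-env-x11-display"):
+# print(machine.succeed(as_alice("""
+# export DISPLAY=":0"
+# wrap -d bash -c 'echo $DISPLAY' | grep ":0"
+# """)))
+#
+# with subtest("d-exposes-socket-x11"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/.X11-unix
+# touch /tmp/.X11-unix/X12345
+# export DISPLAY=":12345"
+# wrap -d bash -c 'ls /tmp/.X11-unix/X12345'
+# rm /tmp/.X11-unix/X12345
+# """)))
+#
+# with subtest("d-exposes-xauthority"):
+# print(machine.succeed(as_alice("""
+# export DISPLAY=":12345"
+# export HOME=/tmp/home
+# mkdir -p $HOME
+# touch $HOME/.Xauthority
+# wrap -d bash -c 'cat $HOME/.Xauthority'
+# """)))
+#
+# with subtest("d-exposes-custom-xauthority"):
+# print(machine.succeed(as_alice("""
+# export DISPLAY=":12345"
+# export XAUTHORITY="myxauthfile"
+# export HOME=/tmp/home
+# mkdir -p $HOME
+# touch $HOME/$XAUTHORITY
+# wrap -d bash -c 'cat $HOME/.Xauthority'
+# """)))
+#
+# with subtest("r-exposes-path-readonly"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/some-dir
+# echo "file-content" > /tmp/some-dir/test-file
+# wrap -r /tmp/some-dir bash -c 'cat /tmp/some-dir/test-file' | grep "file-content"
+# wrap -r /tmp/some-dir bash -c 'echo more >> /tmp/some-dir/test-file' 2> error-msg || true
+# cat error-msg | grep "/tmp/some-dir/test-file: Read-only file system"
+# """)))
+#
+# with subtest("w-exposes-path-readwrite"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/some-dir
+# echo "file-content" > /tmp/some-dir/test-file
+# wrap -w /tmp/some-dir bash -c 'cat /tmp/some-dir/test-file' | grep "file-content"
+# wrap -w /tmp/some-dir bash -c 'echo more >> /tmp/some-dir/test-file'
+# cat /tmp/some-dir/test-file | grep "more"
+# """)))
+#
+# with subtest("cwd-exposed-by-default"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/some-dir
+# cd /tmp/some-dir
+# echo "file-content" > test-file
+# wrap bash -c 'cat test-file' | grep "file-content"
+# """)))
+#
+# with subtest("cwd-not-exposed-by-p"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/some-dir
+# cd /tmp/some-dir
+# echo "file-content" > test-file
+# wrap -p bash -c 'cat test-file; echo $?' | grep 1
+# """)))
+#
+# with subtest("-p-cds-to-root"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/new-home
+# export HOME=/tmp/new-home
+# wrap -p bash -c 'pwd' | grep /
+# """)))
+#
+# with subtest("cwd not shared implicitly for home directories"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/new-home
+# export HOME=/tmp/new-home
+# touch /tmp/new-home/something-in-home
+# cd $HOME
+#
+# pwd | grep '^/tmp/new-home$' \
+# || (echo 'Unexpected: Home directory is not cwd outside sandbox'; false)
+#
+# ls -l /tmp | grep '[[:space:]]new-home$' \
+# || (echo 'Unexpected: Home directory outside sandbox not found'; false)
+#
+# ls -l $HOME | grep '[[:space:]]something-in-home$' \
+# || (echo 'Unexpected: File in $HOME outside sandbox not found'; false)
+#
+# wrap bash -c 'pwd' | grep '^/$' \
+# || (echo 'Unexpected: Cwd in sandbox is not /'; false)
+#
+# wrap bash -c 'ls -l $HOME' | grep '^total 0$' \
+# || (echo 'Unexpected: Sandbox $HOME is not empty'; false)
+#
+# true
+# """)))
+#
+# with subtest("parameter -f forces to share the cwd $HOME, even though it is excluded from sharing as cwd implicitly"):
+# print(machine.succeed(as_alice("""
+# mkdir -p /tmp/new-home
+# export HOME=/tmp/new-home
+# touch /tmp/new-home/something-in-home
+# cd $HOME
+#
+# pwd | grep '^/tmp/new-home$' \
+# || (echo 'Unexpected: Home directory is not cwd outside sandbox'; false)
+#
+# ls -l /tmp | grep '[[:space:]]new-home$' \
+# || (echo 'Unexpected: Home directory outside sandbox not found'; false)
+#
+# ls -l $HOME | grep '[[:space:]]something-in-home$' \
+# || (echo 'Unexpected: File in $HOME outside sandbox not found'; false)
+#
+# wrap -f bash -c 'pwd' | grep '^/tmp/new-home$' \
+# || (echo 'Unexpected: Cwd in sandbox is not $HOME'; false)
+#
+# wrap -f bash -c 'ls $HOME' | grep '^something-in-home$' \
+# || (echo 'Unexpected: Sandbox $HOME is empty'; false)
+#
+# true
+# """)))
+#
+# with subtest("parameter -f forces to share the cwd /, even though it is excluded from sharing as cwd implicitly"):
+# print(machine.succeed(as_alice("""
+# cd /
+#
+# pwd | grep "^/$" \
+# || (echo 'Unexpected: Cwd to be / outside sandbox'; false)
+# ls -l | grep "[[:space:]]bin$" \
+# || (echo 'Unexpected: Bin dir is missing in / outside sandbox'; false)
+#
+# wrap -f bash -c 'pwd' | grep '^/$' 2> /dev/null \
+# || (echo 'Unexpected: Cwd in sandbox is not /'; false)
+# wrap -f bash -c 'ls -l' | grep 'bin$' 2> /dev/null \
+# || (echo 'Unexpected: Bin dir not in / inside sandbox'; false)
+#
+# true
+# """)))
 '';
 }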
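Review bot: The `as_alice` helper in the new `testScript` does not escape single quotes the way it seems to intend: in Python `"'\'"` evaluates to two quote characters (the backslash is consumed as an escape), so each `'` in the script becomes `'''` rather than `'\''`. That ends the outer `su -c '…'` quoting at the first inner quote, so the rest of the script, including the trailing `false`, is most likely handed to `su` as extra arguments instead of being executed, which would explain the `TODO: why is this not failing????` comment. Because these subtests are what verifies the sandbox's isolation, a harness that passes unconditionally hides regressions; I would quote with the standard library instead, `import shlex` and `as_alice = lambda x: f"su -- alice -c {shlex.quote(x)}"`, which also avoids any `''` sequence that would terminate the Nix string. Separately, `set -e` alone does not catch a failing `wrap` on the left side of `| grep`; adding `set -o pipefail` to the subtest script would cover that.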
