Merge remote-tracking branch 'origin/2.24-maintenance' into sync-2.24.9

2025-07-07 06:01:48 +02:00 · 2024-10-30 16:20:34 +01:00 · 2024-10-30 16:20:34 +01:00 · 828f8e197e
commit 828f8e197e
parent d9284d246c 82abed901f
24 changed files with 246 additions and 96 deletions
--- a/tests/nixos/default.nix
+++ b/tests/nixos/default.nix
@ -148,4 +148,6 @@ in
  user-sandboxing = runNixOSTestFor "x86_64-linux" ./user-sandboxing;

  fetchurl = runNixOSTestFor "x86_64-linux" ./fetchurl.nix;
+
+  s3-binary-cache-store = runNixOSTestFor "x86_64-linux" ./s3-binary-cache-store.nix;
 }
--- a/tests/nixos/fetchurl.nix
+++ b/tests/nixos/fetchurl.nix
@ -1,7 +1,7 @@
 # Test whether builtin:fetchurl properly performs TLS certificate
 # checks on HTTPS servers.

-{ lib, config, pkgs, ... }:
+{ pkgs, ... }:

 let

@ -25,7 +25,7 @@ in
  name = "nss-preload";

  nodes = {
-    machine = { lib, pkgs, ... }: {
+    machine = { pkgs, ... }: {
      services.nginx = {
        enable = true;

@ -60,13 +60,16 @@ in
    };
  };

-  testScript = { nodes, ... }: ''
+  testScript = ''
    machine.wait_for_unit("nginx")
    machine.wait_for_open_port(443)

    out = machine.succeed("curl https://good/index.html")
    assert out == "hello world\n"

+    out = machine.succeed("cat ${badCert}/cert.pem > /tmp/cafile.pem; curl --cacert /tmp/cafile.pem https://bad/index.html")
+    assert out == "foobar\n"
+
    # Fetching from a server with a trusted cert should work.
    machine.succeed("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://good/index.html\"; hash = \"sha256-qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A+4XSmaGSpEc=\"; }'")

@ -74,5 +77,8 @@ in
    err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
    print(err)
    assert "SSL certificate problem: self-signed certificate" in err
+
+    # Fetching from a server with a trusted cert should work via environment variable override.
+    machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")
  '';
 }
--- a/tests/nixos/nix-copy-closure.nix
+++ b/tests/nixos/nix-copy-closure.nix
@ -1,6 +1,6 @@
 # Test ‘nix-copy-closure’.

-{ lib, config, nixpkgs, hostPkgs, ... }:
+{ lib, config, nixpkgs, ... }:

 let
  pkgs = config.nodes.client.nixpkgs.pkgs;
--- a/tests/nixos/s3-binary-cache-store.nix
+++ b/tests/nixos/s3-binary-cache-store.nix
@ -0,0 +1,66 @@
+{ lib, config, nixpkgs, ... }:
+
+let
+  pkgs = config.nodes.client.nixpkgs.pkgs;
+
+  pkgA = pkgs.cowsay;
+
+  accessKey = "BKIKJAA5BMMU2RHO6IBB";
+  secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
+  env = "AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey}";
+
+  storeUrl = "s3://my-cache?endpoint=http://server:9000&region=eu-west-1";
+
+in {
+  name = "nix-copy-closure";
+
+  nodes =
+    { server =
+        { config, lib, pkgs, ... }:
+        { virtualisation.writableStore = true;
+          virtualisation.additionalPaths = [ pkgA ];
+          environment.systemPackages = [ pkgs.minio-client ];
+          nix.extraOptions = "experimental-features = nix-command";
+          services.minio = {
+            enable = true;
+            region = "eu-west-1";
+            rootCredentialsFile = pkgs.writeText "minio-credentials-full" ''
+              MINIO_ROOT_USER=${accessKey}
+              MINIO_ROOT_PASSWORD=${secretKey}
+            '';
+          };
+          networking.firewall.allowedTCPPorts = [ 9000 ];
+        };
+
+      client =
+        { config, pkgs, ... }:
+        { virtualisation.writableStore = true;
+          nix.extraOptions = "experimental-features = nix-command";
+        };
+    };
+
+  testScript = { nodes }: ''
+    # fmt: off
+    start_all()
+
+    # Create a binary cache.
+    server.wait_for_unit("minio")
+
+    server.succeed("mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4")
+    server.succeed("mc mb minio/my-cache")
+
+    server.succeed("${env} nix copy --to '${storeUrl}' ${pkgA}")
+
+    # Test fetchurl on s3:// URLs while we're at it.
+    client.succeed("${env} nix eval --impure --expr 'builtins.fetchurl { name = \"foo\"; url = \"s3://my-cache/nix-cache-info?endpoint=http://server:9000&region=eu-west-1\"; }'")
+
+    # Copy a package from the binary cache.
+    client.fail("nix path-info ${pkgA}")
+
+    client.succeed("${env} nix store info --store '${storeUrl}' >&2")
+
+    client.succeed("${env} nix copy --no-check-sigs --from '${storeUrl}' ${pkgA}")
+
+    client.succeed("nix path-info ${pkgA}")
+  '';
+}