Merge branch 'master' into fix-sandbox-escape

tests/nixos/default.nix

@@ -7,7 +7,13 @@ let
   # https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
   runNixOSTestFor = system: test:
     (nixos-lib.runTest {
-      imports = [ test ];
+      imports = [
+        test
+
+        # Add the quickBuild attribute to the check packages
+        ./quick-build.nix
+      ];
+
       hostPkgs = nixpkgsFor.${system}.native;
       defaults = {
         nixpkgs.pkgs = nixpkgsFor.${system}.native;
@@ -133,5 +139,11 @@ in
 
   gzip-content-encoding = runNixOSTestFor "x86_64-linux" ./gzip-content-encoding.nix;
 
+  functional_user = runNixOSTestFor "x86_64-linux" ./functional/as-user.nix;
+
+  functional_trusted = runNixOSTestFor "x86_64-linux" ./functional/as-trusted-user.nix;
+
+  functional_root = runNixOSTestFor "x86_64-linux" ./functional/as-root.nix;
+
   user-sandboxing = runNixOSTestFor "x86_64-linux" ./user-sandboxing;
 }

tests/nixos/functional/as-root.nix

@@ -0,0 +1,12 @@
+{
+  name = "functional-tests-on-nixos_root";
+
+  imports = [ ./common.nix ];
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("""
+      run-test-suite >&2
+    """)
+  '';
+}

tests/nixos/functional/as-trusted-user.nix

@@ -0,0 +1,18 @@
+{
+  name = "functional-tests-on-nixos_trusted-user";
+
+  imports = [ ./common.nix ];
+
+  nodes.machine = {
+    users.users.alice = { isNormalUser = true; };
+    nix.settings.trusted-users = [ "alice" ];
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("""
+      export TEST_TRUSTED_USER=1
+      su --login --command "run-test-suite" alice >&2
+    """)
+  '';
+}

tests/nixos/functional/as-user.nix

@@ -0,0 +1,16 @@
+{
+  name = "functional-tests-on-nixos_user";
+
+  imports = [ ./common.nix ];
+
+  nodes.machine = {
+    users.users.alice = { isNormalUser = true; };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("""
+      su --login --command "run-test-suite" alice >&2
+    """)
+  '';
+}

tests/nixos/functional/common.nix

@@ -0,0 +1,71 @@
+{ lib, ... }:
+
+let
+  # FIXME (roberth) reference issue
+  inputDerivation = pkg: (pkg.overrideAttrs (o: {
+    disallowedReferences = [ ];
+  })).inputDerivation;
+
+in
+{
+  # We rarely change the script in a way that benefits from type checking, so
+  # we skip it to save time.
+  skipTypeCheck = true;
+
+  nodes.machine = { config, pkgs, ... }: {
+
+    virtualisation.writableStore = true;
+    system.extraDependencies = [
+      (inputDerivation config.nix.package)
+    ];
+
+    nix.settings.substituters = lib.mkForce [];
+
+    environment.systemPackages = let
+      run-test-suite = pkgs.writeShellApplication {
+        name = "run-test-suite";
+        runtimeInputs = [ pkgs.gnumake pkgs.jq pkgs.git ];
+        text = ''
+          set -x
+          cat /proc/sys/fs/file-max
+          ulimit -Hn
+          ulimit -Sn
+          cd ~
+          cp -r ${pkgs.nix.overrideAttrs (o: {
+            name = "nix-configured-source";
+            outputs = [ "out" ];
+            separateDebugInfo = false;
+            disallowedReferences = [ ];
+            buildPhase = ":";
+            checkPhase = ":";
+            installPhase = ''
+              cp -r . $out
+            '';
+            installCheckPhase = ":";
+            fixupPhase = ":";
+            doInstallCheck = true;
+          })} nix
+          chmod -R +w nix
+          cd nix
+
+          # Tests we don't need
+          echo >tests/functional/plugins/local.mk
+          sed -i tests/functional/local.mk \
+            -e 's!nix_tests += plugins\.sh!!' \
+            -e 's!nix_tests += test-libstoreconsumer\.sh!!' \
+            ;
+
+          export isTestOnNixOS=1
+          export version=${config.nix.package.version}
+          export NIX_REMOTE_=daemon
+          export NIX_REMOTE=daemon
+          export NIX_STORE=${builtins.storeDir}
+          make -j1 installcheck --keep-going
+        '';
+      };
+    in [
+      run-test-suite
+      pkgs.git
+    ];
+  };
+}

tests/nixos/quick-build.nix

@@ -0,0 +1,47 @@
+test@{ lib, extendModules, ... }:
+let
+  inherit (lib) mkOption types;
+in
+{
+  options = {
+    quickBuild = mkOption {
+      description = ''
+        Whether to perform a "quick" build of the Nix package to test.
+
+        When iterating on the functional tests, it's recommended to "set" this
+        to `true`, so that changes to the functional tests don't require any
+        recompilation of the package.
+        You can do so by building the `.quickBuild` attribute on the check package,
+        e.g:
+        ```console
+        nix build .#hydraJobs.functional_user.quickBuild
+        ```
+
+        We don't enable this by default to avoid the mostly unnecessary work of
+        performing an additional build of the package in cases where we build
+        the package normally anyway, such as in our pre-merge CI.
+      '';
+      type = types.bool;
+      default = false;
+    };
+  };
+
+  config = {
+    passthru.quickBuild = 
+      let withQuickBuild = extendModules { modules = [{ quickBuild = true; }]; };
+      in withQuickBuild.config.test;
+
+    defaults = { pkgs, ... }: {
+      config = lib.mkIf test.config.quickBuild {
+        nix.package = pkgs.nix_noTests;
+
+        system.forbiddenDependenciesRegexes = [
+          # This would indicate that the quickBuild feature is broken.
+          # It could happen if NixOS has a dependency on pkgs.nix instead of
+          # config.nix.package somewhere.
+          (builtins.unsafeDiscardStringContext pkgs.nix.outPath)
+        ];
+      };
+    };
+  };
+}