test(nixos): add integration test for doubly-compressed content

Add an integration test with a compressing proxy (nginx is used).
This test verifies that fetched archives do not get decompressed
excessively.
This commit is contained in:
Sergei Zimmerman 2024-03-30 01:29:34 +03:00
parent 500683a949
commit a66b5a1526
No known key found for this signature in database
GPG Key ID: A9B0B557CA632325
2 changed files with 73 additions and 0 deletions

View File

@ -158,4 +158,6 @@ in
fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git; fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak; ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
gzip-content-encoding = runNixOSTestFor "x86_64-linux" ./gzip-content-encoding.nix;
} }

View File

@ -0,0 +1,71 @@
# Test that compressed files fetched from server with compressed responses
# do not get excessively decompressed.
# E.g. fetching a zstd compressed tarball from a server,
# which compresses the response with `Content-Encoding: gzip`.
# The expected result is that the fetched file is a zstd archive.
{ lib, config, ... }:
let
pkgs = config.nodes.machine.nixpkgs.pkgs;
ztdCompressedFile = pkgs.stdenv.mkDerivation {
name = "dummy-zstd-compressed-archive";
dontUnpack = true;
nativeBuildInputs = with pkgs; [ zstd ];
buildPhase = ''
mkdir archive
for _ in {1..100}; do echo "lorem" > archive/file1; done
for _ in {1..100}; do echo "ipsum" > archive/file2; done
tar --zstd -cf archive.tar.zst archive
'';
installPhase = ''
install -Dm 644 -T archive.tar.zst $out/share/archive
'';
};
fileCmd = "${pkgs.file}/bin/file";
in
{
name = "gzip-content-encoding";
nodes =
{ machine =
{ config, pkgs, ... }:
{ networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx.enable = true;
services.nginx.virtualHosts."localhost" =
{ root = "${ztdCompressedFile}/share/";
# Make sure that nginx really tries to compress the
# file on the fly with no regard to size/mime.
# http://nginx.org/en/docs/http/ngx_http_gzip_module.html
extraConfig = ''
gzip on;
gzip_types *;
gzip_proxied any;
gzip_min_length 0;
'';
};
virtualisation.writableStore = true;
virtualisation.additionalPaths = with pkgs; [ file ];
nix.settings.substituters = lib.mkForce [ ];
};
};
# Check that when nix-prefetch-url is used with a zst tarball it does not get decompressed.
testScript = { nodes }: ''
# fmt: off
start_all()
machine.wait_for_unit("nginx.service")
machine.succeed("""
# Make sure that the file is properly compressed as the test would be meaningless otherwise
curl --compressed -v http://localhost/archive |& tr -s ' ' |& grep --ignore-case 'content-encoding: gzip'
archive_path=$(nix-prefetch-url http://localhost/archive --print-path | tail -n1)
[[ $(${fileCmd} --brief --mime-type $archive_path) == "application/zstd" ]]
tar --zstd -xf $archive_path
""")
'';
}