From 5a98dd0b3911be970dbaae414b150c35241d2523 Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux <guillaume.maudoux@tweag.io>
Date: Mon, 22 May 2023 02:32:09 +0200
Subject: [PATCH] Add tests for bind mount of SSL certs in sandbox

---
 tests/linux-sandbox-cert-test.nix | 29 +++++++++++++++++++++++++++++
 tests/linux-sandbox.sh            | 24 ++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 tests/linux-sandbox-cert-test.nix

diff --git a/tests/linux-sandbox-cert-test.nix b/tests/linux-sandbox-cert-test.nix
new file mode 100644
index 000000000..2b86dad2e
--- /dev/null
+++ b/tests/linux-sandbox-cert-test.nix
@@ -0,0 +1,29 @@
+{ fixed-output }:
+
+with import ./config.nix;
+
+mkDerivation ({
+  name = "ssl-export";
+  buildCommand = ''
+    # Add some indirection, otherwise grepping into the debug output finds the string.
+    report () { echo CERT_$1_IN_SANDBOX; }
+
+    if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+      content=$(</etc/ssl/certs/ca-certificates.crt)
+      if [ "$content" == CERT_CONTENT ]; then
+        report present
+      fi
+    else
+      report missing
+    fi
+
+    # Always fail, because we do not want to bother with fixed-output
+    # derivations being cached, and do not want to compute the right hash.
+    false;
+  '';
+} // (
+  if fixed-output == "fixed-output"
+  then { outputHash = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; }
+  else { }
+))
+
diff --git a/tests/linux-sandbox.sh b/tests/linux-sandbox.sh
index 5a2cf7abd..45f0ce7a4 100644
--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@@ -40,3 +40,27 @@ grepQuiet 'may not be deterministic' $TEST_ROOT/log
 
 # Test that sandboxed builds cannot write to /etc easily
 (! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)
+
+
+## Test mounting of SSL certificates into the sandbox
+testCert () {
+    (! nix-build linux-sandbox-cert-test.nix --argstr fixed-output "$2" --no-out-link --sandbox-paths /nix/store --option ssl-cert-file "$3" 2> $TEST_ROOT/log)
+    cat $TEST_ROOT/log
+    grepQuiet "CERT_${1}_IN_SANDBOX" $TEST_ROOT/log
+}
+
+nocert=$TEST_ROOT/no-cert-file.pem
+cert=$TEST_ROOT/some-cert-file.pem
+echo -n "CERT_CONTENT" > $cert
+
+# No cert in sandbox when not a fixed-output derivation
+testCert missing normal       "$cert"
+
+# No cert in sandbox when ssl-cert-file is empty
+testCert missing fixed-output ""
+
+# No cert in sandbox when ssl-cert-file is a nonexistent file
+testCert missing fixed-output "$nocert"
+
+# Cert in sandbox when ssl-cert-file is set to an existing file
+testCert present fixed-output "$cert"