nixpkgs/nixos/tests/go-csp-collector.nix

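# NixOS VM test for the go-csp-collector service module.
#
# Boots one machine with the collector enabled, then checks three things
# from inside the VM: the health endpoint answers, a well-formed CSP
# violation report is accepted and logged, and a report whose blocked-uri
# matches the configured filter is refused and the refusal is logged.
{ lib, ... }:
{
  name = "go-csp-collector";
  meta.maintainers = with lib.maintainers; [ stepbrobd ];

  nodes.machine =
    { pkgs, ... }:
    {
      services.go-csp-collector = {
        enable = true;
        settings = {
          # The test script looks for "level=debug" in the journal.
          debug = true;
          port = 9999;
          health-check-path = "/health";
          # Single filter pattern; the test expects a report whose
          # blocked-uri starts with it to be refused.
          filter-file = pkgs.writeText "filter" "chrome-extension://";
        };
      };
    };

  testScript = ''
    import json
    import shlex


    def post_report(url: str, report: dict) -> str:
        """Build the curl command that POSTs `report` to `url` as a CSP report."""
        # shlex.quote keeps the JSON body one shell word and preserves it
        # byte for byte. Wrapping it in bare single quotes does not: the
        # quotes around 'self' in original-policy would end the shell
        # quoting and be dropped before curl ever sees the payload.
        payload = shlex.quote(json.dumps({"csp-report": report}))
        return (
            "curl -f -X POST " + url + " "
            "-H 'Content-Type: application/csp-report' "
            "-d " + payload
        )


    # health check
    machine.wait_for_unit("go-csp-collector.service")
    machine.wait_for_open_port(9999)
    machine.succeed("curl -f http://localhost:9999/health")

    # send valid csp report
    machine.succeed(
        post_report(
            "http://127.0.0.1:9999/",
            {
                "document-uri": "https://example.com/",
                "referrer": "https://example.com/",
                "violated-directive": "script-src",
                "effective-directive": "script-src",
                "original-policy": "script-src 'self'",
                "blocked-uri": "https://example.org/malicious.js",
                "status-code": 200,
            },
        )
    )
    logs = machine.succeed("journalctl -u go-csp-collector.service")
    assert "level=debug" in logs, "debug mode not enabled"
    assert "blocked_uri" in logs, "csp report not logged"
    assert "https://example.org/malicious.js" in logs, "blocked uri not in logs"

    # check rejection
    # NOTE: machine.fail passes on any curl failure, including a refused
    # connection to [::1]. The journal assertions below are what tie the
    # failure to the filter rather than to the transport.
    machine.fail(
        post_report(
            "http://[::1]:9999/",
            {
                "document-uri": "https://example.com/",
                "blocked-uri": "chrome-extension://something",
                "violated-directive": "script-src",
            },
        )
    )
    logs = machine.succeed("journalctl -u go-csp-collector.service")
    assert "invalid resource" in logs, "filter rejection not logged"
    assert "chrome-extension://" in logs, "filtered uri pattern not in logs"
  '';
}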