mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-21 21:21:06 +00:00
bf7841aae1
Test that other users are not able to access the mysql database, and unix socket auth actually works.
84 lines
2.8 KiB
Nix
84 lines
2.8 KiB
Nix
import ./make-test-python.nix ({ pkgs, ...} : {
|
|
name = "mysql";
|
|
meta = with pkgs.stdenv.lib.maintainers; {
|
|
maintainers = [ eelco shlevy ];
|
|
};
|
|
|
|
nodes = {
|
|
mysql =
|
|
{ pkgs, ... }:
|
|
|
|
{
|
|
services.mysql.enable = true;
|
|
services.mysql.initialDatabases = [
|
|
{ name = "testdb"; schema = ./testdb.sql; }
|
|
{ name = "empty_testdb"; }
|
|
];
|
|
# note that using pkgs.writeText here is generally not a good idea,
|
|
# as it will store the password in world-readable /nix/store ;)
|
|
services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
|
|
CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
|
|
'';
|
|
services.mysql.package = pkgs.mysql57;
|
|
};
|
|
|
|
mariadb =
|
|
{ pkgs, ... }:
|
|
|
|
{
|
|
users.users.testuser = { };
|
|
users.users.testuser2 = { };
|
|
services.mysql.enable = true;
|
|
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
|
|
ALTER USER root@localhost IDENTIFIED WITH unix_socket;
|
|
DELETE FROM mysql.user WHERE password = ''' AND plugin = ''';
|
|
DELETE FROM mysql.user WHERE user = ''';
|
|
FLUSH PRIVILEGES;
|
|
'';
|
|
services.mysql.ensureDatabases = [ "testdb" "testdb2" ];
|
|
services.mysql.ensureUsers = [{
|
|
name = "testuser";
|
|
ensurePermissions = {
|
|
"testdb.*" = "ALL PRIVILEGES";
|
|
};
|
|
} {
|
|
name = "testuser2";
|
|
ensurePermissions = {
|
|
"testdb2.*" = "ALL PRIVILEGES";
|
|
};
|
|
}];
|
|
services.mysql.package = pkgs.mariadb;
|
|
};
|
|
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
|
|
mysql.wait_for_unit("mysql")
|
|
mysql.succeed("echo 'use empty_testdb;' | mysql -u root")
|
|
mysql.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
|
|
# ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
|
|
mysql.succeed("echo ';' | mysql -u passworduser --password=password123")
|
|
|
|
mariadb.wait_for_unit("mysql")
|
|
mariadb.succeed(
|
|
"echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"
|
|
)
|
|
mariadb.succeed(
|
|
"echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser"
|
|
)
|
|
# Ensure testuser2 is not able to insert into testdb as mysql testuser2
|
|
mariadb.fail(
|
|
"echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser2"
|
|
)
|
|
# Ensure testuser2 is not able to authenticate as mysql testuser
|
|
mariadb.fail(
|
|
"echo 'use testdb; insert into tests values (23);' | sudo -u testuser2 mysql -u testuser"
|
|
)
|
|
mariadb.succeed(
|
|
"echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42"
|
|
)
|
|
'';
|
|
})
|