author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-03-15 06:01:09 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-15 06:01:09 +0000 |
commit | 4aac48ff7f7e52d40dfd6b2cfaaff22ac2ae7bfc (patch) | |
tree | f8c6337098e1dfb7dc01022c14d0cdee977130b5 /nixos | |
parent | 2bffd64e73c7df9b8922ce33465e527d9694cf1a (diff) | |
parent | 2bcf18c64c66b95e17d9c8755104d33bc5103c63 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/budgie.nix | 2 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/pg_anonymizer.nix | 94 |
3 files changed, 96 insertions, 1 deletions
diff --git a/nixos/modules/services/x11/desktop-managers/budgie.nix b/nixos/modules/services/x11/desktop-managers/budgie.nix
index fe39097a22e8..7d8bb1963d78 100644
--- a/nixos/modules/services/x11/desktop-managers/budgie.nix
+++ b/nixos/modules/services/x11/desktop-managers/budgie.nix
@@ -159,7 +159,7 @@ in {
 ++ cfg.sessionPath;
 # Fonts.
- fonts.packages = mkDefault [
+ fonts.packages = [
 pkgs.noto-fonts
 pkgs.hack-font
 ];
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ac64b85dd486..b2e824642092 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -683,6 +683,7 @@ in {
 peering-manager = handleTest ./web-apps/peering-manager.nix {};
 peertube = handleTestOn ["x86_64-linux"] ./web-apps/peertube.nix {};
 peroxide = handleTest ./peroxide.nix {};
+ pg_anonymizer = handleTest ./pg_anonymizer.nix {};
 pgadmin4 = handleTest ./pgadmin4.nix {};
 pgbouncer = handleTest ./pgbouncer.nix {};
 pgjwt = handleTest ./pgjwt.nix {};
diff --git a/nixos/tests/pg_anonymizer.nix b/nixos/tests/pg_anonymizer.nix
new file mode 100644
index 000000000000..2960108e37c3
--- /dev/null
+++ b/nixos/tests/pg_anonymizer.nix
@@ -0,0 +1,94 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+ name = "pg_anonymizer";
+ meta.maintainers = lib.teams.flyingcircus.members;
+
+ nodes.machine = { pkgs, ... }: {
+ environment.systemPackages = [ pkgs.pg-dump-anon ];
+ services.postgresql = {
+ enable = true;
+ extraPlugins = ps: [ ps.anonymizer ];
+ settings.shared_preload_libraries = "anon";
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("postgresql.service")
+
+ with subtest("Setup"):
+ machine.succeed("sudo -u postgres psql --command 'create database demo'")
+ machine.succeed(
+ "sudo -u postgres psql -d demo -f ${pkgs.writeText "init.sql" ''
+ create extension anon cascade;
+ select anon.init();
+ create table player(id serial, name text, points int);
+ insert into player(id,name,points) values (1,'Foo', 23);
+ insert into player(id,name,points) values (2,'Bar',42);
+ security label for anon on column player.name is 'MASKED WITH FUNCTION anon.fake_last_name();';
+ security label for anon on column player.points is 'MASKED WITH VALUE NULL';
+ ''}"
+ )
+
+ def get_player_table_contents():
+ return [
+ x.split(',') for x in machine.succeed("sudo -u postgres psql -d demo --csv --command 'select * from player'").splitlines()[1:]
+ ]
+
+ def check_anonymized_row(row, id, original_name):
+ assert row[0] == id, f"Expected first row to have ID {id}, but got {row[0]}"
+ assert row[1] != original_name, f"Expected first row to have a name other than {original_name}"
+ assert not bool(row[2]), "Expected points to be NULL in first row"
+
+ def find_xsv_in_dump(dump, sep=','):
+ """
+ Expecting to find a CSV (for pg_dump_anon) or TSV (for pg_dump) structure, looking like
+
+ COPY public.player ...
+ 1,Shields,
+ 2,Salazar,
+ \.
+
+ in the given dump (the commas are tabs in case of pg_dump).
+ Extract the CSV lines and split by `sep`.
+ """
+
+ try:
+ from itertools import dropwhile, takewhile
+ return [x.split(sep) for x in list(takewhile(
+ lambda x: x != "\\.",
+ dropwhile(
+ lambda x: not x.startswith("COPY public.player"),
+ dump.splitlines()
+ )
+ ))[1:]]
+ except:
+ print(f"Dump to process: {dump}")
+ raise
+
+ def check_original_data(output):
+ assert output[0] == ['1','Foo','23'], f"Expected first row from player table to be 1,Foo,23; got {output[0]}"
+ assert output[1] == ['2','Bar','42'], f"Expected first row from player table to be 2,Bar,42; got {output[1]}"
+
+ def check_anonymized_rows(output):
+ check_anonymized_row(output[0], '1', 'Foo')
+ check_anonymized_row(output[1], '2', 'Bar')
+
+ with subtest("Check initial state"):
+ check_original_data(get_player_table_contents())
+
+ with subtest("Anonymous dumps"):
+ check_original_data(find_xsv_in_dump(
+ machine.succeed("sudo -u postgres pg_dump demo"),
+ sep='\t'
+ ))
+ check_anonymized_rows(find_xsv_in_dump(
+ machine.succeed("sudo -u postgres pg_dump_anon -U postgres -h /run/postgresql -d demo"),
+ sep=','
+ ))
+
+ with subtest("Anonymize"):
+ machine.succeed("sudo -u postgres psql -d demo --command 'select anon.anonymize_database();'")
+ check_anonymized_rows(get_player_table_contents())
+ '';
+}) |
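Review bot: The failure messages in the embedded test script name the wrong row: in `check_original_data` the assertion on `output[1]` still reads "Expected first row", and `check_anonymized_row` hard-codes "first row" in all three messages although `check_anonymized_rows` calls it for both rows. When a masking regression hits only the second record, the log would point at the wrong one; `assert output[1] == ['2','Bar','42'], f"Expected second row from player table to be 2,Bar,42; got {output[1]}"` fixes the first case, and interpolating the `id` argument (`f"Expected row {id} to have a name other than {original_name}"`) fixes the others. Separately, `find_xsv_in_dump` uses a bare `except:` only to print the dump and re-raise; `except Exception:` gives the same diagnostics without also intercepting `KeyboardInterrupt` and `SystemExit`.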