Skip to content

Commit

Permalink
nixos/tests/postgresql: test plv8 hardening on non-JIT variants only
Browse files Browse the repository at this point in the history
PostgreSQL with JIT support enabled doesn't work with plv8. Hence, we'd
get an evaluation failure for each
`nixosTests.postgresql.postgresql.postgresql_jit_X`.

This should be restructured in the future (less VM tests for custom
extensions, but a single VM test for this case to cover). For now, we
should get this fix out and this is a good-enough approach.
  • Loading branch information
Ma27 committed Nov 16, 2024
1 parent ed7efb9 commit 0b15522
Showing 1 changed file with 14 additions and 7 deletions.
21 changes: 14 additions & 7 deletions nixos/tests/postgresql/postgresql.nix
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ let
postgresql-clauses = makeEnsureTestFor package;
};

test-sql = pkgs.writeText "postgresql-test" ''
test-sql = enableJIT: pkgs.writeText "postgresql-test" (''
CREATE EXTENSION pgcrypto; -- just to check if lib loading works
CREATE TABLE sth (
id int
Expand All @@ -26,6 +26,7 @@ let
INSERT INTO sth (id) VALUES (1);
CREATE TABLE xmltest ( doc xml );
INSERT INTO xmltest (doc) VALUES ('<test>ok</test>'); -- check if libxml2 enabled
'' + lib.optionalString enableJIT ''
-- check if hardening gets relaxed
CREATE EXTENSION plv8;
-- try to trigger the V8 JIT, which requires MemoryDenyWriteExecute
Expand All @@ -36,24 +37,30 @@ let
}
console.log(xs.reduce((acc, x) => acc + x, 0));
$$ LANGUAGE plv8;
'';
'');

makeTestForWithBackupAll =
package: backupAll:
let
enableJIT = lib.hasInfix "-jit-" package.name;
in
makeTest {
name = "postgresql${lib.optionalString backupAll "-backup-all"}-${package.name}";
meta = with lib.maintainers; {
maintainers = [ zagy ];
};

nodes.machine =
{ ... }:
{ config, ... }:
{
services.postgresql = {
inherit package;
inherit package enableJIT;
enable = true;
enableJIT = lib.hasInfix "-jit-" package.name;
extensions = ps: with ps; [ plv8 ];
# plv8 doesn't support postgresql with JIT, so we only run the test
# for the non-jit variant.
# TODO(@Ma27) split this off into its own VM test and move a few other
# extension tests to use postgresqlTestExtension.
extensions = lib.mkIf (!enableJIT) (ps: with ps; [ plv8 ]);
};

services.postgresqlBackup = {
Expand All @@ -80,7 +87,7 @@ let
with subtest("Postgresql is available just after unit start"):
machine.succeed(
"cat ${test-sql} | sudo -u postgres psql"
"cat ${test-sql enableJIT} | sudo -u postgres psql"
)
with subtest("Postgresql survives restart (bug #1735)"):
Expand Down

0 comments on commit 0b15522

Please sign in to comment.