From f84fa539fd255d5016f5f7f973e17675ed81d35f Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Fri, 8 Oct 2021 15:25:09 -0600
Subject: [PATCH] zkap-spending-service: Add tests about reachability from
 other machines.

- The service can be reached by other machines.
- The metrics cannot be reached by other machines.
---
 nixos/modules/issuer.nix   |  2 +-
 nixos/modules/spending.nix |  6 ++++++
 nixos/tests/spending.nix   | 11 ++++++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 5cec1c4a..da3eed73 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -189,7 +189,7 @@ in {
       extraGroups = [ "keys" ];
     };
 
-    # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
+    # Open 80 and 443 for nginx
     networking.firewall.allowedTCPPorts = [
       80
       443
diff --git a/nixos/modules/spending.nix b/nixos/modules/spending.nix
index c6340af1..325dd147 100644
--- a/nixos/modules/spending.nix
+++ b/nixos/modules/spending.nix
@@ -145,5 +145,11 @@ in
           };
         };
       };
+
+      # Open 80 and 443 for nginx
+      networking.firewall.allowedTCPPorts = [
+        80
+        443
+      ];
     };
 }
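Review bot: The new `networking.firewall.allowedTCPPorts` entry admits traffic to 80 and 443 from any host, so the only thing keeping `/metrics` off the network after this change is whatever access rule the module attaches to the nginx vhost elsewhere (not visible in this hunk, and the enclosing `config` block starts outside it). The comment should record that dependency so a later edit to the vhost does not silently widen exposure, e.g. `# Open 80 and 443 for nginx. /metrics stays private only because of the nginx access rule in this module; see nixos/tests/spending.nix.` Port 443 is opened without any TLS listener visible here; if nothing binds it, that is harmless, but the comment could say which server is expected to use it.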
diff --git a/nixos/tests/spending.nix b/nixos/tests/spending.nix
index ef88b682..8500471a 100644
--- a/nixos/tests/spending.nix
+++ b/nixos/tests/spending.nix
@@ -11,10 +11,14 @@
       services.private-storage-spending.enable = true;
       services.private-storage-spending.domain = "localhost";
     };
+    external = { ... }: {
+      # A node that has no particular configuration, for testing access rules
+      # for external hosts.
+    };
   };
   testScript = { nodes }: let
     revision = nodes.spending.config.passthru.ourpkgs.zkap-spending-service.meta.rev;
-    curl = "${pkgs.curl}/bin/curl -sSf";
+    curl = "${pkgs.curl}/bin/curl -sSf --max-time 5";
   in
     ''
       import json
@@ -25,6 +29,9 @@
       with subtest("Ensure we can ping the spending service"):
         output = spending.succeed("${curl} http://localhost/v1/_ping")
         assert json.loads(output)["status"] == "ok", "Could not ping spending service."
+      with subtest("Ensure external hosts can ping the spending service"):
+        output = external.succeed("${curl} http://spending/v1/_ping")
+        assert json.loads(output)["status"] == "ok", "Could not ping spending service."
       with subtest("Ensure that the spending service version matches the expected version"):
         output = spending.succeed("${curl} http://localhost/v1/_version")
         assert json.loads(output)["revision"] == "${revision}", "Spending service revision does not match."
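Review bot: The assertion message on the new external-ping subtest repeats the local subtest's message word for word, so a failure report cannot tell which of the two checks tripped without reading the subtest banner. Give the external check its own message, e.g. `assert json.loads(output)["status"] == "ok", "External host could not ping spending service."`. The `testScript` string this hunk belongs to starts and ends outside the hunk.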
@@ -32,5 +39,7 @@
         # TODO: We should pass "-H 'accept: application/openmetrics-text'" here.
         # See https://github.com/prometheus/prometheus/issues/8932
         output = spending.succeed("${curl} http://localhost/metrics | ${pkgs.prometheus}/bin/promtool check metrics")
+      with subtest("Ensure that the metrics are not accesible from other machines"):
+        output = external.fail("${curl} http://spending/metrics")
     '';
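Review bot: `external.fail("${curl} http://spending/metrics")` only asserts a non-zero curl exit, and with `-f --max-time 5` that is satisfied by a 403 from nginx but equally by a timeout, connection refused, DNS failure or a 5xx, so the subtest still passes if the spending service or nginx is down entirely, which is not what "metrics are not accessible from other machines" means to prove. Pin the expected outcome instead, e.g. `status = external.succeed("${pkgs.curl}/bin/curl -s --max-time 5 -o /dev/null -w '%{http_code}' http://spending/metrics")` followed by `assert status == "403", "Metrics endpoint should be denied to external hosts, got HTTP " + status` (403 assumes an nginx `deny` rule; adjust if the module returns another status). The `output` variable assigned on the new line is never read and can be dropped, and the subtest name has a typo ("accesible").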
 }
-- 
GitLab