@teutat3s
Member

@teutat3s teutat3s commented Mar 31, 2025

This test does not work in the nix sandbox.

Related to #393129 (comment).
Fixes #390371.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

Comment on lines 47 to 48
Contributor

Suggested change
[
# Skip tests that requires network, not available in the nix sandbox
lib.optionals stdenv.hostPlatform.isDarwin [
# Skip tests that requires network, not available in the darwin sandbox
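
Review bot: the comment line in both versions reads "tests that requires network"; it should be "tests that require network". Wrapping the list in `lib.optionals stdenv.hostPlatform.isDarwin` also means the test keeps running on Linux, so the narrower "darwin sandbox" wording is only accurate if the failure does not occur in the Linux sandbox.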

Contributor

Actually, let's try __darwinAllowLocalNetworking = true; first.

Contributor

Shouldn't this skip be darwin-only?

Member Author

The issue was also reported on aarch64-linux, so I'd leave out the conditional for darwin.
#390371

Contributor

Ok!

@github-actions github-actions bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Mar 31, 2025
@nix-owners nix-owners bot requested review from 06kellyjac and nlewo March 31, 2025 13:43
@teutat3s teutat3s changed the title open-policy-agent: skip test that requires network open-policy-agent: enable __darwinAllowLocalNetworking Mar 31, 2025
@teutat3s teutat3s requested a review from GaetanLepage March 31, 2025 13:57
@github-actions github-actions bot added 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. and removed 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Mar 31, 2025
@GaetanLepage
Contributor

Unfortunately it is not enough:

2025/03/31 14:34:09 http: TLS handshake error from 127.0.0.1:51348: remote error: tls: bad certificate
2025/03/31 14:34:09 http: TLS handshake error from 127.0.0.1:51349: remote error: tls: bad certificate
2025/03/31 14:34:09 http: TLS handshake error from 127.0.0.1:51350: remote error: tls: bad certificate
2025/03/31 14:34:09 http: TLS handshake error from 127.0.0.1:51351: remote error: tls: bad certificate
--- FAIL: TestHTTPSClient (0.06s)
    --- FAIL: TestHTTPSClient/Negative_Test:_No_Root_Ca (0.00s)
        --- FAIL: TestHTTPSClient/Negative_Test:_No_Root_Ca/http.send (0.00s)
            http_test.go:2658: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:51335", "tls_client_cert_file": "testdata/client-cert.pem", "tls_client_key_file": "testdata/client-key.pem"}, x): eval_builtin_error: http.send: Get "https://127.0.0.1:51335": tls: failed to verify certificate: x509: OSStatus -26276'
    --- FAIL: TestHTTPSClient/Negative_Test:_System_Certs_do_not_include_local_rootCA (0.00s)
        --- FAIL: TestHTTPSClient/Negative_Test:_System_Certs_do_not_include_local_rootCA/http.send (0.00s)
            http_test.go:2678: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:51335", "tls_client_cert_file": "testdata/client-cert.pem", "tls_client_key_file": "testdata/client-key.pem", "tls_use_system_certs": true}, x): eval_builtin_error: http.send: Get "https://127.0.0.1:51335": tls: failed to verify certificate: x509: OSStatus -26276'
2025/03/31 14:34:09 http: TLS handshake error from 127.0.0.1:51363: remote error: tls: bad certificate
--- FAIL: TestHTTPSNoClientCerts (0.02s)
    --- FAIL: TestHTTPSNoClientCerts/Negative_Test:_System_Certs_do_not_include_local_rootCA (0.00s)
        --- FAIL: TestHTTPSNoClientCerts/Negative_Test:_System_Certs_do_not_include_local_rootCA/http.send (0.00s)
            http_test.go:2917: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:51352", "tls_use_system_certs": true}, x): eval_builtin_error: http.send: Get "https://127.0.0.1:51352": tls: failed to verify certificate: x509: OSStatus -26276'
FAIL
FAIL    github.com/open-policy-agent/opa/v1/topdown     1.779s
FAIL

@teutat3s teutat3s changed the title open-policy-agent: enable __darwinAllowLocalNetworking open-policy-agent: skip test that requires network Mar 31, 2025
@teutat3s
Member Author

The issue was also reported on aarch64-linux, so I'd leave out the conditional for darwin.
#390371

@github-actions github-actions bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. and removed 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Mar 31, 2025
@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label Mar 31, 2025
@GaetanLepage
Contributor

On darwin:

--- FAIL: TestEvalWithSchemaFileWithRemoteRef (0.00s)
panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted [recovered]
        panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted

goroutine 431 [running]:
testing.tRunner.func1.2({0x1017b5ec0, 0x14000330000})
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/testing/testing.go:1734 +0x1ac
testing.tRunner.func1()
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/testing/testing.go:1737 +0x334
panic({0x1017b5ec0?, 0x14000330000?})
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/runtime/panic.go:792 +0x124
net/http/httptest.newLocalListener()
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/net/http/httptest/server.go:71 +0xdc
net/http/httptest.NewUnstartedServer(...)
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/net/http/httptest/server.go:119
net/http/httptest.NewServer({0x101a199e0, 0x14000303420})
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/net/http/httptest/server.go:106 +0x28
github.com/open-policy-agent/opa/cmd.kubeSchemaServer(0x140005a4a80)
        /private/tmp/nix-build-open-policy-agent-1.2.0.drv-1/source/cmd/eval_test.go:1830 +0xc8
github.com/open-policy-agent/opa/cmd.TestEvalWithSchemaFileWithRemoteRef(0x140005a4a80)
        /private/tmp/nix-build-open-policy-agent-1.2.0.drv-1/source/cmd/eval_test.go:800 +0x20
testing.tRunner(0x140005a4a80, 0x101a0ebb0)
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/testing/testing.go:1792 +0xe4
created by testing.(*T).Run in goroutine 1
        /nix/store/jp3z5jp9gaxsw7fdzbqn29aabmrxq62j-go-1.24.1/share/go/src/testing/testing.go:1851 +0x374
FAIL    github.com/open-policy-agent/opa/cmd    0.698s
FAIL

@teutat3s
Member Author

teutat3s commented Apr 2, 2025

Does __darwinAllowLocalNetworking = true; help for this one?

Member Author

@teutat3s teutat3s left a comment

And we have another skip candidate: TestIntraQueryCache_ClientError
https://hydra.nixos.org/build/293831995/nixlog/1

@teutat3s teutat3s requested a review from GaetanLepage April 2, 2025 10:39
@teutat3s teutat3s changed the title open-policy-agent: skip test that requires network open-policy-agent: skip tests that requires network, enable __darwinAllowLocalNetworking Apr 2, 2025
@teutat3s
Member Author

teutat3s commented Apr 2, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 394921


x86_64-linux

✅ 2 packages built:
  • matrix-authentication-service
  • open-policy-agent

@GaetanLepage
Contributor

Still failing on darwin with:

2025/04/02 14:17:01 http: TLS handshake error from 127.0.0.1:54189: remote error: tls: bad certificate
2025/04/02 14:17:01 http: TLS handshake error from 127.0.0.1:54190: remote error: tls: bad certificate
2025/04/02 14:17:01 http: TLS handshake error from 127.0.0.1:54191: remote error: tls: bad certificate
2025/04/02 14:17:01 http: TLS handshake error from 127.0.0.1:54192: remote error: tls: bad certificate
--- FAIL: TestHTTPSClient (0.05s)
    --- FAIL: TestHTTPSClient/Negative_Test:_No_Root_Ca (0.00s)
        --- FAIL: TestHTTPSClient/Negative_Test:_No_Root_Ca/http.send (0.00s)
            http_test.go:2658: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:54176", "tls_clien>
    --- FAIL: TestHTTPSClient/Negative_Test:_System_Certs_do_not_include_local_rootCA (0.00s)
        --- FAIL: TestHTTPSClient/Negative_Test:_System_Certs_do_not_include_local_rootCA/http.send (0.00s)
            http_test.go:2678: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:54176", "tls_clien>
2025/04/02 14:17:01 http: TLS handshake error from 127.0.0.1:54204: remote error: tls: bad certificate
--- FAIL: TestHTTPSNoClientCerts (0.02s)
    --- FAIL: TestHTTPSNoClientCerts/Negative_Test:_System_Certs_do_not_include_local_rootCA (0.00s)
        --- FAIL: TestHTTPSNoClientCerts/Negative_Test:_System_Certs_do_not_include_local_rootCA/http.send (0.00s)
            http_test.go:2917: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:54193", "tls_use_s>
FAIL
FAIL    github.com/open-policy-agent/opa/v1/topdown     2.596s
FAIL

@wegank wegank removed the 12.approvals: 1 This PR was reviewed and approved by one person. label Apr 3, 2025
@teutat3s teutat3s force-pushed the opa-skip-test branch 2 times, most recently from 22feaf5 to 06a80b9 Compare April 3, 2025 10:41
@teutat3s teutat3s changed the title open-policy-agent: skip tests that requires network, enable __darwinAllowLocalNetworking open-policy-agent: skip tests that require network, enable __darwinAllowLocalNetworking Apr 3, 2025
@teutat3s teutat3s requested a review from SuperSandro2000 April 3, 2025 10:42
@GaetanLepage
Contributor

2025/04/03 16:44:18 http: TLS handshake error from 127.0.0.1:51660: remote error: tls: bad certificate
2025/04/03 16:44:18 http: TLS handshake error from 127.0.0.1:51661: remote error: tls: bad certificate
2025/04/03 16:44:18 http: TLS handshake error from 127.0.0.1:51662: remote error: tls: bad certificate
2025/04/03 16:44:18 http: TLS handshake error from 127.0.0.1:51663: remote error: tls: bad certificate
--- FAIL: TestHTTPSClient (0.07s)
    --- FAIL: TestHTTPSClient/Negative_Test:_No_Root_Ca (0.00s)
        --- FAIL: TestHTTPSClient/Negative_Test:_No_Root_Ca/http.send (0.00s)
            http_test.go:2658: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:51647", "tls_client_cert_file": "testdata/client-cert.pem", "tls_client_key_file": "testdata/client-key.pem"}, x): eval_builtin_error: http.send: Get "https://127.0.0.1:51647": tls: failed to verify certificate: x509: OSStatus -26276'
    --- FAIL: TestHTTPSClient/Negative_Test:_System_Certs_do_not_include_local_rootCA (0.00s)
        --- FAIL: TestHTTPSClient/Negative_Test:_System_Certs_do_not_include_local_rootCA/http.send (0.00s)
            http_test.go:2678: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:51647", "tls_client_cert_file": "testdata/client-cert.pem", "tls_client_key_file": "testdata/client-key.pem", "tls_use_system_certs": true}, x): eval_builtin_error: http.send: Get "https://127.0.0.1:51647": tls: failed to verify certificate: x509: OSStatus -26276'
2025/04/03 16:44:18 http: TLS handshake error from 127.0.0.1:51675: remote error: tls: bad certificate
--- FAIL: TestHTTPSNoClientCerts (0.02s)
    --- FAIL: TestHTTPSNoClientCerts/Negative_Test:_System_Certs_do_not_include_local_rootCA (0.00s)
        --- FAIL: TestHTTPSNoClientCerts/Negative_Test:_System_Certs_do_not_include_local_rootCA/http.send (0.00s)
            http_test.go:2917: Expected error '“my-server” certificate is not standards compliant' but got: 'http.send({"method": "get", "url": "https://127.0.0.1:51664", "tls_use_system_certs": true}, x): eval_builtin_error: http.send: Get "https://127.0.0.1:51664": tls: failed to verify certificate: x509: OSStatus -26276'
FAIL
FAIL    github.com/open-policy-agent/opa/v1/topdown     2.845s
FAIL
~

@teutat3s
Member Author

teutat3s commented Apr 3, 2025

Weird. -skip=TestHTTPSClient does not do anything?

These tests do not work in the nix sandbox.
To fix test that requires networking in the darwin sandbox.
@GaetanLepage
Contributor

Weird. -skip=TestHTTPSClient does not do anything?

Turns out, you cannot pass -skip several times: https://nixos.org/manual/nixpkgs/unstable/#ssec-skip-go-tests

I have force-pushed a fix.
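
The behaviour described in the comment above, as an added example that is not part of this PR or of nixpkgs: it assumes `-skip` acts like an ordinary Go string flag, where a later occurrence overwrites an earlier one, and it models top-level test names only. The helpers `effectiveSkip`, `joinSkip` and `skipped` are hypothetical, and `TestHTTPSClientConstructed` is a constructed name added to show why the joined pattern is anchored.

```go
package main

import (
	"flag"
	"fmt"
	"regexp"
	"strings"
)

// effectiveSkip parses args with a single string flag named "skip"
// (assumption: the test flag behaves like any Go string flag).
// Each repeated -skip overwrites the value set by the one before it.
func effectiveSkip(args []string) string {
	fs := flag.NewFlagSet("sketch", flag.ContinueOnError)
	skip := fs.String("skip", "", "regexp of tests to skip")
	_ = fs.Parse(args)
	return *skip
}

// joinSkip builds one anchored alternation so a single -skip covers every
// listed test and nothing that merely contains one of the names.
func joinSkip(names []string) string {
	parts := make([]string, len(names))
	for i, n := range names {
		parts[i] = "^" + regexp.QuoteMeta(n) + "$"
	}
	return strings.Join(parts, "|")
}

// skipped lists the top-level test names the pattern matches.
// Subtest paths containing "/" are not modelled here.
func skipped(pattern string, tests []string) []string {
	re := regexp.MustCompile(pattern)
	var out []string
	for _, t := range tests {
		if re.MatchString(t) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	// Test names from the logs in this thread, plus one constructed neighbour.
	tests := []string{"TestHTTPSClient", "TestHTTPSNoClientCerts",
		"TestEvalWithSchemaFileWithRemoteRef", "TestHTTPSClientConstructed"}
	last := effectiveSkip([]string{"-skip=TestEvalWithSchemaFileWithRemoteRef", "-skip=TestHTTPSClient"})
	fmt.Println("repeated flags skip:", skipped(last, tests))
	fmt.Println("joined pattern skips:", skipped(joinSkip(tests[:3]), tests))
}
```

With repeated flags only the last pattern survives, and because it is unanchored it also matches the constructed neighbour; the joined, anchored pattern skips exactly the three listed tests.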

@GaetanLepage
Contributor

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 394921


x86_64-linux

✅ 2 packages built:
  • matrix-authentication-service
  • open-policy-agent

aarch64-linux

✅ 2 packages built:
  • matrix-authentication-service
  • open-policy-agent

x86_64-darwin

✅ 2 packages built:
  • matrix-authentication-service
  • open-policy-agent

aarch64-darwin

✅ 2 packages built:
  • matrix-authentication-service
  • open-policy-agent

@GaetanLepage GaetanLepage requested a review from drupol April 18, 2025 13:12
@GaetanLepage GaetanLepage requested a review from NickCao April 18, 2025 19:52
@NickCao NickCao merged commit 3299717 into NixOS:master Apr 18, 2025
23 of 27 checks passed
@nixpkgs-ci
Contributor

nixpkgs-ci bot commented Apr 18, 2025

Backport failed for release-24.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-24.11
git worktree add -d .worktree/backport-394921-to-release-24.11 origin/release-24.11
cd .worktree/backport-394921-to-release-24.11
git switch --create backport-394921-to-release-24.11
git cherry-pick -x 982ec514ae046b36d6be259e95a2816bd47873cb dadb234094761065149f148dab69ee82357978e6 3baf3c4c6a519679ee266b4496ac4e2e1819e296

Successfully merging this pull request may close these issues.

Build failure: open-policy-agent on aarch64-linux