import ./make-test.nix ({ pkgs, ... }: {
  name = "nginx-sso";
  meta = {
    maintainers = with pkgs.stdenv.lib.maintainers; [ delroth ];
  };

  machine = {
    services.nginx.sso = {
      enable = true;
      configuration = {
        listen = { addr = "127.0.0.1"; port = 8080; };

        providers.token.tokens = {
          myuser = "MyToken";
        };

        acl = {
          rule_sets = [
            {
              rules = [ { field = "x-application"; equals = "MyApp"; } ];
              allow = [ "myuser" ];
            }
          ];
        };
      };
    };
  };

  testScript = ''
    startAll;

    $machine->waitForUnit("nginx-sso.service");
    $machine->waitForOpenPort(8080);

    # No valid user -> 401.
    $machine->fail("curl -sSf http://localhost:8080/auth");

    # Valid user but no matching ACL -> 403.
    $machine->fail("curl -sSf -H 'Authorization: Token MyToken' http://localhost:8080/auth");

    # Valid user and matching ACL -> 200.
    $machine->succeed("curl -sSf -H 'Authorization: Token MyToken' -H 'X-Application: MyApp' http://localhost:8080/auth");
  '';
})