author | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
commit | 99fcaeccb89621dd492203ce1f2d551c06f228ed (patch) | |
tree | 41cb730ae07383004789779b0f6e11cb3f4642a3 /nixpkgs/nixos/tests/aesmd.nix | |
parent | 59c5f5ac8682acc13bb22bc29c7cf02f7d75f01f (diff) | |
parent | 75a5ebf473cd60148ba9aec0d219f72e5cf52519 (diff) | |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Conflicts: nixpkgs/nixos/modules/config/console.nix nixpkgs/nixos/modules/services/mail/mailman.nix nixpkgs/nixos/modules/services/mail/public-inbox.nix nixpkgs/nixos/modules/services/mail/rss2email.nix nixpkgs/nixos/modules/services/networking/ssh/sshd.nix nixpkgs/pkgs/applications/networking/instant-messengers/dino/default.nix nixpkgs/pkgs/applications/networking/irc/weechat/default.nix nixpkgs/pkgs/applications/window-managers/sway/default.nix nixpkgs/pkgs/build-support/go/module.nix nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix nixpkgs/pkgs/development/interpreters/python/default.nix nixpkgs/pkgs/development/node-packages/overrides.nix nixpkgs/pkgs/development/tools/b4/default.nix nixpkgs/pkgs/servers/dict/dictd-db.nix nixpkgs/pkgs/servers/mail/public-inbox/default.nix nixpkgs/pkgs/tools/security/pinentry/default.nix nixpkgs/pkgs/tools/text/unoconv/default.nix nixpkgs/pkgs/top-level/all-packages.nix
Diffstat (limited to 'nixpkgs/nixos/tests/aesmd.nix')
-rw-r--r-- | nixpkgs/nixos/tests/aesmd.nix | 110 |
1 files changed, 75 insertions, 35 deletions
diff --git a/nixpkgs/nixos/tests/aesmd.nix b/nixpkgs/nixos/tests/aesmd.nix
index 9f07426be8d8..848e1c599201 100644
--- a/nixpkgs/nixos/tests/aesmd.nix
+++ b/nixpkgs/nixos/tests/aesmd.nix
@@ -1,7 +1,7 @@
-import ./make-test-python.nix ({ pkgs, lib, ... }: {
+{ pkgs, lib, ... }: {
 name = "aesmd";
 meta = {
- maintainers = with lib.maintainers; [ veehaitch ];
+ maintainers = with lib.maintainers; [ trundle veehaitch ];
 };
 nodes.machine = { lib, ... }: {
@@ -25,38 +25,78 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
 # We don't have a real SGX machine in NixOS tests
 systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];
+
+ specialisation = {
+ withQuoteProvider.configuration = { ... }: {
+ services.aesmd = {
+ quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
+ environment = {
+ AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+ };
+ };
+ };
+ };
 };
- testScript = ''
- with subtest("aesmd.service starts"):
- machine.wait_for_unit("aesmd.service")
- status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
- assert status == 0, "Could not get MainPID of aesmd.service"
- main_pid = main_pid.strip()
-
- with subtest("aesmd.service runtime directory permissions"):
- runtime_dir = "/run/aesmd";
- res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
- assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
-
- with subtest("aesm.socket available on host"):
- socket_path = "/var/run/aesmd/aesm.socket"
- machine.wait_until_succeeds(f"test -S {socket_path}")
- machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
- for op in [ "-r", "-w", "-x" ]:
- machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
- machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
-
- with subtest("Copies white_list_cert_to_be_verify.bin"):
- whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
- whitelist_perms = machine.succeed(
- f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
- ).strip()
- assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
-
- with subtest("Writes and binds aesm.conf in service namespace"):
- aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
-
- assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
- '';
-})
+ testScript = { nodes, ... }:
+ let
+ specialisations = "${nodes.machine.system.build.toplevel}/specialisation";
+ in
+ ''
+ def get_aesmd_pid():
+ status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
+ assert status == 0, "Could not get MainPID of aesmd.service"
+ return main_pid.strip()
+
+ with subtest("aesmd.service starts"):
+ machine.wait_for_unit("aesmd.service")
+
+ main_pid = get_aesmd_pid()
+
+ with subtest("aesmd.service runtime directory permissions"):
+ runtime_dir = "/run/aesmd";
+ res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
+ assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
+
+ with subtest("aesm.socket available on host"):
+ socket_path = "/var/run/aesmd/aesm.socket"
+ machine.wait_until_succeeds(f"test -S {socket_path}")
+ machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
+ for op in [ "-r", "-w", "-x" ]:
+ machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
+ machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
+
+ with subtest("Copies white_list_cert_to_be_verify.bin"):
+ whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
+ whitelist_perms = machine.succeed(
+ f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
+ ).strip()
+ assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
+
+ with subtest("Writes and binds aesm.conf in service namespace"):
+ aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
+
+ assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
+
+ with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"):
+ status, environment = machine.systemctl("show --property Environment --value aesmd.service")
+ assert status == 0, "Could not get Environment of aesmd.service"
+ env_by_name = dict(entry.split("=", 1) for entry in environment.split())
+ assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty"
+
+ with subtest("aesmd.service with quote provider library starts"):
+ machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test')
+ machine.wait_for_unit("aesmd.service")
+
+ main_pid = get_aesmd_pid()
+
+ with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"):
+ ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")
+ assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
+ "LD_LIBRARY_PATH is not set to the configured quote provider library"
+
+ with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):
+ azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL")
+ assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"
+ '';
+}
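Review bot: The LD_LIBRARY_PATH assertion in the "with quote provider library has correct LD_LIBRARY_PATH" subtest only checks a prefix ending in ":", so anything appended after the sgx-azure-dcap-client lib directory is accepted unchecked, although that search path decides which libraries aesmd loads for quoting. If the module intentionally appends further entries, pin the full expected value, e.g. `assert ld_library_path == "LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:<expected suffix>\n"` with the suffix filled in from the module; otherwise drop the trailing colon and compare for equality. The two `grep` calls on /proc/{main_pid}/environ also match by substring, so `grep '^LD_LIBRARY_PATH='` and `grep '^AZDCAP_DEBUG_LOG_LEVEL='` would avoid picking up a differently named variable that happens to contain the same text. In the "without quote provider library" subtest, `env_by_name["LD_LIBRARY_PATH"]` raises a KeyError with no assertion message when the variable is absent from the unit's Environment; `env_by_name.get("LD_LIBRARY_PATH", "")` keeps the failure readable if an absent variable is acceptable, otherwise assert membership first. The local name `azdcp_debug_log_level` looks like a typo for `azdcap_debug_log_level`.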