diff options
Diffstat (limited to 'nixos/tests/dhparams.nix')
-rw-r--r-- | nixos/tests/dhparams.nix | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix new file mode 100644 index 000000000000..d11dfeec5d0c --- /dev/null +++ b/nixos/tests/dhparams.nix @@ -0,0 +1,144 @@ +let + common = { pkgs, ... }: { + security.dhparams.enable = true; + environment.systemPackages = [ pkgs.openssl ]; + }; + +in import ./make-test.nix { + name = "dhparams"; + + nodes.generation1 = { pkgs, config, ... }: { + imports = [ common ]; + security.dhparams.params = { + # Use low values here because we don't want the test to run for ages. + foo.bits = 16; + # Also use the old format to make sure the type is coerced in the right + # way. + bar = 17; + }; + + systemd.services.foo = { + description = "Check systemd Ordering"; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + # This is to make sure that the dhparams generation of foo occurs + # before this service so we need this service to start as early as + # possible to provoke a race condition. + DefaultDependencies = false; + + # We check later whether the service has been started or not. + ConditionPathExists = config.security.dhparams.params.foo.path; + }; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + # The reason we only provide an ExecStop here is to ensure that we don't + # accidentally trigger an error because a file system is not yet ready + # during very early startup (we might not even have the Nix store + # available, for example if future changes in NixOS use systemd mount + # units to do early file system initialisation). + serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true"; + }; + }; + + nodes.generation2 = { + imports = [ common ]; + security.dhparams.params.foo.bits = 18; + }; + + nodes.generation3 = common; + + nodes.generation4 = { + imports = [ common ]; + security.dhparams.stateful = false; + security.dhparams.params.foo2.bits = 18; + security.dhparams.params.bar2.bits = 19; + }; + + nodes.generation5 = { + imports = [ common ]; + security.dhparams.defaultBitSize = 30; + security.dhparams.params.foo3 = {}; + security.dhparams.params.bar3 = {}; + }; + + testScript = { nodes, ... }: let + getParamPath = gen: name: let + node = "generation${toString gen}"; + in nodes.${node}.config.security.dhparams.params.${name}.path; + + assertParamBits = gen: name: bits: let + path = getParamPath gen name; + in '' + $machine->nest('check bit size of ${path}', sub { + my $out = $machine->succeed('openssl dhparam -in ${path} -text'); + $out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m; + die "bit size should be ${toString bits} but it is $1 instead." + if $1 != ${toString bits}; + }); + ''; + + switchToGeneration = gen: let + node = "generation${toString gen}"; + inherit (nodes.${node}.config.system.build) toplevel; + switchCmd = "${toplevel}/bin/switch-to-configuration test"; + in '' + $machine->nest('switch to generation ${toString gen}', sub { + $machine->succeed('${switchCmd}'); + $main::machine = ''$${node}; + }); + ''; + + in '' + my $machine = $generation1; + + $machine->waitForUnit('multi-user.target'); + + subtest "verify startup order", sub { + $machine->succeed('systemctl is-active foo.service'); + }; + + subtest "check bit sizes of dhparam files", sub { + ${assertParamBits 1 "foo" 16} + ${assertParamBits 1 "bar" 17} + }; + + ${switchToGeneration 2} + + subtest "check whether bit size has changed", sub { + ${assertParamBits 2 "foo" 18} + }; + + subtest "ensure that dhparams file for 'bar' was deleted", sub { + $machine->fail('test -e ${getParamPath 1 "bar"}'); + }; + + ${switchToGeneration 3} + + subtest "ensure that 'security.dhparams.path' has been deleted", sub { + $machine->fail( + 'test -e ${nodes.generation3.config.security.dhparams.path}' + ); + }; + + ${switchToGeneration 4} + + subtest "check bit sizes dhparam files", sub { + ${assertParamBits 4 "foo2" 18} + ${assertParamBits 4 "bar2" 19} + }; + + subtest "check whether dhparam files are in the Nix store", sub { + $machine->succeed( + 'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}', + 'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', + ); + }; + + ${switchToGeneration 5} + + subtest "check whether defaultBitSize works as intended", sub { + ${assertParamBits 5 "foo3" 30} + ${assertParamBits 5 "bar3" 30} + }; + ''; +} |