Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/grsecurity.nix46
-rw-r--r--nixos/tests/hardened.nix36
-rw-r--r--nixos/tests/misc.nix9
-rw-r--r--nixos/tests/mysql-replication.nix10
-rw-r--r--nixos/tests/radicale.nix80
-rw-r--r--nixos/tests/slim.nix66
-rw-r--r--nixos/tests/xrdp.nix45
7 files changed, 236 insertions, 56 deletions
diff --git a/nixos/tests/grsecurity.nix b/nixos/tests/grsecurity.nix
deleted file mode 100644
index d4a419fd0e39..000000000000
--- a/nixos/tests/grsecurity.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-# Basic test to make sure grsecurity works
-
-import ./make-test.nix ({ pkgs, ...} : {
-  name = "grsecurity";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ copumpkin joachifm ];
-  };
-
-  machine = { config, pkgs, ... }:
-    { security.grsecurity.enable = true;
-      boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;
-      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
-      networking.useDHCP = false;
-    };
-
-  testScript = ''
-    subtest "grsec-lock", sub {
-      $machine->succeed("systemctl is-active grsec-lock");
-      $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
-      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
-    };
-
-    subtest "paxtest", sub {
-      # TODO: running paxtest blackhat hangs the vm
-      my @pax_mustkill = (
-        "anonmap", "execbss", "execdata", "execheap", "execstack",
-        "mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",
-      );
-      foreach my $name (@pax_mustkill) {
-        my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;
-        $machine->succeed($paxtest) =~ /Killed/ or die
-      }
-    };
-
-    # tcc -run executes run-time generated code and so allows us to test whether
-    # paxmark actually works (otherwise, the process should be terminated)
-    subtest "tcc", sub {
-      $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
-      $machine->succeed("${pkgs.tinycc}/bin/tcc -run main.c");
-    };
-
-    subtest "RBAC", sub {
-      $machine->succeed("[ -c /dev/grsec ]");
-    };
-  '';
-})
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
new file mode 100644
index 000000000000..1d9a9043e03a
--- /dev/null
+++ b/nixos/tests/hardened.nix
@@ -0,0 +1,36 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "hardened";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ joachifm ];
+  };
+
+  machine =
+    { config, lib, pkgs, ... }:
+    with lib;
+    { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
+      users.users.sybil = { isNormalUser = true; group = "wheel"; };
+      imports = [ ../modules/profiles/hardened.nix ];
+    };
+
+  testScript =
+    ''
+      # Test hidepid
+      subtest "hidepid", sub {
+          $machine->succeed("grep -Fq hidepid=2 /proc/mounts");
+          $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
+          $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
+      };
+
+      # Test kernel module hardening
+      subtest "lock-modules", sub {
+          $machine->waitForUnit("multi-user.target");
+          # note: this better a be module we normally wouldn't load ...
+          $machine->fail("modprobe dccp");
+      };
+
+      # Test userns
+      subtest "userns", sub {
+          $machine->fail("unshare --user");
+      };
+    '';
+})
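Review bot: `$machine->fail("modprobe dccp")` passes on any non-zero exit, so the lock-modules subtest also passes when dccp is simply not built for this kernel or modprobe itself errors, which is not the property under test. If the profile implements locking through the `kernel.modules_disabled` sysctl, assert that directly before the modprobe check, e.g. `$machine->succeed("grep -Fq 1 /proc/sys/kernel/modules_disabled");`. The userns subtest runs `unshare --user` as root only; adding `$machine->fail("su - alice -c 'unshare --user'");` covers the unprivileged case, which is the one the restriction exists for. The comment above the modprobe line reads "this better a be module" and should read "this had better be a module".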
diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix
index cd4086cb8f62..b926a62194b4 100644
--- a/nixos/tests/misc.nix
+++ b/nixos/tests/misc.nix
@@ -25,8 +25,6 @@ import ./make-test.nix ({ pkgs, ...} : {
         };
       users.users.sybil = { isNormalUser = true; group = "wheel"; };
       security.sudo = { enable = true; wheelNeedsPassword = false; };
-      security.hideProcessInformation = true;
-      users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
     };
 
   testScript =
@@ -119,12 +117,5 @@ import ./make-test.nix ({ pkgs, ...} : {
       subtest "sudo", sub {
           $machine->succeed("su - sybil -c 'sudo true'");
       };
-
-      # Test hidepid
-      subtest "hidepid", sub {
-          $machine->succeed("grep -Fq hidepid=2 /etc/mtab");
-          $machine->succeed("[ `su - sybil -c 'pgrep -c -u root'` = 0 ]");
-          $machine->succeed("[ `su - alice -c 'pgrep -c -u root'` != 0 ]");
-      };
     '';
 })
diff --git a/nixos/tests/mysql-replication.nix b/nixos/tests/mysql-replication.nix
index b20bce8edce6..75c6d793febc 100644
--- a/nixos/tests/mysql-replication.nix
+++ b/nixos/tests/mysql-replication.nix
@@ -56,11 +56,19 @@ in
   testScript = ''
     $master->start;
     $master->waitForUnit("mysql");
+    $master->waitForOpenPort(3306);
     $slave1->start;
     $slave2->start;
     $slave1->waitForUnit("mysql");
+    $slave1->waitForOpenPort(3306);
     $slave2->waitForUnit("mysql");
-    $slave2->sleep(100); # Hopefully this is long enough!!
+    $slave2->waitForOpenPort(3306);
     $slave2->succeed("echo 'use testdb; select * from tests' | mysql -u root -N | grep 4");
+    $slave2->succeed("systemctl stop mysql");
+    $master->succeed("echo 'insert into testdb.tests values (123, 456);' | mysql -u root -N");
+    $slave2->succeed("systemctl start mysql");
+    $slave2->waitForUnit("mysql");
+    $slave2->waitForOpenPort(3306);
+    $slave2->succeed("echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456");
   '';
 })
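Review bot: The final select on slave2 runs as soon as port 3306 is open, but catching up on the row inserted while the slave was stopped is asynchronous, so the row may not have arrived yet and the test can fail intermittently. Use the driver's retrying variant for that line: `$slave2->waitUntilSucceeds("echo 'select * from testdb.tests where Id = 123;' | mysql -u root -N | grep 456");`. The earlier `grep 4` check on slave2 has the same window between port open and initial sync and would benefit from the same treatment.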
diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix
new file mode 100644
index 000000000000..4c2ed8456ddd
--- /dev/null
+++ b/nixos/tests/radicale.nix
@@ -0,0 +1,80 @@
+let
+  port = 5232;
+  radicaleOverlay = self: super: {
+    radicale = super.radicale.overrideAttrs (oldAttrs: {
+      propagatedBuildInputs = with self.pythonPackages;
+        (oldAttrs.propagatedBuildInputs or []) ++ [
+          passlib
+        ];
+    });
+  };
+  common = { config, pkgs, ...}: {
+    services.radicale = {
+      enable = true;
+      config = let home = config.users.extraUsers.radicale.home; in ''
+        [server]
+        hosts = 127.0.0.1:${builtins.toString port}
+        daemon = False
+        [encoding]
+        [well-known]
+        [auth]
+        type = htpasswd
+        htpasswd_filename = /etc/radicale/htpasswd
+        htpasswd_encryption = bcrypt
+        [git]
+        [rights]
+        [storage]
+        type = filesystem
+        filesystem_folder = ${home}/collections
+        [logging]
+        [headers]
+      '';
+    };
+    # WARNING: DON'T DO THIS IN PRODUCTION!
+    # This puts secrets (albeit hashed) directly into the Nix store for ease of testing.
+    environment.etc."radicale/htpasswd".source = with pkgs; let
+      py = python.withPackages(ps: with ps; [ passlib ]);
+    in runCommand "htpasswd" {} ''
+        ${py}/bin/python -c "
+from passlib.apache import HtpasswdFile
+ht = HtpasswdFile(
+    '$out',
+    new=True,
+    default_scheme='bcrypt'
+)
+ht.set_password('someuser', 'really_secret_password')
+ht.save()
+"
+    '';
+  };
+
+in import ./make-test.nix ({ lib, ... }: {
+  name = "radicale";
+  meta.maintainers = with lib.maintainers; [ aneeshusa ];
+
+  # Test radicale with bcrypt-based htpasswd authentication
+  nodes = {
+    py2 = { config, pkgs, ... }@args: (common args) // {
+      nixpkgs.overlays = [
+        radicaleOverlay
+      ];
+    };
+    py3 = { config, pkgs, ... }@args: (common args) // {
+      nixpkgs.overlays = [
+        (self: super: {
+          python = self.python3;
+          pythonPackages = self.python3.pkgs;
+        })
+        radicaleOverlay
+      ];
+    };
+  };
+
+  testScript = ''
+    for my $machine ($py2, $py3) {
+      $machine->waitForUnit('radicale.service');
+      $machine->waitForOpenPort(${builtins.toString port});
+      $machine->succeed('curl -s http://someuser:really_secret_password@127.0.0.1:${builtins.toString port}/someuser/calendar.ics/');
+    }
+  '';
+})
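Review bot: `curl -s` exits 0 on an HTTP 401, so the succeed() call passes even when the bcrypt htpasswd backend rejects the credentials, and the test does not prove what the comment above `nodes` says it tests. Make the status part of the check: `$machine->succeed('curl -sf http://someuser:really_secret_password@127.0.0.1:${builtins.toString port}/someuser/calendar.ics/');` — if a GET of a not-yet-created collection answers 404 on a fresh store, point the positive check at a request Radicale answers with 2xx instead. Add a negative case in the same loop so an auth backend that accepts anything is caught, e.g. `$machine->succeed("curl -s -o /dev/null -w '%{http_code}' http://someuser:wrong_password@127.0.0.1:${builtins.toString port}/someuser/calendar.ics/ | grep -q 401");` (wrong_password is a constructed value).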
diff --git a/nixos/tests/slim.nix b/nixos/tests/slim.nix
new file mode 100644
index 000000000000..7b939d836381
--- /dev/null
+++ b/nixos/tests/slim.nix
@@ -0,0 +1,66 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "slim";
+
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ aszlig ];
+  };
+
+  machine = { pkgs, lib, ... }: {
+    imports = [ ./common/user-account.nix ];
+    services.xserver.enable = true;
+    services.xserver.windowManager.default = "icewm";
+    services.xserver.windowManager.icewm.enable = true;
+    services.xserver.desktopManager.default = "none";
+    services.xserver.displayManager.slim = {
+      enable = true;
+
+      # Use a custom theme in order to get best OCR results
+      theme = pkgs.runCommand "slim-theme-ocr" {
+        nativeBuildInputs = [ pkgs.imagemagick ];
+      } ''
+        mkdir "$out"
+        convert -size 1x1 xc:white "$out/background.jpg"
+        convert -size 200x100 xc:white "$out/panel.jpg"
+        cat > "$out/slim.theme" <<EOF
+        background_color #ffffff
+        background_style tile
+
+        input_fgcolor #000000
+        msg_color #000000
+
+        session_color #000000
+        session_font Verdana:size=16:bold
+
+        username_msg Username:
+        username_font Verdana:size=16:bold
+        username_color #000000
+        username_x 50%
+        username_y 40%
+
+        password_msg Password:
+        password_x 50%
+        password_y 40%
+        EOF
+      '';
+    };
+  };
+
+  enableOCR = true;
+
+  testScript = { nodes, ... }: let
+    user = nodes.machine.config.users.extraUsers.alice;
+  in ''
+    startAll;
+    $machine->waitForText(qr/Username:/);
+    $machine->sendChars("${user.name}\n");
+    $machine->waitForText(qr/Password:/);
+    $machine->sendChars("${user.password}\n");
+
+    $machine->waitForFile('${user.home}/.Xauthority');
+    $machine->succeed('xauth merge ${user.home}/.Xauthority');
+    $machine->waitForWindow('^IceWM ');
+
+    # Make sure SLiM doesn't create a log file
+    $machine->fail('test -e /var/log/slim.log');
+  '';
+})
diff --git a/nixos/tests/xrdp.nix b/nixos/tests/xrdp.nix
new file mode 100644
index 000000000000..c997e36cc442
--- /dev/null
+++ b/nixos/tests/xrdp.nix
@@ -0,0 +1,45 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "xrdp";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ volth ];
+  };
+
+  nodes = {
+    server = { lib, pkgs, ... }: {
+      imports = [ ./common/user-account.nix ];
+      services.xrdp.enable = true;
+      services.xrdp.defaultWindowManager = "${pkgs.xterm}/bin/xterm";
+      networking.firewall.allowedTCPPorts = [ 3389 ];
+    };
+
+    client = { lib, pkgs, ... }: {
+      imports = [ ./common/x11.nix ./common/user-account.nix ];
+      services.xserver.displayManager.auto.user = "alice";
+      environment.systemPackages = [ pkgs.freerdp ];
+      services.xrdp.enable = true;
+      services.xrdp.defaultWindowManager = "${pkgs.icewm}/bin/icewm";
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    startAll;
+
+    $client->waitForX;
+    $client->waitForFile("/home/alice/.Xauthority");
+    $client->succeed("xauth merge ~alice/.Xauthority");
+
+    $client->sleep(5);
+
+    $client->execute("xterm &");
+    $client->sleep(1);
+    $client->sendChars("xfreerdp /cert-tofu /w:640 /h:480 /v:127.0.0.1 /u:alice /p:foobar\n");
+    $client->sleep(5);
+    $client->screenshot("localrdp");
+
+    $client->execute("xterm &");
+    $client->sleep(1);
+    $client->sendChars("xfreerdp /cert-tofu /w:640 /h:480 /v:server /u:alice /p:foobar\n");
+    $client->sleep(5);
+    $client->screenshot("remoterdp");
+  '';
+})
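Review bot: Nothing in the script asserts that either RDP session was established: `execute` ignores the exit status of `xterm &`, the xfreerdp commands are typed into the terminal, and `screenshot` after a fixed `sleep(5)` succeeds whether or not a connection came up, so the test passes with xrdp broken. Replace each sleep/screenshot pair with a wait on something observable before taking the screenshot, e.g. `$client->waitForWindow(qr/FreeRDP/);` if that is the title xfreerdp gives its window (confirm against the packaged version). The fixed sleeps before each `xterm &` are also a likely source of flakiness on slow builders; `$client->waitForWindow('xterm');` would wait for the terminal to actually appear before sendChars types into it.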