systemd/test/units/testsuite-54.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
set -eux

systemd-analyze log-level debug

# Verify that the creds are properly loaded and we can read them from the service's unpriv user
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p LoadCredential=shadow:/etc/shadow \
            -p SetCredential=dog:wuff \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat

# Verify that the creds are immutable
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            touch '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            rm '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }

# Check directory-based loading
mkdir -p /tmp/ts54-creds/sub
echo -n a >/tmp/ts54-creds/foo
echo -n b >/tmp/ts54-creds/bar
echo -n c >/tmp/ts54-creds/baz
echo -n d >/tmp/ts54-creds/sub/qux
systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
                '${CREDENTIALS_DIRECTORY}/cred_bar' \
                '${CREDENTIALS_DIRECTORY}/cred_baz' \
                '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
( echo -n abcd ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat
rm -rf /tmp/ts54-creds

# Now test encrypted credentials (only supported when built with OpenSSL though)
if systemctl --version | grep -q -- +OPENSSL ; then
    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
fi

systemd-analyze log-level info

echo OK >/testok

exit 0
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`#!/usr/bin/env bash`
tests: add spdx headers to scripts and Makefiles 2021-10-17 16:13:06 +00:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
test: use set -eux and set -o pipefail everywhere This should make the scripts more robust. 2021-04-09 17:39:41 +00:00			`# shellcheck disable=SC2016`
			`set -eux`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00
			`systemd-analyze log-level debug`

			`# Verify that the creds are properly loaded and we can read them from the service's unpriv user`
			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
			`-p LoadCredential=shadow:/etc/shadow \`
			`-p SetCredential=dog:wuff \`
			`-p DynamicUser=1 \`
			`--wait \`
			`--pipe \`
TEST-*: use spacing before redirection operator, but not after << EOF → <<EOF > foo < bar → >foo <bar 2021-04-07 22:09:55 +00:00			`cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`( cat /etc/passwd /etc/shadow && echo -n wuff ) \| cmp /tmp/ts54-concat`
			`rm /tmp/ts54-concat`

			`# Verify that the creds are immutable`
TEST-*: make failure tests actually fail on failure Here the intent was actually correct, and the tests still pass when the check is made effective. 2021-04-07 23:27:33 +00:00			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`-p DynamicUser=1 \`
			`--wait \`
TEST-*: make failure tests actually fail on failure Here the intent was actually correct, and the tests still pass when the check is made effective. 2021-04-07 23:27:33 +00:00			`touch '${CREDENTIALS_DIRECTORY}/passwd' \`
			`&& { echo 'unexpected success'; exit 1; }`
			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`-p DynamicUser=1 \`
			`--wait \`
TEST-*: make failure tests actually fail on failure Here the intent was actually correct, and the tests still pass when the check is made effective. 2021-04-07 23:27:33 +00:00			`rm '${CREDENTIALS_DIRECTORY}/passwd' \`
			`&& { echo 'unexpected success'; exit 1; }`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00
core: teach LoadCredential= to load from a directory 2021-07-24 16:38:22 +00:00			`# Check directory-based loading`
			`mkdir -p /tmp/ts54-creds/sub`
			`echo -n a >/tmp/ts54-creds/foo`
			`echo -n b >/tmp/ts54-creds/bar`
			`echo -n c >/tmp/ts54-creds/baz`
			`echo -n d >/tmp/ts54-creds/sub/qux`
			`systemd-run -p LoadCredential=cred:/tmp/ts54-creds \`
			`-p DynamicUser=1 \`
			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/cred_foo' \`
			`'${CREDENTIALS_DIRECTORY}/cred_bar' \`
			`'${CREDENTIALS_DIRECTORY}/cred_baz' \`
			`'${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat`
			`( echo -n abcd ) \| cmp /tmp/ts54-concat`
			`rm /tmp/ts54-concat`
			`rm -rf /tmp/ts54-creds`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00
core: teach LoadCredential= to load from a directory 2021-07-24 16:38:22 +00:00			`# Now test encrypted credentials (only supported when built with OpenSSL though)`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00			`if systemctl --version \| grep -q -- +OPENSSL ; then`
			`echo -n $RANDOM >/tmp/test-54-plaintext`
			`systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext`

			`systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \`
			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext`

			`echo -n $RANDOM >/tmp/test-54-plaintext`
			`systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext`

test: shellcheck-ify test scripts 2021-09-29 18:30:08 +00:00			`systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext`

			`rm /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`fi`

test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`systemd-analyze log-level info`

TEST-*: use spacing before redirection operator, but not after << EOF → <<EOF > foo < bar → >foo <bar 2021-04-07 22:09:55 +00:00			`echo OK >/testok`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00
			`exit 0`