systemd/test/units/testsuite-54.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
set -eux

systemd-analyze log-level debug

# Verify that the creds are properly loaded and we can read them from the service's unpriv user
systemd-run -p LoadCredential=passwd:/etc/passwd \
    -p LoadCredential=shadow:/etc/shadow \
    -p SetCredential=dog:wuff \
    -p DynamicUser=1 \
    --unit=test-54-unpriv.service \
    --wait \
    --pipe \
    cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' \
    >/tmp/ts54-concat
(cat /etc/passwd /etc/shadow && echo -n wuff) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat

# Test that SetCredential= acts as fallback for LoadCredential=
echo piff >/tmp/ts54-fallback
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
rm /tmp/ts54-fallback
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]

if systemd-detect-virt -q -c ; then
    expected_credential=mynspawncredential
    expected_value=strangevalue
elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
    # Verify that passing creds through kernel cmdline works
    [ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]

    # And that it also works via SMBIOS
    [ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
    [ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]

    # If we aren't run in nspawn, we are run in qemu
    systemd-detect-virt -q -v
    expected_credential=myqemucredential
    expected_value=othervalue

    # Verify that writing a sysctl via the kernel cmdline worked
    [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]

    # Verify that creating a user via sysusers via the kernel cmdline worked
    grep -q ^credtestuser: /etc/passwd

    # Verify that writing a file via tmpfiles worked
    [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ]
    [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ]
    [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ]
else
    echo "qemu_fw_cfg support missing in kernel. Sniff!"
    expected_credential=""
    expected_value=""
fi

if [ "$expected_credential" != "" ] ; then
    # If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
    [ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]

    # Test that propagation from system credential to service credential works
    [ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]

    # Check it also works, if we rename it while propagating it
    [ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]

    # Combine it with a fallback (which should have no effect, given the cred should be passed down)
    [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]

    # This should succeed
    systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true

    # And this should fail
    (! systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true)
fi

# Verify that the creds are immutable
(! systemd-run -p LoadCredential=passwd:/etc/passwd \
    -p DynamicUser=1 \
    --unit=test-54-immutable-touch.service \
    --wait \
    touch '${CREDENTIALS_DIRECTORY}/passwd')
(! systemd-run -p LoadCredential=passwd:/etc/passwd \
    -p DynamicUser=1 \
    --unit=test-54-immutable-rm.service \
    --wait \
    rm '${CREDENTIALS_DIRECTORY}/passwd')

# Check directory-based loading
mkdir -p /tmp/ts54-creds/sub
echo -n a >/tmp/ts54-creds/foo
echo -n b >/tmp/ts54-creds/bar
echo -n c >/tmp/ts54-creds/baz
echo -n d >/tmp/ts54-creds/sub/qux
systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
    -p DynamicUser=1 \
    --unit=test-54-dir.service \
    --wait \
    --pipe \
    cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
        '${CREDENTIALS_DIRECTORY}/cred_bar' \
        '${CREDENTIALS_DIRECTORY}/cred_baz' \
        '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
cmp /tmp/ts54-concat <(echo -n abcd)
rm /tmp/ts54-concat
rm -rf /tmp/ts54-creds

# Now test encrypted credentials (only supported when built with OpenSSL though)
if systemctl --version | grep -q -- +OPENSSL ; then
    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
        --wait \
        --pipe \
        cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
        --wait \
        --pipe \
        cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
fi

# https://github.com/systemd/systemd/issues/27275
systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \
            -p 'ExecStartPre=true' \
            -p 'ExecStartPre=systemd-creds cat os' \
            --unit=test-54-exec-start.service \
            --wait \
            --pipe \
            true | cmp /etc/os-release

systemd-analyze log-level info

echo OK >/testok

exit 0
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`#!/usr/bin/env bash`
tests: add spdx headers to scripts and Makefiles 2021-10-17 16:13:06 +00:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
test: use set -eux and set -o pipefail everywhere This should make the scripts more robust. 2021-04-09 17:39:41 +00:00			`# shellcheck disable=SC2016`
			`set -eux`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00
			`systemd-analyze log-level debug`

			`# Verify that the creds are properly loaded and we can read them from the service's unpriv user`
			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
test: drop uses of "&& { echo 'unexpected success'; exit 1; }" Brief is sweet. 2023-04-05 13:50:42 +00:00			`-p LoadCredential=shadow:/etc/shadow \`
			`-p SetCredential=dog:wuff \`
			`-p DynamicUser=1 \`
			`--unit=test-54-unpriv.service \`
			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' \`
			`>/tmp/ts54-concat`
			`(cat /etc/passwd /etc/shadow && echo -n wuff) \| cmp /tmp/ts54-concat`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`rm /tmp/ts54-concat`

test: make sure that SetCredential=/LoadCredential fallback won#t regress 2022-04-21 15:35:38 +00:00			`# Test that SetCredential= acts as fallback for LoadCredential=`
test: drop whitespace after shell redirection operators (The one case that is left unchanged is '< <(subcommand)'.) This way, the style with no gap was already dominant. This way, the reader immediately knows that ' < ' is a comparison operator and ' << ' is a shift. In a few cases, replace custom EOF replacement by just EOF. There is no point in using someting like "_EOL" unless "EOF" appears in the text. 2023-02-05 20:41:24 +00:00			`echo piff >/tmp/ts54-fallback`
test: make sure that SetCredential=/LoadCredential fallback won#t regress 2022-04-21 15:35:38 +00:00			`[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]`
			`rm /tmp/ts54-fallback`
			`[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]`

test: also test nspawn system→service inheritance of creds 2022-04-22 09:31:00 +00:00			`if systemd-detect-virt -q -c ; then`
test: test new credential features 2022-04-22 19:44:26 +00:00			`expected_credential=mynspawncredential`
			`expected_value=strangevalue`
			`elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then`
			`# Verify that passing creds through kernel cmdline works`
			`[ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]`

pid1: import creds from SMBIOS too, not just qemu's fw_cfg This imports credentials also via SMBIOS' "OEM vendor string" section, similar to the existing import logic from fw_cfg. Functionality-wise this is very similar to the existing fw_cfg logic, both of which are easily settable on the qemu command line. Pros and cons of each: SMBIOS OEM vendor strings: - pro: fast, because memory mapped - pro: somewhat VMM independent, at least in theory - pro: qemu upstream sees this as the future - pro: no additional kernel module needed - con: strings only, thus binary data is base64 encoded fw_cfg: - pro: has been supported for longer in qemu - pro: supports binary data - con: slow, because IO port based - con: only qemu - con: requires qemu_fw_cfg.ko kernel module - con: qemu upstream sees this as legacy 2022-07-13 16:26:44 +00:00			`# And that it also works via SMBIOS`
			`[ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]`
			`[ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]`

test: test new credential features 2022-04-22 19:44:26 +00:00			`# If we aren't run in nspawn, we are run in qemu`
			`systemd-detect-virt -q -v`
			`expected_credential=myqemucredential`
			`expected_value=othervalue`
sysctl: also process sysctl requests via the "sysctl.extra" credential 2022-07-14 11:41:37 +00:00
			`# Verify that writing a sysctl via the kernel cmdline worked`
			`[ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]`
sysusers: allow defining additional sysusers lines via credentials 2022-07-13 09:06:04 +00:00
			`# Verify that creating a user via sysusers via the kernel cmdline worked`
			`grep -q ^credtestuser: /etc/passwd`
tmpfiles: accept additional tmpfiles lines via credential 2022-07-13 09:32:39 +00:00
			`# Verify that writing a file via tmpfiles worked`
			`[ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ]`
tmpfiles: automatically provision /etc/issue.d/ + /etc/motd.d/ + /etc/hosts from credentials 2022-07-15 14:33:20 +00:00			`[ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ]`
			`[ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ]`
test: test new credential features 2022-04-22 19:44:26 +00:00			`else`
			`echo "qemu_fw_cfg support missing in kernel. Sniff!"`
			`expected_credential=""`
			`expected_value=""`
			`fi`

			`if [ "$expected_credential" != "" ] ; then`
test: also test nspawn system→service inheritance of creds 2022-04-22 09:31:00 +00:00			`# If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh`
test: test new credential features 2022-04-22 19:44:26 +00:00			`[ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]`
test: also test nspawn system→service inheritance of creds 2022-04-22 09:31:00 +00:00
			`# Test that propagation from system credential to service credential works`
test: test new credential features 2022-04-22 19:44:26 +00:00			`[ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]`
test: also test nspawn system→service inheritance of creds 2022-04-22 09:31:00 +00:00
			`# Check it also works, if we rename it while propagating it`
test: test new credential features 2022-04-22 19:44:26 +00:00			`[ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]`
test: also test nspawn system→service inheritance of creds 2022-04-22 09:31:00 +00:00
			`# Combine it with a fallback (which should have no effect, given the cred should be passed down)`
test: test new credential features 2022-04-22 19:44:26 +00:00			`[ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]`
pid1: add mechanism for conditionalizing units/network/netdev/link based on credentials passed in This is useful when provisioning systems via nspawn/qemu and running specific services only if specific data is passed into the system. 2022-07-13 08:38:53 +00:00
			`# This should succeed`
			`systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true`

			`# And this should fail`
test: drop uses of "&& { echo 'unexpected success'; exit 1; }" Brief is sweet. 2023-04-05 13:50:42 +00:00			`(! systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true)`
test: also test nspawn system→service inheritance of creds 2022-04-22 09:31:00 +00:00			`fi`

test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`# Verify that the creds are immutable`
test: drop uses of "&& { echo 'unexpected success'; exit 1; }" Brief is sweet. 2023-04-05 13:50:42 +00:00			`(! systemd-run -p LoadCredential=passwd:/etc/passwd \`
			`-p DynamicUser=1 \`
			`--unit=test-54-immutable-touch.service \`
			`--wait \`
			`touch '${CREDENTIALS_DIRECTORY}/passwd')`
			`(! systemd-run -p LoadCredential=passwd:/etc/passwd \`
			`-p DynamicUser=1 \`
			`--unit=test-54-immutable-rm.service \`
			`--wait \`
			`rm '${CREDENTIALS_DIRECTORY}/passwd')`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00
core: teach LoadCredential= to load from a directory 2021-07-24 16:38:22 +00:00			`# Check directory-based loading`
			`mkdir -p /tmp/ts54-creds/sub`
			`echo -n a >/tmp/ts54-creds/foo`
			`echo -n b >/tmp/ts54-creds/bar`
			`echo -n c >/tmp/ts54-creds/baz`
			`echo -n d >/tmp/ts54-creds/sub/qux`
			`systemd-run -p LoadCredential=cred:/tmp/ts54-creds \`
test: drop uses of "&& { echo 'unexpected success'; exit 1; }" Brief is sweet. 2023-04-05 13:50:42 +00:00			`-p DynamicUser=1 \`
			`--unit=test-54-dir.service \`
			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/cred_foo' \`
			`'${CREDENTIALS_DIRECTORY}/cred_bar' \`
			`'${CREDENTIALS_DIRECTORY}/cred_baz' \`
			`'${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat`
testsuite-54: drop unnecessary pipe 2023-04-05 13:52:16 +00:00			`cmp /tmp/ts54-concat <(echo -n abcd)`
core: teach LoadCredential= to load from a directory 2021-07-24 16:38:22 +00:00			`rm /tmp/ts54-concat`
			`rm -rf /tmp/ts54-creds`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00
core: teach LoadCredential= to load from a directory 2021-07-24 16:38:22 +00:00			`# Now test encrypted credentials (only supported when built with OpenSSL though)`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00			`if systemctl --version \| grep -q -- +OPENSSL ; then`
			`echo -n $RANDOM >/tmp/test-54-plaintext`
			`systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext`

			`systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \`
test: drop uses of "&& { echo 'unexpected success'; exit 1; }" Brief is sweet. 2023-04-05 13:50:42 +00:00			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00
			`echo -n $RANDOM >/tmp/test-54-plaintext`
			`systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext`

test: shellcheck-ify test scripts 2021-09-29 18:30:08 +00:00			`systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \`
test: drop uses of "&& { echo 'unexpected success'; exit 1; }" Brief is sweet. 2023-04-05 13:50:42 +00:00			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext`
test: extend credentials test to cover encrypted credentials 2021-06-24 08:28:28 +00:00
			`rm /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`fi`

creds: make available to all ExecStartPre= and ExecStart= processes Fixes https://github.com/systemd/systemd/issues/27275 2023-04-15 02:01:52 +00:00			`# https://github.com/systemd/systemd/issues/27275`
			`systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \`
			`-p 'ExecStartPre=true' \`
			`-p 'ExecStartPre=systemd-creds cat os' \`
test: prefix the transient unit with test- to make coverage runs happy See 9fd8226312 for more details. Follow-up to c9210b7470. 2023-04-18 09:45:56 +00:00			`--unit=test-54-exec-start.service \`
creds: make available to all ExecStartPre= and ExecStart= processes Fixes https://github.com/systemd/systemd/issues/27275 2023-04-15 02:01:52 +00:00			`--wait \`
			`--pipe \`
			`true \| cmp /etc/os-release`

test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00			`systemd-analyze log-level info`

TEST-*: use spacing before redirection operator, but not after << EOF → <<EOF > foo < bar → >foo <bar 2021-04-07 22:09:55 +00:00			`echo OK >/testok`
test: add test suite for new credentials logic 2020-08-11 15:08:41 +00:00
			`exit 0`