[thirdparty/systemd.git] / test / units / testsuite-54.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
set -eux

systemd-analyze log-level debug

# Verify that the creds are properly loaded and we can read them from the service's unpriv user
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p LoadCredential=shadow:/etc/shadow \
            -p SetCredential=dog:wuff \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat

# Test that SetCredential= acts as fallback for LoadCredential=
echo piff > /tmp/ts54-fallback
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
rm /tmp/ts54-fallback
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]

if systemd-detect-virt -q -c ; then
    expected_credential=mynspawncredential
    expected_value=strangevalue
elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
    # Verify that passing creds through kernel cmdline works
    [ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]

    # And that it also works via SMBIOS
    [ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
    [ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]

    # If we aren't run in nspawn, we are run in qemu
    systemd-detect-virt -q -v
    expected_credential=myqemucredential
    expected_value=othervalue

    # Verify that writing a sysctl via the kernel cmdline worked
    [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]

    # Verify that creating a user via sysusers via the kernel cmdline worked
    grep -q ^credtestuser: /etc/passwd
else
    echo "qemu_fw_cfg support missing in kernel. Sniff!"
    expected_credential=""
    expected_value=""
fi

if [ "$expected_credential" != "" ] ; then
    # If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
    [ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]

    # Test that propagation from system credential to service credential works
    [ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]

    # Check it also works, if we rename it while propagating it
    [ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]

    # Combine it with a fallback (which should have no effect, given the cred should be passed down)
    [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]

    # This should succeed
    systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true

    # And this should fail
    systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; }
fi

# Verify that the creds are immutable
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            touch '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            rm '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }

# Check directory-based loading
mkdir -p /tmp/ts54-creds/sub
echo -n a >/tmp/ts54-creds/foo
echo -n b >/tmp/ts54-creds/bar
echo -n c >/tmp/ts54-creds/baz
echo -n d >/tmp/ts54-creds/sub/qux
systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
                '${CREDENTIALS_DIRECTORY}/cred_bar' \
                '${CREDENTIALS_DIRECTORY}/cred_baz' \
                '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
( echo -n abcd ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat
rm -rf /tmp/ts54-creds

# Now test encrypted credentials (only supported when built with OpenSSL though)
if systemctl --version | grep -q -- +OPENSSL ; then
    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
fi

systemd-analyze log-level info

echo OK >/testok

exit 0
Commit	Line	Data
30dd9f73	1	#!/usr/bin/env bash
7b3cec95	2	# SPDX-License-Identifier: LGPL-2.1-or-later
084575ff FS	3	# shellcheck disable=SC2016
084575ff FS	4	set -eux
30dd9f73 LP	5
	6	systemd-analyze log-level debug
	7
	8	# Verify that the creds are properly loaded and we can read them from the service's unpriv user
	9	systemd-run -p LoadCredential=passwd:/etc/passwd \
	10	-p LoadCredential=shadow:/etc/shadow \
	11	-p SetCredential=dog:wuff \
	12	-p DynamicUser=1 \
	13	--wait \
	14	--pipe \
0ee99483	15	cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
30dd9f73 LP	16	( cat /etc/passwd /etc/shadow && echo -n wuff ) \| cmp /tmp/ts54-concat
	17	rm /tmp/ts54-concat
	18
6d085447 LP	19	# Test that SetCredential= acts as fallback for LoadCredential=
	20	echo piff > /tmp/ts54-fallback
	21	[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
	22	rm /tmp/ts54-fallback
	23	[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]
	24
42a3f23c	25	if systemd-detect-virt -q -c ; then
93a1f57d LP	26	expected_credential=mynspawncredential
	27	expected_value=strangevalue
	28	elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
	29	# Verify that passing creds through kernel cmdline works
	30	[ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]
	31
8de7de46 LP	32	# And that it also works via SMBIOS
	33	[ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
	34	[ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]
	35
93a1f57d LP	36	# If we aren't run in nspawn, we are run in qemu
	37	systemd-detect-virt -q -v
	38	expected_credential=myqemucredential
	39	expected_value=othervalue
39f0d1d2 LP	40
	41	# Verify that writing a sysctl via the kernel cmdline worked
	42	[ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
3acb6ede LP	43
	44	# Verify that creating a user via sysusers via the kernel cmdline worked
	45	grep -q ^credtestuser: /etc/passwd
93a1f57d LP	46	else
	47	echo "qemu_fw_cfg support missing in kernel. Sniff!"
	48	expected_credential=""
	49	expected_value=""
	50	fi
	51
	52	if [ "$expected_credential" != "" ] ; then
42a3f23c	53	# If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
93a1f57d	54	[ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]
42a3f23c LP	55
42a3f23c LP	56	# Test that propagation from system credential to service credential works
93a1f57d	57	[ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
42a3f23c LP	58
42a3f23c LP	59	# Check it also works, if we rename it while propagating it
93a1f57d	60	[ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]
42a3f23c LP	61
42a3f23c LP	62	# Combine it with a fallback (which should have no effect, given the cred should be passed down)
93a1f57d	63	[ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
4f80cfca LP	64
	65	# This should succeed
	66	systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true
	67
	68	# And this should fail
	69	systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; }
42a3f23c LP	70	fi
42a3f23c LP	71
30dd9f73	72	# Verify that the creds are immutable
4e20fe27	73	systemd-run -p LoadCredential=passwd:/etc/passwd \
30dd9f73 LP	74	-p DynamicUser=1 \
30dd9f73 LP	75	--wait \
4e20fe27 ZJS	76	touch '${CREDENTIALS_DIRECTORY}/passwd' \
	77	&& { echo 'unexpected success'; exit 1; }
	78	systemd-run -p LoadCredential=passwd:/etc/passwd \
30dd9f73 LP	79	-p DynamicUser=1 \
30dd9f73 LP	80	--wait \
4e20fe27 ZJS	81	rm '${CREDENTIALS_DIRECTORY}/passwd' \
4e20fe27 ZJS	82	&& { echo 'unexpected success'; exit 1; }
30dd9f73	83
3989bdc1 AB	84	# Check directory-based loading
	85	mkdir -p /tmp/ts54-creds/sub
	86	echo -n a >/tmp/ts54-creds/foo
	87	echo -n b >/tmp/ts54-creds/bar
	88	echo -n c >/tmp/ts54-creds/baz
	89	echo -n d >/tmp/ts54-creds/sub/qux
	90	systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
	91	-p DynamicUser=1 \
	92	--wait \
	93	--pipe \
	94	cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
	95	'${CREDENTIALS_DIRECTORY}/cred_bar' \
	96	'${CREDENTIALS_DIRECTORY}/cred_baz' \
	97	'${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
	98	( echo -n abcd ) \| cmp /tmp/ts54-concat
	99	rm /tmp/ts54-concat
	100	rm -rf /tmp/ts54-creds
c69620ef	101
3989bdc1	102	# Now test encrypted credentials (only supported when built with OpenSSL though)
c69620ef LP	103	if systemctl --version \| grep -q -- +OPENSSL ; then
	104	echo -n $RANDOM >/tmp/test-54-plaintext
	105	systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
	106	systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext
	107
	108	systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
	109	--wait \
	110	--pipe \
	111	cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext
	112
	113	echo -n $RANDOM >/tmp/test-54-plaintext
	114	systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
	115	systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext
	116
1c3f490f	117	systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
c69620ef LP	118	--wait \
	119	--pipe \
	120	cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext
	121
	122	rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
	123	fi
	124
30dd9f73 LP	125	systemd-analyze log-level info
30dd9f73 LP	126
0ee99483	127	echo OK >/testok
30dd9f73 LP	128
30dd9f73 LP	129	exit 0