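#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# shellcheck disable=SC2016
#
# Integration test for the credential facilities of the service manager:
# LoadCredential=/SetCredential= (and their Encrypted= variants), the
# SetCredential= fallback, propagation of system credentials (nspawn / qemu)
# into services, AssertCredential=, credential immutability and
# directory-based loading.
#
# Every check is an assertion: under 'set -e' the first failing command aborts
# the script, and /testok is only written once all of them passed. The
# '${CREDENTIALS_DIRECTORY}' references are deliberately single-quoted so that
# the service, not this shell, expands them (hence the SC2016 disable).
set -eux
set -o pipefail

# Scratch files live in one private directory created by mktemp instead of
# fixed names in /tmp; the EXIT trap removes it on every exit path, including
# a failed assertion.
workdir=$(mktemp -d)
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

systemd-analyze log-level debug

# Verify that the creds are properly loaded and we can read them from the service's unpriv user
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p LoadCredential=shadow:/etc/shadow \
            -p SetCredential=dog:wuff \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >"$workdir/concat"
( cat /etc/passwd /etc/shadow && printf '%s' wuff ) | cmp "$workdir/concat"

# Test that SetCredential= acts as fallback for LoadCredential=
echo piff >"$workdir/fallback"
[[ "$(systemd-run -p LoadCredential=paff:"$workdir/fallback" -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" == "piff" ]]
# Once the file is gone the LoadCredential= source is missing and the SetCredential= value must be used instead
rm -- "$workdir/fallback"
[[ "$(systemd-run -p LoadCredential=paff:"$workdir/fallback" -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" == "poff" ]]

if systemd-detect-virt -q -c ; then
    expected_credential=mynspawncredential
    expected_value=strangevalue
elif [[ -d /sys/firmware/qemu_fw_cfg/by_name ]]; then
    # Verify that passing creds through kernel cmdline works
    [[ "$(systemd-creds --system cat kernelcmdlinecred)" == "uff" ]]

    # And that it also works via SMBIOS
    [[ "$(systemd-creds --system cat smbioscredential)" == "magicdata" ]]
    [[ "$(systemd-creds --system cat binarysmbioscredential)" == "magicbinarydata" ]]

    # If we aren't run in nspawn, we are run in qemu
    systemd-detect-virt -q -v
    expected_credential=myqemucredential
    expected_value=othervalue

    # Verify that writing a sysctl via the kernel cmdline worked
    [[ "$(cat /proc/sys/kernel/domainname)" == "sysctltest" ]]

    # Verify that creating a user via sysusers via the kernel cmdline worked
    grep -q '^credtestuser:' /etc/passwd
else
    echo "qemu_fw_cfg support missing in kernel. Sniff!"
    expected_credential=""
    expected_value=""
fi

if [[ -n "$expected_credential" ]]; then
    # If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
    [[ "$(systemd-creds --system cat "$expected_credential")" == "$expected_value" ]]

    # Test that propagation from system credential to service credential works
    [[ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" == "$expected_value" ]]

    # Check it also works, if we rename it while propagating it
    [[ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" == "$expected_value" ]]

    # Combine it with a fallback (which should have no effect, given the cred should be passed down)
    [[ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" == "$expected_value" ]]

    # This should succeed
    systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true

    # And this should fail (the condition of an 'if' is exempt from 'set -e')
    if systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true; then
        echo 'unexpected success'
        exit 1
    fi
fi

# Verify that the creds are immutable: neither modifying nor removing a loaded credential may succeed
if systemd-run -p LoadCredential=passwd:/etc/passwd \
               -p DynamicUser=1 \
               --wait \
               touch '${CREDENTIALS_DIRECTORY}/passwd'; then
    echo 'unexpected success'
    exit 1
fi
if systemd-run -p LoadCredential=passwd:/etc/passwd \
               -p DynamicUser=1 \
               --wait \
               rm '${CREDENTIALS_DIRECTORY}/passwd'; then
    echo 'unexpected success'
    exit 1
fi

# Check directory-based loading: each file below the directory becomes one
# credential, with the path components joined by '_'
creddir="$workdir/creds"
mkdir -p "$creddir/sub"
printf '%s' a >"$creddir/foo"
printf '%s' b >"$creddir/bar"
printf '%s' c >"$creddir/baz"
printf '%s' d >"$creddir/sub/qux"
systemd-run -p LoadCredential=cred:"$creddir" \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
                '${CREDENTIALS_DIRECTORY}/cred_bar' \
                '${CREDENTIALS_DIRECTORY}/cred_baz' \
                '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >"$workdir/concat"
printf '%s' abcd | cmp "$workdir/concat"

# Now test encrypted credentials (only supported when built with OpenSSL though)
if systemctl --version | grep -q -- +OPENSSL ; then
    plaintext="$workdir/plaintext"
    ciphertext="$workdir/ciphertext"

    # Round-trip through systemd-creds, then hand the ciphertext file to a service
    printf '%s' "$RANDOM" >"$plaintext"
    systemd-creds encrypt --name=test-54 "$plaintext" "$ciphertext"
    systemd-creds decrypt --name=test-54 "$ciphertext" | cmp "$plaintext"

    systemd-run -p LoadCredentialEncrypted=test-54:"$ciphertext" \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp "$plaintext"

    # Same again with a fresh secret, this time passing the ciphertext inline
    printf '%s' "$RANDOM" >"$plaintext"
    systemd-creds encrypt --name=test-54 "$plaintext" "$ciphertext"
    systemd-creds decrypt --name=test-54 "$ciphertext" | cmp "$plaintext"

    systemd-run -p SetCredentialEncrypted=test-54:"$(cat "$ciphertext")" \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp "$plaintext"
fi

systemd-analyze log-level info

echo OK >/testok

exit 0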