]> git.ipfire.org Git - thirdparty/systemd.git/blob - test/units/testsuite-54.sh
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
test: drop whitespace after shell redirection operators
[thirdparty/systemd.git] / test / units / testsuite-54.sh
1 #!/usr/bin/env bash
2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
4 set -eux
5
6 systemd-analyze log-level debug
7
8 # Verify that the creds are properly loaded and we can read them from the service's unpriv user
9 systemd-run -p LoadCredential=passwd:/etc/passwd \
10 -p LoadCredential=shadow:/etc/shadow \
11 -p SetCredential=dog:wuff \
12 -p DynamicUser=1 \
13 --wait \
14 --pipe \
15 cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
16 ( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
17 rm /tmp/ts54-concat
18
19 # Test that SetCredential= acts as fallback for LoadCredential=
20 echo piff >/tmp/ts54-fallback
21 [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
22 rm /tmp/ts54-fallback
23 [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]
24
25 if systemd-detect-virt -q -c ; then
26 expected_credential=mynspawncredential
27 expected_value=strangevalue
28 elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
29 # Verify that passing creds through kernel cmdline works
30 [ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]
31
32 # And that it also works via SMBIOS
33 [ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
34 [ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]
35
36 # If we aren't run in nspawn, we are run in qemu
37 systemd-detect-virt -q -v
38 expected_credential=myqemucredential
39 expected_value=othervalue
40
41 # Verify that writing a sysctl via the kernel cmdline worked
42 [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
43
44 # Verify that creating a user via sysusers via the kernel cmdline worked
45 grep -q ^credtestuser: /etc/passwd
46
47 # Verify that writing a file via tmpfiles worked
48 [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ]
49 [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ]
50 [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ]
51 else
52 echo "qemu_fw_cfg support missing in kernel. Sniff!"
53 expected_credential=""
54 expected_value=""
55 fi
56
57 if [ "$expected_credential" != "" ] ; then
58 # If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
59 [ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]
60
61 # Test that propagation from system credential to service credential works
62 [ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
63
64 # Check it also works, if we rename it while propagating it
65 [ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]
66
67 # Combine it with a fallback (which should have no effect, given the cred should be passed down)
68 [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
69
70 # This should succeed
71 systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true
72
73 # And this should fail
74 systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; }
75 fi
76
77 # Verify that the creds are immutable
78 systemd-run -p LoadCredential=passwd:/etc/passwd \
79 -p DynamicUser=1 \
80 --wait \
81 touch '${CREDENTIALS_DIRECTORY}/passwd' \
82 && { echo 'unexpected success'; exit 1; }
83 systemd-run -p LoadCredential=passwd:/etc/passwd \
84 -p DynamicUser=1 \
85 --wait \
86 rm '${CREDENTIALS_DIRECTORY}/passwd' \
87 && { echo 'unexpected success'; exit 1; }
88
89 # Check directory-based loading
90 mkdir -p /tmp/ts54-creds/sub
91 echo -n a >/tmp/ts54-creds/foo
92 echo -n b >/tmp/ts54-creds/bar
93 echo -n c >/tmp/ts54-creds/baz
94 echo -n d >/tmp/ts54-creds/sub/qux
95 systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
96 -p DynamicUser=1 \
97 --wait \
98 --pipe \
99 cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
100 '${CREDENTIALS_DIRECTORY}/cred_bar' \
101 '${CREDENTIALS_DIRECTORY}/cred_baz' \
102 '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
103 ( echo -n abcd ) | cmp /tmp/ts54-concat
104 rm /tmp/ts54-concat
105 rm -rf /tmp/ts54-creds
106
107 # Now test encrypted credentials (only supported when built with OpenSSL though)
108 if systemctl --version | grep -q -- +OPENSSL ; then
109 echo -n $RANDOM >/tmp/test-54-plaintext
110 systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
111 systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
112
113 systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
114 --wait \
115 --pipe \
116 cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
117
118 echo -n $RANDOM >/tmp/test-54-plaintext
119 systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
120 systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
121
122 systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
123 --wait \
124 --pipe \
125 cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
126
127 rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
128 fi
129
130 systemd-analyze log-level info
131
132 echo OK >/testok
133
134 exit 0
Unnamed repository; edit this file 'description' to name the repository.