test/units/testsuite-54.sh

   1 #!/usr/bin/env bash
   2 # SPDX-License-Identifier: LGPL-2.1-or-later
   3 # shellcheck disable=SC2016
   4 set -eux
   5
   6 systemd-analyze log-level debug
   7
   8 # Verify that the creds are properly loaded and we can read them from the service's unpriv user
   9 systemd-run -p LoadCredential=passwd:/etc/passwd \
  10             -p LoadCredential=shadow:/etc/shadow \
  11             -p SetCredential=dog:wuff \
  12             -p DynamicUser=1 \
  13             --wait \
  14             --pipe \
  15             cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
  16 ( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
  17 rm /tmp/ts54-concat
  18
  19 # Test that SetCredential= acts as fallback for LoadCredential=
  20 echo piff > /tmp/ts54-fallback
  21 [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
  22 rm /tmp/ts54-fallback
  23 [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]
  24
  25 if systemd-detect-virt -q -c ; then
  26     expected_credential=mynspawncredential
  27     expected_value=strangevalue
  28 elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
  29     # Verify that passing creds through kernel cmdline works
  30     [ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]
  31
  32     # And that it also works via SMBIOS
  33     [ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
  34     [ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]
  35
  36     # If we aren't run in nspawn, we are run in qemu
  37     systemd-detect-virt -q -v
  38     expected_credential=myqemucredential
  39     expected_value=othervalue
  40
  41     # Verify that writing a sysctl via the kernel cmdline worked
  42     [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
  43 else
  44     echo "qemu_fw_cfg support missing in kernel. Sniff!"
  45     expected_credential=""
  46     expected_value=""
  47 fi
  48
  49 if [ "$expected_credential" != "" ] ; then
  50     # If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
  51     [ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]
  52
  53     # Test that propagation from system credential to service credential works
  54     [ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
  55
  56     # Check it also works, if we rename it while propagating it
  57     [ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]
  58
  59     # Combine it with a fallback (which should have no effect, given the cred should be passed down)
  60     [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
  61
  62     # This should succeed
  63     systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true
  64
  65     # And this should fail
  66     systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; }
  67 fi
  68
  69 # Verify that the creds are immutable
  70 systemd-run -p LoadCredential=passwd:/etc/passwd \
  71             -p DynamicUser=1 \
  72             --wait \
  73             touch '${CREDENTIALS_DIRECTORY}/passwd' \
  74     && { echo 'unexpected success'; exit 1; }
  75 systemd-run -p LoadCredential=passwd:/etc/passwd \
  76             -p DynamicUser=1 \
  77             --wait \
  78             rm '${CREDENTIALS_DIRECTORY}/passwd' \
  79     && { echo 'unexpected success'; exit 1; }
  80
  81 # Check directory-based loading
  82 mkdir -p /tmp/ts54-creds/sub
  83 echo -n a >/tmp/ts54-creds/foo
  84 echo -n b >/tmp/ts54-creds/bar
  85 echo -n c >/tmp/ts54-creds/baz
  86 echo -n d >/tmp/ts54-creds/sub/qux
  87 systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
  88             -p DynamicUser=1 \
  89             --wait \
  90             --pipe \
  91             cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
  92                 '${CREDENTIALS_DIRECTORY}/cred_bar' \
  93                 '${CREDENTIALS_DIRECTORY}/cred_baz' \
  94                 '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
  95 ( echo -n abcd ) | cmp /tmp/ts54-concat
  96 rm /tmp/ts54-concat
  97 rm -rf /tmp/ts54-creds
  98
  99 # Now test encrypted credentials (only supported when built with OpenSSL though)
 100 if systemctl --version | grep -q -- +OPENSSL ; then
 101     echo -n $RANDOM >/tmp/test-54-plaintext
 102     systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
 103     systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
 104
 105     systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
 106                 --wait \
 107                 --pipe \
 108                 cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
 109
 110     echo -n $RANDOM >/tmp/test-54-plaintext
 111     systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
 112     systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
 113
 114     systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
 115                 --wait \
 116                 --pipe \
 117                 cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
 118
 119     rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
 120 fi
 121
 122 systemd-analyze log-level info
 123
 124 echo OK >/testok
 125
 126 exit 0