2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
6 systemd-analyze log-level debug
8 # Verify that the creds are properly loaded and we can read them from the service's unpriv user
9 systemd-run
-p LoadCredential
=passwd
:/etc
/passwd \
10 -p LoadCredential
=shadow
:/etc
/shadow \
11 -p SetCredential
=dog
:wuff \
13 --unit=test-54-unpriv.service \
16 cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp
/ts54-concat
17 ( cat /etc
/passwd
/etc
/shadow
&& echo -n wuff
) |
cmp /tmp
/ts54-concat
20 # Test that SetCredential= acts as fallback for LoadCredential=
21 echo piff
>/tmp
/ts54-fallback
22 [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
24 [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]
26 if systemd-detect-virt
-q -c ; then
27 expected_credential
=mynspawncredential
28 expected_value
=strangevalue
29 elif [ -d /sys
/firmware
/qemu_fw_cfg
/by_name
]; then
30 # Verify that passing creds through kernel cmdline works
31 [ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]
33 # And that it also works via SMBIOS
34 [ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
35 [ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]
37 # If we aren't run in nspawn, we are run in qemu
38 systemd-detect-virt
-q -v
39 expected_credential
=myqemucredential
40 expected_value
=othervalue
42 # Verify that writing a sysctl via the kernel cmdline worked
43 [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
45 # Verify that creating a user via sysusers via the kernel cmdline worked
46 grep -q ^credtestuser
: /etc
/passwd
48 # Verify that writing a file via tmpfiles worked
49 [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ]
50 [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ]
51 [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ]
53 echo "qemu_fw_cfg support missing in kernel. Sniff!"
54 expected_credential
=""
58 if [ "$expected_credential" != "" ] ; then
59 # If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
60 [ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]
62 # Test that propagation from system credential to service credential works
63 [ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
65 # Check it also works, if we rename it while propagating it
66 [ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]
68 # Combine it with a fallback (which should have no effect, given the cred should be passed down)
69 [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
72 systemd-run
-p AssertCredential
="$expected_credential" -p Type
=oneshot true
74 # And this should fail
75 systemd-run
-p AssertCredential
="undefinedcredential" -p Type
=oneshot true
&& { echo 'unexpected success'; exit 1; }
78 # Verify that the creds are immutable
79 systemd-run
-p LoadCredential
=passwd
:/etc
/passwd \
81 --unit=test-54-immutable-touch.service \
83 touch '${CREDENTIALS_DIRECTORY}/passwd' \
84 && { echo 'unexpected success'; exit 1; }
85 systemd-run
-p LoadCredential
=passwd
:/etc
/passwd \
87 --unit=test-54-immutable-rm.service \
89 rm '${CREDENTIALS_DIRECTORY}/passwd' \
90 && { echo 'unexpected success'; exit 1; }
92 # Check directory-based loading
93 mkdir
-p /tmp
/ts54-creds
/sub
94 echo -n a
>/tmp
/ts54-creds
/foo
95 echo -n b
>/tmp
/ts54-creds
/bar
96 echo -n c
>/tmp
/ts54-creds
/baz
97 echo -n d
>/tmp
/ts54-creds
/sub
/qux
98 systemd-run
-p LoadCredential
=cred
:/tmp
/ts54-creds \
100 --unit=test-54-dir.service \
103 cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
104 '${CREDENTIALS_DIRECTORY}/cred_bar' \
105 '${CREDENTIALS_DIRECTORY}/cred_baz' \
106 '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp
/ts54-concat
107 ( echo -n abcd
) |
cmp /tmp
/ts54-concat
109 rm -rf /tmp
/ts54-creds
111 # Now test encrypted credentials (only supported when built with OpenSSL though)
112 if systemctl
--version |
grep -q -- +OPENSSL
; then
113 echo -n $RANDOM >/tmp
/test-54-plaintext
114 systemd-creds encrypt
--name=test-54
/tmp
/test-54-plaintext
/tmp
/test-54-ciphertext
115 systemd-creds decrypt
--name=test-54
/tmp
/test-54-ciphertext |
cmp /tmp
/test-54-plaintext
117 systemd-run
-p LoadCredentialEncrypted
=test-54
:/tmp
/test-54-ciphertext \
120 cat '${CREDENTIALS_DIRECTORY}/test-54' |
cmp /tmp
/test-54-plaintext
122 echo -n $RANDOM >/tmp
/test-54-plaintext
123 systemd-creds encrypt
--name=test-54
/tmp
/test-54-plaintext
/tmp
/test-54-ciphertext
124 systemd-creds decrypt
--name=test-54
/tmp
/test-54-ciphertext |
cmp /tmp
/test-54-plaintext
126 systemd-run
-p SetCredentialEncrypted
=test-54
:"$(cat /tmp/test-54-ciphertext)" \
129 cat '${CREDENTIALS_DIRECTORY}/test-54' |
cmp /tmp
/test-54-plaintext
131 rm /tmp
/test-54-plaintext
/tmp
/test-54-ciphertext
134 systemd-analyze log-level info
projects / thirdparty / systemd.git / blob