# verb: setup
# Run this first, otherwise any encrypted credentials wouldn't be decryptable
-# as we regnerate the host key
+# as we regenerate the host key
rm -fv /var/lib/systemd/credential.secret
systemd-creds setup
test -e /var/lib/systemd/credential.secret
elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
# Verify that passing creds through kernel cmdline works
[ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]
+ [ "$(systemd-creds --system cat waldi)" = "woooofffwufffwuff" ]
# And that it also works via SMBIOS
[ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
rm /tmp/ts54-concat
rm -rf /tmp/ts54-creds
+# Check that globs work as expected
+mkdir -p /run/credstore
+echo -n a >/run/credstore/test.creds.first
+echo -n b >/run/credstore/test.creds.second
+mkdir -p /etc/credstore
+echo -n c >/etc/credstore/test.creds.third
+systemd-run -p "ImportCredential=test.creds.*" \
+ --unit=test-54-ImportCredential.service \
+ -p DynamicUser=1 \
+ --wait \
+ --pipe \
+ cat '${CREDENTIALS_DIRECTORY}/test.creds.first' \
+ '${CREDENTIALS_DIRECTORY}/test.creds.second' \
+ '${CREDENTIALS_DIRECTORY}/test.creds.third' >/tmp/ts54-concat
+cmp /tmp/ts54-concat <(echo -n abc)
+
# Now test encrypted credentials (only supported when built with OpenSSL though)
if systemctl --version | grep -q -- +OPENSSL ; then
echo -n $RANDOM >/tmp/test-54-plaintext
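Review bot: The glob test around `ImportCredential=test.creds.*` only asserts that the three matching credentials arrive; nothing checks that a non-matching entry in the same stores is kept out of the unit's credentials directory. Since the glob is what scopes which secrets a service receives, a negative case would catch over-matching. For example, add a decoy such as `echo -n x >/run/credstore/other.creds.first` (name constructed for illustration) and have a second `systemd-run` with the same `ImportCredential=` setting assert that the file is absent from `${CREDENTIALS_DIRECTORY}`. Within this hunk the `test.creds.*` files in `/run/credstore` and `/etc/credstore`, and `/tmp/ts54-concat`, are also not removed after the `cmp`. Unless cleanup happens outside the visible lines, an `rm -f` of those paths after the comparison would keep them out of later credential tests in this script.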
--pipe \
true | cmp /etc/os-release
-systemd-analyze log-level info
+if ! systemd-detect-virt -q -c ; then
+ # Validate that the credential we inserted via the initrd logic arrived
+ test "$(systemd-creds cat --system myinitrdcred)" = "guatemala"
+
+ # Check that the fstab credential logic worked
+ test -d /injected
+ grep -q /injected /proc/self/mountinfo
+
+ # Make sure the getty generator processed the credentials properly
+ systemctl -P Wants show getty.target | grep -q container-getty@idontexist.service
+fi
+
+# Decrypt/encrypt via varlink
+
+echo -n '{"data":"Zm9vYmFyCg=="}' > /tmp/vlcredsdata
-echo OK >/testok
+varlinkctl call /run/systemd/io.systemd.Credentials io.systemd.Credentials.Encrypt "$(cat /tmp/vlcredsdata)" | \
+ varlinkctl call /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt > /tmp/vlcredsdata2
+
+cmp /tmp/vlcredsdata /tmp/vlcredsdata2
+rm /tmp/vlcredsdata /tmp/vlcredsdata2
+
+systemd-analyze log-level info
-exit 0
+touch /testok
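Review bot: The varlink round trip only proves that `Decrypt` inverts `Encrypt`, so an `Encrypt` that returned its input unprotected and a `Decrypt` that echoed it back would still pass the final `cmp /tmp/vlcredsdata /tmp/vlcredsdata2`. Capturing the intermediate reply would close that gap: write the `Encrypt` output to a file, assert the plaintext payload is not in it with `(! grep -q 'Zm9vYmFyCg==' /tmp/vlcredsblob)` (file name constructed for illustration), then feed that file to `Decrypt`. The scratch files also use fixed names under `/tmp` and are removed only on the success path, so `mktemp` plus a `trap ... EXIT` cleanup would be tidier. The script's strict-mode settings are outside this hunk, so whether a failed `cmp` aborts before the `rm` is inferred.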