From 7d551b00e3158aa2acbb44dcd8e5d5b82ceca4bb Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Tue, 10 Feb 2026 08:13:39 +0100
Subject: [PATCH] TEST-54-CREDS: add test cases for credential refreshing
---
 .../TEST-54-CREDS.units/refresh.sh | 29 +++++
 test/meson.build | 1 +
 test/units/TEST-54-CREDS.sh | 102 ++++++++++++++++++
 3 files changed, 132 insertions(+)
 create mode 100755 test/integration-tests/TEST-54-CREDS/TEST-54-CREDS.units/refresh.sh
diff --git a/test/integration-tests/TEST-54-CREDS/TEST-54-CREDS.units/refresh.sh b/test/integration-tests/TEST-54-CREDS/TEST-54-CREDS.units/refresh.sh
new file mode 100755
index 00000000000..24aa5e88324
--- /dev/null
+++ b/test/integration-tests/TEST-54-CREDS/TEST-54-CREDS.units/refresh.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# shellcheck disable=SC2016
+set -eux
+set -o pipefail
+
+OUTPUT_FILE="$1"
+
+dump_creds_tree() {
+ grep . "$CREDENTIALS_DIRECTORY"/* >"$OUTPUT_FILE"
+}
+
+on_sighup() {
+ systemd-notify --reloading
+ dump_creds_tree
+ systemd-notify --ready
+}
+
+trap on_sighup SIGHUP
+
+export SYSTEMD_LOG_LEVEL=debug
+
+dump_creds_tree
+systemd-notify --ready
+
+sleep infinity &
+while :; do
+ wait || :
+done
diff --git a/test/meson.build b/test/meson.build
index 6c7fd666a08..7bf557cc193 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -351,6 +351,7 @@ if install_tests
 'integration-tests/TEST-30-ONCLOCKCHANGE/TEST-30-ONCLOCKCHANGE.units',
 'integration-tests/TEST-38-FREEZER/TEST-38-FREEZER.units',
 'integration-tests/TEST-52-HONORFIRSTSHUTDOWN/TEST-52-HONORFIRSTSHUTDOWN.units',
+ 'integration-tests/TEST-54-CREDS/TEST-54-CREDS.units',
 'integration-tests/TEST-55-OOMD/TEST-55-OOMD.units',
 'integration-tests/TEST-62-RESTRICT-IFACES/TEST-62-RESTRICT-IFACES.units',
 'integration-tests/TEST-63-PATH/TEST-63-PATH.units',
diff --git a/test/units/TEST-54-CREDS.sh b/test/units/TEST-54-CREDS.sh
index ae16e5b3dfb..0eaf8a2dfb0 100755
--- a/test/units/TEST-54-CREDS.sh
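Review bot: In the new refresh.sh, `dump_creds_tree` copies every credential value out of `$CREDENTIALS_DIRECTORY` into the caller-supplied `$OUTPUT_FILE` under the default umask, and the callers in TEST-54-CREDS.sh point that file at `/tmp`, so the values no longer sit behind the access restriction of the credentials directory. That is acceptable for dummy test values, but the helper should say so; I would add above the function `# Test helper only: dumps credential contents to a caller-chosen file, do not use with real secrets.` Separately, `# shellcheck disable=SC2016` looks unneeded, since the script contains no single-quoted strings.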
+++ b/test/units/TEST-54-CREDS.sh 
@@ -571,4 +571,106 @@ systemd-run -M testuser@ --user --wait -p ImportCredential=brummbaer \ kill "$PID" +# Now test credential refreshing + +UNIT_NAME="TEST-54-CREDS-refreshing-$RANDOM.service" +OUTPUT_FILE="/tmp/$UNIT_NAME.out" +POST_FLAG_FILE="/tmp/$UNIT_NAME.post-flag" + +cat >/run/systemd/system/"$UNIT_NAME" </run/credstore/test.creds.new-refresh-1 +[[ ! -e /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-1 ]] + +systemctl reload "$UNIT_NAME" +[[ ! -e /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-1 ]] +(! grep -q "test.creds.new-refresh-1" "$OUTPUT_FILE") + +echo "RefreshOnReload=credentials" >>/run/systemd/system/"$UNIT_NAME" +systemctl daemon-reload +systemctl reload "$UNIT_NAME" +diff /run/credstore/test.creds.new-refresh-1 /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-1 +diff "$OUTPUT_FILE" <(grep . /run/credentials/"$UNIT_NAME"/*) + +systemctl stop "$UNIT_NAME" +cat >>/run/systemd/system/"$UNIT_NAME" </run/credstore/test.creds.new-refresh-2 +[[ ! -e /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-2 ]] + +systemctl reload "$UNIT_NAME" +diff /run/credstore/test.creds.new-refresh-2 /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-2 +diff "$OUTPUT_FILE" <(grep . /run/credentials/"$UNIT_NAME"/*) + +echo "3" >/run/credstore/test.creds.new-refresh-3 +[[ ! -e /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-3 ]] + +rm "$OUTPUT_FILE" +systemctl edit --runtime --stdin "$UNIT_NAME" <>/run/systemd/system/"$UNIT_NAME" +systemctl daemon-reload +assert_eq "$(systemctl show "$UNIT_NAME" -P CanReload)" "no" +systemctl revert "$UNIT_NAME" +assert_eq "$(systemctl show "$UNIT_NAME" -P CanReload)" "yes" + +echo "BOGUS" >/run/credstore/test.creds.refresh-bogus +touch "$POST_FLAG_FILE" +systemctl reload "$UNIT_NAME" +diff /run/credstore/test.creds.new-refresh-3 /run/credentials/"$UNIT_NAME"/test.creds.new-refresh-3 +[[ ! -e /run/credentials/"$UNIT_NAME"/test.creds.refresh-bogus ]] +diff "$OUTPUT_FILE" <(grep . 
/run/credentials/"$UNIT_NAME"/*) +[[ ! -e "$POST_FLAG_FILE" ]] + +OUTPUT_FILE_USER="/tmp/TEST-54-CREDS-refreshing-user.out" + +systemd-notify --fork -- \ + systemd-run -M testuser@ --user --wait \ + --unit=brummbaer-refresh.service \ + --service-type=notify-reload \ + -p NotifyAccess=all \ + -p 'ImportCredential=brummbaer*' \ + -p RefreshOnReload=credentials \ + -p ProtectSystem=strict \ + -p ReadWritePaths=/tmp \ + /usr/lib/systemd/tests/testdata/TEST-54-CREDS.units/refresh.sh "$OUTPUT_FILE_USER" + +[[ -f "$TESTUSER_CRED_DIR/brummbaer-refresh.service/brummbaer" ]] +diff "$OUTPUT_FILE_USER" <(grep . "$TESTUSER_CRED_DIR"/brummbaer-refresh.service/*) + +run0 -u testuser --pipe -i \ + --property=EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \ + 'mkdir -p .config/credstore && echo "refreshed" >.config/credstore/brummbaer.refreshed' + +systemctl -M testuser@ --user reload brummbaer-refresh.service +assert_eq "$(cat "$TESTUSER_CRED_DIR"/brummbaer-refresh.service/brummbaer.refreshed)" "refreshed" +diff "$OUTPUT_FILE_USER" <(grep . "$TESTUSER_CRED_DIR"/brummbaer-refresh.service/*) + touch /testok -- 2.47.3
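Review bot: Nothing visible in this hunk tears down what the new section creates before `touch /testok`: the `/run/credstore/test.creds.new-refresh-*` and `test.creds.refresh-bogus` entries, the two dump files in `/tmp` (which hold credential contents), and the apparently still-running `$UNIT_NAME` and `brummbaer-refresh.service`. The heredoc bodies of the hunk are not visible here and the rest of the test file lies outside it, so this may already be handled elsewhere; if it is not, leftover credstore entries could be picked up by a glob-style `ImportCredential=` in a later addition to this file. I would end the section with `systemctl stop "$UNIT_NAME"`, `systemctl -M testuser@ --user stop brummbaer-refresh.service` and `rm -f /run/credstore/test.creds.new-refresh-* /run/credstore/test.creds.refresh-bogus "$OUTPUT_FILE" "$OUTPUT_FILE_USER"`. `OUTPUT_FILE_USER` is also a fixed name in `/tmp` while `OUTPUT_FILE` is derived from `$RANDOM`; using the same scheme for both would keep a stale file from an earlier run out of the picture.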