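# NixOS VM test for eCryptfs-encrypted home directories mounted through PAM.
#
# Flow: give alice a password, migrate her home with ecryptfs-migrate-home,
# then log in and out on tty1 several times and check that
#   * no ecryptfs mount is left once she is logged out (after the explicit
#     unmount step, see the notes in the script),
#   * files written while logged in are not visible while the home is locked,
#   * the same files and their contents are back after the next login.
#
# The password "foobar" is a throwaway credential that only exists inside the
# test VM.
import ./make-test.nix ({ pkgs, ... }:
{
  name = "ecryptfs";

  machine = { config, pkgs, ... }: {
    imports = [ ./common/user-account.nix ];
    boot.kernelModules = [ "ecryptfs" ];
    security.pam.enableEcryptfs = true;
    # keyutils provides keyctl, used below to dump alice's user keyring.
    environment.systemPackages = with pkgs; [ keyutils ];
  };

  testScript = ''
    $machine->waitForUnit("default.target");

    # Set alice up with a password and a home
    $machine->succeed("(echo foobar; echo foobar) | passwd alice");
    $machine->succeed("chown -R alice.users ~alice");

    # Migrate alice's home
    my $out = $machine->succeed("echo foobar | ecryptfs-migrate-home -u alice");
    $machine->log("ecryptfs-migrate-home said: $out");

    # Log alice in (ecryptfs passphrase is wrapped during first login)
    $machine->waitUntilTTYMatches(1, "login: ");
    $machine->sendChars("alice\n");
    $machine->waitUntilTTYMatches(1, "Password: ");
    $machine->sendChars("foobar\n");
    $machine->waitUntilTTYMatches(1, "alice\@machine");
    $machine->sendChars("logout\n");
    $machine->waitUntilTTYMatches(1, "login: ");

    # Why do I need to do this??
    # NOTE(review): because of the "|| true" this step can never fail, and the
    # mount check below runs only after this explicit unmount. The test
    # therefore does not show that logging out on its own unmounts the
    # encrypted home.
    $machine->succeed("su alice -c ecryptfs-umount-private || true");
    $machine->sleep(1);
    $machine->fail("mount | grep ecryptfs"); # check that encrypted home is not mounted

    # Show contents of the user keyring
    # The listing is only written to the test log; nothing is asserted about
    # which keys remain in the keyring after logout.
    $out = $machine->succeed("su - alice -c 'keyctl list \@u'");
    $machine->log("keyctl list said: " . $out);

    # Log alice in again
    $machine->waitUntilTTYMatches(1, "login: ");
    $machine->sendChars("alice\n");
    $machine->waitUntilTTYMatches(1, "Password: ");
    $machine->sendChars("foobar\n");
    $machine->waitUntilTTYMatches(1, "alice\@machine");

    # Create some files in encrypted home
    $machine->succeed("su alice -c 'touch ~alice/a'");
    $machine->succeed("su alice -c 'echo c > ~alice/b'");

    # Logout
    $machine->sendChars("logout\n");
    $machine->waitUntilTTYMatches(1, "login: ");

    # Why do I need to do this??
    # NOTE(review): same caveat as above, the unmount is forced here and its
    # exit status is ignored.
    $machine->succeed("su alice -c ecryptfs-umount-private || true");
    $machine->sleep(1);

    # Check that the filesystem is not accessible
    # With the home locked, the files created above must not be visible
    # under ~alice.
    $machine->fail("mount | grep ecryptfs");
    $machine->succeed("su alice -c 'test \! -f ~alice/a'");
    $machine->succeed("su alice -c 'test \! -f ~alice/b'");

    # Log alice in once more
    $machine->waitUntilTTYMatches(1, "login: ");
    $machine->sendChars("alice\n");
    $machine->waitUntilTTYMatches(1, "Password: ");
    $machine->sendChars("foobar\n");
    $machine->waitUntilTTYMatches(1, "alice\@machine");

    # Check that the files are there
    $machine->sleep(1);
    $machine->succeed("su alice -c 'test -f ~alice/a'");
    $machine->succeed("su alice -c 'test -f ~alice/b'");
    # The content check is not wrapped in "su alice", unlike the checks above.
    $machine->succeed(qq%test "\$(cat ~alice/b)" = "c"%);

    # Catch https://github.com/NixOS/nixpkgs/issues/16766
    $machine->succeed("su alice -c 'ls -lh ~alice/'");

    $machine->sendChars("logout\n");
    $machine->waitUntilTTYMatches(1, "login: ");
  '';
})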