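# NixOS VM test for the security.dhparams module. It walks through several
# configuration generations and checks: the bit size of the generated
# Diffie-Hellman parameter files, systemd ordering (parameters exist before
# dependent units start), cleanup of files for removed parameter sets, and the
# stateless mode where parameters live in the Nix store.
let
  # Shared by every generation: enable the module and install the openssl
  # binary that the test script uses to inspect the generated files.
  common = { pkgs, ... }: {
    security.dhparams.enable = true;
    environment.systemPackages = [ pkgs.openssl ];
  };

in import ./make-test-python.nix {
  name = "dhparams";

  nodes.generation1 = { pkgs, config, ... }: {
    imports = [ common ];
    security.dhparams.params = {
      # Use low values here because we don't want the test to run for ages.
      # Such sizes only exercise the module's plumbing; they are not usable
      # parameters outside of this test.
      foo.bits = 16;
      # Also use the old format to make sure the type is coerced in the right
      # way.
      bar = 17;
    };

    systemd.services.foo = {
      description = "Check systemd Ordering";
      wantedBy = [ "multi-user.target" ];
      unitConfig = {
        # This is to make sure that the dhparams generation of foo occurs
        # before this service so we need this service to start as early as
        # possible to provoke a race condition.
        DefaultDependencies = false;

        # We check later whether the service has been started or not.
        ConditionPathExists = config.security.dhparams.params.foo.path;
      };
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      # The reason we only provide an ExecStop here is to ensure that we don't
      # accidentally trigger an error because a file system is not yet ready
      # during very early startup (we might not even have the Nix store
      # available, for example if future changes in NixOS use systemd mount
      # units to do early file system initialisation).
      serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
    };
  };

  # Same parameter set name with a different size: the file must be regenerated.
  nodes.generation2 = {
    imports = [ common ];
    security.dhparams.params.foo.bits = 18;
  };

  # No parameter sets at all: the state directory must be removed.
  nodes.generation3 = common;

  # Stateless mode: parameters are built into the Nix store instead of being
  # generated at activation time.
  nodes.generation4 = {
    imports = [ common ];
    security.dhparams.stateful = false;
    security.dhparams.params.foo2.bits = 18;
    security.dhparams.params.bar2.bits = 19;
  };

  # Parameter sets without an explicit size fall back to defaultBitSize.
  nodes.generation5 = {
    imports = [ common ];
    security.dhparams.defaultBitSize = 30;
    security.dhparams.params.foo3 = {};
    security.dhparams.params.bar3 = {};
  };

  testScript = { nodes, ... }: let
    # Path of the parameter file `name` as configured in generation `gen`.
    getParamPath = gen: name: let
      node = "generation${toString gen}";
    in nodes.${node}.config.security.dhparams.params.${name}.path;

    # Python snippet that activates generation `gen` on the running VM and
    # rebinds `machine` to that node's definition.
    switchToGeneration = gen: let
      node = "generation${toString gen}";
      inherit (nodes.${node}.config.system.build) toplevel;
      switchCmd = "${toplevel}/bin/switch-to-configuration test";
    in ''
      with machine.nested("switch to generation ${toString gen}"):
          machine.succeed(
              "${switchCmd}"
          )
          machine = ${node}
    '';

  in ''
    import re


    def assert_param_bits(path, bits):
        # Parse the bit size openssl reports for the file at `path` and fail
        # unless it equals `bits`. Both failure modes name the offending file
        # so the test log is actionable.
        with machine.nested(f"check bit size of {path}"):
            output = machine.succeed(f"openssl dhparam -in {path} -text")
            pattern = re.compile(r"^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$", re.M)
            # search() rather than match(): match() only anchors at the very
            # start of the output, which makes the re.M flag meaningless. The
            # header line is looked up anywhere in the output instead.
            match = pattern.search(output)
            if match is None:
                raise Exception(
                    f"no 'DH Parameters: (N bit)' line found in openssl output for {path}:\n{output}"
                )
            if match[1] != str(bits):
                raise Exception(f"bit size should be {bits} but it is {match[1]} instead.")


    machine = generation1

    machine.wait_for_unit("multi-user.target")

    with subtest("verify startup order"):
        machine.succeed("systemctl is-active foo.service")

    with subtest("check bit sizes of dhparam files"):
        assert_param_bits("${getParamPath 1 "foo"}", 16)
        assert_param_bits("${getParamPath 1 "bar"}", 17)

    ${switchToGeneration 2}

    with subtest("check whether bit size has changed"):
        assert_param_bits("${getParamPath 2 "foo"}", 18)

    with subtest("ensure that dhparams file for 'bar' was deleted"):
        machine.fail("test -e ${getParamPath 1 "bar"}")

    ${switchToGeneration 3}

    with subtest("ensure that 'security.dhparams.path' has been deleted"):
        machine.fail("test -e ${nodes.generation3.config.security.dhparams.path}")

    ${switchToGeneration 4}

    with subtest("check bit sizes dhparam files"):
        assert_param_bits(
            "${getParamPath 4 "foo2"}", 18
        )
        assert_param_bits(
            "${getParamPath 4 "bar2"}", 19
        )

    with subtest("check whether dhparam files are in the Nix store"):
        machine.succeed(
            "expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}",
            "expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}",
        )

    ${switchToGeneration 5}

    with subtest("check whether defaultBitSize works as intended"):
        assert_param_bits("${getParamPath 5 "foo3"}", 30)
        assert_param_bits("${getParamPath 5 "bar3"}", 30)
  '';
}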