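# NixOS VM test for eCryptfs-encrypted home directories set up through PAM.
#
# Property under test: after `ecryptfs-migrate-home`, the files alice creates
# are readable while she is logged in, are not visible once her private
# directory is unmounted, and come back on her next login.
import ./make-test-python.nix ({ ... }:
{
  name = "ecryptfs";

  nodes.machine = { pkgs, ... }: {
    imports = [ ./common/user-account.nix ];
    boot.kernelModules = [ "ecryptfs" ];
    # The PAM integration for eCryptfs is the feature being exercised.
    security.pam.enableEcryptfs = true;
    # keyutils provides keyctl, used below to dump alice's user keyring.
    environment.systemPackages = with pkgs; [ keyutils ];
  };

  testScript = ''
    def login_as_alice():
        """Log alice in on tty1 using the throwaway test password."""
        machine.wait_until_tty_matches("1", "login: ")
        machine.send_chars("alice\n")
        machine.wait_until_tty_matches("1", "Password: ")
        machine.send_chars("foobar\n")
        machine.wait_until_tty_matches("1", "alice@machine")


    def logout():
        """Log the tty1 session out and wait for the login prompt to return."""
        machine.send_chars("logout\n")
        machine.wait_until_tty_matches("1", "login: ")


    def force_unmount_private():
        """Explicitly unmount alice's private directory after a logout.

        Workaround carried over from the original test, which did not know why
        it was needed. A failing unmount is tolerated here (|| true); the
        `mount | grep ecryptfs` check that follows each call is what actually
        asserts that nothing is left mounted.
        """
        # NOTE(review): because the unmount is forced by hand, this test does
        # not show that closing the PAM session unmounts the encrypted home on
        # its own. Confirm whether that is expected before relying on it.
        machine.succeed("su alice -c ecryptfs-umount-private || true")
        machine.sleep(1)


    machine.wait_for_unit("default.target")

    with subtest("Set alice up with a password and a home"):
        # Fixed test-only password; it is also used as the eCryptfs login
        # passphrase in the migration step below.
        machine.succeed("(echo foobar; echo foobar) | passwd alice")
        # Use the colon separator; the dot form is a deprecated chown syntax.
        machine.succeed("chown -R alice:users ~alice")

    with subtest("Migrate alice's home"):
        out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice")
        machine.log(f"ecryptfs-migrate-home said: {out}")

    with subtest("Log alice in (ecryptfs passphrase is wrapped during first login)"):
        login_as_alice()
        logout()

    force_unmount_private()

    with subtest("check that encrypted home is not mounted"):
        machine.fail("mount | grep ecryptfs")

    with subtest("Show contents of the user keyring"):
        # Diagnostic only: the keyring listing is logged, nothing is asserted.
        # NOTE(review): if the mount key is expected to be gone from the user
        # keyring at this point, an assertion here would catch a leftover key.
        out = machine.succeed("su - alice -c 'keyctl list @u'")
        machine.log(f"keyctl list said: {out}")

    with subtest("Log alice again"):
        login_as_alice()

    with subtest("Create some files in encrypted home"):
        machine.succeed("su alice -c 'touch ~alice/a'")
        machine.succeed("su alice -c 'echo c > ~alice/b'")

    with subtest("Logout"):
        logout()

    force_unmount_private()

    with subtest("Check that the filesystem is not accessible"):
        # Two independent checks: no ecryptfs mount remains, and the files
        # created while logged in are not visible under their cleartext names.
        machine.fail("mount | grep ecryptfs")
        machine.succeed("su alice -c 'test ! -f ~alice/a'")
        machine.succeed("su alice -c 'test ! -f ~alice/b'")

    with subtest("Log alice once more"):
        login_as_alice()

    with subtest("Check that the files are there"):
        machine.sleep(1)
        machine.succeed("su alice -c 'test -f ~alice/a'")
        machine.succeed("su alice -c 'test -f ~alice/b'")
        # Content check, not just existence: the data must decrypt correctly.
        machine.succeed('test "$(cat ~alice/b)" = "c"')

    with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"):
        machine.succeed("su alice -c 'ls -lh ~alice/'")

    logout()
  '';
})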