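# NixOS VM test for the tang network-bound disk encryption server.
#
# A single node ("server", reachable in the test script as `machine` because
# it is the only node) runs tangd restricted to loopback and uses clevis to
# pin a client to the server's advertised signing key.  The test covers key
# generation, the socket's address allow list, message and LUKS encryption,
# key rotation, and the systemd hardening score of the service template.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "tang";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ jfroche ];
  };

  nodes.server =
    { config
    , pkgs
    , modulesPath
    , ...
    }: {
      imports = [
        "${modulesPath}/../tests/common/auto-format-root-device.nix"
      ];
      virtualisation = {
        # /dev/vdb: the empty 512MiB drive that the LUKS subtests format.
        emptyDiskImages = [ 512 ];
        useBootLoader = true;
        useEFIBoot = true;
        # This requires to have access
        # to a host Nix store as
        # the new root device is /dev/vdb
        # an empty 512MiB drive, containing no Nix store.
        mountHostNixStore = true;
      };

      boot.loader.systemd-boot.enable = true;

      # A second, non-loopback address used to prove the allow list is enforced.
      networking.interfaces.eth1.ipv4.addresses = [
        { address = "192.168.0.1"; prefixLength = 24; }
      ];

      environment.systemPackages = with pkgs; [ clevis tang cryptsetup ];
      services.tang = {
        enable = true;
        # Only loopback clients may reach the advertisement/recovery endpoint;
        # the "Check systemd access list" subtest verifies the eth1 address is
        # not accepted.
        ipAddressAllow = [ "127.0.0.1/32" ];
      };
    };

  testScript = ''
    start_all()
    machine.wait_for_unit("sockets.target")

    def close_luks_devices():
        """Close every open LUKS mapping so the next unlock starts from scratch."""
        machine.succeed("find /dev/mapper -name 'luks*' -exec cryptsetup close {} +")

    with subtest("Check keys are generated"):
        machine.wait_until_succeeds("curl -v http://127.0.0.1:7654/adv")
        # The advertised signing-key thumbprint is the trust anchor the clevis
        # bindings below pin to; strip it so no trailing newline ends up inside
        # the JSON config handed to clevis.
        key = machine.wait_until_succeeds("tang-show-keys 7654").strip()

    with subtest("Check systemd access list"):
        # The interface itself is reachable ...
        machine.succeed("ping -c 3 192.168.0.1")
        # ... but the tang socket must not answer on it.  A short connect
        # timeout makes a silently dropped connection count as a failure too.
        machine.fail("curl -v --connect-timeout 3 http://192.168.0.1:7654/adv")

    with subtest("Check basic encrypt and decrypt message"):
        machine.wait_until_succeeds(f"""echo 'Hello World' | clevis encrypt tang '{{ "url": "http://127.0.0.1:7654", "thp":"{key}"}}' > /tmp/encrypted""")
        decrypted = machine.wait_until_succeeds("clevis decrypt < /tmp/encrypted")
        assert decrypted.strip() == "Hello World"
        machine.wait_until_succeeds("tang-show-keys 7654")

    with subtest("Check encrypt and decrypt disk"):
        # Test-only passphrase for the scratch disk; the tang binding is added
        # in slot 1 next to it.
        machine.succeed("cryptsetup luksFormat --force-password --batch-mode /dev/vdb <<<'password'")
        machine.succeed(f"""clevis luks bind -s1 -y -f -d /dev/vdb tang '{{ "url": "http://127.0.0.1:7654", "thp":"{key}" }}' <<< 'password'""")
        clevis_luks = machine.succeed("clevis luks list -d /dev/vdb")
        assert clevis_luks.strip() == """1: tang '{"url":"http://127.0.0.1:7654"}'"""
        machine.succeed("clevis luks unlock -d /dev/vdb")
        close_luks_devices()
        # Unlocking must be repeatable, not a one-shot.
        machine.succeed("clevis luks unlock -d /dev/vdb")
        close_luks_devices()
        # without tang available, unlock should fail
        machine.succeed("systemctl stop tangd.socket")
        machine.fail("clevis luks unlock -d /dev/vdb")
        machine.succeed("systemctl start tangd.socket")

    with subtest("Rotate server keys"):
        machine.succeed("${pkgs.tang}/libexec/tangd-rotate-keys -d /var/lib/tang")
        # Rotation must actually change the advertised signing key ...
        rotated_key = machine.wait_until_succeeds("tang-show-keys 7654").strip()
        assert rotated_key != key, "tang-show-keys still advertises the pre-rotation key"
        # ... while the previous key stays usable for recovery, so a binding
        # made before the rotation must still unlock.
        machine.succeed("clevis luks unlock -d /dev/vdb")
        close_luks_devices()

    with subtest("Test systemd service security"):
        # Pin the hardening score of the per-connection service template so a
        # regression in its sandboxing shows up here.
        output = machine.succeed("systemd-analyze security tangd@.service")
        machine.log(output)
        assert output[-9:-1] == "SAFE :-}"
  '';
})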