nixos/tests/dhparams.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / dhparams.nix
at 24.11-pre 4.8 kB view raw
  1import ./make-test-python.nix {
  2  name = "dhparams";
  3
  4  nodes.machine = { pkgs, ... }: {
  5    security.dhparams.enable = true;
  6    environment.systemPackages = [ pkgs.openssl ];
  7
  8    specialisation = {
  9      gen1.configuration = { config, ... }: {
 10        security.dhparams.params = {
 11          # Use low values here because we don't want the test to run for ages.
 12          foo.bits = 1024;
 13          # Also use the old format to make sure the type is coerced in the right
 14          # way.
 15          bar = 1025;
 16        };
 17
 18        systemd.services.foo = {
 19          description = "Check systemd Ordering";
 20          wantedBy = [ "multi-user.target" ];
 21          before = [ "shutdown.target" ];
 22          conflicts = [ "shutdown.target" ];
 23          unitConfig = {
 24            # This is to make sure that the dhparams generation of foo occurs
 25            # before this service so we need this service to start as early as
 26            # possible to provoke a race condition.
 27            DefaultDependencies = false;
 28
 29            # We check later whether the service has been started or not.
 30            ConditionPathExists = config.security.dhparams.params.foo.path;
 31          };
 32          serviceConfig.Type = "oneshot";
 33          serviceConfig.RemainAfterExit = true;
 34          # The reason we only provide an ExecStop here is to ensure that we don't
 35          # accidentally trigger an error because a file system is not yet ready
 36          # during very early startup (we might not even have the Nix store
 37          # available, for example if future changes in NixOS use systemd mount
 38          # units to do early file system initialisation).
 39          serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
 40        };
 41      };
 42      gen2.configuration = {
 43        security.dhparams.params.foo.bits = 1026;
 44      };
 45      gen3.configuration =  {};
 46      gen4.configuration = {
 47        security.dhparams.stateful = false;
 48        security.dhparams.params.foo2.bits = 1027;
 49        security.dhparams.params.bar2.bits = 1028;
 50      };
 51      gen5.configuration = {
 52        security.dhparams.defaultBitSize = 1029;
 53        security.dhparams.params.foo3 = {};
 54        security.dhparams.params.bar3 = {};
 55      };
 56    };
 57  };
 58
 59  testScript = { nodes, ... }: let
 60    getParamPath = gen: name: let
 61      node = "gen${toString gen}";
 62    in nodes.machine.config.specialisation.${node}.configuration.security.dhparams.params.${name}.path;
 63
 64    switchToGeneration = gen: let
 65      switchCmd = "${nodes.machine.config.system.build.toplevel}/specialisation/gen${toString gen}/bin/switch-to-configuration test";
 66    in ''
 67      with machine.nested("switch to generation ${toString gen}"):
 68        machine.succeed("${switchCmd}")
 69    '';
 70
 71  in ''
 72    import re
 73
 74
 75    def assert_param_bits(path, bits):
 76        with machine.nested(f"check bit size of {path}"):
 77            output = machine.succeed(f"openssl dhparam -in {path} -text")
 78            pattern = re.compile(r"^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$", re.M)
 79            match = pattern.match(output)
 80            if match is None:
 81                raise Exception("bla")
 82            if match[1] != str(bits):
 83                raise Exception(f"bit size should be {bits} but it is {match[1]} instead.")
 84
 85    machine.wait_for_unit("multi-user.target")
 86    ${switchToGeneration 1}
 87
 88    with subtest("verify startup order"):
 89        machine.succeed("systemctl is-active foo.service")
 90
 91    with subtest("check bit sizes of dhparam files"):
 92        assert_param_bits("${getParamPath 1 "foo"}", 1024)
 93        assert_param_bits("${getParamPath 1 "bar"}", 1025)
 94
 95    ${switchToGeneration 2}
 96
 97    with subtest("check whether bit size has changed"):
 98        assert_param_bits("${getParamPath 2 "foo"}", 1026)
 99
100    with subtest("ensure that dhparams file for 'bar' was deleted"):
101        machine.fail("test -e ${getParamPath 1 "bar"}")
102
103    ${switchToGeneration 3}
104
105    with subtest("ensure that 'security.dhparams.path' has been deleted"):
106        machine.fail("test -e ${nodes.machine.config.specialisation.gen3.configuration.security.dhparams.path}")
107
108    ${switchToGeneration 4}
109
110    with subtest("check bit sizes dhparam files"):
111        assert_param_bits(
112            "${getParamPath 4 "foo2"}", 1027
113        )
114        assert_param_bits(
115            "${getParamPath 4 "bar2"}", 1028
116        )
117
118    with subtest("check whether dhparam files are in the Nix store"):
119        machine.succeed(
120            "expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}",
121            "expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}",
122        )
123
124    ${switchToGeneration 5}
125
126    with subtest("check whether defaultBitSize works as intended"):
127        assert_param_bits("${getParamPath 5 "foo3"}", 1029)
128        assert_param_bits("${getParamPath 5 "bar3"}", 1029)
129  '';
130}